
Re: [Pan-users] Munging?


From: Duncan
Subject: Re: [Pan-users] Munging?
Date: Fri, 29 Jul 2011 03:54:00 +0000 (UTC)
User-agent: Pan/0.135 (Tomorrow I'll Wake Up and Scald Myself with Tea; GIT 9996aa7 branch-master)

Travis posted on Thu, 28 Jul 2011 15:17:28 -0700 as excerpted:

> -----Original Message-----
> From: Steven D'Aprano
> Sent: Thursday, July 28, 2011 12:36 PM
> To: address@hidden
> Subject: Re: [Pan-users] Munging?
> 
> Beartooth wrote:
>> My posting profiles all require an email address. Can it a/o should it
>> be a munged one -- say with space-paren-at-paren-space instead of @?
> 
> You mean something like this?
> 
> fred (@) example.com
> 
> 
> That's not a valid email address, because the @ sign is commented out.
> (Yes, email addresses can include comments. Many mail clients don't
> allow them, because they are stupid and don't follow the standard, but
> it is legal.)
> 
> If you are just making up an address, why not just do something like
> this?
> 
> address@hidden
> 
> 
> 
> It would be more appropriate to use
> address@hidden
> 
> Someday somewhere somebody might register nowhere.com

I can't actually see what those addresses are, as I'm reading thru gmane, 
which munges them (tho it can be noted that the gmane munges are valid as 
forwarding addresses if the original address was valid, it just goes thru 
the gmane despammer first).

However, what I've long done here for real news (that is, non-gmane/non-
list) is use something like the following (with the @ further munged to 
avoid gmane scrambling, but it should be obvious):

news.duncan (at) cox.replytogroup.net.please

1) Add the munging on the domain side of the @ so your ISP (or your own 
mail server if you're so lucky) doesn't have to deal with it.

2) Use at least two-word domain munging, alternating valid and invalid 
(cox is valid, replytogroup is invalid, net is valid, please is not), 
with the intention of making it more difficult for automated spambot 
demunging while still making it reasonably easy for real humans.

3) The user side of the @ is valid as-is (news.duncan, not simply duncan, 
not simply news), so if a spambot /does/ successfully demunge the domain 
side, if they try the same technique on the user side, they'll be a minor 
headache for the mail server (unavoidable once the domain munging is 
cracked) but it still won't get me.

4) Make the tld (top-level-domain, like .com, here, .please) invalid, so 
anything that tries to use the address as-is isn't going to put any more 
load on the system than necessary (the first TLD dns returns invalid, 
operation goes no further), trying to validate dns.

That's it for the address munging.  However, there's two (or three, 
depending on how they're counted) additional components to my scheme, as 
well.

5) In my mail client, have a keywording filter.  For any mail that comes 
in to that address, the filter looks for " -news" at the END of the 
subject line. (No-quotes, space, dash, news, END)  So a properly
keyword-added subject line for replying directly to me for this thread 
(were it on a newsgroup where I use the munged address, not a list where 
I use my list address) would be:

Re: Munging? -news

Anything coming in at that address without that " -news" at the end of 
the subject line gets trashed (as do all HTML messages coming in there).

6) Completing (almost) the setup, I make use of pan's custom-header 
capacities, adding these instructions as custom headers.  Note that the 
x- is specified in the RFCs as a prefix to be assigned to custom headers, 
to be sure they don't conflict with any non-custom headers:


x-munging1: Usenet replies preferred,  If replying by mail,
x-munging2: do ALL the following to avoid the spam traps:
x-munging3: 1) Use plain text.  HTML format auto-trashed.
x-munging4: 2) Kill address reply2group and please phrases.
x-munging5: 3) Put " -news" at the END of the subject
x-munging6: (no quotes, space, dash, news, END)

7) Finally, replacing the first line of my list sig as used below,
I have this:

Duncan - Newsgroup replies preferred.  See x-munging headers for mail.

That:

a) makes the point that I prefer news replies.

b) "gently" encourages them by forcing people to look at the headers and 
jump thru some hoops to actually get a valid email address, and then to 
add the keyword so I actually see the message.

c) makes it known that replying via email is still possible when 
necessary, referring people to the instructions in the headers.

d) rather more strongly "encourages" people who aren't intelligent enough 
or simply don't care enough to follow instructions and who would thus 
unnecessarily "reply to all" or "reply to sender" instead of to the 
newsgroup, to instead "reply to group".  If they can't even care enough 
to notice that, the message couldn't have been that important anyway and 
would be a milder form of spam anyway, simply wasting my time, so if it 
doesn't get to me, oh, well...

Taken as a whole, this scheme has been *VERY* successful for me over the 
years.  Despite my posting a demungable address quite visibly to various 
newsgroups over the years, the number of spam hits on the news.duncan 
address remains very low, and could well be due to spambot address 
randomization.  And the keywording has been 100% effective in killing 
them.  No spammer is likely to tailor message subjects specific enough to 
get around it, and if one ever does, it's simple enough to change the 
keywording rules and relevant header lines while retaining the rest of 
the system as-is.

Meanwhile, I *HAVE* gotten a number of legitimate messages on that 
address from people over the years, where they cared enough to do the 
keywording as well.  Further, the keywording has to be done only once per 
subject/thread.  Once done for the first message, all replies 
automatically keep the same keywording so if the initial message ends up 
in an ongoing exchange, it "just works".

If I trust the other end enough, I eventually give them one of my other 
addresses as a contact so they don't have to worry about the keyword 
filter on the news address for future messages.

A 100% correct identification rate, no-false-positives, no-false-
negatives, is considered impossible for the general case.  (If it were 
ever possible at all, the spammers would soon get ahold of it and it 
would again be impossible.)  However, this application is specialized 
enough that I seem to have accomplished it.  Of course I can't know what 
messages never got to me as a result, but by definition, those were 
milder forms of spam anyway, and thus a waste of time, because the other 
end obviously didn't care enough about it to do it right (or was too dumb 
to know how to access the custom headers), so why should I care about it 
either?  In any case, if they considered the message /that/ important and 
they saw no response, they /could/ reply via newsgroup, if even with a 
simple, "Hey, Duncan, I can't figure out your email thing, can you 
contact me directly at this address? <their address>"  That way, they get 
to put their unmungable address out there in whatever munged form they 
choose, and I can respond to them.

By similar token, anyone who DOES care enough to jump thru the hoops gets 
rather higher priority treatment, generally at least /some/ reply, which 
they might not otherwise, because I know the effort it took to contact me 
directly on that address in the first place, and thus, that they consider 
the message of at least enough importance to do so, regardless of whether 
I'd ordinarily consider it so or not.  (In practice, however, I don't 
believe I've ever received a message that got thru those hoops that I 
didn't consider important on its face, so the fact that they consider it 
important enough to jump thru them only increases the priority for me.  
Of course, someone could be contrarian just to prove me wrong and break 
that 100% record, but again, it should be simple enough to block them if 
that ever happens.  That it's so effective on the automated stuff already 
makes everything else easier to handle, even if someone starts 
deliberately targeting it.)


Meanwhile, another alternative exists as well, particularly for you 
Beartooth, as I know you already use gmane.  As I mentioned, their munged 
addresses remain valid -- it just goes thru their spam filters and gets 
forwarded to the unmunged address you used.  As such, you could simply 
use the gmane munged version of your real address on non-gmane and gmane-
but-unmunged groups/servers as well, and let gmane handle the spam 
filtering, forwarding, etc.

Finally, it's worth noting that by virtue of the fact that gmane verifies 
addresses the first time they're used in posting to a gmane group/list, 
you cannot use a (non-gmane) munged address on gmane.  So don't even try 
that, as the verification mail will go to the munged address and never 
get to you, so no message you post to gmane using such an address will 
ever make it.  (Well, unless the address as-munged is valid as well, 
similar to the way gmane's munging works.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
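
The receiving-side rules from steps 5 and 6 of the message above (the " -news" subject keyword, HTML auto-trashed) together with the reader-side demunging, as an added sketch that is not part of the original post. The address `news.alice@example.org`, its munged form, and the names `demunge`, `verdict` and `sample` are constructed for illustration; only the decoy labels and the keyword come from the post.

```python
from email import message_from_string, policy
from email.utils import getaddresses

NEWS_ADDR = "news.alice@example.org"       # constructed address, not a real one
DECOY_LABELS = {"replytogroup", "please"}  # invalid labels named in the post
KEYWORD = " -news"                         # must sit at the END of the Subject

def demunge(posted):
    """Undo the posted form: ' (at) ' becomes '@', decoy labels are dropped."""
    user, _, domain = posted.replace(" (at) ", "@").partition("@")
    labels = [l for l in domain.split(".") if l.lower() not in DECOY_LABELS]
    return f"{user}@{'.'.join(labels)}"

def verdict(raw):
    """Classify one raw message as 'keep', 'trash' or 'not-news'."""
    msg = message_from_string(raw, policy=policy.default)
    rcpts = {addr.lower() for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    if NEWS_ADDR not in rcpts:
        return "not-news"      # mail to other addresses is outside this rule
    # Any text/html part, alone or inside a multipart body, trashes the mail.
    if any(part.get_content_type() == "text/html" for part in msg.walk()):
        return "trash"
    subject = str(msg.get("Subject", ""))  # policy.default decodes RFC 2047
    # Keyword anywhere but the end, or without the leading space, fails.
    return "keep" if subject.endswith(KEYWORD) else "trash"

def sample(subject, ctype="text/plain", to=NEWS_ADDR):
    """Build a constructed test message (not real mail)."""
    return (f"From: someone@example.net\nTo: {to}\nSubject: {subject}\n"
            f"Content-Type: {ctype}\n\nbody\n")

if __name__ == "__main__":
    print(demunge("news.alice (at) example.replytogroup.org.please"))
    for subj, ctype in [("Re: Munging? -news", "text/plain"),
                        ("Re: Munging?", "text/plain"),
                        ("-news cheap pills", "text/plain"),
                        ("Re: Munging? -news", "text/html")]:
        print(f"{verdict(sample(subj, ctype)):8} {ctype:10} {subj!r}")
```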



