From: Tothwolf <>
Date: Fri Oct 10 18:06:05 2003

On Fri, 10 Oct 2003, Pete Turnbull wrote:
> On Oct 9, 22:16, Tothwolf wrote:
> > Or...maybe replacing the From: email address in the archive emails
> > with the list email address hasn't worked as well as folks thought it
> > might?
> Ah, does that mean I'm not the only person who doesn't like that? It
> just looks wrong to me, putting some other address against my name, and
> I'm sure that's part of the cause of so many non-subscriber replies
> being sent to the list (I'm sure most are meant to go to the original
> poster).

I didn't care for it from the start, but I didn't mention it on-list
because it was only supposed to be temporary. It seems like *tons* of
emails that are meant to go to someone privately are ending up on the list
because of the addresses being changed, which IMHO is a really bad
thing...I don't know of any other email lists that are doing this,
probably because of the type of problems we are having with it here.

> The intent was to prevent address harvesting, but I'd prefer my address
> was just obfuscated in some way (maybe split up). Wasn't the
> address-replacing meant to be temporary, until a better way was found to
> obfuscate the sender address? Actually, I don't care if it's not even
> obfuscated, but I know others do.

There are tons of ways to defeat harvesters. Some options include:

* Obfuscate the address somehow. Two common methods are removing/modifying
  non-alphanumeric characters ('_at_', '.', etc), and/or using HTML
  '&' escape sequences to create the address (not 100% reliable, but
  defeats a large number of harvesters).

* Present a different (or no) From: email address depending on whether or
  not the person accessing the archive has authenticated themselves.

* Create an MD5 hash of the email address and link it to a CGI script that
  resolves the hash into a real address via a database once some sort of
  authentication is done.

* Replace the email address with an image and link it and/or the name of
  the sender to a CGI script that can authenticate the person, which once
  done will display the original email address and/or message in its
  original form.

Two fairly simple ways of authenticating the person are:

* Authenticate the person with their mailman email address/password.

* Ask the user to type in some disfigured text that is rendered in an
  image (to defeat OCR software).

Both of these authentication types could be implemented, with the first
having an option to store a long term cookie so the subscriber does not
have to constantly re-enter their password. The second method could simply
redirect the person to a generated URL that will expire after a set amount
of time.

Of course...maybe wpoison should be linked in somehow too? ;)

...And what is up with the new list software changing the To: address?
"General Discussion: On-Topic and Off-Topic Posts"

Received on Fri Oct 10 2003 - 18:06:05 BST
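
Added example, not part of the original post or of any list software: a Python sketch of the hashed-address lookup and the expiring generated URL suggested in the message above. It swaps the bare MD5 for a keyed HMAC-SHA256, since an unkeyed hash of an address can be confirmed by anyone who hashes a guessed address; the secret, the in-memory address table, the `/reveal` path and all function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that never reaches the archive reader.
SECRET = b"constructed-demo-secret"

# Stand-in for the archive's address database (filled by address_id).
ADDRESSES = {}

def address_id(email):
    """Opaque ID published in the archive page in place of the address."""
    digest = hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()[:32]
    ADDRESSES[digest] = email
    return digest

def _sign(addr_id, expires):
    # Binds the ID to its expiry time so neither can be altered separately.
    msg = f"{addr_id}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def reveal_url(addr_id, ttl=600, now=None):
    """URL issued only after the reader passes the login or image test."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"/reveal?id={addr_id}&exp={expires}&sig={_sign(addr_id, expires)}"

def resolve(addr_id, exp, sig, now=None):
    """Return the real address, or None if the link is forged, expired or unknown."""
    now = int(now if now is not None else time.time())
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return None
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(_sign(addr_id, expires).encode(), str(sig).encode()):
        return None
    if now > expires:
        return None
    return ADDRESSES.get(addr_id)
```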
