PPRUNE MAIL SPAM


BEagle
18th Jun 2001, 18:38
When Danny introduced the welcome PPRuNe mail system, it was intended to be spam-free. So I was rather annoyed to have received spam from an organisation calling itself www.fl***************ing.com (http://www.fl***************ing.com) today. It also asked me to pass the e-mail on to ALL OTHER aviation interested people in my address book - which of course I didn't. Anyone else been bothered by these people?

(Edited to obscure the name of these haemorrhoids!!)

[This message has been edited by BEagle (edited 18 June 2001).]

Dave Incognito
18th Jun 2001, 18:45
Yeah, looks like most people with visible emails got the same thing.

Have a look at:

http://www.pprune.org/ubb/NonCGI/Forum57/HTML/001717.html

Have a good one, Dave.

------------------
Flying is easy - just throw yourself at the ground and miss.

New Bloke
18th Jun 2001, 18:53
Yup, me too and I haven't even got a PPRuNe.com hot mail account. I think it is if you show any e-mail acc in your profile.

Boss Raptor
18th Jun 2001, 18:59
Question is how did they get so many addresses, did they manually access every profile they could or...? (N.B. certainly not insinuating that Pprune handed them on)

ExSimGuy
18th Jun 2001, 19:05
I got one too - guess they check profiles as mine's a freeserve address!

Never mind, it was at least fairly relevant (though not perhaps for an Ex Sim Guy ! :) )

What really gets me is the plonkers that mail you offering you a "great mortgage deal" - only available in USA :mad: with loads of bandwidth-hogging HTML. I usually send it straight back with their own address a couple of dozen times in the "copy to" box

------------------
What goes around . . .
. . often lands better!

mutt
18th Jun 2001, 20:21
Guys, I also have a pprune email address but I don't show it in messages or my profile. I haven't gotten any spam messages to the account. So I guess that someone with a lot of patience is writing down any visible addresses.

Mutt.

Lucifer
18th Jun 2001, 21:06
On the advice of somebody else here, I put a dot after the .com on the visible page so it could not be detected as an e-mail address by a trawling programme or something of the like, so it says [email protected]., and I have not received one of these e-mails...yet. If it came from e-mail on the visible pages, it probably will not be the fault of the mail people.

Squawk 8888
18th Jun 2001, 22:46
I got one too. I plan to post their email address all over the usenet :)

------------------
Per dementia ad astra

Airbanda
18th Jun 2001, 23:52
Got this as well. Definitely pprune related as I make full use of demon's unlimited mailboxes. Guess if you're fly enough with programming you could open profiles or the e mail icon and copy open e's to a file - comments anyone?

Like the bit that says "please also forward this e-mail to all the flight-related contacts in your address book (though please avoid spamming anyone)" One for the Oxymoron collection.

Airbanda
Proud to be an Anorak.

[This message has been edited by Airbanda (edited 18 June 2001).]

Mr moto
19th Jun 2001, 00:12
It's just an ad but when you spend half an hour trying to get a new password because you've forgotten the old one to get into your post box, it's a bloody irritating ad!

Not that I expect the net to be full of people with impeccable morals but it's just irritating and now filed in my electronic rubbish bin!

Isn't technology wonderful?!

mainfrog2
19th Jun 2001, 00:31
An interesting little program available with Norton Systemworks checks your computer's security measures. Mostly okay but it did mention that my browser was pretty free and easy with my browsing history. (Then there was an advert for their firewall program so maybe that's the reason). Also e-mails are not very private or secure.

Capt PPRuNe
19th Jun 2001, 02:11
PPRuNe does not give out email addresses. Automatic spiders cannot get addresses from the Members list on this bulletin board. What someone has done is go individually from post to post and opened the profiles of those people who have their email address visible and copied and pasted it into their own mailing list.

Nothing I can do about that unfortunately. One of the down sides of the internet is the amount of spam you get. You should see mine!

------------------
Capt PPRuNe
aka Danny Fyne
The Professional Pilots RUmour NEtwork

stickyb
19th Jun 2001, 03:11
Danny, could you clarify your comment about spiders and members lists.

Although I haven't bothered to do it, it would be a fairly easy job to set up a script to go through looking at the profiles and harvesting e-mail addresses from them.

Although sites may not intentionally give out e-mail addresses, any page on the web that can be read can be scanned for an e-mail address, and thus harvested.

There is big money in harvesting and providing lists to advertisers. This site would be a safe bet for attracting members of above average income, etc, and so becomes a nice target for the harvesters.

Tricks like the extra dot after the dot com can sometimes save you lots of spam, but won't work with Danny's e-mail verification system.

[This message has been edited by stickyb (edited 18 June 2001).]

Capt PPRuNe
19th Jun 2001, 04:10
stickyb, if it's so easy please be my guest and have a go. The actual email address isn't stored in an html file so most spiders can't access them. They are actually scripts. Bit technical but the way email addresses are stored on the server is designed to prevent spiders accessing them.

Not impossible, probably, to try and trawl the published addresses but certainly not something that is automated very well. I am fairly sure these people have manually gone through the profiles of Users who have their email address publicly available.

I'm not happy about it but I don't think there's much I can do about it... for now.

------------------
Capt PPRuNe
aka Danny Fyne
The Professional Pilots RUmour NEtwork

Kiteflyer
19th Jun 2001, 07:12
Personally I LOVE the spam I am getting. I know EXACTLY where they got my e-mail address and as an anorak I just LOVE it when strange people send me mails asking me to sit in an aeroplane and get paid!!!

They cannot be harvesting E-mail addresses manually because I am as professional as a 3 week old pork sausage.

Yet they want me to fly!!!!!!


:)

Interesting note, my E-mail is not shown in my profile. I re-registered last December. Looks like the harvest was months ago. Maybe that is why some get the spam and the new registrees don't....


[This message has been edited by Kiteflyer (edited 19 June 2001).]

CrashDive
19th Jun 2001, 11:20
Ditto on what Danny said. The most logical way that a PPRuNee's email address could be obtained is via the 'show profile' option.

Somebody could indeed cut & paste the address from this screen into a list on another, or write / run a little program to sift out the single email address (this assumes that the address is visible, i.e. that a contributor has allowed their email address to be seen by all and sundry) from the HTML source.

If you're not sure what I mean then, if you're using MS-Explorer, click on BEagle's profile at the top of this page and in the new page that then appears click on drop-down menu items View / Source (at the top of the window), and then search within the HTML code for the string 'Current Email:'.

All this aside, just think there's probably some poor bugger out there wildly pointing and clicking at PPRuNe profiles, hoping the email address is visible, so that they can capture it into a list - it's really rather sad.

------------------
CrashDive

Administrator to The Professional Pilots RUmour NEtwork

May you live in interesting times !

Mad_Max_II
10th Dec 2001, 00:49
Yeah Right Capt PPRuNe, some pretty naive comments there!
If your email address is publicly available on this or any other forum then it is a piece of p1ss to write a spidering program which will extract it along with every other email address. No doubt this is what has been done in the above spamming incident.

Btw, I decided to take up the offer extended to stickyb

The program below is written in Visual Basic and will return EVERY single email address publicly available on the PPRuNe forum

Code deleted to prevent users from trying it out as it would only clog the server up and does not prove anything except that users who choose to leave their email address accessible can have them read by a bit of code and then have them used in spam. If you do not want your email address to be accessible by some code then select the option to keep it hidden in your profile.

[ 09 December 2001: Message edited by: Capt PPRuNe ]

Capt PPRuNe
10th Dec 2001, 01:11
Well, there must be some very sad people out there to have trawled up this old thread. If you had taken just a few minutes to read carefully what I said you wouldn't have had to spend six months figuring all this out and then wasting my and everyone else's time posting this in a thread that is going to be moved to the Computer & Internet forum! :rolleyes:

For your delectation I will repeat myself here and highlight the relevant bits: Not impossible, probably, to try and trawl the published addresses but certainly not something that is automated very well. I am fairly sure these people have manually gone through the profiles of Users who have their email address publicly available.

OK, so someone with your training can write a script that will trawl through every post, thread by thread and make a note of any email addresses that have been left available for public viewing. All users have the option in their profile to keep their email addresses private and there is no way you can write anything that will trawl for those private addresses.

A bit like someone trawling through a phone directory and noting all the addresses and numbers. No one on any website can guarantee that if someone leaves their email address visible no one will note it down and add it to a list.

As for your condescending, childish tone... there's a good boy, now go and play with your script somewhere else! :rolleyes:

lame
10th Dec 2001, 01:52
Really don't think you can blame PPRuNe/Danny.

IF that was the case then it would go out to everyone, I have not had that to my PPRuNe Mail OR my clearly displayed private email address, NOT that I really want it.. :rolleyes:

Mad_Max_II
10th Dec 2001, 02:18
Now wait just one minute!
Why don't you get down off your bloody high horse!
The point of the post was to let people know that their email addresses are susceptible to AUTOMATED harvesting and as a consequence SPAM.

Regarding your quote, which apparently I didn't bother to read, I DID read this!

"Automatic spiders cannot get addresses from the Members list on this bulletin board."

...and this

"What someone has done is go individually from post to post and opened the profiles of those people who have their email address visible and copied and pasted it into their own mailing list."

This is patently untrue and misleading, as I've shown. If your BB is susceptible to automated harvesting (Like most others!) why don't you just come out and say so?

It is obvious that many people are under the impression that they won't be spammed because, as you infer, it is too time-consuming/sad to manually cut and paste the addresses.

Now regarding the six Month old post comment, is it not yourself who constantly harps on about utilising old topics, rather than constantly starting new ones?

And as for condescending comments – The phrase about the pot calling the kettle black somehow springs to mind.

"stickyb, if it's so easy please be my guest and have a go"

hmmm....

CrashDive
10th Dec 2001, 02:53
Ok Mad_Max_II - I'm sure that you think that you're very clever in being able to do this, but to be honest any of us can do exactly what you're suggesting, and with far better results, by simply running some publicly available software / freeware - so it's not exactly rocket science old son.

Whilst we try very hard to make PPRuNe anonymous - which is one of its primary strengths - there's a limit to what we can do, given our technology & funds - but we're working on it.
E.g. Do you remember the cut and paste days of the early PPRuNe (i.e. five plus years ago) and how it was then - we can go back to that if you all wish ?!

Of course if you were really worried about PPRuNe security one would have hoped that you'd have discreetly contacted us and raised the above point (albeit that we already know about it) - however, a cynic might say, that you've really only done this as part of a self-serving-glorification of your actions and view point.

Ultimately, any PPRuNe account is as secure (anonymous) as its owner wishes it to be - and the fact that many have chosen to allow their email addresses to be visible (me included) should be no cause for concern, either for them, nor for you.

Ps. Can I please ask all genuine PPRuNer's to desist from running the above script against our server, the primary reason being that it does nothing more than tie up server bandwidth to provide nothing more than is already visible within many a contributor's profile.

Capt PPRuNe
10th Dec 2001, 02:56
OK, I apologise for my condescending tone but I still insist that no one can access someones email address if they have selected the option to keep it hidden from view in their profile.

Besides you writing a script there is also plenty of off the shelf software that anyone can buy that will download the whole website and then you can run other scripts which will trawl out users email addresses IF THEY ARE NOT HIDDEN IN THEIR PROFILE.

As in anything in life, if you elect to keep your phone number ex-directory then it is not published anywhere but if you give your number out then it is available to whoever you gave it to to do as they wish. On this website YOU DO NOT HAVE ACCESS TO THE MEMBERS EMAIL LIST! You only have access to the email addresses of those members who have elected NOT to keep their email address hidden! What is your problem with that? Where have we EVER said that HIDDEN email addresses are accessible? Nowhere and that is because they AREN'T. Can you understand that?

If anyone is worried about someone trawling this or any other website for their email address then go into your profile and select the option to keep your email address hidden. That way there is no way that any script can get your email address.

So, THERE IS NO WAY YOUR EMAIL ADDRESS CAN BE HARVESTED BY A SPIDER IF YOU HAVE SELECTED THE OPTION TO KEEP IT HIDDEN IN YOUR PROFILE SETTINGS. Of course people's email addresses will be susceptible to spam if they make it available just as their home addresses are susceptible to harvesting if their phone numbers are not ex-directory. I can't understand what else all the scaremongering is about?

The other thing is that now many people will want to try that script and will probably bog the server down and generally get up everybody else's noses. Thank you for that... NOT!

Just so it is absolutely clear for even the dimmest wit, IF YOUR EMAIL ADDRESS IS HIDDEN FROM VIEW USING THE OPTION IN YOUR PROFILE THEN IT CANNOT BE HARVESTED!

The origin of this thread was because someone thought that we were selling their email addresses and/or the website was not secure and we explained that that was not the case but you had to try and prove a point which you have not proven. All that has happened is that you have automated a way to get people's email addresses if they have chosen to make them accessible! Nothing new in that but to do so in public instead of trying to contact us privately with your concerns only shows that you are obviously out to create as much chaos for us. It is bad enough dealing with the day to day issues but you obviously need the self gratification of arguing a point that and scaring some people with old news.

Now, can this be dropped or do I have to make it easier to understand?

[ 09 December 2001: Message edited by: Capt PPRuNe ]

Mad_Max_II
10th Dec 2001, 21:58
In the usual tradition of pprune, a mountain has been very much made out of a molehill.
Most of the issues raised by Capt pprune and crashdive, I did not dispute or raise in the first instance and the rest I believe to be inaccurate and/or fudged.
Without wanting to turn this issue into a slagging match I would like to make a few comments.

1. My original post was intended to be informative, to answer the issues raised and to counter the inaccurate comments made by those whom I thought should know better. It was NOT intended to be in any way malicious or anti-pprune. I thought the subsequent comments made by crashdive and Capt PPRuNe to be entirely negative and indeed a little paranoid in nature.

2. I agree with what has been repeatedly stated at every opportunity by crashdive and Capt PPRuNe - Only publicly available email addresses can be harvested. The original point of my post, after all, was to get this message across. My reasoning was that at least PPRuNe members could then make an informed decision based on FACTS, rather than on what had been previously written, as to whether or not they wished to make their email address public.

3. I do not agree with the parallels drawn between publicly listed email addresses and telephone numbers. We all know that the issues at stake are of zero cost & time advertising using email (SPAM) and that the key difference between the telephone and email is that with email the recipient pays. Very few people receive unsolicited advertising telephone calls as a result of automated harvesting of telephone numbers, but when it comes to our email addresses, the opposite is in fact true.

4. My post was not meant to raise any security issues, as I have no reason to believe that the security of this forum is in jeopardy. Again, it was meant only to accurately inform. I did state in my email that pprune was no different than most other forums when it came to the issues raised.

5. Answering the hypothetical cynic's statement, that what I done was self-serving-glorification of my actions and view point, well let me just say that what I done was to write 15 lines of code, something which most 12 year olds with a bit of VB background could do in their sleep. It's hardly the pinnacle of computer science now is it?
I have absolutely nothing to gain or lose from anyone on this BB. Again, my only intention was to satisfy people’s curiosity as to how these email addresses are harvested.
Capt PPRuNe stated:
"Not impossible, probably, to try and trawl the published addresses but certainly not something that is automated very well."
A secondary purpose for my post was to show that the process is VERY EASILY automated, and I believe I demonstrated as much in the 15 lines of code posted.

6. As I've stated in the point above about the ease with which something like this can be written, might I suggest that out of the 46000 members of pprune, the number of those with this capability might be in the 000s. How many have actually run a similar program, discounting the spammers, who obviously don't need my help?
Although I don't necessarily disagree with your decision to remove the code, it is after all your board, I would like to point out that in my opinion, just because people can do something, doesn't mean they actually will. Maybe a little naive on my part, but in my book, it beats paranoia hands down.

Capt. PPRuNe you start your post apologising for being condescending, then continue with some extremely patronising comments against me, and my apparent lack of comprehension. I would ask that if you would not act with such rudeness face to face then please do not do so while hiding behind a bulletin board. I'm sure I speak for many when I say this.

Finally, getting back to the core of the issue, I think you should state in the member preference section, that email addresses made publicly available are susceptible to spam.

[ 10 December 2001: Message edited by: Mad_Max_II ]

4g_handicap
11th Dec 2001, 02:28
It is always nice to watch a fight. Once the fighting is over maybe we can get down to solving the problem. Why should I be worried about people here finding out my e-mail address? I want to hear from other Ppruners.
:rolleyes:

Anyway - maybe you boffins can help us lesser mortals with some advice on how to deal with spammers.

Is there a way I can get revenge and send them a load of junk that will fill their mailboxes or render them impotent. I have heard of mailbombs and the like. Are they legal? And where can I get one?

Any Ideas?
:confused:

25F
11th Dec 2001, 03:17
4g_handicap, you said:

"Is there a way I can get revenge and send them a load of junk that will fill their mailboxes or render them impotent."

The "From:" address is almost certainly false. Although the email headers contain information showing how the spam got from their machine to yours (I've put an example line down below) the spammers usually put in enough red herrings to make it more complicated than it already is. Also, they usually work by signing up for a free dial-up account and then using an "open relay" - in effect hijacking somebody else's machine to do the hard work of actually sending out the thousands of emails. Meanwhile the free dial-up account just gets thrown away.
http://www.claws-and-paws.com/spam-l/
and http://ddi.digital.net/~gandalf/spamfaq.html
both contain more information than you probably want to know...

Received: from fmr01.intel.com_[192.168.229.35] (253.dallas-09rh15rt-tx.dial-access.att.net [12.86.216.253]) by dns1.mce.co.jp (8.8.5/Netio-1.0) with SMTP id TAA26508; Mon, 10 Dec 2001 19:44:06 +0900
From: [email protected]
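Reading the quoted Received: line the way the post above describes, as an added example that is not part of the original post: it separates the name the sending machine claimed from the connecting host and address the receiving server recorded, and lists where they disagree. The parsing pattern, function names and finding labels are this example's own assumptions and fit sendmail-style lines like the one quoted.

```python
import ipaddress
import re

# The Received: line quoted in the post above, copied verbatim.
SAMPLE = ("Received: from fmr01.intel.com_[192.168.229.35] "
          "(253.dallas-09rh15rt-tx.dial-access.att.net [12.86.216.253]) "
          "by dns1.mce.co.jp (8.8.5/Netio-1.0) with SMTP id TAA26508; "
          "Mon, 10 Dec 2001 19:44:06 +0900")

# "from <claimed name> (<reverse DNS> [<peer IP>]) by <receiving host>"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE)


def _base_domain(host):
    # Naive comparison key: the last two labels (assumption: no public-suffix list).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_received(header):
    """Return the claimed and observed parts of one Received: line plus a
    list of inconsistencies, or None if the line does not parse."""
    header = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # unfold continuation lines
    m = RECEIVED_RE.match(header)
    if m is None:
        return None
    try:
        peer_ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    helo = m.group("helo")          # supplied by the sender, so untrusted
    rdns = m.group("rdns") or ""    # looked up by the receiving server
    helo_host = re.match(r"[A-Za-z0-9.-]*", helo).group(0)

    findings = []
    if helo_host and rdns and _base_domain(helo_host) != _base_domain(rdns):
        findings.append("helo-domain-differs-from-rdns")
    literal = re.search(r"\[([0-9a-fA-F.:]+)\]", helo)
    if literal:
        try:
            claimed_ip = ipaddress.ip_address(literal.group(1))
        except ValueError:
            claimed_ip = None
        if claimed_ip is not None:
            if claimed_ip.is_private:
                findings.append("helo-embeds-private-address")
            if claimed_ip != peer_ip:
                findings.append("helo-address-differs-from-peer")
    return {
        "claimed_helo": helo,
        "peer_rdns": rdns,
        "peer_ip": str(peer_ip),
        "received_by": m.group("by"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse_received(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the parenthesised host and address were written by the receiving server; the name before them is whatever the sending machine chose to announce.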

suction
11th Dec 2001, 04:03
4g_handicap - If your e-mail address has been added to someone's mailing list then it's a fair bet this won't be the last spam you'll receive. The best advice I can give is to use your e-mail software's capabilities to block the sender's address so as you don't get any more. Microsoft Outlook for instance gives you the capability to 'block' e-mail addresses and entire domains (the bit that comes after the @ symbol in the address). Not every e-mail client may have such facility, but if yours doesn't you could always consider using another e-mail client (if you had internet access through one provider and hence had their e-mail client software, there's usually no reason why another vendor's e-mail client couldn't be configured to access your existing e-mail provider). A good source of both freeware & shareware software is http://www.download.com - you might find suitable e-mail client software there if you don't have access to anything else. You might also find utilities to use in conjunction with your web browser that prevent those tiresome 'extra' windows opening up when you visit some folks' web sites (let me know if you find anything - I haven't had the chance to look myself).

Anything designed to clog up an e-mail system (and potentially damage the operating efficiency of a company) is likely (if not surely) to be classed illegal. Certainly the authors of the 'I luv u' mail virus can testify to that.

On this point, there is another doing the rounds at the moment. The message subject is 'HI' and it contains a file with a .SCR extension. If you open it then it forwards itself on to all the e-mail addresses stored locally (again - it's just designed to bring e-mail servers to their knees with the volume of traffic). Still cleaning this one up in my own company unfortunately - despite sticking notes on every blo@dy door, notice board and desk in the office !!!!!

Hope this helps

Suction

bblank
11th Dec 2001, 05:30
4g_handicap, suction is correct about not resorting to mailbombs. At the least you will lose your account. At worst you could be held liable for vast damages. However, I am not sure that filtering would be very useful. Most spammers hit and run, not using the same address twice. Also, they often forge addresses from large, respectable domains so blocking an entire domain is usually not practical. Most of the spam I receive has its payoff in the reply-to address. If the message appears to violate the terms of service of the provider of that reply-to account, then I forward the spam with full header to abuse@<fill_in_appropriately>. I state that the message *may* violate the provider's terms of service and request that they look into it. Also, your own ISP may be receptive to helping its clients fight spam (if only because it is the one that incurs the costs). If you look up your own terms of service you may find an address to which you can report spam. In some cases big ISPs have sued spammers for damages.

If the ISP of the spammer is as scummy as its client then I forward everything involved to the US Federal Trade Commission. The address is [email protected] They will not get involved in individual cases but they can influence eventual antispam lawmaking. Americans who want to check this out can start on the page http://www.ftc.gov/ and then click on the button "File a Complaint Online." That will bring up a page that tells you to forward the unsolicited commercial email or UCE to the email address given above. Other countries probably have their own remedies. So far I have seen absolutely no positive results from any efforts to fight spam. But, "all that is necessary for the triumph of evil ... "

stickyb
11th Dec 2001, 13:30
Without wanting to incur the wrath of the almighty (sorry Danny), it is worth making the point that I tried to make earlier.
Any publicly available page on the web that contains an e-mail address is open to having that address harvested by automated spiders, and the e-mail address added to spam lists.
There are actually people who make money out of selling e-mail addresses they have garnered in this way, and of course the addresses become more valuable if they can be linked to certain attributes - eg flying, or a love of it.
The moral is don't publish your e-mail address anywhere on the web if you don't want spam, and also don't forward interesting jokes or pictures with long lists of mail addresses on them.

Mad_Max_II
14th Dec 2001, 19:42
Since contributing to this topic (Although Danny might have a different word for it) I have had a little think about some measures which may be taken to thwart the spammers and the automatic harvesting of emails from this BB.

1. Danny switches off the email validation system, so that pprune users can add their own anti-spam additions to their publicly viewable email addresses Eg. madmax(remove)@pilot.pprune.org.

2. The makers of the UBB system (Infopop) program in measures similar to the anti flood system, whereby only one profile will be served to a single IP address in any given time scale -say one every 3 minutes.

3. When serving a profile page, instead of showing the plain text email address, the UBB system creates, on the fly, a graphical representation of the address. This would be just as easy for a human to read, but would be very difficult for a harvesting script to do so, without going down the (very complicated) OCR path.

Anyone got any more?

Btw. I have contacted infopop with the concerns raised within this topic, and with my proposed solutions. I'll let you know what they say.

lame
15th Dec 2001, 05:13
Well you have convinced me to at least make my email address NOT available on PPRuNe any longer....... :(

Mad_Max_II
16th Dec 2001, 02:10
Ok, to finish with this thread, I have been in touch with Charles Capps, a programmer with infopop and he has agreed to incorporate into the next version of UBB, the suggestion I made about serving only one profile page in any given time limit. This would cause severe difficulties to harvesting spiders, and I believe should prevent the problems discussed here.
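The per-address limit on profile pages proposed in this thread (one profile per IP address in a set interval, with three minutes suggested), as an added example that is not part of any post and is not Infopop's UBB code. The class and function names are hypothetical, and the request log is constructed using documentation-range addresses.

```python
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    retry_after: float  # seconds until the next profile may be served; 0 if allowed


class ProfileThrottle:
    """Serve at most one profile page per client address per interval."""

    def __init__(self, interval=180.0, clock=time.monotonic, max_entries=10000):
        self.interval = interval        # 180 s = the "one every 3 minutes" suggestion
        self.clock = clock              # injectable so the logic can be replayed offline
        self.max_entries = max_entries
        self._last_served = {}          # ip -> time the last profile was served

    def check(self, ip):
        now = self.clock()
        last = self._last_served.get(ip)
        if last is not None and now - last < self.interval:
            # Refused requests do not restart the wait, so a reader who
            # clicks twice by mistake is not penalised further.
            return Decision(False, self.interval - (now - last))
        if len(self._last_served) >= self.max_entries:
            self._prune(now)
        self._last_served[ip] = now
        return Decision(True, 0.0)

    def _prune(self, now):
        # Entries older than one interval can no longer cause a refusal.
        cutoff = now - self.interval
        self._last_served = {ip: t for ip, t in self._last_served.items()
                             if t > cutoff}


# Constructed log of (seconds, client address) profile requests:
# one reader opening three profiles a few minutes apart, and one
# automated client asking for a profile every 2 seconds for 10 minutes.
SAMPLE_LOG = sorted(
    [(0.0, "203.0.113.10"), (200.0, "203.0.113.10"), (420.0, "203.0.113.10")]
    + [(float(t), "198.51.100.7") for t in range(0, 600, 2)]
)


def replay(requests, interval=180.0):
    """Run a request log through the throttle; return (served, refused) counts per address."""
    now = [0.0]
    throttle = ProfileThrottle(interval, clock=lambda: now[0])
    served, refused = {}, {}
    for ts, ip in requests:
        now[0] = ts
        bucket = served if throttle.check(ip).allowed else refused
        bucket[ip] = bucket.get(ip, 0) + 1
    return served, refused


if __name__ == "__main__":
    served, refused = replay(SAMPLE_LOG)
    print("served: ", served)
    print("refused:", refused)
```

Readers who share one address, for example behind a proxy or NAT, share the same allowance, so the interval is a trade-off between inconvenience to them and the cost imposed on bulk collection.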