
PPRUNE MAIL SPAM

Old 10th Dec 2001, 02:53
  #21 (permalink)  
Moderator
 
Join Date: May 1998
Location: .
Posts: 250
Likes: 0
Received 0 Likes on 0 Posts
Post

Ok Mad_Max_II - I'm sure that you think that you're very clever in being able to do this, but to be honest any of us can do exactly what you're suggesting, and with far better results, by simply running some publicly available software / freeware - so it's not exactly rocket science old son.

Whilst we try very hard to make PPRuNe anonymous - which is one of its primary strengths - there's a limit to what we can do, given our technology & funds - but we're working on it.
E.g. Do you remember the cut and paste days of the early PPRuNe (i.e. five plus years ago) and how it was then - we can go back to that if you all wish ?!

Of course if you were really worried about PPRuNe security one would have hoped that you'd have discreetly contacted us and raised the above point (albeit that we already know about it) - however, a cynic might say, that you've really only done this as part of a self-serving-glorification of your actions and view point.

Ultimately, any PPRuNe account is as secure (anonymous) as its owner wishes it to be - and the fact that many have chosen to allow their email addresses to be visible (me included) should be no cause for concern, either for them, nor for you.

Ps. Can I please ask all genuine PPRuNers to desist from running the above script against our server, the primary reason being that it does nothing more than tie up server bandwidth to provide nothing more than is already visible within many a contributor's profile.
CrashDive is offline  
Old 10th Dec 2001, 02:56
  #22 (permalink)  

Chief PPRuNe Pilot
 
Join Date: May 1996
Location: UK
Age: 68
Posts: 16,687
Likes: 0
Received 2 Likes on 1 Post
Angry

OK, I apologise for my condescending tone but I still insist that no one can access someone's email address if they have selected the option to keep it hidden from view in their profile.

Besides you writing a script there is also plenty of off the shelf software that anyone can buy that will download the whole website and then you can run other scripts which will trawl out users email addresses IF THEY ARE NOT HIDDEN IN THEIR PROFILE.

As in anything in life, if you elect to keep your phone number ex-directory then it is not published anywhere but if you give your number out then it is available to whoever you gave it to to do as they wish. On this website YOU DO NOT HAVE ACCESS TO THE MEMBERS' EMAIL LIST! You only have access to the email addresses of those members who have elected NOT to keep their email address hidden! What is your problem with that? Where have we EVER said that HIDDEN email addresses are accessible? Nowhere and that is because they AREN'T. Can you understand that?

If anyone is worried about someone trawling this or any other website for their email address then go into your profile and select the option to keep your email address hidden. That way there is no way that any script can get your email address.

So, THERE IS NO WAY YOUR EMAIL ADDRESS CAN BE HARVESTED BY A SPIDER IF YOU HAVE SELECTED THE OPTION TO KEEP IT HIDDEN IN YOUR PROFILE SETTINGS. Of course people's email addresses will be susceptible to spam if they make it available just as their home addresses are susceptible to harvesting if their phone numbers are not ex-directory. I can't understand what else all the scaremongering is about?

The other thing is that now many people will want to try that script and will probably bog the server down and generally get up everybody else's noses. Thank you for that... NOT!

Just so it is absolutely clear for even the dimmest wit, IF YOUR EMAIL ADDRESS IS HIDDEN FROM VIEW USING THE OPTION IN YOUR PROFILE THEN IT CANNOT BE HARVESTED!

The origin of this thread was because someone thought that we were selling their email addresses and/or the website was not secure and we explained that that was not the case but you had to try and prove a point which you have not proven. All that has happened is that you have automated a way to get people's email addresses if they have chosen to make them accessible! Nothing new in that but to do so in public instead of trying to contact us privately with your concerns only shows that you are obviously out to create as much chaos for us. It is bad enough dealing with the day to day issues but you obviously need the self gratification of arguing a point that and scaring some people with old news.

Now, can this be dropped or do I have to make it easier to understand?

[ 09 December 2001: Message edited by: Capt PPRuNe ]
Capt PPRuNe is offline  
Old 10th Dec 2001, 21:58
  #23 (permalink)  
 
Join Date: Dec 2001
Location: United Kingdom
Posts: 5
Likes: 0
Received 0 Likes on 0 Posts
Post

In the usual tradition of pprune, a mountain has been very much made out of a molehill.
Most of the issues raised by Capt pprune and crashdive, I did not dispute or raise in the first instance and the rest I believe to be inaccurate and/or fudged.
Without wanting to turn this issue into a slagging match I would like to make a few comments.

1. My original post was intended to be informative, to answer the issues raised and to counter the inaccurate comments made by those whom I thought should know better. It was NOT intended to be in any way malicious or anti-pprune. I thought the subsequent comments made by crashdive and Capt PPRuNe to be entirely negative and indeed a little paranoid in nature.

2. I agree with what has been repeatedly stated at every opportunity by crashdive and Capt PPRuNe - Only publicly available email addresses can be harvested. The original point of my post, after all, was to get this message across. My reasoning was that at least PPRuNe members could then make an informed decision based on FACTS, rather than on what had been previously written, as to whether or not they wished to make their email address public.

3. I do not agree with the parallels drawn between publicly listed email addresses and telephone numbers. We all know that the issues at stake are of zero cost & time advertising using email (SPAM) and that the key difference between the telephone and email is that with email the recipient pays. Very few people receive unsolicited advertising telephone calls as a result of automated harvesting of telephone numbers, but when it comes to our email addresses, the opposite is in fact true.

4. My post was not meant to raise any security issues, as I have no reason to believe that the security of this forum is in jeopardy. Again, it was meant only to accurately inform. I did state in my email that pprune was no different than most other forums when it came to the issues raised.

5. Answering the hypothetical cynic's statement, that what I done was self-serving-glorification of my actions and view point, well let me just say that what I done was to write 15 lines of code, something which most 12 year olds with a bit of VB background could do in their sleep. It's hardly the pinnacle of computer science now is it?
I have absolutely nothing to gain or lose from anyone on this BB. Again, my only intention was to satisfy people’s curiosity as to how these email addresses are harvested.
Capt PPRuNe stated:
"Not impossible, probably, to try and trawl the published addresses but certainly not something that is automated very well."
A secondary purpose for my post was to show that the process is VERY EASILY automated, and I believe I demonstrated as much in the 15 lines of code posted.

6. As I've stated in the point above about the ease with which something like this can be written, might I suggest that out of the 46000 members of pprune, the number of those with this capability might be in the 000s. How many have actually run a similar program, discounting the spammers, who obviously don't need my help?
Although I don't necessarily disagree with your decision to remove the code, it is after all your board, I would like to point out that in my opinion, just because people can do something, doesn't mean they actually will. Maybe a little naive on my part, but in my book, it beats paranoia hands down.

Capt. PPRuNe you start your post apologising for being condescending, then continue with some extremely patronising comments against me, and my apparent lack of comprehension. I would ask that if you would not act with such rudeness face to face then please do not do so while hiding behind a bulletin board. I'm sure I speak for many when I say this.

Finally, getting back to the core of the issue, I think you should state in the member preference section, that email addresses made publicly available are susceptible to spam.

[ 10 December 2001: Message edited by: Mad_Max_II ]
Mad_Max_II is offline  
Old 11th Dec 2001, 02:28
  #24 (permalink)  
 
Join Date: Oct 2001
Location: Johannesburg
Posts: 91
Likes: 0
Received 0 Likes on 0 Posts
Question

It is always nice to watch a fight. Once the fighting is over maybe we can get down to solving the problem. Why should I be worried about people here finding out my e-mail address? I want to hear from other Ppruners.


Anyway - maybe you boffins can help us lesser mortals with some advice on how to deal with spammers.

Is there a way I can get revenge and send them a load of junk that will fill their mailboxes or render them impotent. I have heard of mailbombs and the like. Are they legal? and where can I get one.

Any Ideas?
4g_handicap is offline  
Old 11th Dec 2001, 03:17
  #25 (permalink)  
25F
 
Join Date: Mar 2000
Posts: 350
Likes: 0
Received 6 Likes on 6 Posts
Post

4g_handicap, you said:

"Is there a way I can get revenge and send them a load of junk that will fill their mailboxes or render them impotent."

The "From:" address is almost certainly false. Although the email headers contain information showing how the spam got from their machine to yours (I've put an example line down below) the spammers usually put in enough red herrings to make it more complicated than it already is. Also, they usually work by signing up for a free dial-up account and then using an "open relay" - in effect hijacking somebody else's machine to do the hard work of actually sending out the thousands of emails. Meanwhile the free dial-up account just gets thrown away.
http://www.claws-and-paws.com/spam-l/
and http://ddi.digital.net/~gandalf/spamfaq.html
both contain more information than you probably want to know...

Received: from fmr01.intel.com_[192.168.229.35] (253.dallas-09rh15rt-tx.dial-access.att.net [12.86.216.253]) by dns1.mce.co.jp (8.8.5/Netio-1.0) with SMTP id TAA26508; Mon, 10 Dec 2001 19:44:06 +0900
From: [email protected]
25F is offline  
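An added example, not part of 25F's post: reading the Received line quoted above the way a mail admin would. The name straight after "from" is whatever the sending machine claimed in its greeting; the name and address in parentheses were recorded by the receiving server (dns1.mce.co.jp) from the actual connection. The function names and the three heuristics are assumptions made for this illustration, and only a hop written by a server you trust can be relied on.

```python
import ipaddress
import re

# The Received line quoted in the post above, unfolded onto one line.
RECEIVED = ("from fmr01.intel.com_[192.168.229.35] "
            "(253.dallas-09rh15rt-tx.dial-access.att.net [12.86.216.253]) "
            "by dns1.mce.co.jp (8.8.5/Netio-1.0) with SMTP id TAA26508; "
            "Mon, 10 Dec 2001 19:44:06 +0900")

# from <claimed greeting> (<reverse DNS> [<connecting IP>]) by <receiving host>
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+"
                 r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+"
                 r"by\s+(?P<by>\S+)")

def parse_received(value):
    """Split one Received value into claimed and observed parts, or None."""
    m = HOP.search(value)
    if not m:
        return None
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or ""
    try:
        ipaddress.ip_address(hop["ip"])
    except ValueError:
        return None
    return hop

def assess(hop):
    """Return heuristic findings (illustrative labels, not a standard)."""
    findings = []
    helo, rdns = hop["helo"].lower(), hop["rdns"].lower()
    claimed = re.split(r"[\[_]", helo)[0].strip(".")
    tail = lambda name: ".".join(name.split(".")[-2:])  # crude: last two labels
    if claimed and rdns and tail(claimed) != tail(rdns):
        findings.append("helo_mismatch")         # greeting names another domain
    literal = re.search(r"\[([0-9.]+)\]", helo)
    if literal:
        try:
            addr = ipaddress.ip_address(literal.group(1))
            if addr.is_private and addr != ipaddress.ip_address(hop["ip"]):
                findings.append("helo_literal_private")  # decoy address in greeting
        except ValueError:
            findings.append("helo_literal_invalid")
    if "dial" in rdns:
        findings.append("dialup_rdns")           # looks like a dial-up pool
    return findings

if __name__ == "__main__":
    hop = parse_received(RECEIVED)
    print(hop["ip"], "->", hop["by"], assess(hop))
```

The address worth reporting to an abuse desk is the bracketed one the receiving server recorded, not anything in the greeting or the From: line.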
Old 11th Dec 2001, 04:03
  #26 (permalink)  
 
Join Date: Nov 2001
Location: EGLD
Posts: 41
Likes: 0
Received 0 Likes on 0 Posts
Post

4g_handicap - If your e-mail address has been added to someone's mailing list then it's a fair bet this won't be the last spam you'll receive. The best advice I can give is to use your e-mail software's capabilities to block the sender's address so as you don't get any more. Microsoft Outlook for instance gives you the capability to 'block' e-mail addresses and entire domains (the bit that comes after the @ symbol in the address). Not every e-mail client may have such facility, but if yours doesn't you could always consider using another e-mail client (if you had internet access through one provider and hence had their e-mail client software, there's usually no reason why another vendor's e-mail client couldn't be configured to access your existing e-mail provider). A good source of both freeware & shareware software is http://www.download.com - you might find suitable e-mail client software there if you don't have access to anything else. You might also find utilities to use in conjunction with your web browser that prevent those tiresome 'extra' windows opening up when you visit some folks' web sites (let me know if you find anything - I haven't had the chance to look myself).

Anything designed to clog up an e-mail system (and potentially damage the operating efficiency of a company) is likely (if not surely) to be classed illegal. Certainly the authors of the 'I luv u' mail virus can testify to that.

On this point, there is another doing the rounds at the moment. The message subject is 'HI' and it contains a file with a .SCR extension. If you open it then it forwards itself on to all the e-mail addresses stored locally (again - it's just designed to bring e-mail servers to their knees with the volume of traffic). Still cleaning this one up in my own company unfortunately - despite sticking notes on every blo@dy door, notice board and desk in the office !!!!!

Hope this helps

Suction
suction is offline  
Old 11th Dec 2001, 05:30
  #27 (permalink)  
 
Join Date: Dec 2001
Location: STL
Posts: 140
Likes: 0
Received 0 Likes on 0 Posts
Post

4g_handicap, suction is correct about not resorting to mailbombs. At the least you will lose your account. At worst you could be held liable for vast damages. However, I am not sure that filtering would be very useful. Most spammers hit and run, not using the same address twice. Also, they often forge addresses from large, respectable domains so blocking an entire domain is usually not practical. Most of the spam I receive has its payoff in the reply-to address. If the message appears to violate the terms of service of the provider of that reply-to account, then I forward the spam with full header to abuse@<fill_in_appropriately>. I state that the message *may* violate the provider's terms of service and request that they look into it. Also, your own ISP may be receptive to helping its clients fight spam (if only because it is the one that incurs the costs). If you look up your own terms of service you may find an address to which you can report spam. In some cases big ISPs have sued spammers for damages.

If the ISP of the spammer is as scummy as its client then I forward everything involved to the US Federal Trade Commission. The address is [email protected] They will not get involved in individual cases but they can influence eventual antispam lawmaking. Americans who want to check this out can start on the page http://www.ftc.gov/ and then click on the button "File a Complaint Online." That will bring up a page that tells you to forward the unsolicited commercial email or UCE to the email address given above. Other countries probably have their own remedies. So far I have seen absolutely no positive results from any efforts to fight spam. But, "all that is necessary for the triumph of evil ... "
bblank is offline  
Old 11th Dec 2001, 13:30
  #28 (permalink)  
 
Join Date: Feb 2000
Location: asia
Posts: 542
Likes: 0
Received 0 Likes on 0 Posts
Thumbs down

Without wanting to incur the wrath of the almighty (sorry Danny), it is worth making the point that I tried to make earlier.
Any publicly available page on the web that contains an e-mail address is open to having that address harvested by automated spiders, and the e-mail address added to spam lists.
There are actually people who make money out of selling e-mail addresses they have garnered in this way, and of course the addresses become more valuable if they can be linked to certain attributes - eg flying, or a love of it.
The moral is don't publish your e-mail address anywhere on the web if you don't want spam, and also don't forward interesting jokes or pictures with long lists of mail addresses on them.
stickyb is offline  
Old 14th Dec 2001, 19:42
  #29 (permalink)  
 
Join Date: Dec 2001
Location: United Kingdom
Posts: 5
Likes: 0
Received 0 Likes on 0 Posts
Post

Since contributing to this topic (Although Danny might have a different word for it) I have had a little think about some measures which may be taken to thwart the spammers and the automatic harvesting of emails from this BB.

1. Danny switches off the email validation system, so that pprune users can add their own anti-spam additions to their publicly viewable email addresses Eg. madmax(remove)@pilot.pprune.org.

2. The makers of the UBB system (Infopop) program in measures similar to the anti flood system, whereby only one profile will be served to a single IP address in any given time scale - say one every 3 minutes.

3. When serving a profile page, instead of showing the plain text email address, the UBB system creates, on the fly, a graphical representation of the address. This would be just as easy for a human to read, but would be very difficult for a harvesting script to do so, without going down the (very complicated) OCR path.

Anyone got any more?

Btw. I have contacted infopop with the concerns raised within this topic, and with my proposed solutions. I'll let you know what they say.
Mad_Max_II is offline  
Old 15th Dec 2001, 05:13
  #30 (permalink)  
lame
Guest
 
Posts: n/a
Unhappy

Well you have convinced me to at least make my email address NOT available on PPRuNe any longer.......
 
Old 16th Dec 2001, 02:10
  #31 (permalink)  
 
Join Date: Dec 2001
Location: United Kingdom
Posts: 5
Likes: 0
Received 0 Likes on 0 Posts
Post

Ok, to finish with this thread, I have been in touch with Charles Capps, a programmer with infopop and he has agreed to incorporate into the next version of UBB, the suggestion I made about serving only one profile page in any given time limit. This would cause severe difficulties to harvesting spiders, and I believe should prevent the problems discussed here.
Mad_Max_II is offline  
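An added sketch, not UBB or Infopop code and not from any poster in this thread, of the measure proposed in post #29 (point 2) and confirmed in post #31: serve at most one profile page per client IP in a fixed window, here the 3 minutes suggested. The class name, the table-size cap and the constructed request trace are assumptions for illustration.

```python
import time

class ProfileThrottle:
    """Serve at most one profile page per client IP per `window` seconds."""

    def __init__(self, window=180.0, max_entries=100_000, clock=time.monotonic):
        self.window = window
        self.max_entries = max_entries   # assumed cap so the table stays bounded
        self.clock = clock               # injectable so the logic can be tested
        self._last = {}                  # client IP -> time a profile was last served

    def _prune(self, now):
        # Forget clients whose window has already expired.
        cutoff = now - self.window
        for ip in [ip for ip, t in self._last.items() if t <= cutoff]:
            del self._last[ip]

    def allow(self, ip):
        """Return (allowed, seconds_until_next_allowed)."""
        now = self.clock()
        last = self._last.get(ip)
        if last is not None and now - last < self.window:
            # A refused request does not restart the window.
            return False, self.window - (now - last)
        if len(self._last) >= self.max_entries:
            self._prune(now)
            if len(self._last) >= self.max_entries:
                return False, self.window   # table full: refuse rather than forget
        self._last[ip] = now
        return True, 0.0

def simulate(requests, window=180.0):
    """Replay (seconds, ip) pairs and return the allow/deny decision for each."""
    now = [0.0]
    throttle = ProfileThrottle(window=window, clock=lambda: now[0])
    decisions = []
    for seconds, ip in requests:
        now[0] = float(seconds)
        decisions.append(throttle.allow(ip)[0])
    return decisions

# Constructed trace: one client requesting profiles back to back, one ordinary reader.
TRACE = [(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
         (60, "203.0.113.20"), (179, "198.51.100.7"), (180, "198.51.100.7"),
         (200, "203.0.113.20")]

if __name__ == "__main__":
    for (seconds, ip), ok in zip(TRACE, simulate(TRACE)):
        print(f"t={seconds:>3}s {ip:<14} {'served' if ok else 'refused'}")
```

A refused request would normally get an HTTP 429 or a "please wait" page; the limit slows bulk collection from one address but does not make a publicly shown email address private.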
