On Fri, 2006-04-21 at 17:27 -0400, Rich Kulawiec wrote:
There are a couple of other small points I'd like to add.
Why not keep them on list so everyone can share in your thoughts? You have no need to preach this to me as I realize if you use a public list you give up your right to privacy, as far as your email address is concerned.
First is that spammers have long since figured out that subscribing to lots and lots of mailing lists and harvesting every address in every message is a reasonably good way to populate their databases. So while at one point in time, protecting web-based archives of lists probably made sense...it doesn't any more *except* for small lists where subscriptions are individually vetted and so there is thus some decent chance of preventing spammers from subscribing.
[ As an aside, this is also why Google's attempt to "protect" its Usenet archives is a complete waste of resources. Spammers already have newsfeeds. They've had them for years. ]
Second is that spammers have more recently figured out that installing code to collect all addresses found in any file (notably mail messages, but really, *any* file) on hijacked Windows boxes is a worthwhile exercise. We're into the gray area between spam, worms, and spyware here, but the gist is that since there is money to be made by gathering such addresses and selling them, people are doing it.
So...are you *certain* that every single person you sent mail to today is using a known-not-infected system? How about the mail server(s) that your message traversed? And even if the answer to both questions is "yes", how do you know that all of those will STAY uninfected -- since of course a copy of your message may well be sitting there, ready to be perused, when one of those systems succumbs to the Windows-malware-o'-the-day on next Thursday?
The bottom line is this: it is no longer possible to prevent a "used" address, that is, an email address which is used for everyday things, from falling into the hands of spammers. Special-purpose addresses? Sure, especially if you run your own mail server and turn things like VRFY and EXPN off. But ordinary run-of-the-mill addresses will find their way to spammers sooner or later, at which point they become commodities to be bought/sold/traded and the game is over.
I'm *not* suggesting that any of this is A Good Thing. It's not. I'm just saying that it's probably realistic to presume that the spammers already or will soon possess any email address in use and to plan defenses accordingly.
---Rsk
-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998