From: ua2y-rti1@HIDDEN
To: submit <at> debbugs.gnu.org
Subject: bug#14811: Debbugs <at> spam countermeasure inadequate
Date: Sun, 07 Jul 2013 09:50:35 -0400

Package: debbugs.gnu.org

On 2013 April 22 I filed an emacs bug using an email address
specifically generated for that purpose and used for nothing else.

On 2013 May 18 I started receiving spam messages on that email
address. The most likely explanation is that an email address
harvester is overcoming the <at> countermeasure.

From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: ua2y-rti1@HIDDEN
Subject: bug#14811: Acknowledgement (Debbugs <at> spam countermeasure inadequate)
Date: Sun, 07 Jul 2013 13:50:03 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 help-debbugs@HIDDEN

If you wish to submit further information on this problem, please
send it to 14811 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
14811: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=14811
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

From: Glenn Morris <rgm@HIDDEN>
To: <control <at> debbugs.gnu.org>
Subject: control message for bug 14811
Date: Sun, 07 Jul 2013 13:28:27 -0400

merge 13194 14811

From: Glenn Morris <rgm@HIDDEN>
To: ua2y-rti1@HIDDEN
Cc: 14811 <at> debbugs.gnu.org
Subject: bug#14811: Debbugs <at> spam countermeasure inadequate
Date: Sun, 07 Jul 2013 20:27:39 -0400

ua2y-rti1@HIDDEN wrote:

> On 2013 April 22 I filed an emacs bug using an email address
> specifically generated for that purpose and used for nothing else.
>
> On 2013 May 18 I started receiving spam messages on that email
> address. The most likely explanation is that an email address
> harvester is overcoming the <at> countermeasure.

I can mainly repeat my comments from
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13194

I'm sympathetic. I don't like spam, and we should certainly not make it
totally trivial to harvest addresses (like bugs.debian.org does), but I
feel that in this day and age everyone has to expect some spam and have
a method for dealing with it.

Based on the data I mention in bug#13194, it feels to me like the simple
"at" solution we have in place eliminates say ~ 99% of the spam (this is
a qualitative feeling).

Emacs bug reports appear on several other sites that are not under our
control, and further obscuring debbugs.gnu.org will have zero impact on
them. For example, the gnu.emacs.bugs newsgroup (how I wish it would go
away), and gmane.org, which uses the same <at> mechanism.

So no matter what we do on debbugs.gnu.org, we cannot promise that
reporting an Emacs bug will never lead to you getting a spam email.
Sorry.

If you want to do an experiment, make another totally new address and
use it to send mail to 14811-quiet <at> debbugs.gnu.org. This should not
get sent on to any other site. Then wait and see if that new address
gets spam.

I don't mind tweaking the obscuration method if someone has a
suggestion, but I doubt it will make much difference, for the reasons I
mention above.

From: Bob Proulx <bob@HIDDEN>
To: 14811 <at> debbugs.gnu.org
Cc: ua2y-rti1@HIDDEN
Subject: bug#14811: Debbugs <at> spam countermeasure inadequate
Date: Fri, 19 Jul 2013 18:44:08 -0600

Glenn Morris wrote:
> ua2y-rti1@HIDDEN wrote:
> > On 2013 April 22 I filed an emacs bug using an email address
> > specifically generated for that purpose and used for nothing else.

I don't see the usefulness of using fingerprinted email addresses when
sending messages out to the world. Because out of the thousands of
potential readers of the message all it takes is one of them to be
reading the message on a virus infected system. At that point the
email address is very likely to be used by the spammer driving the
botnet behind the virus.

> > On 2013 May 18 I started receiving spam messages on that email
> > address. The most likely explanation is that an email address
> > harvester is overcoming the <at> countermeasure.

Or that your email was read by someone on a virus infected MS-Windows
computer system and the virus harvested your address.

> I'm sympathetic. I don't like spam, and we should certainly not make it
> totally trivial to harvest addresses (like bugs.debian.org does), but I
> feel that in this day and age everyone has to expect some spam and have
> a method for dealing with it.

I agree. I wanted to add a few thoughts.

I think it is unreasonable to expect that email may be sent and that
the sender's email address will never be known. Once you send an
email then there are so many things that can happen to cause the
sending email address to become known. Like the virus example. But
that is simply one of many possibilities. Genies are easy to let out
of the bottle but quite hard to put back in them.

Also it is impossible for a free(dom) software project to operate
without transparency. And that very transparency requires that email
addresses will be seen somewhere along the way. It isn't possible to
keep something secret when the very basis of the project is that it is
available to the community to contribute. Community projects operate
in a public setting. Anything else would be a completely different
thing.

Someone will suggest going to a very closed web based bug tracking
system. That has been tried. But it has its own set of negatives
associated with it. That is why the email based debbugs is so
attractive.

> Emacs bug reports appear on several other sites that are not under our
> control, and further obscuring debbugs.gnu.org will have zero impact on
> them. For example, the gnu.emacs.bugs newsgroup (how I wish it would go
> away), and gmane.org, which uses the same <at> mechanism.

I also wish the newsgroup gateway would go away. I really wish it had
never been implemented.

> So no matter what we do on debbugs.gnu.org, we cannot promise that
> reporting an Emacs bug will never lead to you getting a spam email.
> Sorry.

And the same thing for sending to any mailing list under the gnu.org
umbrella. It just isn't possible.

Bob

From: Glenn Morris <rgm@HIDDEN>
To: Bob Proulx <bob@HIDDEN>
Cc: ua2y-rti1@HIDDEN, 14811 <at> debbugs.gnu.org
Subject: bug#14811: Debbugs <at> spam countermeasure inadequate
Date: Thu, 25 Jul 2013 12:55:55 -0400

I've now fully removed the (non debbugs.gnu.org) email addresses on the
_static_ bug web-pages (eg http://debbugs.gnu.org/db/14/14811.html).
These are the only pages that get indexed by search engines.

BTW, a study that one person did (admittedly, it's 5 years old now)
suggests that methods like " <at> " were >~ 99% effective at the time:

http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/

Personally, I think it still strikes the right balance between
inconveniencing legitimate users and spam harvesters.

I am considering inserting a "debbugs-remove" component (or somesuch) to
all non-debbugs addresses on the dynamic (ie, cgi) bug web pages, but am
not sure it is worth the effort. Those pages are not indexed by search
engines, and they contain links to the mbox files, which I am absolutely
not going to obfuscate.

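The two address forms visible in this log (`local@HIDDEN` for outside addresses, `local <at> debbugs.gnu.org` for the tracker's own) can be produced by a rewrite pass like the one below. This is an added example, not part of the thread and not debbugs' own code; the function names, the regular expression and the sample message are constructed for illustration.

```python
import re

# Assumption: the tracker's own domain, taken from the addresses on this page.
TRACKER_DOMAIN = "debbugs.gnu.org"

# Deliberately loose matcher: local part, "@", dotted domain. It also catches
# Message-IDs such as <id@host>, which would otherwise leak the sender's host.
ADDRESS = re.compile(r"([A-Za-z0-9._%+'-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

# Constructed sample message (example.org is a reserved documentation domain).
SAMPLE = """\
From: Example Reporter <reporter@example.org>
To: 14811@debbugs.gnu.org
Message-ID: <abc123@mail.example.org>
Please reply to reporter@example.org or 14811-quiet@debbugs.gnu.org.
"""


def redact_address(match):
    """Rewrite one matched address according to who owns its domain."""
    local, domain = match.group(1), match.group(2).lower()
    if domain == TRACKER_DOMAIN or domain.endswith("." + TRACKER_DOMAIN):
        # Tracker addresses must stay usable by a human reader. This form is
        # still mechanically reversible, so it is used only for them.
        return f"{local} <at> {domain}"
    # Third-party addresses: the domain is dropped, so nothing left on the
    # page can be turned back into a deliverable address.
    return f"{local}@HIDDEN"


def redact_for_static_page(text):
    """Return text with every address rewritten by redact_address."""
    return ADDRESS.sub(redact_address, text)


def leaked_addresses(text):
    """Audit helper: list addresses that are still deliverable as written."""
    return [m.group(0) for m in ADDRESS.finditer(text)]


if __name__ == "__main__":
    page = redact_for_static_page(SAMPLE)
    print(page)
    print("still deliverable:", leaked_addresses(page))
```

Running `leaked_addresses` over the rendered output is a cheap regression check for a page generator: any non-empty result means an address reached the page unredacted.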
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.