GNU bug report logs - #14811
Debbugs <at> spam countermeasure inadequate

Message received at 14811 <at> debbugs.gnu.org:

Received: (at 14811) by debbugs.gnu.org; 25 Jul 2013 16:56:03 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jul 25 12:56:03 2013
Received: from localhost ([127.0.0.1]:49446 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1V2Opd-0008MF-8f
	for submit <at> debbugs.gnu.org; Thu, 25 Jul 2013 12:56:02 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:39753 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1V2OpZ-0008Lt-BV
 for 14811 <at> debbugs.gnu.org; Thu, 25 Jul 2013 12:55:58 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1V2OpX-0000EA-Ky; Thu, 25 Jul 2013 12:55:55 -0400
From: Glenn Morris <rgm@HIDDEN>
To: Bob Proulx <bob@HIDDEN>
Subject: Re: bug#14811: Debbugs <at> spam countermeasure inadequate
References: <E1UvpLO-0007xy-AE <at> debbugs.gnu.org>
 <aq4nc53ngk.fsf@HIDDEN>
 <20130720004408.GA17988@HIDDEN>
X-Spook: insurgency John Kerry bomb North Korea Centro
X-Ran: F7(&W'vR*qy1>Wf#fnY5T`phGX~.IYO=u%"_V#SAF<cc0<yuf?5>@2,mMwU=xE4c5b#5A6
X-Hue: red
X-Attribution: GM
Date: Thu, 25 Jul 2013 12:55:55 -0400
In-Reply-To: <20130720004408.GA17988@HIDDEN> (Bob Proulx's
 message of "Fri, 19 Jul 2013 18:44:08 -0600")
Message-ID: <s31u6mr338.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 14811
Cc: ua2y-rti1@HIDDEN, 14811 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)


I've now fully removed the (non debbugs.gnu.org) email addresses on
the _static_ bug web-pages (eg http://debbugs.gnu.org/db/14/14811.html).
These are the only pages that get indexed by search engines.

BTW, a study that one person did (admittedly, it's 5 years old now)
suggests that methods like " <at> " were >~ 99% effective at the time:

http://techblog.tilllate.com/2008/07/20/ten-methods-to-obfuscate-e-mail-addresses-compared/

Personally, I think it still strikes the right balance between
inconveniencing legitimate users and spam harvesters.

I am considering inserting a "debbugs-remove" component (or somesuch) to
all non-debbugs addresses on the dynamic (ie, cgi) bug web pages, but am
not sure it is worth the effort. Those pages are not indexed by search
engines, and they contain links to the mbox files, which I am absolutely
not going to obfuscate.

Message received at 14811 <at> debbugs.gnu.org:

Received: (at 14811) by debbugs.gnu.org; 20 Jul 2013 00:44:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jul 19 20:44:15 2013
Received: from localhost ([127.0.0.1]:38513 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1V0LHT-0001T9-EG
	for submit <at> debbugs.gnu.org; Fri, 19 Jul 2013 20:44:15 -0400
Received: from joseki.proulx.com ([216.17.153.58]:60470)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <bob@HIDDEN>) id 1V0LHQ-0001Sr-H3
 for 14811 <at> debbugs.gnu.org; Fri, 19 Jul 2013 20:44:13 -0400
Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119])
 by joseki.proulx.com (Postfix) with ESMTP id 19BCD211D5;
 Fri, 19 Jul 2013 18:44:09 -0600 (MDT)
Received: by hysteria.proulx.com (Postfix, from userid 1000)
 id E1BB42DCE8; Fri, 19 Jul 2013 18:44:08 -0600 (MDT)
Date: Fri, 19 Jul 2013 18:44:08 -0600
From: Bob Proulx <bob@HIDDEN>
To: 14811 <at> debbugs.gnu.org
Subject: Re: bug#14811: Debbugs <at> spam countermeasure inadequate
Message-ID: <20130720004408.GA17988@HIDDEN>
References: <E1UvpLO-0007xy-AE <at> debbugs.gnu.org>
 <aq4nc53ngk.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aq4nc53ngk.fsf@HIDDEN>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Spam-Score: -0.4 (/)
X-Debbugs-Envelope-To: 14811
Cc: ua2y-rti1@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.4 (/)

Glenn Morris wrote:
> ua2y-rti1@HIDDEN wrote:
> > On 2013 April 22 I filed an emacs bug using an email address
> > specifically generated for that purpose and used for nothing else.

I don't see the usefulness of using fingerprinted email addresses when
sending messages out to the world.  Because out of the thousands of
potential readers of the message all it takes is one of them to be
reading the message on a virus infected system.  At that point the
email address is very likely to be used by the spammer driving the
botnet behind the virus.

> > On 2013 May 18 I started receiving spam messages on that email
> > address. The most likely explanation is that an email address
> > harvester is overcoming the <at> countermeasure.

Or that your email was read by someone on a virus infected MS-Windows
computer system and the virus harvested your address.

> I'm sympathetic. I don't like spam, and we should certainly not make it
> totally trivial to harvest addresses (like bugs.debian.org does), but I
> feel that in this day and age everyone has to expect some spam and have
> a method for dealing with it.

I agree.  I wanted to add a few thoughts.

I think it is unreasonable to expect that email may be sent and that
the sender's email address will never be known.  Once you send an
email then there are so many things that can happen to cause the
sending email address to become known.  Like the virus example.  But
that is simply one of many possibilities.  Genies are easy to let out
of the bottle but quite hard to put back in them.

Also it is impossible for a free(dom) software project to operate
without transparency.  And that very transparency requires that email
addresses will be seen somewhere along the way.  It isn't possible to
keep something secret when the very basis of the project is that it is
available to the community to contribute.  Community projects operate
in a public setting.  Anything else would be a completely different
thing.

Someone will suggest going to a very closed web based bug tracking
system.  That has been tried.  But it has its own set of negatives
associated with it.  That is why the email based debbugs is so
attractive.

> Emacs bug reports appear on several other sites that are not under our
> control, and further obscuring debbugs.gnu.org will have zero impact on
> them. For example, the gnu.emacs.bugs newsgroup (how I wish it would go
> away), and gmane.org, which uses the same <at> mechanism.

I also wish the newsgroup gateway would go away.  I really wish it had
never been implemented.

> So no matter what we do on debbugs.gnu.org, we cannot promise that
> reporting an Emacs bug will never lead to you getting a spam email.
> Sorry.

And the same thing for sending to any mailing list under the gnu.org
umbrella.  It just isn't possible.

Bob

Message received at 14811 <at> debbugs.gnu.org:

Received: (at 14811) by debbugs.gnu.org; 8 Jul 2013 00:27:43 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 07 20:27:43 2013
Received: from localhost ([127.0.0.1]:38051 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1UvzIs-0005Zi-Ko
	for submit <at> debbugs.gnu.org; Sun, 07 Jul 2013 20:27:43 -0400
Received: from fencepost.gnu.org ([208.118.235.10]:48632 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1UvzIq-0005Zb-Tl
 for 14811 <at> debbugs.gnu.org; Sun, 07 Jul 2013 20:27:41 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1UvzIp-0002wY-7L; Sun, 07 Jul 2013 20:27:39 -0400
From: Glenn Morris <rgm@HIDDEN>
To: ua2y-rti1@HIDDEN
Subject: Re: bug#14811: Debbugs <at> spam countermeasure inadequate
References: <E1UvpLO-0007xy-AE <at> debbugs.gnu.org>
X-Spook: Verisign bank credit card industrial espionage event
X-Ran: P_'V`cO\##pBukaXh.bI$lrG^H"rJV%>G[2N3gc{Xr/RFe87QhwvS1mZR!4;[%&R09T3o@
X-Hue: blue
X-Attribution: GM
Date: Sun, 07 Jul 2013 20:27:39 -0400
In-Reply-To: <E1UvpLO-0007xy-AE <at> debbugs.gnu.org> (ua2y-rti1@HIDDEN's
 message of "Sun, 07 Jul 2013 09:50:35 -0400")
Message-ID: <aq4nc53ngk.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.3 (-----)
X-Debbugs-Envelope-To: 14811
Cc: 14811 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.3 (-----)

ua2y-rti1@HIDDEN wrote:

> On 2013 April 22 I filed an emacs bug using an email address
> specifically generated for that purpose and used for nothing else.
>
> On 2013 May 18 I started receiving spam messages on that email
> address. The most likely explanation is that an email address
> harvester is overcoming the <at> countermeasure.

I can mainly repeat my comments from

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13194

I'm sympathetic. I don't like spam, and we should certainly not make it
totally trivial to harvest addresses (like bugs.debian.org does), but I
feel that in this day and age everyone has to expect some spam and have
a method for dealing with it. Based on the data I mention in bug#13194,
it feels to me like the simple "at" solution we have in place eliminates
say ~ 99% of the spam (this is a qualitative feeling).

Emacs bug reports appear on several other sites that are not under our
control, and further obscuring debbugs.gnu.org will have zero impact on
them. For example, the gnu.emacs.bugs newsgroup (how I wish it would go
away), and gmane.org, which uses the same <at> mechanism.

So no matter what we do on debbugs.gnu.org, we cannot promise that
reporting an Emacs bug will never lead to you getting a spam email.
Sorry.

If you want to do an experiment, make another totally new address and
use it to send mail to 14811-quiet <at> debbugs.gnu.org. This should not get
sent on to any other site. Then wait and see if that new address gets
spam.

I don't mind tweaking the obscuration method if someone has a
suggestion, but I doubt it will make much difference, for the reasons I
mention above.

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 7 Jul 2013 13:49:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 07 09:49:39 2013
Received: from localhost ([127.0.0.1]:36593 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1UvpLO-0007xy-AE
	for submit <at> debbugs.gnu.org; Sun, 07 Jul 2013 09:49:38 -0400
Received: from mail01.spamex.com ([107.23.136.169]:58509)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <ua2y-rti1@HIDDEN>) id 1UvpLJ-0007xj-Ov
 for submit <at> debbugs.gnu.org; Sun, 07 Jul 2013 09:49:34 -0400
Received: from 10.0.0.143 (web01.local.clicvu.com [10.0.0.202])
 by mail01.spamex.com (Postfix) with ESMTP id 183D32232
 for <submit <at> debbugs.gnu.org>; Sun,  7 Jul 2013 13:49:19 +0000 (UTC)
Content-type: text/plain
Date: Sun, 07 Jul 2013 09:50:35 -0400
From: ua2y-rti1@HIDDEN
Subject: Debbugs <at> spam countermeasure inadequate
To: submit <at> debbugs.gnu.org
X-Spam-Score: -12.5 (------------)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Message-Id: <E1UvpLO-0007xy-AE <at> debbugs.gnu.org>
X-Spam-Score: -12.6 (------------)

Package: debbugs.gnu.org

On 2013 April 22 I filed an emacs bug using an email address specifically generated for that purpose and used for nothing else.

On 2013 May 18 I started receiving spam messages on that email address.  The most likely explanation is that
an email address harvester is overcoming the <at> countermeasure.