Email Harvesting

I’ve been receiving a lot of Swen emails to my ruby-talk address lately.
This mailing alias is rather new and so my guess is that this list is
actively being harvested for emails. Is there something we can do to
fix this? This is getting boring, my email bandwidth quota is being
eaten by these goddam 150kb emails.
nikolai


::: name: Nikolai Weibull :: aliases: pcp / lone-star / aka :::
::: born: Chicago, IL USA :: loc atm: Gothenburg, Sweden :::
::: page: www.pcppopper.org :: fun atm: gf,lps,ruby,lisp,war3 :::
main(){printf(&linux["\021%six\012\0"],(linux)["have"]+"fun"-97);}

Hi,

> I’ve been receiving a lot of Swen emails to my ruby-talk address
> lately.
> This mailing alias is rather new and so my guess is that this list is
> actively being harvested for emails. Is there something we can do to
> fix this? This is getting boring, my email bandwidth quota is being
> eaten by these goddam 150kb emails.

That’s because this list is mirrored to usenet (see
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=comp.lang.ruby
) with all email addresses intact. I also find this annoying, and
wasn’t aware of the fact when I subscribed (probably because I didn’t
read the fine print).

Possible solutions, none of which I find appealing:

  • Stop mirroring the list to usenet: Would keep usenet users from
    participating
  • Remove email addresses from posts before mirroring: Makes it harder
    to reply off-list
  • Set up another list that isn’t mirrored
  • Use the list via usenet using a fake email address

Cheers,
-Ralph.

That turns out not to be the case.

Swen, like a number of other Windows trojans, viruses, and worms,
automatically scrapes a system’s address book, mailboxes, web cache, and
in some cases general files looking for anything that looks like an e-mail
address. There’s no list that’s distributed, or any Master Evil Spammer
sending these things out–just a depressingly large number of folks who
actively infected their machines (swen required the user to run the
infecting attachment by hand) and now have a widget installed that does
the local scraping and mailing.

If your email address is on someone’s local machine for any
reason–they’re subscribed to the ruby-talk list, read a message via
google groups, you sent them mail, someone sent them mail with you on the
CC line, someone installed software with your email address in the docs,
or is subscribed to a newsgroup with a local newsreader–you’re going to
get a swen if they get infected. Possibly many of them.

Obfuscating email addresses on the web pages may help a bit, at least for
a while, for the virus mail. Won’t stop the spammers as much, as they’re
more likely to put a bit more effort into the deobfuscation, but it will,
for now, slow swen and its ilk.

Note that once anyone with your email address legitimately in their
inbox or outbox gets infected you will get swens and their like–since
these viruses all forge the from: as well as the to:, other people will
get mail that looks like it’s from you, which puts your address in the
inbox, which makes it fair game for the automated scanners on more
machines. And even if they avoid immediate infection, it may well be
around for the next round of infection.

				Dan

On Sun, 19 Oct 2003, Nikolai Weibull wrote:

> I’ve been receiving a lot of Swen emails to my ruby-talk address lately.
> This mailing alias is rather new and so my guess is that this list is
> actively being harvested for emails.

This has nothing to do with it. I’ve got a dedicated usenet address
and it gets far less spam than any other address I have (and this
was even true when I was far more active in newsgroups than I am
now). People like to blame this on the news gateway, but that’s not
it at all.

Look instead to web archives (e.g., www.ruby-talk.org).

-austin

On Sun, 19 Oct 2003 21:30:21 +0900, Ralph Pöllath wrote:

> Hi,
>
>> I’ve been receiving a lot of Swen emails to my ruby-talk address
>> lately. This mailing alias is rather new and so my guess is that
>> this list is actively being harvested for emails. Is there
>> something we can do to fix this? This is getting boring, my email
>> bandwidth quota is being eaten by these goddam 150kb emails.
>
> That’s because this list is mirrored to usenet […] with all
> email addresses intact. I also find this annoying, and wasn’t
> aware of the fact when I subscribed (probably because I didn’t
> read the fine print).


austin ziegler * austin@halostatue.ca * Toronto, ON, Canada
software designer * pragmatic programmer * 2003.10.21 * 13.31.21

> Look instead to web archives (e.g., www.ruby-talk.org).

yes, this is also not very good. i’m betting this generates a lot more
problems than the usenet stuff. i don’t think spammers bother too much
with parsing emails from usenet. would it be possible for someone to
take care of this?
nikolai


::: name: Nikolai Weibull :: aliases: pcp / lone-star / aka :::
::: born: Chicago, IL USA :: loc atm: Gothenburg, Sweden :::
::: page: www.pcppopper.org :: fun atm: gf,lps,ruby,lisp,war3 :::
main(){printf(&linux["\021%six\012\0"],(linux)["have"]+"fun"-97);}

Nikolai Weibull said:

> with parsing emails from usenet. would it be possible for someone to
> take care of this?

My $.02 = Attempting to hide all the emails does more harm than good… it
really only makes it harder for people to contact you who have a genuine
reason to do so (i.e. - with a Ruby question). As far as spam goes, not
publishing your email address certainly helps, but the first time a friend
or relative sends you an electronic “greeting card” you’re sunk.

Perhaps the effort would be better spent on improving anti-spam systems…
Personally, I find the Bayesian-ish approach of bogofilter to be quite
good. I catch ~100 spams per day & only one or two get through. More
attention (and contributions) to projects like this would improve the
situation much more than going through web archives & mangling email
addresses.

-Ryan


Ryan Dlugosz
ryan@dlugosz.net

http://dlugosz.net

> Nikolai Weibull said:
>
>> with parsing emails from usenet. would it be possible for someone to
>> take care of this?
>
> My $.02 = Attempting to hide all the emails does more harm than good… it
> really only makes it harder for people to contact you who have a genuine
> reason to do so (i.e. - with a Ruby question). As far as spam goes, not
> publishing your email address certainly helps, but the first time a friend
> or relative sends you an electronic “greeting card” you’re sunk.
>
> Perhaps the effort would be better spent on improving anti-spam systems…
> Personally, I find the Bayesian-ish approach of bogofilter to be quite
> good. I catch ~100 spams per day & only one or two get through. More
> attention (and contributions) to projects like this would improve the
> situation much more than going through web archives & mangling email
> addresses.

Hey, I don’t have problems capturing spam, I just don’t want it reaching
me, period. Parsing out email addresses does make it harder to respond
to people, yes, and that is often not a problem. If you’re mailing to a
mailing list, you expect people to reply to the mailing list, not the
email address you sent from. And if people really want to contact you,
they can probably understand the parsed email, such as
ruby-talk at pcppopper dot org
or some less obvious parsing,
nikolai


::: name: Nikolai Weibull :: aliases: pcp / lone-star / aka :::
::: born: Chicago, IL USA :: loc atm: Gothenburg, Sweden :::
::: page: www.pcppopper.org :: fun atm: gf,lps,ruby,lisp,war3 :::
main(){printf(&linux["\021%six\012\0"],(linux)["have"]+"fun"-97);}
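
The address rewriting discussed in this thread (obfuscating addresses on archive web pages, in the "ruby-talk at pcppopper dot org" form), as an added example that is not part of any post: a Ruby filter a web archive could run on a message before publishing it. The address pattern, the list of headers left untouched and the sample message are assumptions constructed for illustration.

```ruby
# Added example: obfuscate addresses in a list message before it goes into a
# public web archive. Pattern, header list and sample message are constructed.

# Loose stand-in for "anything that looks like an e-mail address"; an
# assumption for illustration, not the matching logic of any real scanner.
ADDRESS = /\b([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b/

# Threading headers hold message IDs that merely resemble addresses; rewriting
# them would break reply threading in the archive, so they are left alone.
KEEP_HEADERS = %w[message-id in-reply-to references].freeze

# "user@host.tld" -> "user at host dot tld", the form suggested in the thread.
def obfuscate(text)
  text.gsub(ADDRESS) do
    local, domain = $1, $2
    "#{local} at #{domain.gsub('.', ' dot ')}"
  end
end

# Rewrite addresses in the body and in every header except the threading ones.
def obfuscate_message(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  current = nil
  head_out = head.lines.map do |line|
    # A line starting with whitespace continues the previous (folded) header.
    current = line[/\A([^:\s]+):/, 1]&.downcase unless line.start_with?(' ', "\t")
    KEEP_HEADERS.include?(current) ? line : obfuscate(line)
  end
  "#{head_out.join}\n\n#{obfuscate(body.to_s)}"
end

# What a purely pattern-based scan of the text would still pick up.
def addresses_in(text)
  text.scan(ADDRESS).map { |local, domain| "#{local}@#{domain}" }
end

# Constructed sample message.
SAMPLE = <<~MAIL
  From: Alice Example <alice@example.org>
  Cc: bob.smith@lists.example.net
  Message-ID: <20031019.1234@mail.example.org>
  References: <20031018.9999@mail.example.org>
   <20031017.1111@mail.example.org>
  Subject: harvesting

  Reply off-list to alice@example.org if you like.
MAIL

puts obfuscate_message(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

After rewriting, the only strings in the sample that still match the pattern are the message IDs in the threading headers, which are not mailboxes.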