E-mail Scramblers

In article <Sd******************************@comcast.com>,
vikenkNO_SPAM@NO_SPAMcomcast.net says...

Hello all,

<SIGH> I'm soooooo sick and tired of getting spam e-mails. I'm sure that
part of the reson for this is that my e-mail address is publicly available
on my website, ready to be picked by e-mail harvesting programs.

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped. As for
NG's, I have the return address blocked in a similar fashion.

I Googled for e-mail scramblers but what I found were all JavaScript based.
Are there any non-javascript based scramblers out there, or do I have to go
with a JavaScript scrambler?

Thanks.

This has been gone over many times in many groups. There is no fool-
proof way to prevent email harvesting.

Viken Karaguesian wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.
As for NG's, I have the return address blocked in a similar fashion.

You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

--
-bts
-Warning: I brake for lawn deer

In article <16*****************************@40tude.net>,
"Beauregard T. Shagnasty" <a.*********@example.invalid> wrote:

Viken Karaguesian wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.
As for NG's, I have the return address blocked in a similar fashion.

You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

You use a valid email address that contains the term nospam as part of
the actual name. Smart spammers will remove the nospam, and get an
invalid address. Unfortunately dumb spammers will not remove the nospam
and will still send you spam. Conversely, people who just click on a
mailto link will get through to you, but people who looks at the
resulting email address and remove the nospam will not get through to
you. I am thinking of changing my address every month - jan2006@ etc.

--
http://www.ericlindsay.com

In article <NO********************************@freenews.iinet .net.au>,
Eric Lindsay <NO**********@ericlindsay.com> wrote:

You use a valid email address that contains the term nospam as part of
the actual name. Smart spammers will remove the nospam, and get an
invalid address. Unfortunately dumb spammers will not remove the nospam
and will still send you spam. Conversely, people who just click on a
mailto link will get through to you, but people who looks at the
resulting email address and remove the nospam will not get through to
you. I am thinking of changing my address every month - jan2006@ etc.

SpamAssassin is everyone's server-side friend. Really!

leo

--
<http://web0.greatbasin.net/~leo/>

"Viken Karaguesian" <vikenkNO_SPAM@NO_SPAMcomcast.net> wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Once your email address has made it onto spammer's lists the spam will
continue. The only way to escape from that is to change your email
address.

An alternative is deploying client side filtering, this should prevent
you seeing most of the spam, but it will still arrive in your POP box
and require you to download at least the headers.

--
Spartanicus

In article <le***********************@sn-indi.vsrv-sjc.supernews.net>,
le*@greatbasin.com says...

In article <NO********************************@freenews.iinet .net.au>,
Eric Lindsay <NO**********@ericlindsay.com> wrote:

You use a valid email address that contains the term nospam as part of
the actual name. Smart spammers will remove the nospam, and get an
invalid address. Unfortunately dumb spammers will not remove the nospam
and will still send you spam. Conversely, people who just click on a
mailto link will get through to you, but people who looks at the
resulting email address and remove the nospam will not get through to
you. I am thinking of changing my address every month - jan2006@ etc.

SpamAssassin is everyone's server-side friend. Really!

leo

SpamAssasin is useful if watched carefully - I used that for a few days.
It was much too aggressive and I was not getting some of my client's
emails. I ended up turning it off.

On Tue, 24 Jan 2006, Eric Lindsay wrote:

In article <16*****************************@40tude.net>,
"Beauregard T. Shagnasty" <a.*********@example.invalid> wrote:

[snip]

You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

You use a valid email address that contains the term nospam as part of
the actual name. Smart spammers will remove the nospam, and get an
invalid address. Unfortunately dumb spammers will not remove the nospam
and will still send you spam. Conversely, people who just click on a
mailto link will get through to you, but people who looks at the
resulting email address and remove the nospam will not get through to
you. I am thinking of changing my address every month - jan2006@ etc.

A possibly stupid idea (when has that ever stopped me?[1]):

Get a username, <your_initials>nospam (in Eric's case, "elnospam")
and then post it with "nospam" prepended to it along with the
instructions, "Remove only the *first* 'nospam' to email me."

Spammers who don't try to demung will try to send to "nospamelnospam"
which is invalid. Spammers who try to demung the address will try to
send to "el" (removing both "nospam"s) or "noelno" (removing both
"spam"s[2]), both of which are invalid.

Those who follow the instructions (which spammers never (or seldom)
look at) will send to "elnospam" and their email will get through.

In HTML mailto URLs, you could try prepending "%20" (a space) to the
username in the URL. Many spammers' harvesters treat '%' as a delimiter
and the such harvesters *will* include the "20", making the username
invalid. (I regularly get spam addressed to a %-escaped '/' ("%2F")
in an "http" URL on my anti-spam page.)

While technically invalid in a URL because it contains spaces), I have
found that an email address with inline parenthesized comments (allowed
by RFC 822) will work with most email software. If a comma was part of
the comment text and a spammer stored addresses in a comma-delimited
database, sorting the addresses would break up yours into two pieces.

On my outdated CIH virus page,
http://www.chebucto.ns.ca/~af380/CIH.html
I have the following address encoded in the HTML:

%20af380@( Norman )chebucto( De Forest ).ns( CIH.html ).ca

and have received several requests for antivirus help to that address,
complete with the parenthesized comments. "(De Forest, Norman)" might
be slightly more effective if it caused the address to be broken up
in a comma-delimited list of addresses but I haven't tested that yet.
(Note the leading %-encoded space which should be stripped by conforming
software.) According to RFC 822, spaces *outside* the parentheses are
also allowed but that breaks some Windows-based email software.

[1] That was a rhetorical question.
[2] A few years ago I was a beta-tester for my ISP's automunge feature
for the tin newsreader which appended "nospam" to the username when
posting to Usenet. I was therefore posting as "af380nospam". To
this day, I still get the occasional spam with multiple sorted
addresses in the "To:" header including "af380", "af380nospam"
*and* "af380no".
--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af***@chebucto.ns.ca [=||=] (At the Sign of the Flashing Cursor)
"Oh how I miss the days when it was easier to catch gonorhea than a
computer virus." -- Big Will in alt.comp.virus, March 9, 2005

saz wrote:

This has been gone over many times in many groups.
Indeed, and it's not an HTML issue.
There is no fool-proof way to prevent email harvesting.

There is. Remove all your pages. This won't prevent you from getting
spam, of course. For that, the fool-proof method is to disconnect from
the Internet and never return.

Other methods are just foolish.

If you wish to use the Internet and participate in it, stay tuned to
getting spam and deal with it somehow, e.g. using spam filtering
software. Don't make it your readers' problem.

Viken Karaguesian wrote:

Hello all,

<SIGH> I'm soooooo sick and tired of getting spam e-mails. I'm sure that
part of the reson for this is that my e-mail address is publicly available
on my website, ready to be picked by e-mail harvesting programs.

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Well, naturally. They don't just use addresses they harvested *today*.

>> I tried to thwart them by adding a REMOVE_THIS in my e-mail address

(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Well, naturally. They don't just use addresses they harvested *today*.

My mistake :>) What I meant to say was that the spam hasn't even slowed
down. Of course, I know it won't stop altogether (I'm not *that* naive), but
to be able to reduce it would be nice.

I get about 5-10 spam messages a day that make it through my ISP's mail
filters. For every one e-mail that gets through, there's probably about 10
that get trapped. If I go to my webmail, I can see piles of spam in my
"Screened Mail" folder.

I would just like to slow it down...

--
Viken K.
http://home.comcast.net/~vikenk

Viken Karaguesian wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Well, naturally. They don't just use addresses they harvested *today*.

My mistake :>) What I meant to say was that the spam hasn't even slowed
down. Of course, I know it won't stop altogether (I'm not *that* naive), but
to be able to reduce it would be nice.

I get about 5-10 spam messages a day that make it through my ISP's mail
filters. For every one e-mail that gets through, there's probably about 10
that get trapped. If I go to my webmail, I can see piles of spam in my
"Screened Mail" folder.

I would just like to slow it down...

You can't. Once you are on a list, you're a gonner. You don't even
need to publish your address anywhere, spammers will target ISPs with
random addresses to see those that work and those that don't. Any that
aren't bounced almost immediately must be real.
--
Rob

"Viken Karaguesian" <vikenkNO_SPAM@NO_SPAMcomcast.net> wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Well, naturally. They don't just use addresses they harvested *today*.

My mistake :>) What I meant to say was that the spam hasn't even slowed
down. Of course, I know it won't stop altogether (I'm not *that* naive), but
to be able to reduce it would be nice.

Thinking that it will slow down is just as naive. People who harvest
email addresses sell their lists, so you can expect spam to *increase*
over time once your email has been successfully harvested even if you
removed all occurrences of the address from the net.

--
Spartanicus

In article <dr**********@phys-news4.kolumbus.fi>,
"Jukka K. Korpela" <jk******@cs.tut.fi> wrote:

If you wish to use the Internet and participate in it, stay tuned to
getting spam and deal with it somehow, e.g. using spam filtering
software. Don't make it your readers' problem.

Legalising duelling, or just outright assassination of spammers would be
acceptable to me.

--
http://www.ericlindsay.com

Eric Lindsay <NO**********@ericlindsay.com> wrote:

In article <dr**********@phys-news4.kolumbus.fi>,
"Jukka K. Korpela" <jk******@cs.tut.fi> wrote:

If you wish to use the Internet and participate in it, stay tuned to
getting spam and deal with it somehow, e.g. using spam filtering
software. Don't make it your readers' problem.

Legalising duelling, or just outright assassination of spammers would be
acceptable to me.

No kidding, I heard there was a spammer who stupidly left his address
on his website and was found murdered.

--
http://www.ren-prod-inc.com/hug_soft...action=contact

JRS: In article <si********************************@news.spartanic us.ut
vinternet.ie>, dated Tue, 24 Jan 2006 08:24:38 remote, seen in
news:comp.infosystems.www.authoring.html, Spartanicus
<in*****@invalid.invalid> posted :

Once your email address has made it onto spammer's lists the spam will
continue. The only way to escape from that is to change your email
address.
That does not help domain name owners/leasers, who have to handle in
some way all mail for what is on the right of the @.
An alternative is deploying client side filtering, this should prevent
you seeing most of the spam, but it will still arrive in your POP box
and require you to download at least the headers.

For those who get mail by POP, maybe. Those who collect by SMTP can
reject on envelope rather than full header.

ISTM that spam-list-purchasers might get quite upset if they realised
how much ancient content there must be in many such lists.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.

JRS: In article <NO********************************@freenews.iinet .net.
au>, dated Tue, 24 Jan 2006 15:32:14 remote, seen in news:comp.infosyste
ms.www.authoring.html, Eric Lindsay <NO**********@ericlindsay.com>
posted :

I am thinking of changing my address every month - jan2006@ etc.

Could be smarter to follow ISO 8601 (I believe it's a FIPS) and use a
format where alphanumeric order is date order. Makes coding to reject
old mail more efficient, for example. Eschew taint of FFF.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME. ©
Web <URL:http://www.merlyn.demon.co.uk/> - w. FAQish topics, links, acronyms
PAS EXE etc : <URL:http://www.merlyn.demon.co.uk/programs/> - see 00index.htm
Dates - miscdate.htm moredate.htm js-dates.htm pas-time.htm critdate.htm etc.

On Tue, 24 Jan 2006 04:10:10 GMT, "Beauregard T. Shagnasty"
<a.*********@example.invalid> wrote:

Viken Karaguesian wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.
As for NG's, I have the return address blocked in a similar fashion.

Once your address gets onto spammer's lists it will probably stay there
for years. Subsequently adding a "REMOVE_THIS" doesn't help - you have
to do it before first use.
You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

Actually I've heard that they don't. This may no longer be current
information, but I've heard from a couple of people who've seen
spamlists that there didn't seem to be any attempt to "clean up" the
list at all. Apparently there are still sufficient valid addresses
there. And anyone who puts a spamtrap in their address is not very
likely to buy from spammers anyway, so it probably wouldn't be worth the
effort of cleaning the lists.

I use K9. It takes a little training to start with, but works really
well.
http://www.keir.net/k9.html

--
Stephen Poley

http://www.xs4all.nl/~sbpoley/webmatters/

Spartanicus wrote:

"Viken Karaguesian" <vikenkNO_SPAM@NO_SPAMcomcast.net> wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

Once your email address has made it onto spammer's lists the spam will
continue. The only way to escape from that is to change your email
address.

No - what you need to do is make sure you click on the "remove me from
this list" link on every spam email you recieve. That way, they all
know you don't want any more spam.

<really evil grin and maniacal laughter>

JRS: In article <I6*****************@news.optus.net.au>, dated Wed, 25
Jan 2006 06:43:52 remote, seen in news:comp.infosystems.www.authoring.ht
ml, RobG <rg***@iinet.net.au> posted :

You can't. Once you are on a list, you're a gonner. You don't even
need to publish your address anywhere, spammers will target ISPs with
random addresses to see those that work and those that don't. Any that
aren't bounced almost immediately must be real.

They may be considered real, but it's not always a valid assumption.
Dial-up Internet hosts cannot reject until connected.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk DOS 3.3, 6.20; Win98. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links.
PAS EXE TXT ZIP via <URL:http://www.merlyn.demon.co.uk/programs/00index.htm>
My DOS <URL:http://www.merlyn.demon.co.uk/batfiles.htm> - also batprogs.htm.

In article <xD**************@merlyn.demon.co.uk>,
Dr John Stockton <jr*@merlyn.demon.co.uk> wrote:

JRS: In article <NO********************************@freenews.iinet .net.
au>, dated Tue, 24 Jan 2006 15:32:14 remote, seen in news:comp.infosyste
ms.www.authoring.html, Eric Lindsay <NO**********@ericlindsay.com>
posted :

I am thinking of changing my address every month - jan2006@ etc.

Could be smarter to follow ISO 8601 (I believe it's a FIPS) and use a
format where alphanumeric order is date order. Makes coding to reject
old mail more efficient, for example. Eschew taint of FFF.

I can't believe I missed that. I am using 20060125 etc style dates in
generating the addresses for entries in my blog, so I have no excuse for
reverting. Thank you.

--
http://www.ericlindsay.com

In article <pp********************************@4ax.com>,
hug <contact_info@sig_line.clickit> wrote:

Eric Lindsay <NO**********@ericlindsay.com> wrote:

Legalising duelling, or just outright assassination of spammers would be
acceptable to me.

No kidding, I heard there was a spammer who stupidly left his address
on his website and was found murdered.

If that was the Russian, there seemed to be material indicating an
existing dispute between criminal groups, so I didn't count that as
assassination of a spammer.

On hiding addresses on the web, I note some Mac users are doing echo
37560563490876061899467535710315185401098P|dc and similar, so I wonder
how long that will withstand the spammers.

--
http://www.ericlindsay.com

> No - what you need to do is make sure you click on the "remove me from

this list" link on every spam email you recieve. That way, they all
know you don't want any more spam.

Isn't "remove me from your list" really just code for "please send me a
lot more spam"? LOL!

Viken K.

In article <MP************************@newsgroups.comcast.net >,
saz <sa*****@nospammersexcite.com> wrote:

This has been gone over many times in many groups. There is no fool-
proof way to prevent email harvesting.

There isn't? What isn't fool-proof about having a CGI web form that
someone has to fill out to communicate with you? No email address
can be seen or derived anywhere in the web page source. I'm not
talking about the often-abused webmail perl scripts, but a custom
CGI that you write yourself.

The site I'm developing now uses that method. No email addresses
anywhere on the site. The "Contact us" link takes you to a form.

Granted, when replying to such email sent via a form, the recipient
does see an email address. But it's not getting harvested from the
web site.

-A

In article <16*****************************@40tude.net>,
Beauregard T. Shagnasty <a.*********@example.invalid> wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

I really doubt that any spammers bother. My domain gets lots of
spam to addresses that have those strings embedded in the address.

-A

In article <dr**********@blue.rahul.net>, ax**@spamcop.net says...

In article <MP************************@newsgroups.comcast.net >,
saz <sa*****@nospammersexcite.com> wrote:

This has been gone over many times in many groups. There is no fool-
proof way to prevent email harvesting.

There isn't? What isn't fool-proof about having a CGI web form that
someone has to fill out to communicate with you? No email address
can be seen or derived anywhere in the web page source. I'm not
talking about the often-abused webmail perl scripts, but a custom
CGI that you write yourself.

The site I'm developing now uses that method. No email addresses
anywhere on the site. The "Contact us" link takes you to a form.

Granted, when replying to such email sent via a form, the recipient
does see an email address. But it's not getting harvested from the
web site.

-A

The OP was not talking about a form, but an email address on a page.

Dr John Stockton wrote:

JRS: In article <I6*****************@news.optus.net.au>, dated Wed, 25
Jan 2006 06:43:52 remote, seen in news:comp.infosystems.www.authoring.ht
ml, RobG <rg***@iinet.net.au> posted :

You can't. Once you are on a list, you're a gonner. You don't even
need to publish your address anywhere, spammers will target ISPs with
random addresses to see those that work and those that don't. Any that
aren't bounced almost immediately must be real.

They may be considered real, but it's not always a valid assumption.
Dial-up Internet hosts cannot reject until connected.

Not merely wrong. Your premise is dangerously wrong.

Dial-up users pick up mail from their ISP's host. And mail that's on
the ISP's host is mail that's already been accepted.

If you try to reject it when you dial up, you're just spamming the
poor sod whose address got forged.

If you're a dialup user, your options are whatever your ISP provides.

--
Nick Kew

In article <dr**********@blue.rahul.net>, axlq <ax**@spamcop.net> wrote:

In article <16*****************************@40tude.net>,
Beauregard T. Shagnasty <a.*********@example.invalid> wrote:

I tried to thwart them by adding a REMOVE_THIS in my e-mail address
(username@REMOVE_THISispname.net), but the e-mails have not stopped.

You haven't heard that the spammers run the harvest and remove all these
common words you (the collective you) add to your addys?

REMOVETHIS, REMOVE_THIS, NOSPAM, NO_SPAM, and so on...

I really doubt that any spammers bother. My domain gets lots of
spam to addresses that have those strings embedded in the address.

I've seen spam to what are very obviously usenet message ids....

The spammers really don't care, since they're stealing other peoples'
bandwidth anyway, and the more addresses they can claim to have, the
more they can charge the suckers who sign up for their services.

Viken Karaguesian wrote:

No - what you need to do is make sure you click on the "remove me from
this list" link on every spam email you recieve. That way, they all
know you don't want any more spam.

Isn't "remove me from your list" really just code for "please send me a
lot more spam"? LOL!

Right ;->

JRS: In article <k4************@asgard.webthing.com>, dated Thu, 26 Jan
2006 02:35:28 remote, seen in news:comp.infosystems.www.authoring.html,
Nick Kew <ni**@asgard.webthing.com> posted :

Dr John Stockton wrote:

JRS: In article <I6*****************@news.optus.net.au>, dated Wed, 25
Jan 2006 06:43:52 remote, seen in news:comp.infosystems.www.authoring.ht
ml, RobG <rg***@iinet.net.au> posted :

You can't. Once you are on a list, you're a gonner. You don't even
need to publish your address anywhere, spammers will target ISPs with
random addresses to see those that work and those that don't. Any that
aren't bounced almost immediately must be real.

They may be considered real, but it's not always a valid assumption.
Dial-up Internet hosts cannot reject until connected.

Not merely wrong. Your premise is dangerously wrong.

Dial-up users pick up mail from their ISP's host. And mail that's on
the ISP's host is mail that's already been accepted.

If you try to reject it when you dial up, you're just spamming the
poor sod whose address got forged.

If you're a dialup user, your options are whatever your ISP provides.

My ISP provides what I describe; mail for merlyn is not rejected
immediately, but only when I connect to the ISP - or, rather, when the
ISP's SMTP soon afterwards connects to me as a result of an ISP-internal
tip-off that I've connected - and my software then sees and can reject
it.

There is at present no nick@merlyn ; mail for nick will not be accepted,
and I don't currently plan that it will be. However, you could, after I
disconnect the connection that uploads this, (a) send mail to
nick@merlyn; (b) then persuade me by non-Net means to create
nick@merlyn; (c) then, when I next connect, not get any form of
rejection, but even maybe get a reply. So mail sent to a non-existent
name can be fully received, too.

I don't collect mail by POP3, though the option is available.

What happens when mail bounces is another matter.

You have asserted that saying that a "Dial-up Internet hosts cannot
reject until connected" is wrong - I don't understand how a machine
which is not connected - is perhaps not even powered up - is perhaps in
pieces, or extinct, can possibly reject mail.

Demon itself will reject customer-type inbound mail only when addressed
to non-existent customers (fr**@philanthropically.demon... should be
such an address) or after it has been festering there for IIRC 30 days.

Your dial-up mail service, if you have [had] one, may well work
differently.
NOTE : I'm not attempting to distinguish between any more than these
states for an E-mail : heading towards me, fully accepted here, heading
away from me, deleted.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME ©
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html> -> Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm> : about usage of News.
No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.

JRS: In article <dr**********@blue.rahul.net>, dated Thu, 26 Jan 2006
01:25:12 remote, seen in news:comp.infosystems.www.authoring.html, axlq
<ax**@spamcop.net> posted :

In article <MP************************@newsgroups.comcast.net >,
saz <sa*****@nospammersexcite.com> wrote:

This has been gone over many times in many groups. There is no fool-
proof way to prevent email harvesting.

There isn't? What isn't fool-proof about having a CGI web form that
someone has to fill out to communicate with you? No email address
can be seen or derived anywhere in the web page source. I'm not
talking about the often-abused webmail perl scripts, but a custom
CGI that you write yourself.

The site I'm developing now uses that method. No email addresses
anywhere on the site. The "Contact us" link takes you to a form.

Granted, when replying to such email sent via a form, the recipient
does see an email address. But it's not getting harvested from the
web site.

By that method, you get fewer genuine E-mails.

Those who fetch Web pages while connected for reading off-line, and
those who prefer to communicate outbound and inbound by E-mail because
of the filing then provided, may just not bother to start communication.

Commercially, that may be advantageous; you may only want permanently-
connected or determined customers.

But those who publish technical material may lose feedback and
corrections.

Use the form, by all means; but provide in addition the E-address in a
format which a human, but not a robot, can interpret - but not one which
a robot can think it has understood.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk DOS 3.3, 6.20; Win98. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links.
PAS EXE TXT ZIP via <URL:http://www.merlyn.demon.co.uk/programs/00index.htm>
My DOS <URL:http://www.merlyn.demon.co.uk/batfiles.htm> - also batprogs.htm.

On Fri, 27 Jan 2006, Dr John Stockton wrote:

Nick Kew <ni**@asgard.webthing.com> posted :

Dial-up users pick up mail from their ISP's host. And mail that's on
the ISP's host is mail that's already been accepted.

If you try to reject it when you dial up, you're just spamming the
poor sod whose address got forged.

Quite...
My ISP provides what I describe; mail for merlyn is not rejected
immediately, but only when I connect to the ISP - or, rather, when
the ISP's SMTP soon afterwards connects to me as a result of an
ISP-internal tip-off that I've connected - and my software then sees
and can reject it.
You can't have it both ways. Either that rejected mail is dropped
into a black hole and forgotten (in which case, bona fide mail that
has been accidentally rated as spam will be lost, and nobody will be
any the wiser), or else, as Nick rightly said, your ISP will compose
bounces to inform some innocent third party/ies that you've rejected
some spam. In the latter case, it won't be long before that leads to
a blacklisting for what's known as backscatter[0] - and rightly so
too.

Bluster as much as you like, but that's the logic of how it works.
What happens when mail bounces is another matter.
Try reading what Nick said.
You have asserted that saying that a "Dial-up Internet hosts cannot
reject until connected" is wrong - I don't understand how a machine
which is not connected - is perhaps not even powered up - is perhaps
in pieces, or extinct, can possibly reject mail.

Try parsing the original statement in accordance with reality, instead
of trying to turn it into some kind of fantasy and then refuting that
fantasy[1]. If you doubt Nick's bona fides, then your ability to
evaluate contributors here is seriously in need of maintenance,
forsooth.
[0] I prefer to call it "collateral spam", which was the term the
JANET folks originally used, and seems to me more appropriate.

[1] otherwise referred to as a "straw man argument".

Dr John Stockton wrote:

My ISP provides what I describe; mail for merlyn is not rejected
immediately, but only when I connect to the ISP

Whoosh!

What happens between you and your ISP is utterly immaterial.
If it's waiting for you on your ISP's server, then IT HAS ALREADY
BEEN ACCEPTED FROM THE SPAMMER.

Bouncing email that has been accepted by your ISP's server puts YOU
on the level of the spammer - because the recipient of the bounce
(if any) is an innocent victim. And dropping it is also problematic,
because any false positive you get will be dropped without the
sender ever knowing. Just don't do it.

--
Nick Kew

JRS: In article <jv************@asgard.webthing.com>, dated Fri, 27 Jan
2006 22:55:11 remote, seen in news:comp.infosystems.www.authoring.html,
Nick Kew <ni**@asgard.webthing.com> posted :

Dr John Stockton wrote:

My ISP provides what I describe; mail for merlyn is not rejected
immediately, but only when I connect to the ISP
Whoosh!

What happens between you and your ISP is utterly immaterial.
If it's waiting for you on your ISP's server, then IT HAS ALREADY
BEEN ACCEPTED FROM THE SPAMMER.

Bouncing email that has been accepted by your ISP's server puts YOU
on the level of the spammer - because the recipient of the bounce
(if any) is an innocent victim. And dropping it is also problematic,
because any false positive you get will be dropped without the
sender ever knowing. Just don't do it.

When at my ISP, it has not been accepted by the Internet host that it is
directed to.

When at my ISP, it has not reached the Internet host that it is directed
to.

When at my ISP, it is merely being held in an intermediate machine until
it can be passed on to its destination.

My ISP's mail system knows NOTHING about what left-hand parts are valid
with @merlyn.dcu .

Merlyn owns (well, leases) the whole of a dotted quad (though legitimate
stuff for www.merlyn.dcu does not reach here).
Please look back to my first post in this branch of the thread - well,
I'd better repeat the relevant part :-
<QUOTE>You can't. Once you are on a list, you're a gonner. You don't even
need to publish your address anywhere, spammers will target ISPs with
random addresses to see those that work and those that don't. Any that
aren't bounced almost immediately must be real.

They may be considered real, but it's not always a valid assumption.
Dial-up Internet hosts cannot reject until connected.
</QUOTE>
Read carefully, and you will see that I was saying ONLY that the lack of
an immediate bounce does not necessarily mean that the address is valid.

Let X be a 15-character random alphanumeric string.

Then X at aol.com is (almost certainly) a non-deliverable address; a
spammer probing it should receive an immediate bounce.

But X at merlyn.dcu is (certainly) a non-deliverable address; a
spammer probing it will NOT receive an immediate bounce, but will
receive a bounce after I next Connect.
REMEMBER :

The point under consideration is the timing of a bounced probe, and a
probe needs to have a return address such that the spammer will see the
bounce.

The decision as to what happens to each mail sent to @merlyn.dcu is
taken here in this room, by me and my machine; we set our policy before
connecting, but that policy can only be observed from outside this room
while a connection is active.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME ©
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html> -> Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm> : about usage of News.
No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.

On Sat, 28 Jan 2006, Dr John Stockton being his usual obtuse self:

[much bluster omitted]

fx: Whoosh*2

REMEMBER :

Remember: you've just voluminously repeated everything that we already
knew, while studiously avoiding the key point. If you still don't know
what that is, too bad. Try a mail admin's forum.

EOT for me. [f'up proposed.]

On Sat, 28 Jan 2006 22:51:52 +0000, Dr John Stockton
<jr*@merlyn.demon.co.uk> wrote:

When at my ISP, it has not been accepted by the Internet host that it is
directed to.

When at my ISP, it has not reached the Internet host that it is directed
to.
These points are true but the fact the ISP has not rejected the mail
does indicate that the address is valid. The ISP is an agent and should
only accept mail if it has a user account where the mail can be stored.
If the ISP doesn't have such a account it should reject the attempt to
send the message.

I recently had a problem where mails for a valid user were rejected by
the ISP (error 550, user unknown) even though the user is valid and the
sender is acceptable. It turns out that the ISP always tries to open a
mail channel back to the sender before accepting the incoming message
and then rejects the incoming message if the back channel attempt fails.
This is part of their anti-spam procedure and they definitely don't want
to acknowledge to a suspect sender that an address is valid. The
downside to this approach is that the rejection is fatal and the sender
won't retry the transfer later as it does with some other errors.

An ISP has to reject an undeliverable message immediately as it can't do
so later. So if it accepts mail it is a pretty good indication that the
address is valid. There are exceptions though. I have two previous
ISPs (accounts now closed) and mail sent to these addresses is accepted
but never delivered to me.
Read carefully, and you will see that I was saying ONLY that the lack of
an immediate bounce does not necessarily mean that the address is valid.

Let X be a 15-character random alphanumeric string.

Then X at aol.com is (almost certainly) a non-deliverable address; a
spammer probing it should receive an immediate bounce.

But X at merlyn.dcu is (certainly) a non-deliverable address; a
spammer probing it will NOT receive an immediate bounce, but will
receive a bounce after I next Connect.

I don't see how you can do an equivalent 'bounce' here. The ISP has
accepted the message and the connection is closed. All you can do is
send a text reply to the advertised sender.

-- Steven

JRS: In article <l1********************************@4ax.com>, dated
Mon, 30 Jan 2006 08:22:37 remote, seen in news:comp.infosystems.www.auth
oring.html, Steven <Ph****@Syd.au> posted :

On Sat, 28 Jan 2006 22:51:52 +0000, Dr John Stockton
<jr*@merlyn.demon.co.uk> wrote:

When at my ISP, it has not been accepted by the Internet host that it is
directed to.

When at my ISP, it has not reached the Internet host that it is directed
to.
These points are true but the fact the ISP has not rejected the mail
does indicate that the address is valid.

It does not. It means only that the domain, in my case merlyn.dcu, is
valid. Since the whole of merlyn.dcu is leased by me, the ISP does not
retain the authority to object to particular left-hand parts.
The ISP is an agent and should
only accept mail if it has a user account where the mail can be stored.
If the ISP doesn't have such a account it should reject the attempt to
send the message.
Inapplicable concept here, probably based on familiarity with systems
where the valid E-addresses are agreed between USP & user and POP3 is
the mail protocol from ISP to user.
An ISP has to reject an undeliverable message
Only if the ISP knows it to be undeliverable.
immediately as it can't do
so later. So if it accepts mail it is a pretty good indication that the
address is valid. There are exceptions though. I have two previous
ISPs (accounts now closed) and mail sent to these addresses is accepted
but never delivered to me.
That's another disproof of the flawed assertion "Any that aren't bounced
almost immediately must be real.".

Read carefully, and you will see that I was saying ONLY that the lack of
an immediate bounce does not necessarily mean that the address is valid.

I don't see how you can do an equivalent 'bounce' here. The ISP has
accepted the message and the connection is closed. All you can do is
send a text reply to the advertised sender.

Be aware that my ISP, and the authors of my Internet software, have a
justified reputation for a thorough understanding and a careful
implementation of the RFCs.

My machine, being an Internet host, can in fact act as an ISP to others
(disregarding bandwidth and up-time and terms of my account with my
ISP).

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 MIME ©
Web <URL:http://www.uwasa.fi/~ts/http/tsfaq.html> -> Timo Salmi: Usenet Q&A.
Web <URL:http://www.merlyn.demon.co.uk/news-use.htm> : about usage of News.
No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.

On Mon, 30 Jan 2006 13:28:16 +0000, Dr John Stockton
<jr*@merlyn.demon.co.uk> wrote:

These points are true but the fact the ISP has not rejected the mail
does indicate that the address is valid.
It does not. It means only that the domain, in my case merlyn.dcu, is
valid. Since the whole of merlyn.dcu is leased by me, the ISP does not
retain the authority to object to particular left-hand parts.

Your ISP relationship here sounds different from what I would call
normal. I posted here because of my recent problems with mail being
incorrectly rejected and the reasons seem relevant to this thread but
apparently not your setup.

[snip]
That's another disproof of the flawed assertion "Any that aren't bounced
almost immediately must be real.".

I only said "pretty good indication" . I was going to condition my
initial statement with "seem" but "seem to indicate" sounded very wimpy.

Read carefully, and you will see that I was saying ONLY that the lack of
an immediate bounce does not necessarily mean that the address is valid.

No argument. In fact I presented an instance where a rejection occurred
even though the address was valid. But, generally speaking, I still say
that rejection/acceptance indicates an invalid/valid address.
I don't see how you can do an equivalent 'bounce' here. The ISP has
accepted the message and the connection is closed. All you can do is
send a text reply to the advertised sender.

Be aware that my ISP, and the authors of my Internet software, have a
justified reputation for a thorough understanding and a careful
implementation of the RFCs.

I didn't say you were doing anything wrong.

-- Steven

JRS: In article <78********************************@4ax.com>, dated
Tue, 31 Jan 2006 09:00:08 remote, seen in news:comp.infosystems.www.auth
oring.html, Steven <Ph****@Syd.au> posted :

On Mon, 30 Jan 2006 13:28:16 +0000, Dr John Stockton
<jr*@merlyn.demon.co.uk> wrote:

These points are true but the fact the ISP has not rejected the mail
does indicate that the address is valid.

It does not. It means only that the domain, in my case merlyn.dcu, is
valid. Since the whole of merlyn.dcu is leased by me, the ISP does not
retain the authority to object to particular left-hand parts.

Your ISP relationship here sounds different from what I would call
normal.

Of course. ISTM that I indicated clearly enough that my machine is an
Internet host. It owns (well, leases) the whole of a dotted quad.

Apart from the terms of the lease, my intermittent dialup, and the
modest bandwidth, I could offer you all the services you'd expect of an
ISP, if I were to install suitable software. (Except that
www.merlyn.dcu cannot be effectively implemented on this machine, since
for obvious reasons the ISP handles that itself.)

But you'll notice that some of the "Experts" here don't let the
limitations of their expertise limit their pontifications.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk DOS 3.3, 6.20; Win98. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links.
PAS EXE TXT ZIP via <URL:http://www.merlyn.demon.co.uk/programs/00index.htm>
My DOS <URL:http://www.merlyn.demon.co.uk/batfiles.htm> - also batprogs.htm.

Stephen Poley wrote:
And anyone who puts a spamtrap in their address is not very

likely to buy from spammers anyway, so it probably wouldn't be worth the
effort of cleaning the lists.

'Which' magazine (IIRC) in the UK did a trial where they set up a large
number of addresses and put them into the public domain somehow.

After a period of time they started to reply to all the spam they
received [to a sub-set of the addresses], trying to buy the goods and
services that were offered.

Apart from the porn sellers, they got next to no responses, except for
an incrase in spam to the addresses they had replied to. They concluded
that everything except the porn was little more than an attempt to
validate addresses for resale to other spammers.

Nik