Re: Security


From: John Stanley (stanley@peak.org)
Date: Wed Mar 14 2001 - 18:00:10 CST


On Wed, 14 Mar 2001, Kent Landfield wrote:

> stanley@peak.org writes:
> # Russ wrote:
> # >I'm confused by this paragraph. I think I disagree with what it's saying
> # >both coming and going. Using .invalid and a munged address *does*
> # >effectively prevent automated harvesting of the addresses, and not using
> # >".invalid" seems unlikely to be evidence of *malicious* intent
> # >necessarily.
> #
> # It does not prevent harvesting, it prevents spam from appearing in the
> # poster's mailbox. It also consumes the spammer's disk and time. This is a
> # win-win for everyone of any significance.
>
> I find this whole thing silly. How dumb do you think the authors of
> harvesting software are?

I think some of them are exceedingly dumb. When they harvest message IDs
and spam them, I think they are lacking a lot.

> So now we are going to document a means that they can code
> to in order to harvest the names.

We are? Which document will that be? Or do you mean "harvest" in the pure
sense that they can simply extract the email addresses from the From:
header? Well, yes, RFC1036 already tells them how to code that. But I've
seen nothing that tells someone how to convert an invalid address marked
by .invalid into something useful.

> I have always found the argument that
> it prevents spam a bit confused. Harvesting and reselling email addresses
> is a business that the slimy elements participate in. They have automated
> tools that spider and harvest email addresses. This is an automated process,
> not one done by hand.

Yes. That's why munging, properly done, prevents spam. Nobody is looking
at the addresses so they can't trivially decode them, or decode them based
on instructions in the body at all. When the spammer sends the spam off to
that address, it hits a DNS lookup failure at the first lookup. I.e., that
bit of spam is bounced -- it does not go to the intended recipient. That's
preventing spam.

> If you added invalid to get kent@landfield.com.invalid

Why in God's name would you do that? Is kent@landfield.com an invalid
address that should have .invalid added to the end? Is kent@landfield.com
munged? I thought it was your real address.

> the only thing you are really accomplishing is that you are stopping the
> readership from being able to reply to a poster directly.

That's why you wouldn't do it.

But that brings up an interesting point. Who is going to get the blame
when someone uses the .invalid flag to mark an address as invalid, and the
spammers start using the "remove the .invalid flag" trick? (I could
legally post as kent@landfied.com.invalid, because the address sans
.invalid is one that I am not authorized to use -- and adding .invalid
makes it conformant.) Someone posting as kent@landfield.com.invalid will
cause kent@landfield.com to get spam. Kent@landfield.com will blame the
poster for forging an address in his domain even though he didn't.

What we are setting up is a system where the blame for spam is pointed at
people who DO follow the standard. Is kent@landfield.com going to care
that the poster clearly and unambiguously marked the address as invalid
according to news standards when kent is getting spammed because of it?
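
Added example, not part of the original message: a posting-side lint for the failure mode described above, where ".invalid" is appended to something that still looks like a real domain. The function name, the category names and the "two or more labels" heuristic are assumptions made for this sketch; the sample addresses are the ones used in the thread plus a constructed one under example.invalid.

```python
from email.utils import parseaddr

# ".invalid" is a TLD reserved by RFC 2606; it never resolves in the public DNS.
RESERVED_TLD = "invalid"


def classify_munge(from_header: str) -> str:
    """Classify a From: header value as 'malformed', 'unmarked',
    'reversible' or 'safe' (category names are this example's own)."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return "malformed"

    labels = domain.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return "malformed"          # empty label, e.g. "a..invalid"

    if labels[-1] != RESERVED_TLD:
        return "unmarked"           # not marked invalid at all

    remainder = labels[:-1]
    # Heuristic (assumption): if two or more labels remain once the
    # reserved TLD is dropped (landfield.com), the remainder looks like
    # a deliverable domain, so the marker alone is all that separates
    # this address from somebody's possible mailbox.
    if len(remainder) >= 2:
        return "reversible"
    return "safe"                   # e.g. nobody@example.invalid


if __name__ == "__main__":
    for sample in ("kent@landfield.com.invalid",
                   "Kent <kent@landfield.com>",
                   "nobody@example.invalid"):   # constructed sample
        print(f"{sample:32} {classify_munge(sample)}")
```

A news client could run this check before posting and warn on "reversible", since that is the case where a third party ends up receiving the mail.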




This archive was generated by hypermail 2b29.