mailing list archives
Re: Mailing lists and unsolicited/malicious spam
From: n3td3v <xploitable () gmail com>
Date: Fri, 26 Nov 2004 16:51:27 +0000
On the note of hiding e-mail addresses:
Yahoo! Groups, a fully featured user group and mailing list has taken
steps to prevent malicious users harvesting new e-mail addresses to
add to spam list databases. They (Yahoo) cut the e-mail address on the
website, so harvesting becomes impossible by only showing the user
side of the e-mail address. Example "n3td3v () ".
On the note of mailing lists and user groups having its own unique
(back-end off list) spam:
I have also noticed Yahoo!s own resident hax0rs, spammers, whatever
you wish to label them as, actually use Yahoo! users to create bot
yahoo accounts (by sending them a carefully crafted url, which relays
via google and queries the malicious webpage, which looks like a
legitimate Yahoo! word verification page) to later broadcast out to
Yahoo! users of Yahoo! Mail and Yahoo! Groups. So, in some instances,
mailing lists and user groups can have its internal scams going on (if
the network is big enough, which yahoo (mail and groups)
We could take Yahoo!s e-mail hiding idea, but take it a step further:
I was thinking, why are all e-mail addresses not encrypted as soon as
they leave the authors mail client, surely this would stop anyone
seeing the address, apart from the mail client at the other end the
message was intended for. And when a user mails a mailing list the
e-mail address could be read by the mailing list software, but stays
encrypted for the broadcast out to the subscribers of the list.
All you need to do to stop spam is have e-mail addresses encrpyted and
only readable by the person they were sent to. perhaps to make it
nicer, leave the user@ side of the e-mail address showing, but encrypt
the @domain side of the e-mail address.
Don't tell me, this has already been thought of and i'm the last to
think of it, oh well nevermind!
This would at least stop the malicious spammers harvesting new
addresses on mailing lists and the third party sites where mailing
list threads are published, example: seclists.org. I'm sure encrpyting
the domain side of e-mail addresses has its pitfalls and flaws. Its
just something I thought about on top of my head, I haven't researched
fully the pro's and con's (at least yet).
n3td3v () h4hfshjkewts
Full-Disclosure - We believe in it.