On Fri, 10 Oct 2003, Pete Turnbull wrote:
On Oct 9, 22:16, Tothwolf wrote:
Or...maybe replacing the From: email address in the archive emails
with the list email address hasn't worked as well as folks thought it
might?
Ah, does that mean I'm not the only person who doesn't like that? It
just looks wrong to me, putting some other address against my name, and
I'm sure that's part of the cause of so many non-subscriber replies
being sent to the list (I'm sure most are meant to go to the original
poster).
I didn't care for it from the start, but I didn't mention it on-list
because it was only supposed to be temporary. It seems like *tons* of
emails that are meant to go to someone privately are ending up on the list
because of the addresses being changed, which IMHO is a really bad
thing...I don't know of any other email lists that are doing this,
probably because of the type of problems we are having with it here.
The intent was to prevent address harvesting, but I'd prefer my address
was just obfuscated in some way (maybe split up). Wasn't the
address-replacing meant to be temporary, until a better way was found to
obfuscate the sender address? Actually, I don't care if it's not even
obfuscated, but I know others do.
There are tons of ways to defeat harvesters. Some options include:
* Obfuscate the address somehow. Two common methods are removing/
modifying non-alphanumeric characters ('@', '.', etc), and/or using HTML
'&' escape sequences to create the address (not 100% reliable, but
defeats a large number of harvesters).
* Present a different (or no) From: email address depending on whether or
not the person accessing the archive has authenticated themselves.
* Create an MD5 hash of the email address and link it to a CGI script that
resolves the hash into a real address via a database once some sort of
authentication is done.
* Replace the email address with an image and link it and/or the name of
the sender to a CGI script that can authenticate the person, which once
done will display the original email address and/or message in its
original form.
Two fairly simple ways of authenticating the person are:
* Authenticate the person with their mailman email address/password.
* Ask the user to type in some disfigured text that is rendered in an
image (to defeat OCR software).
Both of these authentication types could be implemented, with the first
having an option to store a long term cookie so the subscriber does not
have to constantly re-enter their password. The second method could simply
redirect the person to a generated URL that will expire after a set amount
of time.
Of course...maybe wpoison should be linked in somehow too? ;)
...And what is up with the new list software changing the To: address?
"General Discussion: On-Topic and Off-Topic Posts"
-Toth