~sircmpwn/public-inbox

Public visibility of Email Address and Spam

Details
Message ID
<0ade6b63-2195-41d3-bfe2-22bd6a3f6e67@lemondev.xyz>
DKIM signature
missing
Hello Drew,

I was thinking about mailing lists and if they're a viable 
implementation as a comment system for a blog or website and something 
came to mind: Wouldn't the email addresses being displayed in public get 
spammed?

Also does lists.sr.ht allow users to hide their email addresses?

Thanks
Details
Message ID
<169745926046.7.9782538703338530906.196754472@ploum.eu>
In-Reply-To
<0ade6b63-2195-41d3-bfe2-22bd6a3f6e67@lemondev.xyz>
DKIM signature
missing
On 23/10/15 10:55, Ahmed Mazen wrote:
>This email failed anti-phishing checks when it was received by SimpleLogin, be careful with its content.
>More info on https://simplelogin.io/docs/getting-started/anti-phishing/
>
>------------------------------
>Hello Drew,
>
>I was thinking about mailing lists and if they're a viable
>implementation as a comment system for a blog or website and something
>came to mind: Wouldn't the email addresses being displayed in public get
>spammed?

Hello Ahmed and Drew,

I hope I’m not mistaken by answering this "public-inbox" mail. I feel 
that this is one benefit of a "public-inbox" but feel free to tell me 
that this should not be done. 

I stumbled upon this message by exploring what a "public inbox" was and 
thinking about setting my own and felt I had quite some experience to 
add my 0.02€.

I use simplelogin.io (with a custom domain) to create an email alias for 
each single website I use. This allows me to track the origin of spam 
extensively. You are right: most public email addresses end up being 
spammed, sometimes very quickly.

This is the case for:
- every email listed on my own website.
- email used only once on FreeBSD bugzilla
- email which appeared only on my gemini capsule at the time
- email used only once to report a Debian bug (was spammed less than 15 
   days after)
- email used in the changelog of my own software

(a lot more but which is out-of-scope here)

So it looks like it is everywhere, right?

Well, for some strange reason, it is not the case for:

- email associated with git commits, on both github, gitlab and 
   sourcehut
- email used on some openbsd mailing-lists
- email used on sourcehut

To this day, I have no idea if there is something done especially in 
those cases or if it is plain luck.  Personally, I consider that any 
public email will end up, sooner or later, being spammed and in databases.

Spammed doesn’t mean 100 mails a day. It usually means a bunch of 4/5 
emails in a row every week/2 weeks, with some random spam/scam 
in between. This might not seem much until you realize that it is "per 
address" and the spams are not always the same, so they add up. If I had 
used the same address everywhere, I would end up with multiple spams 
every day (yep, I did some statistics).

I’ve also discovered some patterns which seem to indicate addresses 
being added to databases. One of those patterns is an address starting to 
receive spams months (if not years) without receiving anything. Also two 
completely unrelated spammed addresses randomly receiving exactly the 
same content.

The older address I have hasn’t been used for 15 years and has been 
completely disabled (thus replying with "user not found" for more than 5 
years). This address still receives more than 5 spams a day.

The conclusion is without appeal: any public address will, sooner or 
later, be spammed (at least you should consider it that way) and once it 
is public, there’s no way to retract it.

I can live with it myself as I use an alias everywhere and can quickly 
disable it. But this is not the case for everyone, it involves some 
convolutions to post/reply to mailing-lists. And lists such as this one 
expose the mail of everybody.

>
>Also does lists.sr.ht allow users to hide their email addresses?

I remember a discussion about it where Drew said it was not the case. I 
don’t think it has changed (as a sourcehut user myself, I can’t do it). 
But, again, my sourcehut alias is one of the very few public aliases 
which never received any spam. I don’t know what Drew did but, so far, 
it works! Thank you Drew ;-)

Also, hiding mail address would break one core feature of sourcehut 
which is allowing people without a sourcehut account to reply.

>
>Thanks
>

-- 
Ploum - Lionel Dricot
Blog: https://www.ploum.net
Livres: https://ploum.net/livres.html
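
The per-site alias bookkeeping and the two patterns described in the message above (a long-quiet address that suddenly receives spam, and unrelated addresses receiving identical content) can be checked mechanically over a spam folder. This is an added example, not part of the original thread; the alias names, dates, messages and the 180-day dormancy threshold are constructed assumptions.

```python
import email
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample data: alias -> (where it was published, last legitimate use).
ALIASES = {
    "bugzilla@alias.example": ("bug tracker", datetime(2021, 3, 1, tzinfo=timezone.utc)),
    "capsule@alias.example": ("gemini capsule", datetime(2023, 9, 20, tzinfo=timezone.utc)),
}

# Constructed spam-folder messages (raw RFC 5322 text).
SPAM = [
    "To: bugzilla@alias.example\nDate: Mon, 02 Oct 2023 08:00:00 +0000\nSubject: Offer\n\nBuy  bulk furniture NOW\n",
    "To: capsule@alias.example\nDate: Tue, 03 Oct 2023 09:00:00 +0000\nSubject: Hi\n\nbuy bulk furniture now\n",
    "To: capsule@alias.example\nDate: Wed, 04 Oct 2023 09:00:00 +0000\nSubject: Prize\n\nYou won a prize\n",
]

def fingerprint(body):
    """Hash the body after lowercasing and collapsing whitespace."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

def analyse(raw_messages, aliases, dormant=timedelta(days=180)):
    per_alias = defaultdict(list)   # alias -> dates of spam received
    by_content = defaultdict(set)   # body fingerprint -> aliases that received it
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        alias = parseaddr(msg["To"])[1].lower()
        if alias not in aliases:
            continue  # not one of our tracked aliases
        per_alias[alias].append(parsedate_to_datetime(msg["Date"]))
        by_content[fingerprint(msg.get_payload())].add(alias)
    report = {}
    for alias, dates in per_alias.items():
        site, last_used = aliases[alias]
        report[alias] = {
            "site": site,
            "spam_count": len(dates),
            # Pattern 1: first spam arrives long after the alias went quiet.
            "dormant_then_spammed": min(dates) - last_used >= dormant,
        }
    # Pattern 2: the same normalized content delivered to different aliases.
    shared = [sorted(a) for a in by_content.values() if len(a) > 1]
    return report, shared
```
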
Details
Message ID
<CWA5LKW0MWCE.2LJJZ2UBWANAZ@sylphrena.radiant.pixelhero.dev>
In-Reply-To
<169745926046.7.9782538703338530906.196754472@ploum.eu>
DKIM signature
missing
My email is publicly visible on multiple sites
(including my own), and I've received one singular spam message to the
account _ever_, in the nearly two years I've used it.

It could just be that Migadu's spam filters are unusually good, but I
have it configured to filter to the spam folder, which has exactly zero
spam entries in it right now.

That said, I've heard from others that they _did_ end up having to hide
their email on their own site to reduce spam, and that doing so
noticeably reduced the rate at which they received it.

I'm just confused why I never get any, to be honest. I don't think I'm
doing anything _too_ unusual?

Figured I'd contribute my experience to the conversation, since it seems
to deviate noticeably from the norm :)

- Noam Preil
Details
Message ID
<B270A55C-3FCD-4498-B7EE-A19C0B757096@smlavine.com>
In-Reply-To
<CWA5LKW0MWCE.2LJJZ2UBWANAZ@sylphrena.radiant.pixelhero.dev>
DKIM signature
missing
I occasionally get spam to my (self-hosted and
publicly available) email address, but only from
those purporting to be Chinese factory
salespeople that want to sell me furniture in
bulk.

So I think it's just the luck of the draw.
-- 
Sebastian LaVine | https://smlavine.com
Details
Message ID
<48efff5d-b5c4-47ac-9b78-62eb11d64f40@lemondev.xyz>
In-Reply-To
<CWA5LKW0MWCE.2LJJZ2UBWANAZ@sylphrena.radiant.pixelhero.dev>
DKIM signature
missing
Hey All,

Thanks for your replies. It seems displaying public email wouldn't 
attract as much spam as I thought.

What about spam to the mailing list instead? Derailing the conversation 
through flooding the mailing list or flooding the current topic. And I 
don't mean with slurs or obvious spam text but AI generated text.

I was thinking that with _insert big social media company here_, they 
would have this problem solved as the barrier to entry is an account 
that's verified with a phone number (which are typically unique). Bad for 
privacy, bad for usability, good for ensuring no spam.

I like the ability to contribute to a conversation without an account to 
the platform. But I wonder whether or not it is viable for a discussion 
platform.

I also wonder if this is an issue worth considering since, after all, 
premature optimization is the root of all evil.

Would really love input on this. Thanks.
Details
Message ID
<169771004922.7.5620123142275252424.198308164@ploum.eu>
In-Reply-To
<48efff5d-b5c4-47ac-9b78-62eb11d64f40@lemondev.xyz>
DKIM signature
missing
On 23/10/19 01:47, Ahmed Mazen wrote:
>Hey All,
>
>Thanks for your replies. It seems displaying public email wouldn't
>attract as much spam as I thought.

Well, it happened this morning for the first time. Two spam in a row to 
my sourcehut email address. Both using "~lioploum" as the recipient 
name, something I don’t use anywhere but on sourcehut (I’m usually ploum 
but it was already used on sourcehut).


So, as I said, it was just a matter of time. I can consider this address 
as compromised.
>
>What about spam to the mailing list instead? Derailing the conversation
>through flooding the mailing list or flooding the current topic. And I
>don't mean with slurs or obvious spam text but AI generated text.
>
>I was thinking that with _insert big social media company here_, they
>would have this problem solved as the barrier to entry is an account
>that's verified with a phone number(which are typically unique). Bad for
>privacy, bad for usability, good for ensuring no spam.
>
>I like the ability to contribute to a conversation without an account to
>the platform. But I wonder whether or not it is viable for a discussion
>platform.
>
>I also wonder if this is an issue worth considering since, after all,
>premature optimization is the root of all evil.

Drew may have data but, so far, I haven’t seen any spam on any sourcehut 
list. I think it helps that, by default, HTML emails are blocked on 
sourcehut ;-)
>
>Would really love input on this. Thanks.
>

-- 
Ploum - Lionel Dricot
Blog: https://www.ploum.net
Livres: https://ploum.net/livres.html
Details
Message ID
<d029dd23-5f8d-46a2-bb36-6afacf076748@lemondev.xyz>
In-Reply-To
<169771004922.7.5620123142275252424.198308164@ploum.eu>
DKIM signature
missing
On 10/19/23 18:07, Ploum wrote:
>
> Drew may have data but, so far, I haven’t seen any spam on any sourcehut
> list. I think it helps that, by default, HTML emails are blocked on
> sourcehut ;-)

I was thinking about LLM generated text. That is, text that looks like 
it was made by humans but was generated by a computer but looks 
convincing enough to fool people.

The sinister part of it is that as mailing lists become popular, some 
people might use LLMs to derail conversations or simply spread 
misinformation. On Twitter, you could search for ChatGPT's "There Was an 
Error Generating a Response" and you could find thousands if not 
hundreds of thousands of tweets with that text indicating that there are 
Twitter accounts that are completely AI generated.

In the older mailing lists, the technology wasn't as developed as it is 
now. Now that it is developed, the amount of spam that can be sent to a 
server is profound because it is harder to detect.