Posting to newsgoups

[steve]

They are sent to you. You just don't get to see them or download them.
The bandwidth is still being used for them to get to your server's inbox.

Yes, I know how it works but I'm a NIMBY

I should point out that my job before I retired was on a team
implementing a completely new TCP/IP so I got to know a bit about it.
The job before that was on messaging and SMS. That included traffic
monitoring.

Spam messages should be stopped at as near to source as possible. In
my case that's my ISP not my client application. I'm quite happy to
let them delete spam in my inbox. I trust them and so I'm not
interested in seeing the details of what they are removing. I did
check for two months and never had any problems.

As a matter of interest I used to have a look at my inbox by
connecting directly. The retention is set to 30 days so I got a good
view of the volume of retained messages.

The last time I looked my retained spam had dropped from about 300 a
day to about 100 a day so my ISP is helping to stop spam without my
need to change the methods I have used for ten years.

Perhaps I'll have another quick look around to see what is happening
now.


Steve Wolstenholme Neural Planner Software

 

[Julian]

Totally impractical. My main address has existed for years and is
already on many spam lists. There is no point in changing it now. My
customers would be inconvenienced by having to edit my addresses or
fill in web forms. I don't edit addresses so why should I expect my
customers to? I hate filling in forms.

I agree, it's not much point shutting the stable door after the horse
has bolted. Fortunately, I've always used generic names like sales,
support and webmaster for my business, and spammers seem to avoid them
(although they don't appear in plain html anywhere on my web pages
anyway.) But I've ditched two previous personal email addresses because
of it.

I've programmed my mail server to wait a nice long time before rejecting
mail to the now-invalid addresses. At least it slows the buggers down a
bit...

 

[GSV Three Minds in a Can]

This is Syncme for forever:

I found that I needed to do this, because: once, when I used to read
another newsgroup, there was an user that replied both to the newsgroup
and to my e-mail.

Outhouse Express makes it too easy to do that. Usenet and Email should
be kept at arm's length. 8>.

 

[Duh_OZ]

Most of my posts are VIA Google so the e-mail isn't munged. AOL, for
all its faults, does a good job at filtering malware. I can't even
remember the last time I received malware VIA AOL.

On the other hand, I was able to get a "coveted" A e-mail address from
one of the many free services out there and before even sending out an
e-mail I had already started receiving bounced malware messages. The
price to pay for a short e-mail address I guess. Almost all the
bounced e-mails are Netsky's of course.

 

[Rick]

So you're saying that the bandwidth problem should be blamed on the
recipient of spam? That it is their fault that the spammers are
pouring out crap to every email address they can find?

[Rant deleted]

<<chuckle>>

You call the snipped portion of that posting a "rant"? We must have
different definitions of what "rant" means. <<smile>>

I notice you didn't asnwer my question about whether you also thought that
all real email addresses should be removed from web pages as well. After
all, if you're seriously proposing that all valid email addresses should be
removed from Usenet since they are available for harvesting, doesn't the
very same logic apply to web pages? Especially when you consider just how
small a percentage of internet users actually use Usenet these days, versus
the sheer number of email addresses on web sites out there.

I'm not blaming anyone. I'm just suggesting that it wastes less
resources by not putting valid email addresses where they can be
harvested, and using an obviously invalid one where you have to put
something. Using a valid address where there's no need is plain
stupid, because you *know* it's going to generate more spam. There are
all kinds of other ways to let people who read newsgroup posts know
how to contact you if you want them to. The fact that you have
software that can save *you* from dealing with the flood of spam
doesn't justify it.

So anyone using their real email address on usenet is stupid? I won't try
to assess my own intelligence level since that would obviously be somewhat
biased, but I've noted a number of other people who use their real email
address and whom I consider to be far from "stupid". Perhaps we move in
different circles?

If you wish to jump through hoops and make anyone trying to get in touch
with you jump through hoops, then go for it! Personally, I prefer my
method.

 

[Julian]

I notice you didn't asnwer my question about whether you also thought that
all real email addresses should be removed from web pages as well.

Yes they should be removed in clear text. It isn't rocket science to use
java or some other method to present a mailto link in a way that a robot
can't harvest. Otherwise use generic addresses like sales, support and
webmaster that spammers seeem to steer clear of.

So anyone using their real email address on usenet is stupid?

Okay, stupid is putting it a bit strongly, but why add to the problem
when simple methods let you avoid doing so?

If you wish to jump through hoops and make anyone trying to get in touch
with you jump through hoops, then go for it!

I don't particularly want, or expect, anyone to contact me by email as a
result of usenet postings, but if anyone has a burning need to, there's
a web URL in my sig and a contact form on the web site. That provides a
spam-free way for web visitors get in contact with me too (and as an
extra benefit avoids the possibility of a spam filter sidelining their
message.)

 

[Rick]

Yes they should be removed in clear text. It isn't rocket science to
use java or some other method to present a mailto link in a way that a
robot can't harvest. Otherwise use generic addresses like sales,
support and webmaster that spammers seeem to steer clear of.

For large businesses with an IT department who maintain an ongoing
capability for updating their sites, I'd agree. But there are also
literally millions of small businesses and individuals who have web sites
but do not have the luxury of an IT department, the knowledge to implement
what you are describing, or even the ability to do something like that in
some cases. For them, what you are suggesting is an entirely different
proposition which will cost them money, if they can do it at all.

By the way, I monitor several support/webmaster addresses for some of my
clients and I can assure you that they are NOT ignored by spammers.

Okay, stupid is putting it a bit strongly, but why add to the problem
when simple methods let you avoid doing so?

But then your simple methods end up being not so simple when implemented
on a wide-scale basis. Remember when munging first became popular? Lots of
people started using something like "rsimon at cris.com" and some of the
harvesters became smart enough to translate them? If everyone starts
munging their email address, how long do you think it will be before the
bots start trying to parse the most commonly used methods? What then? Keep
changing the munging method as the spammers adapt? It would then start
resembling the virus/antivirus model. An action/reaction loop, ad
infinitum.

And then there is the entire question of how you get this across to
newbies. Do you just leave them to fend for themselves? After all, they're
the ones who are most likely to click on something stupid and get infected
in the first place. They then become yet another conduit the spammers will
use to pump their junk out to everyone.

I don't particularly want, or expect, anyone to contact me by email as
a result of usenet postings, but if anyone has a burning need to,
there's a web URL in my sig and a contact form on the web site. That
provides a spam-free way for web visitors get in contact with me too
(and as an extra benefit avoids the possibility of a spam filter
sidelining their message.)

Herein lies the rub. I understand where you're coming from but I disagree
with your premise. You are basically offering three different ways to help
reduce the amount of spam being generated. One is to mung the address which
(IMHO) has several problems with it. A second is not to use an email
address at all which may work for you but I see that as a big step
backwards. The third option is the one you use by offering a web site
address. Besides adding in unnecessary steps to go through, it is also an
approach that many people simply do not have available to them.

Above and beyond that, I question just how much "bandwidth wastage" any of
your approaches will realistically remove. Usenet users are a relatively
small subset of the entire internet population to begin with. Your premise
is that if the spammers don't have those addresses to send to, then they
will send fewer junk emails. From what little I have read and seen, the
primary restriction on spammers outgoing traffic is always bandwidth
limitations and not the number of addresses they have to send to. If they
have fewer addresses, any bandwidth they would have saved is simply taken
up by pumping out more copies of the same spam, or entirely different spam
messages to those addresses that they do have.

To make a real dent in "wasted bandwidth" you have to affect spammers at
their source, not at their reception points. While we, as recipients, are
primarily concerned with what we see in our inboxes, there is little that
we as individuals can do to limit the overall problem. ISP's on the other
hand, can have a big impact. When Comcast shut down outgoing port 25
traffic a couple months ago, they cut the amount of spam generated from
their network by ~35%. That one act reduced the "wasted bandwidth" of
spammers by far more than any munging of email addresses by Usenet users
would do (IMHO).

 

[Conor]

I noticed there are several people here posting with valid email addresses.
As far as I knew this was bad practice however, some seem to be from
people who are offering good/valuable advice.
Has this changed in anyway or are they using some means of avoiding
spambots picking up the addresses that I'm not aware of.

Many people use a GMail, Hotmail or other such throwaway webmail
account with spam filtering for an address on Usenet whilst keeping
their main account seperate.

 

[Julian]

For large businesses with an IT department who maintain an ongoing
capability for updating their sites, I'd agree. But there are also
literally millions of small businesses and individuals who have web sites
but do not have the luxury of an IT department, the knowledge to implement
what you are describing, or even the ability to do something like that in
some cases.

Oh come on. I'm no web guru nor Javascript wizard. But there are dozens
of websites that tell you how to avoid putting email addresses in the
clear, and supply little scripts to help do it.

By the way, I monitor several support/webmaster addresses for some of my
clients and I can assure you that they are NOT ignored by spammers.
<<smile>>

Interesting. I try to protect these addresses on my site as I would any
other, but some software listing sites aren't very clever and put
contact addresses in the clear, and I haven't noticed any spam going to
them.

But then your simple methods end up being not so simple when implemented
on a wide-scale basis. Remember when munging first became popular? Lots of
people started using something like "rsimon at cris.com" and some of the
harvesters became smart enough to translate them? If everyone starts
munging their email address, how long do you think it will be before the
bots start trying to parse the most commonly used methods?

I'm not sure they are going to, otherwise they would already. When I
accessed usenet through Google I used an address at my domain with
"nospam" in the domain. I only ever noticed one attempt to send mail to
my server using that address, and that may have been someone trying to
email me.

And then there is the entire question of how you get this across to
newbies. Do you just leave them to fend for themselves?

It's one of those things you learn, usually *after* it starts becoming a
problem, like the need for good virus protection.

Above and beyond that, I question just how much "bandwidth wastage" any of
your approaches will realistically remove.

To make a real dent in "wasted bandwidth" you have to affect spammers at
their source, not at their reception points.

Well, this is where I think address munging is a good method (I've used
it a long time, and only don't because individual.net doesn't like it.)
If you use an invalid address then it gets rejected by the server at the
RCPT TO stage, no data gets sent (saving bandwidth) and no software at
the receiving end has to determine if it's spam or not (saving other
resources.) If the software the spammers used wasn't written by clueless
morons, it could even determine from this that the address is dead, and
delete it from the list so that time isn't wasted trying to send still
more garbage to it, but sadly I don't see any sign of that happening.

I realise what I'm suggesting isn't going to wipe out spam, but at least
it isn't helping to generate more of it. And in particular, it isn't
causing more spam to arrive in *my* mailbox, using up my bandwidth,
which I pay for.

 

[Rick]

Oh come on. I'm no web guru nor Javascript wizard. But there are
dozens of websites that tell you how to avoid putting email addresses
in the clear, and supply little scripts to help do it.

<<chuckle>>

The timing for our conversation couldn't have been better! <<smile>> As it
happens, I just got back to my office from a visit with a small business in
the next county. They just hired me to completely overhaul their existing
web site that they've had up and running for around 4 years now. It seems
that their "web person" quit on them over a year ago and they haven't the
faintest clue on how to modify the plain text on their existing web site,
much less add in any scripting. Nor are they the only such case that I know
of.

Sometimes it's easy for us to forget just how much more we know about
computers than the vast majority of people out there. Heck, if it weren't
for Google Groups, the vast majority of "web surfers" out there wouldn't
even be able to access Usenet unless someone else configured their news
client for them. I agree that it is relatively easy for many of the people
in here to make it more difficult (but not necessarily impossible) to
harvest email addresses from web pages. But we are not the average computer
user. I don't say this to inflate anyone's ego (most especially mine since

It's one of those things you learn, usually *after* it starts becoming
a problem, like the need for good virus protection.

Unfortunately, by then that email address is already listed on multiple
spam lists and your approach will be basically useless for preventing spam
to it. Their only option is to then create a new address and implement your
procedure at that point in time.

resources.) If the software the spammers used wasn't written by
clueless morons, it could even determine from this that the address is
dead, and delete it from the list so that time isn't wasted trying to
send still more garbage to it, but sadly I don't see any sign of that
happening.

I don't think it's because they're clueless, per se. I think it has more
to do with the fact that they simply don't care. They're using others
people's resources anyway and aren't paying for it. If they run short of
resources, they'll just expand their botnet by a few more machines and
press on.

I realise what I'm suggesting isn't going to wipe out spam, but at
least it isn't helping to generate more of it. And in particular, it
isn't causing more spam to arrive in *my* mailbox, using up my
bandwidth, which I pay for.

Well, I don't necessarily agree with you but I think we've probably both
aired out our opinions on this matter. I'll shut up and go back to lurk
mode now. <<smile>>

 

[David W. Hodgins]

Well, this is where I think address munging is a good method (I've used
it a long time, and only don't because individual.net doesn't like it.)

I'm posting through individual.net. I set up nomail.afraid.org specifically for use
in usenet. The name resolves to 127.0.0.127 If a spammer tries to send to
it, they'll be trying to send to their own computer.

From http://news.individual.net/faq.html#5.3

| 5.3 May I mangle my "From:" header address so that I do not get SPAM?
| We recommend creating a special e-mail address for use with Usenet articles only
| and protecting it with suitable filtering rules. This way your regular mailbox will stay
| untroubled, but you can still receive mail responses to your Usenet articles.
|
| Another option is using the Top Level Domain ".invalid" (see RFC 2606). The Top Level
| Domain ".invalid" is intended for construction of obviously invalid addresses like
| "(e-mail address removed)". Such addresses do not disturb and pollute regular name space
| and can easily be identified as invalid by both humans and machines.

Regards, Dave Hodgins