On the protection of emails in the archives

On the protection of emails in the archives

[Guillaume MULLER]

[-- Attachment #1.1: Type: text/plain, Size: 1027 bytes --]

Hi all,

I recently sent an email on this mailing list (see https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/ )

Since then, I'm receiving spams on the email address I used to send the message.

After some research, it seems that this email address only appears on 2 websites, notably this orgmode.org mailing list archive.

Would it be possible to configure the archive to obfuscate / hide the email addresses inorder to protect its users?

According to what I understand, this list uses the "GNU mailman" software, which in turn uses "Pipermail" for the archive. From what I read in the docs (https://www.gnu.org/software/mailman/mailman-member/node40.html ), the default configuration should be that the email addresses are protected : "The HTML archives which are created by Pipermail (the archiving program which comes default with Mailman) contain only obscured addresses.". So is there a particular reason why this option has been disabled?

Thanks for your feedback

GM


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

Re: On the protection of emails in the archives

[Russell Adams]

Guillaume

On Thu, Apr 08, 2021 at 10:29:00AM +0200, Guillaume MULLER wrote:
> Hi all,
>
> I recently sent an email on this mailing list (see https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/ )

Yes you did, and the official archive is here where the list is hosted.

https://lists.gnu.org/archive/html/emacs-orgmode/2021-04/msg00184.html

> Since then, I'm receiving spams on the email address I used to send the message.

Welcome to the tragedy of the commons known as the Internet.

> Would it be possible to configure the archive to obfuscate / hide the email addresses inorder to protect its users?

We do. The GNU mailing list archive that hosts the mailing list does.

I can't say regarding the other. Maybe someone else can check it.




------------------------------------------------------------------
Russell Adams                            RLAdams@AdamsInfoServ.com

PGP Key ID:     0x1160DCB3           http://www.adamsinfoserv.com/

Fingerprint:    1723 D8CA 4280 1EC9 557F  66E8 1154 E018 1160 DCB3

Re: On the protection of emails in the archives

[Daniele Nicolodi]

On 08/04/2021 10:29, Guillaume MULLER wrote:
> Hi all,
> 
> I recently sent an email on this mailing list (see https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/ )
> 
> Since then, I'm receiving spams on the email address I used to send the message.
> 
> After some research, it seems that this email address only appears on 2 websites, notably this orgmode.org mailing list archive.

A Google search demonstrates otherwise.

> Would it be possible to configure the archive to obfuscate / hide the email addresses inorder to protect its users?

In this time and age, it is not an useful anti-spam measure. It is much
more likely that your email address is harvested from the address book
or the received emails of someone that has their email account
compromised because of a weak password (or, in this case, from any other
website that publishes it).

Cheers,
Dan

Re: On the protection of emails in the archives

[Kyle Meyer]

Guillaume MULLER writes:

> Hi all,
>
> I recently sent an email on this mailing list (see
> https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/
> )
>
> Since then, I'm receiving spams on the email address I used to send
> the message.
>
> After some research, it seems that this email address only appears on
> 2 websites, notably this orgmode.org mailing list archive.

Your email address can also be harvested from the lists.gnu.org
archives.  Inspect the output of

  $ curl -fSsL https://lists.gnu.org/archive/html/emacs-orgmode/2020-07/msg00125.html
  $ curl -fSsL https://lists.gnu.org/archive/mbox/emacs-orgmode/2020-07

> Would it be possible to configure the archive to obfuscate / hide the
> email addresses inorder to protect its users?

<https://orgmode.org/list> and its upstream source
<https://yhetil.org/orgmode> are public-inbox
(<https://public-inbox.org/>) archives.  There's an option (disabled by
default) to configure address obfuscation.  However, in my view email
obfuscation is giving you a false sense of security.  Ignoring other
ways spammers get your address, you're posting to a public space, and
your address can be harvested (and, as shown above, not just from these
public-inbox archives).

And this isn't something specific to Org mode's archives.  Just as some
examples, take a look at <https://lore.kernel.org/git/>,
<https://issues.guix.gnu.org/>,
<https://lists.sr.ht/~sircmpwn/sr.ht-discuss/>, or
<https://lists.gnu.org/archive/html/emacs-devel/2021-04/msg00285.html>.

Anyway, that being said and despite my opinion on this, I'm considering
turning on obfuscation at <https://orgmode.org/list> and
<https://yhetil.org/orgmode>.  There's at least one issue that'd need to
be fixed before doing so though:
<https://public-inbox.org/meta/87a6q8p5qa.fsf@kyleam.com/>.

Re: On the protection of emails in the archives

[Tim Cross]

Kyle Meyer <kyle@kyleam.com> writes:

> Guillaume MULLER writes:
>
>> Hi all,
>>
>> I recently sent an email on this mailing list (see
>> https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/
>> )
>>
>> Since then, I'm receiving spams on the email address I used to send
>> the message.
>>
>> After some research, it seems that this email address only appears on
>> 2 websites, notably this orgmode.org mailing list archive.
>
> Your email address can also be harvested from the lists.gnu.org
> archives.  Inspect the output of
>
>   $ curl -fSsL https://lists.gnu.org/archive/html/emacs-orgmode/2020-07/msg00125.html
>   $ curl -fSsL https://lists.gnu.org/archive/mbox/emacs-orgmode/2020-07
>
>> Would it be possible to configure the archive to obfuscate / hide the
>> email addresses inorder to protect its users?
>
> <https://orgmode.org/list> and its upstream source
> <https://yhetil.org/orgmode> are public-inbox
> (<https://public-inbox.org/>) archives.  There's an option (disabled by
> default) to configure address obfuscation.  However, in my view email
> obfuscation is giving you a false sense of security.  Ignoring other
> ways spammers get your address, you're posting to a public space, and
> your address can be harvested (and, as shown above, not just from these
> public-inbox archives).
>
> And this isn't something specific to Org mode's archives.  Just as some
> examples, take a look at <https://lore.kernel.org/git/>,
> <https://issues.guix.gnu.org/>,
> <https://lists.sr.ht/~sircmpwn/sr.ht-discuss/>, or
> <https://lists.gnu.org/archive/html/emacs-devel/2021-04/msg00285.html>.
>
> Anyway, that being said and despite my opinion on this, I'm considering
> turning on obfuscation at <https://orgmode.org/list> and
> <https://yhetil.org/orgmode>.  There's at least one issue that'd need to
> be fixed before doing so though:
> <https://public-inbox.org/meta/87a6q8p5qa.fsf@kyleam.com/>.

I totally agree. I have no issue if 'hiding' email addresses can be done
and has no other unfortunate side effects, but I don't believe it
actually achieves much, so don't care if the default is not changed.

I think you have to accept that the email address you use in public mail
lists is going to be harvested and as others have mentioned, a lot of
email harvesting occurs when someone who has your address in their
address book has their system compromised.

The only sane action is good spam filtering. While I know a lot of
people complain about the Google gmail spam filtering, for me it is
remarkably accurate. It is unusual for me to see even a couple of spam
messages in my inbox every few months. My spam/junk box usually gets
around 10-15 messages a day and occasional messages flagged as spam
which are not (usually because the sender's mail server isn't doing SPF
or any of the other spam prevention headers correctly). Takes me about 1
minute to scan and 'delete forever' each day, so no big problem.  
-- 
Tim Cross

Re: On the protection of emails in the archives

[Jean Louis]

* Tim Cross <theophilusx@gmail.com> [2021-04-09 10:06]:
> The only sane action is good spam filtering. While I know a lot of
> people complain about the Google gmail spam filtering, for me it is
> remarkably accurate.

Maybe, but then you may also receive email mostly form public
providers. My experience from stories of recipients tells me Google is
not accurate, many genuine emails are missed.

Nobody should use Google for emails. Why trust some 100,000 staff
members with personal information?


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://rms-support-letter.github.io/

Re: On the protection of emails in the archives

[Tim Cross]

Jean Louis <bugs@gnu.support> writes:

> Nobody should use Google for emails. Why trust some 100,000 staff
> members with personal information?

Please do not tell me what I should or shold not do. I am an adult 
and am perfectly capable of making up my own mind thank you. 
-- 
Tim Cross

Re: On the protection of emails in the archives

[Jean Louis]

Sorry Tim. While that is my opinion, it is not meant to be taken
personally, I am corresponding with many people with Google account,
that is really nothing personal.

My opinion is for safety of users and awareness, though. Would you
stubmle upon similar opinions on websites, it would not be taken that
way. I did not mean to.

Examples of privacy nightmare:
https://medium.com/digitalprivacywise/why-you-should-stop-using-google-chrome-6c934c9a827c

Example of surveillannce:
https://en.wikipedia.org/wiki/PRISM_(surveillance_program)


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://rms-support-letter.github.io/

Re: On the protection of emails in the archives

[Tim Cross]

Jean Louis <bugs@gnu.support> writes:

> Sorry Tim. While that is my opinion, it is not meant to be taken
> personally, I am corresponding with many people with Google account,
> that is really nothing personal.
>

Your statement was personal and if that was not your intent, then think
before you post and ensure what you write is what you mean. 

> My opinion is for safety of users and awareness, though. Would you
> stubmle upon similar opinions on websites, it would not be taken that
> way. I did not mean to.
>

Completely irrelevant. I did not join the org list to be lectured by you
on privacy or your Google paranoia. I'm sure you can find a more
appropriate outlet for such opinions. 


> Examples of privacy nightmare:
> https://medium.com/digitalprivacywise/why-you-should-stop-using-google-chrome-6c934c9a827c
>
> Example of surveillannce:
> https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

I'm not at all interested in your opinion on Google. This is an org mail
list. If it does not relate to org or the list, I don't think it belongs
here. 

-- 
Tim Cross

Re: On the protection of emails in the archives

[Jean Louis]

* Guillaume MULLER <guillaume.muller@univ-st-etienne.fr> [2021-04-08 11:30]:
> Hi all,
> 
> I recently sent an email on this mailing list (see https://orgmode.org/list/b1e778c5-acbf-8a17-c9bf-dcb6693e9845@univ-st-etienne.fr/ )
> 
> Since then, I'm receiving spams on the email address I used to send the message.
> 
> After some research, it seems that this email address only appears on 2 websites, notably this orgmode.org mailing list archive.
> 
> Would it be possible to configure the archive to obfuscate / hide
> the email addresses inorder to protect its users?

While your assumption is that you are getting spam because your email
is published on those websites, this does not say it is true cause of
you getting spam.

It is enough that you give your email address to anybody, like a
friend or associate, and you can start getting spam.

Mailing list archives do not obfuscate email addresses, and in
automated data harvesting that is easily solved.

Please note, it is more important for people to communicate and be
able to reach each other than taking care of individual spam
problems.

My side spam is mostly being solved automatically, server side, by
using Spamhouse. You may advise to your email service provider to use
that feature or some other feature.

Spam problem is not a remote problem, not something on outside parties
to solve, it is to be solved on your side. You may train your email
client to recognize spam. Email is not and never was perfect.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://rms-support-letter.github.io/