Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Don’t hide your email address – good advice or not?

  • Comments 3

Last week, a writer at the Guardian published an article saying that he never bothers to hide his email address.  He publishes it on his website for all to see and doesn’t think it matters all that much: hiding the address would buy him little, since the small amount of extra spam he gets from publishing it is outweighed by the feedback he receives on the things he writes.  Here are some excerpts:

Last week, I needed to get in touch with a colleague, an academic who'd recently changed universities; I didn't have his current email address, so I sent him a tweet: "Don't have your new email, can you drop me a line at …?"

And yes, I did get in touch with my friend but I also got a flurry of emails and tweets from people who were shocked to their boots that I had [gasp] published my email address. I even got an automated email from a twitterbot directing me to a website advising me on all the horrible unsolicited email I could expect to get if I made my email address public (the irony of sending this advice in an unsolicited email was apparently lost on the bot's author).

The main reason to keep one's email address secret is to hide from the spambots – those nefarious snafflers of unguarded email addresses that act as input for all the unsolicited email that unscrupulous hucksters and scammers firehose over our inboxes.

Well, he’s hit the nail right on the head.  If he publishes it, spammers will harvest it and start spamming it.  So, how does he avoid his inbox overflowing with spam?

Like everyone, I have spam filters. I use three lines of defence: first, I have greylisting switched on for my mail server (this is a simple server configuration that sends a "busy, try again in 15 minutes" message the first time another mail server tries to communicate with it in a 24-hour period; this gets rid of over 90% of the 20,000-plus spams directed at me every day).

Greylisting (or graylisting, for those of us who are not a part of the Commonwealth) is a technique in which, for every incoming email, the sending IP, sending email address and recipient are examined.  If that sender has never been seen before by the recipient, the receiving MTA issues a 4xx-level response, which means “Please go away and try again later.”  The theory is that a legitimate sender will interpret this as a temporary error and retry, while a spambot will not, since retrying is contrary to its cost model (it has to send as much mail as possible and doesn’t have time to wait around and resend).  This technique is reasonably effective, although at scale you have to juggle a lot of data and your data structures become very large.  In addition, it will not work against compromised accounts at large webmail services, since those are legitimate mailers and will try again later.
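Greylisting as the post describes it, as an added example that is not the author's code or any real MTA's implementation: the first sighting of a (sending IP, sender, recipient) triplet gets an SMTP 4xx, a retry after the delay window is accepted, and a triplet idle for 24 hours is forgotten. The simulation also shows the limitation noted above: a compromised webmail account's MTA retries like any legitimate server and gets through. All IPs, addresses and timestamps are constructed.

```python
"""Greylisting as the post describes it (added example; not the author's
code or any real MTA's implementation).

Key: the (sending IP, sender address, recipient) triplet.  The first
sighting gets an SMTP 4xx temporary failure, a retry after the delay
window is accepted, and a triplet not seen for 24 hours is forgotten."""
from dataclasses import dataclass, field

RETRY_DELAY = 15 * 60        # seconds a sender must wait before retrying
RECORD_LIFETIME = 24 * 3600  # forget a triplet idle for this long


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt time
    last_seen: dict = field(default_factory=dict)   # triplet -> most recent attempt

    def decide(self, ip, sender, rcpt, now):
        """Return the SMTP reply code: 450 (try again later) or 250 (accept)."""
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.get(key)
        # Drop stale records so the table does not grow without bound.
        if first is not None and now - self.last_seen[key] > RECORD_LIFETIME:
            first = None
        self.last_seen[key] = now
        if first is None:
            self.first_seen[key] = now
            return 450           # "busy, try again in 15 minutes"
        if now - first < RETRY_DELAY:
            return 450           # retried too early; still a temporary failure
        return 250


def simulate():
    """Three constructed senders against one greylist; returns reply codes."""
    g, t, me = Greylist(), 1_700_000_000, "me@example.com"
    return {
        # Spambot: fires once and never retries, so the message is never delivered.
        "spambot": [g.decide("198.51.100.7", "x@spam.example", me, t)],
        # Legitimate MTA: retries 20 minutes later and is accepted.
        "legit_mta": [g.decide("203.0.113.5", "colleague@uni.example", me, t),
                      g.decide("203.0.113.5", "colleague@uni.example", me, t + 20 * 60)],
        # Compromised webmail account: the provider's MTA retries like any
        # legitimate server, so greylisting lets it through (the limit noted above).
        "compromised_webmail": [g.decide("192.0.2.9", "victim@webmail.example", me, t),
                                g.decide("192.0.2.9", "victim@webmail.example", me, t + 30 * 60)],
    }
```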

Second, I have the spam filter built into Thunderbird, the free/open mailer from the Mozilla people (the same people behind Firefox).

Hmm, I am not a big fan of Thunderbird’s spam filter because it flags nearly every legitimate bulk mail I ever receive as Junk.

Finally, I have a blacklist of terms and from-addresses for filtering out commercial offerings from firms who think that buying a single machine screw or teacup means you want to hear from them twice a week for the rest of time.

Ah, yes, the problem of gray mail (not to be confused with graylisting as they are completely separate).  Perhaps the better term for it is bacn.

I don't really care how much spam gets eaten by my filters – all I care about is how much spam gets through; that is, how much spam I have to clear out by hand. If the server is culling 16,000 or 160,000 spams a day, it makes no difference to me. On the other hand, if the 100-300 spams I manually kill every day turned into 1,000-3,000, it would seriously undermine my productivity.

Hmm, okay, so he manually kills 100-300 spams every day?  If I had to kill that many spams per day manually, it would seriously drag down my productivity.  So much so that I’d probably stop using that email address.

Indeed, the main category of spam that makes it through the filter comes from PR people who have bought it as part of a list of journalists who they might pitch and who are hoping to get a product mentioned on Boing Boing. This is the hardest stuff to filter, since it comes from so many valid email addresses, each message containing unique body text that mentions me by name.

Indeed, this is the hardest stuff to filter, because the mail is not necessarily spam.  The U in UCE stands for unsolicited, not unwanted.  What is spam to you is not spam to me: I signed up for it, and you probably did too and just forgot, or gave away your business card at a convention and had someone opt you in without your knowledge (which is a douchey thing to do but not 100% spamming behavior).  That’s the reason why it doesn’t show up on any IP blocklists – the IPs are not worthy of being called spammers.  If they were, somebody running a reputable list would have listed them.  This is also why graylisting doesn’t work – the IP addresses have a history of sending you mail.

Today, one of the biggest complaints we get from customers is around filtering of bacn.  It’s something that we are going to address.

Meanwhile, obfuscating email addresses costs something: it costs me the time it takes to *** around with trying to come up with a bot-proof, human-readable encoding of my address, and it costs my correspondents whatever time they spend unscrambling my system.

Well, he’s got a point here.  Humans have to decode your obfuscated email address and will probably get it right, but isn’t it so much easier to click on a mailto: link rather than having to type it out manually?  Besides which, if you’re going to make it easy enough to decode, some bot herder can probably code up a solution to do the same.

Personally, I don’t think he made the case that there’s no point in withholding an email address.  The 100 spams per day that I’d have to manually kill is a turn-off.  Although if all of these 100 mails are bacn, and I had a bacn filter (let’s call it a frying pan), then maybe it might be worthwhile after all.

I haven’t gone through the whole article, and you can read it for yourself if you so choose.  But I have covered the main points.

  • I don't go as far as him: I usually write local-part (at) domain or something (though my work address is on our website*) but don't do any further obfuscation than that. I don't think it's worth the effort and the stress (I know people who take care not to publish their 'official' email address anywhere and then get totally upset when it 'leaks'). Also, I wonder if in the long run it makes a significant difference. Once your address is on a spammer's list, it is on it. It doesn't matter that they could easily add it another 73 times.

    * because I am working in anti-spam, I have an interest in spam, especially in those spam messages that make it through filters. I think I'd give the wrong message if I said "I want to get spam" but let's say I prefer spammers to send their spam to me (or to you, for that matter) than to my mum.

  • > Humans have to decode your obfuscated email address and will probably get it right,

    > but isn’t it so much easier to click on a mailto: link rather than having to type it out manually?

    The answer to this is, of course, to have a script in the webpage that automatically de-obfuscates the addresses.

    Of course, a harvesting bot could execute the script, but it would need to execute javascript, and a Turing-complete bot could be used to play some interesting tricks (harnessing spammers' computing power to useful tasks!).  More seriously, this won't happen: like graylisting, bypassing this would run contrary to their cost model.

  • The problem with saying "Won't mailto: fix the problem" is that most people don't have an email client configured for their personal computers. I'm the only person I know who has an email client on their personal computer. Whenever I have to do IT support for family/friends, and they're walking through getting their email, they always sign in through a web browser.

    Find a webpage with a mailto:, take a non-technical relative, and have them click on the link on their computer. The look of confusion they get as the browser freezes, and a wizard pops up to configure Outlook/Live Mail, teaches them to be afraid of mailto: links and that they should never click on one again.

    I think that mailto: would be a great solution, if you could configure Windows to use a url as your default mail client.
