Forgot your password?
typodupeerror
Privacy The Internet

Sites Leaking Users' Email Addresses 194

Posted by Zonk
from the put-some-tape-on-that dept.
Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
This discussion has been archived. No new comments can be posted.

Sites Leaking Users' Email Addresses

Comments Filter:
  • register with (Score:3, Interesting)

    by I_am_Rambi (536614) on Sunday May 29, 2005 @08:25AM (#12669276) Homepage
    All the more reason to register with root@127.0.0.1
    • Re:register with (Score:3, Insightful)

      by moranar (632206)
      So that when you do lose the password, you cannot get a new one. That sounds practical!
      • Re:register with (Score:2, Interesting)

        by brain007 (798589)
        Personally, I've very rarely needed to use that. Only when the site wants a password that's 6-8 chars, with 3 of them being a symbol or something that goes against my normal password convention do I ever need a reminder. But those sites are so rare that I generally just remember those passwords as being something off of my normal scheme.

        I think it would be more time and bandwidth efficient to just throw emails to a@blah, aa@blah, etc and see which ones dont bounce back then to go through a login script f
        • I just use my hotmail account (to the name of "klaatu barada nikto" :) ) for this stuff, and other accounts for real email.
          • Re:register with (Score:4, Informative)

            by theguyfromsaturn (802938) on Sunday May 29, 2005 @11:04AM (#12669888)
            I just use my Yahoo Address Guarded account for this kind of stuff. Address guard is neet. You do get the registration e-mail and you can reactivate the specific e-mail that will get your forgotten password when you need it, and deactivate it at all other times. If you don't know about the Address Guard, go to your Yahoo mail, and under Options go to address guard and read the explanations. I highly recommend it. I have one, "basename"-forgottenpasswords@yahoo.com that I use for this specific case. Once the account is created with hta ID and you've replied to the e-mail, you can erase that entry (and never receive e-mail there). If you forget your password, go back to AddressGuard, add forgottenpasswords (or whatever you choose to call it) as one of your addresses, and on the site request your address again. It has changed the way I e-mail. Nobody gets my Yahoo ID based name. All get base-name, extension name compound addressguard address. It makes disposing of undesireable e-mails very very easy.
            • And if you don't use yahoo, or want this style service for any type of e-mail address, there's spamex.com for $9.95 a year. I've been using it for 2 years now with no complaints.
    • Re:register with (Score:3, Insightful)

      by NetNifty (796376)
      Probably won't work on a lot of sites though, as quite a few require you to confirm that you own the email account by clicking a URL within the email they send you, or entering a code from it on their site.
      • Probably won't work on a lot of sites though, as quite a few require you to confirm that you own the email account by clicking a URL within the email they send you, or entering a code from it on their site.

        Yes. You'd better register with something@mailinator.com.
    • Or my favorites:
      help@127.0.56.2
      autoresponder@127.0.0 .1
      i-know-you-fsckers-have-a-catch-all@localhost

    • Naaww. My favorite to register on misc. sites is the e-mail address of "Bill.Gates@microsoft.com".

      Now, before you complain, think of it this way: those Borg admins have to have something to do to break the constant monotony of installing buggy patches to Exchange. :-)
    • But when I forget my password and type that into the box it'll go out to every sysadmin out there...
    • Even better: root@224.0.0.1.
    • http://www.bilsystem.com/paypal_export.php [bilsystem.com] This dude puts up the paypal username and addresses.
  • by Anonymous Coward on Sunday May 29, 2005 @08:27AM (#12669280)
    All the more reason to have a disposeable hotmail account. Only some few personal friends have my "real" email. I've been doing this for years, and never get any spam.
    • Here's some blatant avertising for a spam protection service I use, http://spamgourmet.com/ [spamgourmet.com]. You pick out an address to fill in in servicekey.messages_allowed.accountname@spamgourme t.com format, and it forwards messages_allowed messages from the servicekey account, then discards all further ones. I use this for a gmail account I have, and I've never gotten a single spam message to it. Ever.
  • like this one? (Score:3, Interesting)

    by dj245 (732906) on Sunday May 29, 2005 @08:30AM (#12669285) Homepage
    list off all students at Maine Maritime Academy [mma.edu] Directly linked from http://www.mma.edu/ [mma.edu] (Academics/Student Schedules on the java menu)
    • Aren't you going to be mister popular!?!

      Thanks from the spammer geeks that read /. that may not have stumbled across that directory.

      Thanks from the students who are probably now going to get a new surge of spam.

      My employer has a similar type of diretory. I made my point that it was too easy for spammers to collect email addresses. Of course no one believed me. Now everyone one at my work complains about spam. The upper admins want a "silver bullet" spam solution and it takes forever for things to get eva
      • Silver Bullet Spam Solution:
        Only deliver mails encrypted with the user PGP key to them. Everyone else gets an auto-reply to inform them about this policy and the location of the key.
        • I don't know where you work but in most workplaces executive types (and their assistants) refuse to be bothered by such incoveniences.

          If it doesn't work automagically then it is not acceptable to them.

          You and I know the realitiies of dealing with the scum of the Internet but it is going to take a while longer for everyone else to catch up.

  • Another problem (Score:5, Interesting)

    by Antony-Kyre (807195) on Sunday May 29, 2005 @08:32AM (#12669295)
    While we're on the topic of security, here is another bad problem.

    When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.

    Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
    • Re:Another problem (Score:3, Insightful)

      by idonthack (883680)
      Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.

      This is the reason that most ISPs and web mail providers don't allow anybody to register an email that's been registered at any time in the past.

    • Have you ever allowed your email address to expire, and, if so, did someone else claim your email address and then go to websites asking them to send your passwords to that old email address?

      If so, the law offices of James Sokolove would like to help. Please contact us at http://www.jimsokolove.com/contact/ [jimsokolove.com].

      Note that if you cannot remember your account password at jimsokolove.com, then the law offices of James Sokolove will be happy to send a password reminder to your registered email address.

      Thank

    • Re:Another problem (Score:3, Insightful)

      by fishdan (569872) *
      I assume you're talking about Hotmail, who I know has a pretty rigorous expiration policy. Are you telling me that when they expire an account, they then recycle the name???

      I can't believe that's true, even of MSFT -- email addresses should NEVER be reused. Even at my old company where we used "bad" email addresses like "dan@mycompany.com," even if dan left, we'd never reissue that email address, even if it was the new CEO. you just can't do that!

      I would however be somewhat concerned about expiring

      • Yes, the Hotmail (not @msn.com) usernames that expire are reusable.

        What is it right now? 30 days for e-mail to be deleted? 45 days for the account to expire completely so it can be reregistered? Am I correct on this?

        I can agree with e-mail being deleted from the account after a certain period, since it is their space being used up.

        I cannot agree with the account expiring in such a short period. Doesn't it take like 7 years for someone to be declared legally dead? I personally would like to see Hotmail ac
        • It wasn't like that before...

          I had accounts just sitting there for years before. (I suppose that's why they instituted that policy)
    • Happened to me on a site called slashdot. I used to be just 'rikkus', but I forgot to change my registered email address before it was no longer valid and I'd forgotten my password. Now I have no way to retrieve it. Oops. I prefer the 'pet's name' type questions, even though I've never actually had a pet.

      Rik

    • by Anonymous Coward on Sunday May 29, 2005 @11:17AM (#12669970)

      As an on-again, off-again Wikipedian [wikipedia.org] responsible for countless edits as well as several full articles, I used to be happy to leave administrative matters there to others. Such was my bliss, anyway, until I stumbled upon something extremely troubling--something that forced upon me an awareness of the project's astonishingly careless attitude toward privacy and security. This is the product, apparently, of an obsession with countering vandalism so all-consuming that administrators are even willing to expose unlucky bystanders to identity theft.

      This is what I discovered.

      A Wikipedia developer, intending to catch sockpuppet accounts (multiple accounts created by the same individual), queried the user database for a list of accounts whose passwords matched passwords belonging to known vandals and trolls. Hoping the results would be useful to others, he published his findings [wikipedia.org] on his user page. Of course, such a list necessarily included anyone who happened to be using, merely by coincidence, the same passwords as the targeted individuals. As a matter of fact, it seems likely that the dragnet caught at least some people by chance alone. But only the people on the list could know for sure.

      That in itself sounds unfortunate, but none too dangerous. The horrifying punchline is this: in publishing the results of his query, the developer had effectively given these vandals and trolls a list of usernames with whom they shared a password. And once so equipped, the vitals of each compromised account--including the email address--were just a login away.

      Leaking people's passwords, usernames, and email addresses to anyone is damaging enough, let alone to established miscreants.

      Anywhere else, a mistake like this would be acknowledged, the offending information removed, and the potential victims notified. Not so on Wikipedia, where the list spawned nothing but a protracted debate [wikipedia.org] and then a vote to remove the page [wikipedia.org]. In a second blow to Wikipedia's reputability--the first being the mistake itself--the vote finally succumbed to addled logic and shortsightedness, as did a motion to restrict its visibility to site administrators. And so the page has remained linked and visible now for almost a full year, a threat to any innocents listed therein and an affront to anyone with an interest in their privacy and personal security.

      Imagine if you were on that list. (In fact, maybe you are.) Wouldn't you wonder how it was possible for Wikipedia to expose your password to malicious users for the better part of a year? Wouldn't you marvel that no one had alerted you?

      I don't mean to single anyone out here, which is why I've refrained from mentioning the name of the careless developer. The real indictment, in my view, is of the process that:

      1. Allowed such an egregious breach of privacy;
      2. Failed to correct it, even after it came to attention;
      3. Failed to notify those whose passwords had been leaked.

      It is my opinion that this incident is only symptomatic of a larger problem: Wikipedia's tradition of policymaking by ad hoc polling. It is also, perhaps, a harbinger of disasters to come. A draft privacy policy [wikimedia.org] offers some hope, but interest in its adoption appears to have stagnated.

      For the foreseeable future, then, it would be unwise for anyone to entrust their privacy to the Wikipedia site, when the project's developers and administrators have so clearly demonstrated a severe unfitness to guard it, to say nothing of a callous contempt for the real-world safety of contributors.

      ----
      Note: If my anonymity gives you pause to question my credi

      • wow thanks for the heads up, luckily those are really shitty passwords, and mine are atleast alittle better than that.

        so I'm not on the list.
      • I remember, when I was designing the login system for a website of mine (which has since been taken down), I hashed the user's password along with their username, simply so that I wouldn't be able to tell who had the same password (and thus, neither would anyone else who got my database somehow.)

        You just don't give out info about people's passwords. At all. Yeesh.
    • Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.

      Yet another good reason to always have a personal email address at a domain name you control. I've used one of two or three domain names for years - when I let an address expire, it's really, REALLY gone. A domain name is cheap, $10/year or less. Most registrars will allow "forward" accoun
  • Password reminders (Score:5, Interesting)

    by NetNifty (796376) on Sunday May 29, 2005 @08:36AM (#12669308) Homepage
    Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".

    Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.
    • Easy secret questions for password reminders, or even moderately difficult secret questions, creates problems.

      Like "What is my favorite movie?" then the person lists her favorite movie in her profile.

      What they need to do is require four secret questions, all needing to be answered correctly to go on.

      A good reminder is not to have a secret question that a background search or a Google search will turn up.
      • HOW does this help? (Score:3, Informative)

        by argent (18001)
        What they need to do is require four secret questions, all needing to be answered correctly to go on.

        As soon as they get the FIRST question they have the information they need, that this is a valid email address.

        If you don't put the email address in in the first place, then you don't need any secret questions at all.
        • Sorry, I didn't phrase what I said correctly.

          I meant all four secret questions need to have all of them answered correctly to go on. Meaning if you get one right, and the other three wrong, it will still say wrong. It won't give any hint that one of those were right. Kind of like how Yahoo! doesn't tell you that part of it is right, when filling our the birthdate, location, and such.
          • I meant all four secret questions need to have all of them answered correctly to go on.

            1. The phisher doesn't need to answer any of them. As soon as they get the questions they know the email address is valid.

            2. If someone's trying to recover their password, how the hell do you think they're going to remember what they answered four questions months or years ago? "First grade English teacher? Wasn't that Atkins? Or did I say Rhonda Atkins? Oh, to hell with is..."
            • One: Uou are correct. My idea doesn't help that situation. But my idea would help another problem that was brought up.

              Two: Most people tend to have one teacher as their first grade teacher, and still we tend to go by the last name. So if someone were to use that, they'd most likely use just the last name. And if someone can't remember the secret answers to their secret questions four months after the fact, there are probably worse problems going on.
              • But my idea would help another problem that was brought up.

                I don't see that it helps anyone.

                The "secret question" technique is pointless online, whether you have one, two, four, or a thousand questions. The only point to it in the real world is that there's no unique token they can exchange with the person calling to "prove" who they are. Mailing a unique token to the requestor's email address is more than enough security for all the sites I know of that use this technique, they don't need a "secret ques
                • I see nothing wrong with the concept of using biometrics for password requests, as long as it's optional.
                  • Even if it's optional, many people are stll going to find themselves in a REALLY tough identity theft situation due to the fact that you can't change your fingerprints as easily as a credit card.

                    I don't think it's OK to have a system that's going to hurt a lot of people just because I'm aware of the problems and can avoid using it.
    • by argent (18001) <peter.slashdot@2006@taronga@com> on Sunday May 29, 2005 @09:13AM (#12669444) Homepage Journal
      Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".

      I've got a better idea. Don't require the user to give you their email address EXCEPT for initial registration. Don't use their email address as their ID. Don't ask for email address for password reset*. Just take the user ID, send the message, and have done with it.

      This is a case where there's really no good and easy way to fix the security problem except by backing up and not doing the thing that causes the problem. This is like someone's saying "I want to leave my front door open while I'm not at home, so my cat can get in and out." and then coming up with "Well, you can set up a webcam to close the door when something bigger than a car comes up" instead of "Don't DO that, use a cat-flap".

      ----
      * Why sites do that, I don't know... there's no extra security from having a login name AND and email address typed in by the user, since the verification mail won't go to anyone but the real user... all it does for me is make me generate a new account 'cos I don't know what email address I used to sign up with because of exactly this kind of problem.
    • by Fred_A (10934)
      Much simpler : ask for your password with a signed message.

      When you create your account, give your public key with it. From then on, they know who you are (at least in a digital way). The services public key can likewise be gotten from their site or a keyserver.

      This can presumably be thwarted too but it would be much more difficult.
    • The proper thing to do is have all password requests result in a "password sent to email address" style reply, whether the account exists or not. That way someone requesting a password doesn't know which accounts are valid. Any sort of "account not found" message sent to an untrusted client is simply bad security by the site designer.
  • by fishdan (569872) * on Sunday May 29, 2005 @08:39AM (#12669319) Homepage Journal
    I'm sure this is going to degenerate into a "are emails good to use for login" battle (we've certainly hashed this out in our office several time), so I thought I'd start the Pros/Cons list here

    pros for using email as login:

    1. guaranteed unique, though you'd be a fool to not have check.
    2. users forget it slightly less
    3. you have to send verification/password anyway
    cons for using email as login:
    1. What if a user has more than one email address?
    2. Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar
    3. users may use disposable [spamgourmet.com] email addresses and suddenly you cannot contact them

    After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot [sportsdot.org], my perl ain't what it should be) to not give the "pick another account name" if a user tries to register and existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertantly spamming.

    • ok, I'm adding one more thing -- if an email address does not exist (I get a user does not exist message from the recieving mail server) I'll store that for 24 hours too. Doesn't do much for the "I accept it all" email servers, but it's something.
    • I don't think that second con is an issue, you'd use a hash table rather than the emails directly.
      • You're correct for a GOOD implementation, but I've seen MANY tables with :

        `email` varchar(255) NOT NULL,

        as the primary key. How the database then deals with that is an internal issue. I agree with you, best practice is to use something like :

        `emailHash` bigint NOT NULL,

        • You're not helping there...

          If you create an index on a varchar 'email' field, the the SQL server creates the hashes for you, an with probably with considerably greater efficiency as it has raw database access.

          A string select on an indexed field should be no slower than an integer one, if your SQL database is worth a damn. Using your own hashes may be a lot slower - how are you dealing with collisions for example? A round trip to the server to find 10 records with the same hash is a *lot* slower than jus
    • you should probably also limit reminder emails per IP address per day.
    • by argent (18001) <peter.slashdot@2006@taronga@com> on Sunday May 29, 2005 @09:04AM (#12669412) Homepage Journal
      cons for using email as login

      Here's another one, and it ties into the original posting: it's the same problem as using biometrics for identification: using an ID or password that's hard to change. You don't want to use that kind of ID casually, because you want to make sure that people who have your ID have an incentive to be at least as careful with it as you would be.

      If you use your thumbprint to pay for a drink at a bar, how good a job do you think the bar is going to do about making sure someone else doesn't game their sensor with a bit of latex on their fingertip? If someone steals your credit card, you can cancel it and get a new credit card. If someone steals your thumbprint you're hosed.

      This is the same kind of thing. If someone finds out that there's someone with the handle "fishdan" on slashdot, they don't have anything useful. If they have your email address, they have something useful that's hard to change (look at me, I'm using year-tagged email addresses and I'm thinking of going to month tags). Plus, if you DO change your email address you have to change it EVERYWHERE (which is why I've got spam filters that reject entire countries for my main email address... because I've had it for about as long as personal domains have been available and I'm really loath to dump it).

      And because of all this, what this means is that all email addresses have to be treated as disposable, even the supposedly private ones you use for account registration only. Which means that now your email address has the same problem as any other name: you have to remember a bunch of them, you have to remember where you used them, and if you only keep 'em long enough for the verification you can't relogin with the old address.
      • That's a very interesting theoretical point, and the biometric issue is very insightful.

        In practice, regarding emails, I'm not sure how real a threat it is -- Even though someone may "know" my email address, they won't have access to my email? They can send fake email from me, but the don't have my PGP. Aside from be a potential recepient of SPAM, what is the harm to me that someone knows my email address? Leaving unsolicted email out of the equation for a moment, your email address HAS to be known by

        • I'm not sure how real a threat it is -- Even though someone may "know" my email address, they won't have access to my email?

          Read the original article.

          The idea is that people are using this technique to target spam and phishing techniques based on where the email addresses in their databases are pointing to. Whether or not you personally care about YOUR address being "surgically targeted", the bigger problem is the effect on the net when a large number of people are targeted like this.

          1. Spam becomes mor
    • This isn't just about using email addresses as login though - the attacks suggested in the article work on any site that allows you to enter your email address in order to receive a forgotten password. This includes Slashdot [slashdot.org], but they have sensibly added a script prevention measure.

      (Their implementation of the image/text challenge is awful, though - most of the time, the text is in all caps, but the response is only accepted in lowercase.
    • fishdan wrote "Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar"

      Perhaps they'd make poor keys if you used a tree, but they'd be fine if you used a hash. Its not as if you'll ever want a range of addresses, so a hash would be fine.

  • by ranson (824789) * on Sunday May 29, 2005 @08:46AM (#12669342) Homepage Journal
    Another issue I have is that some very popular sites that require registration (MySpace, Xanga, several banking sites, etc) do not do e-mail address validation. Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net), I get about 30 registrations per day from people who just enter it in instead of their own for whatever reason. And then i get all of their account updates, "you have 4 new responses to your profile!", etc. If every site with user registrations would use the "please validate your account by going to this url" system, it would save a lot of people like myself a lot of hassle of having to go in and cancel the accounts. That has required me to do things like calling up a bank on the phone and trying to convince them that I'm not really the guy who filled out the web form with the wrong e-mail address, and the guy who did really doesn't own that e-mail address. After about 20 minutes of arguing I can finally get those taken care of.
    • Get their password via the "send password by email" option if there is any and either just change the email address on their site if possible or change the settings so that you don't get emails from them...although this could be quite problematic with 30 registrations / day.
    • Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net),

      Is that you bob@aol.com?
  • My experience has been that if I keep an email address away from the web, and never, ever let it appear on any website or directory anywhere, that email address will never, ever get spammed or phished. It helps if the address isn't just a single first name, of course. I used to have my email address on my website until I was getting about two hundred spams a day, and once I changed my email address, put up a harvester-proof form on my website, and notified all of my contacts of my new address, I never got s
    • I did this with my Gmail account, I only use it for storage and haven't given it to anyone. It is Issssss@gmail.com where I = my first initial and ssssss = my surname.

      I still get 30 spam e-mails a day (for the record Gmail only lets about 2 or 3 into my Inbox). My guess is it's because my ISP email (also: Issssss@myisp.com) has been used in a dictionary.

      Spammers obviously know people are going to be signing up to Gmail.
    • My experience has been that if I keep an email address away from the web, and never, ever let it appear on any website or directory anywhere, that email address will never, ever get spammed or phished.

      Until the machine of one of your contacts gets pwned and your address gets out into the wide world. Although I do the same as you, I still have to rely on a good Bayesian filter.


      • Typically if your on a provider with a large user base youw ill get spam regardless of the address used because they will even try generating address'.

        They don't do it to smaller providers though.
  • "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks"

    I believe you miswrote spammers. The word you are looking for is shark and/or dolphin. People get spammers, sharks and dolphins mixed up all the time. You can tell them apart from the dorsal fin.

    • People get spammers, sharks and dolphins mixed up all the time.

      OK, but what the hell is the difference between a dolphin and a porpise?

      Oh, and hopefully the chef knows the difference between a dolfin and a dolphin.
  • by mjh (57755) <mark.hornclan@com> on Sunday May 29, 2005 @09:01AM (#12669400) Homepage Journal
    I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA [tmda.net]) I just don't care. I give anyone my email whenever they want. I register on websites with an address that expires. [tmda.net] So it works for long enough for them to send whatever it is that I need from them and then stops working after that.

    Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.

    IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of /.

    (FWIW, I fully understand the argument that says that C/R is bad. [netcom.com] I do not agree with it's accuracy nor it's validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R. [templetons.com])
    • I simply use "<site name>@reg.surname.com" for example "yahoo@reg.smith.com". Using the reg. subdomain keeps the domains e-mail address space available for more important things.

      I quite fancy using "<first name>@<site name>.surname.com" like "john@yahoo.smith.com" that way I can have all my family using the same method but, unfortunately, my e-mail provider [fastmail.fm] can't support it (yet).

      The subdomain will specify the label or folder.
    • I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA [tmda.net]) I just don't care. I give anyone my email whenever they want.

      Greylisting [puremagic.com] is a very powerful spam reduction technique that works transparently. The OpenBSD spamd [openbsd.org] daemon has a greylisting modus, and has reduced my spam to a trickle.

      Challenge/response can be quite irritating, in particular when someone post to a public mailing list and use

      • by mjh (57755)

        Greylisting is a very powerful spam reduction technique that works transparently.

        Forgot to mention: I use greylisting also. I like it's transparency. However I've found that I have to tweak the wait time. The default time prevents delivery from too many real users. I've settled on 3 mins as a reasonable time.

        I don't like heuristic systems (e.g. spamassassin). When they produce a false positive, no one knows. Neither the sender nor the recipient knows that a legit email has been incorrectly iden

    • I think I shall upgrade official corporate policy to block domains which send C/R crap. I can very well do without the crap that comes into my unfilterable mailbox adding to my workload.
      • I blacklisted it ages ago.

        My mailing list was getting it in response to all sorts of stuff.. verification emails, standard mailings, etc. The response I got back from some people when I asked them to whitelist the list members was *another* C/R email!

        Worse was that most viruses spoof their email address now and C/R systems just become spam generation machines when faced with that influx of virus payload. One of these was so bad I had to report the offender to an antispam list and get him blacklisted (ov
        • Yeah, but we are big enough that we need to worry about stupid ISPs like Earthlink who run C/R. And we have a lot of inbound spam, so dealing with stuff that can be cleaned out first with major impact is better. C/R is fairly low volume compared to that.
  • Sold anyway (Score:2, Interesting)

    by dark grep (766587)
    I just assumed any site I provided my email to for 'free' access to something, sold that email address to some direct marketing agency anyway. Who reads all the fine print of the privacy statements on most sites? Don't they say details will be kept strictly 'for use by the comany and its affiliates'? The affiliate being a direct marketing company of course.
  • I registered for a site today that forced you to enter your email address, and then confirm it, before you gave them any other details. I hope they have some reasonable limits, or this could be used to annoy people.
  • I am a CMS designer and let me just say: DUH.

    Of course if you post a user's email addy, a spammer is going to find it.

    Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.

    My new cms [scottleonard.ca] is currently being forked into two versions:
    1. GS 1.9.9 Beta : rapid content management for small business
    2. GS Blog 0.9.1: rapid content manag
  • Yay for sneakemail (Score:5, Interesting)

    by PhracturedBlue (224393) on Sunday May 29, 2005 @10:01AM (#12669662)
    This is why I use sneakemail [sneakemail.com] for every registration I ever enter. Sneakemail is a (free) mail-forwarding service, that will generate an unlimited number of randomized email addresses, and forward them to 1 of 10 of your addresses. Every forwarded mail has a tag (specificed by you) attached to the subject for easy filtering. The 'From' addresses are mapped os that a responses from you gets sent to sneakemail (where it gets re-sent back to the recipient with the 'random' e-mail address (and all header information removed). In other words, sneamemail is a kind of anonimizer proxy for email. I like this service because (a) I never have to give out my real email address, (b) I know which sites are giving away my email address, (c) I can disble, block, or delete an email address that is being used for spam, and (d) it makes it difficult for anyone to associate an email address to me (In the cases where I don't want to give my real name). Admittedly, you can accomplish all of the above if you have your own domain name, and create addresses for every account (except that (d) becomes a bit harder, as it requires fake information in your domain registration). This is superior to throw away email addresses, which only work for (a), and which if you ever need to receive email from them (say because you lost your password, or they use email as login) you need to remember the address somehow. I can always log into sneakemail and see a list of all the addresses I have, neatly categorized.
    • My ISP and email provider both allow me to use email aliases that send everything in front of the @subdoamin.domain.net part to one account. I can filter out a lot of shit on their server, and categorise the rest in my email program. If someone sends me spam, i can quickly trace the origin of the leak, as I routinely put their domainname in the username part.

      99% of the spam I get comes from some porn sites I once bought something from. They overbilled and sold my addres, so now I put all the porn I downlo
  • Gmail (Score:4, Informative)

    by Anonymous Coward on Sunday May 29, 2005 @10:44AM (#12669811)
    Just add "+$SUFFIX" to your username. Example: username+somplaceregistration@gmail.com Then if you start getting spam at that address, jsut adda filter to delete mail to the "+someplaceregistration" suffix. Unfortuantely, some sites don't accept email addresses with "+" in them.
  • for IM alias phishers to just plug IDs into Yahoo or AOL IM - have a bot or boiler room chatter talk with you through IM and try to scam you either A) Out of money or B) Into visiting some porn site.
  • The more I read, the more I discover, the easier and cheaper it becomes to contact us, the more beseiged we become by these spammers and phishers, the more convinced I am that the only possible response is to ban all email and calls from businesses. None should get through. Not a one.

    We could make a "slight" exception for opt-in newsletters, but any sort of commercial message that has not been explicitly asked for, and signed for in the clearest possible way, should open the sender up to extreme fines. It
  • Why do I need an account in the first place? I have far too many accounts as it is, I don't need more.

    Case in point: I wanted some book not in any local store, and had a 10% Barns and Noble online discount. I quit the order when they asked for a password. I gave them my address and credit card number. That is all they need to ship the order, I don't want a stupid account, I want the book. There is nothing of my they need to save. I know my address, I have more passwords than I can remember.

    Even

  • This is very easy for site operators to fix.

    The website simply needs to return the same message regardless of whether a username/email is registered or not. Its not highly user friendly, but its a reasonable tradeoff to prevent giving information to people who are not authorised to receive that information. The website can simply say that "if the account name@email.com exists, a password reset email has been sent". It could then explain that it is unable to reveal if an email address is valid to protect th
  • because I got one of those password reset emails from /. a few days ago, even though I didnt request it.
  • Am I the only one that considered this to be obvious downfall of giving a site your email address?

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Working...