Hi Bernd,
> <FORM METHOD="POST" ACTION="/cgi-bin/Nomailto.pl">
> <INPUT TYPE="HIDDEN" NAME="user" VALUE="bernd.paysan">
> <INPUT TYPE="HIDDEN" NAME="host" VALUE="gmx.de">
> [...]
>
>I took a look at the HTML source that is generated for a message, and
>I could easily extract my e-mail address out of a message [...]

Also, the sender's email address is embedded at the top of the page, scrambled by rot13 encryption. For example:

<!-- MHonArc v2.4.3 -->
<!--X-Subject: week's news -->
<!--X-From-R13: Xrss Pervqraonpu <wrssNwno.bet> -->
<!--X-Date: Wed, 29 Sep 1999 23:09:45 -0700 -->
<!--X-Message-Id: [EMAIL PROTECTED] -->
<!--X-Content-Type: text/plain -->
<!--X-Head-End-->

>Adapting a harvesting perl script for this is just a matter of
>minutes, then. I suggest encrypting the information and decrypt it
>in the cgi-bin on your server to generate the mailto: URL.

Both rot13 and splitting up the email address in the POST form are examples of weak encryption. I consider there to be only two types of encryption -- weak (breakable) and strong (unbreakable). I believe that the weak encryption will stop all stock spambots. You are correct that a programmer could write a custom spambot to crack the encryption. However, even if the encryption was strong, a custom spambot could just submit the POST form and record the mailto: URL returned.

Now, if I ran all incoming email through an anonymizing remailer, that would probably do the trick -- at the cost of making it impossible to reply to a piece of email. But, I'd prefer not to give up this functionality -- it feels a little bit like giving in to terrorists. Maybe there is room in the world for an anonymizing list archiving service, but it's not a niche I purposely want to get into!

I like to think of the current anti-spambot measures as one of those expensive U-shaped bicycle locks. It's reasonably difficult to break(1) but by no means insurmountable. If the spammer is in the United States, there may also be some discouragement provided by our legal system. I would like to think that the spammer will choose an easier target. Thus far, the situation appears to be working well. Of course, I should probably mention that someone stole my bicycle a few years ago despite the U-lock...

Anyway, your point is taken and I will try to amend the FAQ to more realistically reflect the situation. Thanks for the feedback.

Cheers,
Jeff

PS Your "Why Forth" page is fascinating.

(1) Not everyone can whip out a custom spam harvester in perl in a few minutes. Custom programming does represent some effort.