help-debbugs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#14811: Debbugs <at> spam countermeasure inadequate

From: Bob Proulx
Subject: bug#14811: Debbugs <at> spam countermeasure inadequate
Date: Fri, 19 Jul 2013 18:44:08 -0600
User-agent: Mutt/1.5.21 (2010-09-15) 
Glenn Morris wrote:
> address@hidden wrote:
> > On 2013 April 22 I filed an emacs bug using an email address
> > specifically generated for that purpose and used for nothing else.

I don't see the usefulness of using fingerprinted email addresses when
sending messages out to the world.  Because out of the thousands of
potential readers of the message all it takes is one of them to be
reading the message on a virus infected system.  At that point the
email address is very likely to be used by the spammer driving the
botnet behind the virus.

> > On 2013 May 18 I started receiving spam messages on that email
> > address. The most likely explanation is that an email address
> > harvester is overcoming the <at> countermeasure.

Or that your email was read by someone on a virus infected MS-Windows
computer system and the virus harvested your address.

> I'm sympathetic. I don't like spam, and we should certainly not make it
> totally trivial to harvest addresses (like bugs.debian.org does), but I
> feel that in this day and age everyone has to expect some spam and have
> a method for dealing with it.

I agree.  I wanted to add a few thoughts.

I think it is unreasonable to expect that email may be sent and that
the sender's email address will never be known.  Once you send an
email then there are so many things that can happen to cause the
sending email address to become known.  Like the virus example.  But
that is simply one of many possibilities.  Genies are easy to let out
of the bottle but quite hard to put back in them.

Also it is impossible for a free(dom) software project to operate
without transparency.  And that very transparency requires that email
addresses will be seen somewhere along the way.  It isn't possible to
keep something secret when the very basis of the project is that it is
available to the community to contribute.  Community projects operate
in a public setting.  Anything else would be a completely different
thing.

Someone will suggest going to a very closed web based bug tracking
system.  That has been tried.  But it has its own set of negatives
associated with it.  That is why the email based debbugs is so
attractive.

> Emacs bug reports appear on several other sites that are not under our
> control, and further obscuring debbugs.gnu.org will have zero impact on
> them. For example, the gnu.emacs.bugs newsgroup (how I wish it would go
> away), and gmane.org, which uses the same <at> mechanism.

I also wish the newsgroup gateway would go away.  I really wish it had
never been implemented.

> So no matter what we do on debbugs.gnu.org, we cannot promise that
> reporting an Emacs bug will never lead to you getting a spam email.
> Sorry.

And the same thing for sending to any mailing list under the gnu.org
umbrella.  It just isn't possible.

Bob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]