Spam gaurd?

Would it be too much of a problem to institute something of a spam

blocker for listed email addresses? Something as simple as replacing

the '@' in displayed email addresses with "(at)" would fool spammers

scanning the site for victims. Let's face it; restricting access to

email addresses to registered users is not much of a hindrance;

spammers recognize the site as a treasure trove of photographers to

market to, and have no hesitations about registering only to grab

email addresses. I've only been a member of photo.net for a few

weeks using a brand new email address, yet I've already started

receiving photography based spam. All I ask is the ability to spam

gaurd the publicly displayed email address. thanks.

We're thinking of turning off the display of email addresses entirely, and making the process for a member to obtain the address of another member a more tedious one so as to slow down or defeat address harvesting programs.

 

Your idea of replacing the '@' with 'at' wouldn't help much. A hypothetical spammer already would have to use non-standard harvesting software that knows how to log into photo.net, so dealing with a slightly mangled address isn't much of an additional hurdle.

Yeah, I know that the "(at)" suggestion was somewhat simplistic; however, there are ways creatively conceal your true address from spammers. I come from a slashdot/kuro5hin background, and many users there, including myself, mask their email address by inserting removable letters or message. for example, "yRoEuMrOaVdEdTrHeIsSs@doman.com". While this might be a bit of a hassle, not too many spam harvesting programs have the ability to easily deal with it. In fact, I know a number of users who have ROT-13'd their addresses. This, however, might be a bit too technical for most photo.net users. But this post is just indulging my ideas; the eventual change you've mentioned will no doubt help the problem, and I'm glad that it's being taken into account. Thanks.

Photo.net has been a responsible community so far. Turning it into an anonymous nobody-trusts-nobody public billboard would be easy, but there is no way back to a trustful community after you've done that. This would destroy the spirit.

<p>

Yes, I've received perhaps four or five spams from small photo dealers over as many years. Those have been harvested from photo.net. This is not much and I would rather propose to deal with these isolated cases by contacting the offender individually, rather than hiding everyone's email.

<p>

If you have to go the shut off route, please leave the option to continue listing emails openly for those members who prefer that (I would be one).

Anthony, can you please repost here the spam you got (as an attachment, all headers included please).

I've tested a feature in the last hour or so where the email address on the community member page is now replaced by a link to "request" the address.

 

The code that responds to this link will display the address if you have (a) retrieved it before; or (b) you have been a photo.net member for at least 48 hours and have not requested more than 20 new addresses on the same day. In the second case, it also throws in a 20-second delay. This limits the number of addresses any one person can retrieve to 20, and makes getting those 20 a bit slow.

 

We would also be logging all the address requests.

 

What do you think? Should I put it into production?

Vadim - unfortunately I already deleted the spam. However, I do remember that it was an advertisement for a stock photo company - something about marketing your photos and making money. It also included a disclaimer at the bottom from the sender about how they "only wanted to send it once, delete it if you don't want it" - standard spam tactics. Unfortunately, I, as I do with most spam, deleted it on sight.

 

Brian - that sounds great. It should hopefully work better than some approval process (i.e. when someone wants an email address, the address holder must approve giving it out to them) or my own address obfuscation methods. I'd love to see it in action, and if you need any help coding or testing it, let me know.

As I said, I'm not a fan of any restrictive measures which are not absolutely necessary. I stopped uploading pictures after photo.net disallowed HTML in the fields, which was not really necessary (it happened after a one-time prank; you could disallow only comment tag in the fields, but disabled all HTML instead).

<p>

The way emails are harvested now is through a <a href="http://www.photo.net/directory/lookup.tcl?last_name=&email=a">user directory</a>. You may want to put restrictions there first. Now it takes about 36 requests ans some waiting to get all the emails and names in the database, as a compact ordered list.

<p>

I don't know the extent of the problem, but if it's what I think it is - rare isolated cases - then putting preventive restrictions is an BAFH practice to me.

Just think about an <strong>elegant</strong> solution - one that no user except one who wants to download the whole database <em>would ever notice.</em>

Vadim, I didn't mention that in my test code, I also turned off the display of email addresses in the User Directory. Can you think of a legitimate reason why someone would have a legitimate need for more than 20 email addresses of photo.net members in a 24 hour period? (Keeping in mind that this is only NEW addresses, and doesn't include the addresses he has been allowed to see previously.)

Brian, that e-mail request delay is very nifty. Good job!

Well, it looks less ugly than I expected. Nit-picking:

<ul>

<li>It says <em>(20-second delay)</em> even for those addresses that were previously requested. You could just list these emails instead of the request link. Imagine a person who has reached the daily limit: how would he know that previously requested addresses are still available?

<p>

<li>Here is a slightly inconsequent wording:

<blockquote>

<em>

We apologize for the inconvenience, but in order to deter email address harvesters, our software limits the number of addresses you can have in any 24 hour period, and you have exceeded the limit today.

<p>

Please back up using your browser, correct it, and resubmit your entry.

</em>

</blockquote>

</ul>