justin_lee Posted October 25, 2004

This question was brought up in this <a href="http://www.photo.net/bboard/q-and-a-fetch-msg?msg_id=0059vx">thread</a>, but I couldn't find anything after that.

My question/suggestion relates to the manner photo.net handles e-mail addresses in the classified. This recently caused me some concern as I changed the e-mail address to something unique solely for my photo.net account a few days ago and just got some spam sent to it. Obviously, this caused me to do some digging as to why a brand new e-mail address could be exploited so quickly.

I'd posted a couple ads a month and a half ago that expired before I changed my e-mail address, so my first hunch was to look there. When viewing a user's profile, it displays their history of classified ads. When viewing that history, it amends the end of the ad with:

<em>Originally posted Date by <strong>e-mail address</strong> (user name)</em>

To me, this defeats the purpose of forcing someone to request a user's e-mail address from the server (thereby causing an e-mail notice to go to the user whose e-mail address was just requested) when you can just follow the links through their history. Additionally, the e-mail address is dynamic/taken from the database, so no matter how many times I change my e-mail address and no matter how old the ads are, it will always show the most current one.

I would think that this is a great exploit for any e-mail harvesters, because the more involved you are with the forums and classifieds on this site, the greater the chances are of having your e-mail harvested.

Cheers,

Justin Lee

justin_lee Posted October 25, 2004

Yet somehow I missed this <a href="http://www.photo.net/bboard/q-and-a-fetch-msg?msg_id=009rWV">thread</a> posted only days and two lines below mine. Sigh. I... feel... so... dumb. But I think I came up with the answer.

bobatkins Posted October 25, 2004

As pointed out in an above thread, your new email address appears in your classifieds ads history, and that makes it publicly accessible. I presume that ads are indexed by your unique user ID number, and that unique ID number is then associated with your *current* email address. Someone must be trawling through the classifieds and classifieds history. Maybe a log analysis will figure out who it is. The "spam trap" addresses don't get spammed because they aren't used to post classifieds.

I think Brian is going to have to sit down and figure out how this one can be resolved. Just removing the email address from old (deleted) ads would be a quick and simple fix. It used to be that you had to use a photo.net form to contact someone advertising in the classifieds, i.e. you didn't get their email address. Maybe we'll have to go back to that, with an option to post a direct contact email address if you want to risk spam.
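
One way the log analysis mentioned in the post above could be done, as an added example that is not part of the thread and not photo.net's code. The URL path `/classified-history?user_id=N`, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Common Log Format. The path /classified-history?user_id=N
# is a hypothetical stand-in; the thread does not give photo.net's real URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2004:10:00:01 +0000] "GET /classified-history?user_id=101 HTTP/1.0" 200 5120
203.0.113.7 - - [25/Oct/2004:10:00:02 +0000] "GET /classified-history?user_id=102 HTTP/1.0" 200 4871
203.0.113.7 - - [25/Oct/2004:10:00:03 +0000] "GET /classified-history?user_id=103 HTTP/1.0" 200 6033
203.0.113.7 - - [25/Oct/2004:10:00:05 +0000] "GET /classified-history?user_id=104 HTTP/1.0" 200 3990
198.51.100.20 - - [25/Oct/2004:10:01:00 +0000] "GET /classified-history?user_id=101 HTTP/1.1" 200 5120
198.51.100.20 - - [25/Oct/2004:10:04:30 +0000] "GET /classified-history?user_id=101 HTTP/1.1" 200 5120
192.0.2.5 - - [25/Oct/2004:09:00:00 +0000] "GET /classified-history?user_id=101 HTTP/1.1" 200 5120
192.0.2.5 - - [25/Oct/2004:09:30:00 +0000] "GET /classified-history?user_id=102 HTTP/1.1" 200 4871
192.0.2.5 - - [25/Oct/2004:10:00:00 +0000] "GET /classified-history?user_id=103 HTTP/1.1" 200 6033
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
HISTORY_RE = re.compile(r'^/classified-history\?user_id=(\d+)$')  # hypothetical path


def find_harvesters(log_text, min_users=3, max_seconds_per_user=5.0):
    """Return {ip: distinct_user_count} for clients that walk through many
    different users' ad-history pages faster than a person would read them."""
    first_seen = defaultdict(dict)  # ip -> {user_id: time of first successful fetch}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # only pages that were actually served can leak an address
        h = HISTORY_RE.match(m["path"])
        if not h:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        first_seen[m["ip"]].setdefault(h.group(1), ts)
    flagged = {}
    for ip, users in first_seen.items():
        if len(users) < min_users:
            continue  # repeat views of one profile are not enumeration
        span = (max(users.values()) - min(users.values())).total_seconds()
        if span / len(users) <= max_seconds_per_user:
            flagged[ip] = len(users)
    return flagged


if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```
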

peter_evans4 Posted October 25, 2004

Another potential problem is that so many addresses are guessable. Your names are Justin and Lee; mine are Peter and Evans. I'm sure that for any domain name known to spammers (which means most domain names), justin@, lee@, peter@, and evans@ are already spammed before they're ever used legitimately. Perhaps justinlee@ is as well, as are justinleigh@, justinlea@, etc. etc. Thus something like justleavemealonewillya@ could be better.

justin_lee Posted October 25, 2004

I actually haven't received too many generated e-mail addresses hitting my domain. The most common ones, though, are info@ and webmaster@.

Tracking down spammers was so much easier in the 90's. Some of them actually used their own ISP/e-mail address to send out the spam back then! Sigh.

Nicholas Barry Posted October 25, 2004

That was a good catch, Justin. At least I know where my spam is coming from. I guess I can just set up a procmail filter to redirect to /dev/null all mail addressed to my photo.net registered address. But that kinda cuts down on some of the usefulness of photo.net (though nobody ever mails me anyway). I guess once Brian changes this misfeature I can delete that procmail entry.