E-mail harvesting in classifieds

[justin_lee]

This question was brought up in this <a

href="http://www.photo.net/bboard/q-and-a-fetch-msg?msg_id=0059vx">thread</a>,

but I couldn't find anything after that.<p>

 

My question/suggestion relates to the manner photo.net handles e-mail

addresses in the classified. This recently caused me some concern as I

changed the e-mail address to something unique solely for my photo.net

account a few days ago and just got some spam sent to it. Obviously, I

this caused me to do some digging as to why a brand new e-mail address

could be exploited so quickly.<p>

 

I'd posted a couple ads a month and a half ago that expired before I

changed my e-mail address, so my first hunch was to look there. When

viewing a user's profile, it desplays their history of classified ads.

When viewing that history, it amends the end of the ad with:<p>

 

<em>Originally posted Date by <strong>e-mail address</strong> (user

name)</em><p>

 

To me, this defeats the purpose of forcing someone to request a user's

e-mail address from the server (thereby causing an e-mail notice to go

to the user who's e-mail address was just requsted) when you can just

follow the links through their history. Additionally, the e-mail

address is dynamic/taken from the database, so no matter how many

times I change my e-mail address and no matter how old the ads are, it

will always show the most current one. <p>

 

I would think that this is a great exploit for any e-mail harvesters,

because the more involved your are with the forums and classifieds on

this site, the greater the chances are of having your e-mail harvested.<p>

 

Cheers,<p>

 

Justin Lee

[justin_lee]

Yet somehow I missed this <a href="http://www.photo.net/bboard/q-and-a-fetch-msg?msg_id=009rWV">thread</a> posted only days and two lines below mine. Sigh. I... feel... so... dumb. But I think I came up with the answer.

[bobatkins]

As pointed out in an above thread, your new email address appears in your classifieds ads history, and that makes it publicly accessible. I presume that ads are indexed by your unique user ID number, and that unique ID number is then associated with your *current* email address. Someone must be trawling through the classifieds and classifieds history. Maybe a log analysis will figure out who it is.

 

The "spam trap" addresses don't get spammed because they aren't used to post classifieds.

 

I think Brian is going to have to sit down and figure out how this one can be resolved. Just removing the email address from old (deleted) ads would be a quick and simple fix.

 

It used to be that you had to use a photo.net form to contact someone advertising in the classifieds, i.e. you didn't get their email address. Maybe we'll have to go back to that, with an option to post a direct contact email address if you want to risk spam.

[peter_evans4]

Another potential problem is that so many addresses are guessable. Your

names are Justin and Lee; mine are Peter and Evans, I'm sure that for

any domain name known to spammers (which means most domain

names), justin@, lee@, peter@, and evans@ are already spammed before

they're ever used legitimately. Perhaps justinlee@ is as well, as are

justinleigh@, justinlea@, etc. etc. Thus something like

justleavemealonewillya@ could be better.

[justin_lee]

I actually haven't received too many generated e-mail addresses hitting my domain. The most common ones though, are info@ and webmaster@

 

Tracking down spammers was so much easier in the 90's. Some of them actually used their own ISP/e-mail address to send out the spam back then! sigh.

[Nicholas Barry]

That was a good catch, Justin. At least I know where my spam is coming from. I guess I can just set up a procmail filter to redirect to /dev/null all mail addressed to my photo.net registered address. But that kinda cuts down on some of the usefulness of photo.net (though nobody ever mails me anyway). I guess once Brian changes this misfeature I can delete that procmail entry.