
Re: [Asrg] Email passwords



Phillip Hallam-Baker said:

> I think that the problem being addressed here is simply the how do I publish
> my email address on my Web site and not get spammed problem.

Er, no.  I'm concerned with "how do I have/keep my static email address
over many years and yet dump spam?" Different question.

> There are plenty of solutions here, why bother with the password?

All the solutions stink (including email passwords, by the way).
For me, email passwords make a combination of other approaches
(which I also use) more tolerable.

> just publish your email address as a gif.

I do shroud my email address, but that's not enough:

1. I already had an email address, widely captured by spammers,
before I shrouded my address.  Spammers don't take you off their lists normally,
even if you're foolish enough to ask them to, so once your
email address is known, you're doomed unless you do SOMETHING.

2. Email addresses leak all over the place. Many mailing list archives
will leak your address.  Well-meaning people send email addresses in
email to others, which eventually get posted to publicly-accessible forums
(like archives).  Email addresses are in many people's address book;
spammers break into these systems and exploit/capture the address books
on a massive scale. Most mail is sent as cleartext, making
email addresses easy to capture while being delivered.
Many documents (ChangeLogs, etc.) include email addresses, and
it can be difficult to get them removed from the universe.
In short, an email address was never intended to be kept as a long-term
secret, and the infrastructure doesn't do anything to help.

3. I don't want to constantly change my email address; it needs to
be stable.  Thinking of this as a security problem, we normally have
a separate _identification_ and an _authorization token_
(like a password).  That way, we can change the authorization token
(password) without changing the identification, and the identification
doesn't need to be kept secret.

> As a broad scale solution though, not good. First you have to be able to
> filter by the password, second people have to know that they should use the
> password. 

It won't work for all, but you'd be surprised how easy that is to do.
The first condition is met by almost everyone: Mozilla & Outlook
support the necessary functionality, as do Runbox & Yahoo, and
I'm sure many others support it too.  My web page describes how to
do it for those 4 cases, it's pretty easy.

As far as "knowing that they should use the password", that's obviously
a weakness of the scheme, but I've found it's not too bad (YMMV).
The main way people get my email address is by going to a webpage that
also gives the email password.  My main page has a "contact me" link,
which then links to http://www.dwheeler.com/contactme.html
(see that as an example).

Also, in my implementation, they don't HAVE
to use the email password - my spam filters still give them a chance,
and friends & family don't go through the same scrutiny.
But all spam filters have a false positive rate, and the email password
makes the false positive rate less dangerous.

---- David A. Wheeler

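An added example of the routing logic the post describes, in Python; it is not part of David Wheeler's message or his actual filter setup, and the password tokens, trusted addresses and sample messages are all constructed. A message carrying a current password in its Subject or text goes straight to the inbox (so a spam-filter false positive cannot lose it), friends and family skip the scrutiny, and everything else still gets its chance with the spam filter; the token list allows an old password to stay valid while the new one propagates, since the token can change without the address changing.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values (not from the post): the token published on the contact
# page, plus the previous token still honoured while correspondents update.
VALID_PASSWORDS = ("bluegiraffe2024", "bluegiraffe2023")
FRIENDS_AND_FAMILY = {"alice@example.org"}


def contains_password(msg, passwords):
    """True if the Subject or any text/plain part carries a current password."""
    haystacks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            haystacks.append(part.get_content())
    text = "\n".join(haystacks).lower()
    return any(p.lower() in text for p in passwords)


def route_message(raw, passwords=VALID_PASSWORDS, trusted=FRIENDS_AND_FAMILY):
    """Return where a raw RFC 822 message goes: 'inbox' or 'spam-filter'.

    The password (authorization token) is separate from the address
    (identification), so it can be rotated without changing the address.
    Mail lacking it is not rejected; it just faces the normal spam filter.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    if contains_password(msg, passwords):
        return "inbox"          # bypasses the filter: no false-positive risk
    if sender.lower() in trusted:
        return "inbox"          # friends & family skip the scrutiny too
    return "spam-filter"        # still gets a chance, as the post describes


# Constructed sample messages
WITH_PASSWORD = (
    "From: Carol <carol@example.com>\r\n"
    "To: me@example.invalid\r\n"
    "Subject: question (bluegiraffe2023)\r\n"
    "\r\n"
    "Hi, found your address on your contact page.\r\n"
)
FROM_FRIEND = "From: alice@example.org\r\nSubject: dinner?\r\n\r\nSaturday?\r\n"
STRANGER = "From: promo@example.com\r\nSubject: offer\r\n\r\nBuy now!\r\n"

if __name__ == "__main__":
    for label, raw in (("password", WITH_PASSWORD), ("friend", FROM_FRIEND),
                       ("stranger", STRANGER)):
        print(label, "->", route_message(raw))
```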
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg