Free special one-time email address: A new spam approach?

Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Free special one-time email address: A new spam approach?

Post by Oren »

So I've seen someone trying to sell Spaml.com on sitepoint.
Spaml.com wrote:Spaml is an automatic disposable email solution where you don't have to click. When you visit this site the above generated email address is automatically saved to your clipboard.

All you have to do is "Paste" it in wherever an email address is requested (forms, forums etc) and when you get the email it will show up here instantly in this box.
So now a simple confirmation email is not good enough and we have a new issue to deal with.
What do you think? Is there anything to do against it? Is it even worth the effort? Even before that, you could go and open a new email account just so you could register on some site which you don't want to have your real email.

Thoughts, suggestions and comments are welcome... :P

P.S. Here, if you want to buy it :P : http://www.sitepoint.com/marketplace/auction/9583
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Don't they still have to handle the confirmation manually? It shouldn't be *that* bad.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Except if the server needs to email them about password resets or other things. Now, if you were able to continue to access the address, that's a bit different.. but there are services which do that already.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

So I guess we shouldn't do anything special to treat such scenarios.
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Re: Free special one-time email address: A new spam approach

Post by The Phoenix »

Oren wrote:So I've seen someone trying to sell Spaml.com on sitepoint.

So now a simple confirmation email is not good enough and we have a new issue to deal with.
Not good enough for what?

The goal of email confirmation (usually) is to confirm that you can reach a user at a particular email address. It helps reduce the number of bots because it increases the difficulty for them to sign-up.

There are other solutions that do similar (although the no-click approach is interesting), so it just reduces some of the difficulty. Think of it as an arms race. We get better, and so do the spammers.
Oren wrote:What do you think? Is there anything to do against it? Is it even worth the effort? Even before that, you could go and open a new email account just so you could register on some site which you don't want to have your real email.
Well, there are three communities to deal with:

1. Spammers. Use moderation systems which prevent content showing up immediately. That's independent of the sign-up process, and should reduce any potential for spam by a huge amount. That coupled with the complex sign-up requiring email confirmation, and it should reduce the value to a spammer by enough to keep them out. Add in a feature that watches for behavior like multiple signups, sending to large numbers of people, and so forth, and you should be golden.

2. Real users that you want to reach (but that don't want to be spammed). Don't spam them. Use a random re-confirmation every 30+X days, to ensure that they didn't use a throw-away address, and once it is confirmed say, 3 times, they are a legit user with a legit email address. Then avoid sending them content they won't want, so they don't change to a throwaway address.

3. Users that are absolutely exhausted with maintaining 100+ logins. Don't force them to! Unify your logins across your site (forum+wiki+blog+++++), or better yet, use OpenID, so they can have one (reasonably secure) login for *all* sites.

In either case, a little bit of extra verification of humanity will result in a higher signal to noise ratio. :)

This is really nothing new. curl/wget/snoopy, and some good scripting skills could handle the signup, email access, and so forth up until now. This just lowers the bar a little further for the spammers, and makes life easier for users that are tired of hundreds of logins.
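One way to implement the re-confirmation schedule described in the post above. This is an added example, not code from any poster in the thread; `MAX_EXTRA_DAYS`, `GRACE_DAYS` and the `restrict` action are assumptions, since the post only gives "30+X days" and "3 times".

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

BASE_DAYS = 30              # the "30" in "30+X days"
MAX_EXTRA_DAYS = 14         # assumed upper bound for the random X
REQUIRED_CONFIRMATIONS = 3  # "confirmed say, 3 times"
GRACE_DAYS = 7              # assumed time allowed to answer a re-confirmation mail

@dataclass
class Account:
    email: str
    confirmations: int = 0
    next_check: Optional[datetime] = None     # when the next mail is due
    pending_since: Optional[datetime] = None  # mail sent, no click yet

    @property
    def trusted(self) -> bool:
        return self.confirmations >= REQUIRED_CONFIRMATIONS

def record_confirmation(acct: Account, now: datetime, rng: random.Random) -> None:
    """User clicked a confirmation link (signup or re-confirmation)."""
    acct.confirmations += 1
    acct.pending_since = None
    if acct.trusted:
        acct.next_check = None  # address proven long-lived, stop asking
    else:
        extra = rng.randint(0, MAX_EXTRA_DAYS)  # random X so the date is not predictable
        acct.next_check = now + timedelta(days=BASE_DAYS + extra)

def next_action(acct: Account, now: datetime) -> str:
    """Return 'none', 'send_reconfirmation' or 'restrict' for a periodic job."""
    if acct.trusted:
        return "none"
    if acct.pending_since is not None:
        # A throw-away inbox that no longer exists never answers: limit the account.
        expired = now - acct.pending_since > timedelta(days=GRACE_DAYS)
        return "restrict" if expired else "none"
    if acct.next_check is not None and now >= acct.next_check:
        acct.pending_since = now
        return "send_reconfirmation"
    return "none"
```

An account that signed up through a one-time inbox passes the first confirmation but ends in `restrict` once the first re-confirmation goes unanswered, while a long-lived address stops being asked after the third click.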
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: Free special one-time email address: A new spam approach

Post by Oren »

The Phoenix wrote:Don't spam them.
Why do you think I spam people?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Free special one-time email address: A new spam approach

Post by Benjamin »

Oren wrote:
The Phoenix wrote:Don't spam them.
Why do you think I spam people?
I know what you did last summer :wink:

Seriously though, he is just talking best practices. Not saying that YOU spam people.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Free special one-time email address: A new spam approach

Post by superdezign »

The Phoenix wrote:Use a random re-confirmation every 30+X days, to ensure that they didn't use a throw-away address, and once it is confirmed say, 3 times, they are a legit user with a legit email address. Then avoid sending them content they won't want, so they don't change to a throwaway address.
Why re-confirm? If they're spammers, you'd know by then.
And we don't need the user's email at all except for when it comes to the initial confirmation and password retrieval. Throw-away e-mails shouldn't matter as long as the user is a legitimate person, and doesn't care about password retrieval.
thiscatis
Forum Contributor
Posts: 434
Joined: Thu Jul 20, 2006 11:00 am

Post by thiscatis »

Isn't this what http://www.guerrillamail.com/ has been providing us with?
Been a bookmark for some time now.
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Re: Free special one-time email address: A new spam approach

Post by The Phoenix »

superdezign wrote: Why re-confirm? If they're spammers, you'd know by then.

And we don't need the user's email at all except for when it comes to the initial confirmation and password retrieval. Throw-away e-mails shouldn't matter as long as the user is a legitimate person, and doesn't care about password retrieval.
Depends on what you are doing.

If you are running an online business, you might need to contact the user to let him know to change his password in a few months. Or if it's a social networking site, you might be sending out notices that they have new friends. Forum? Got a private message, or a thread they are following has been updated.

ALL of those are reasons why you'd need more than a throwaway address, and none (if reasonably implemented) are really spam.

Further, we don't always know a spammer right away. Some bots are quite nasty now, signing up for accounts, and then waiting months to go back, and take the account to spamming the boards. On phpbb for example, one bot set up a dozen accounts, and waited over a month before using all those accounts to spam. Perhaps Attacker-A who got the logins sold the list to Attacker-B, to perform the actual spamming. Not uncommon.

So reconfirmation can make sense, and be worthwhile. Those are just common examples. Online games, Dating sites, Social news (digg/slashdot), even job hunting sites. All have valid reasons to do so.

That's why you (may/may not) want to get around disposable email addresses by adding additional checks. IF you need further verification.

The only new twist SpamL offers is that it reduces the number of 'clicks' a spammer/harvester has to perform.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

The 'plus address' approach is the best I've seen. GMail supports it. If your email address is "onion2k@gmail.com" you can sign up with "onion2k+phpdn@gmail.com" and the email will arrive at your normal inbox. That way you can tell where any spam has originated from. Then you can contact the site you signed up to with the particular + string and say "You sold my email address, I'm never using your service again you dumb smurfs."