> The journal, despite its distinguished name, is a predatory open-access journal, as noted by io9. These sorts of low-quality journals spam thousands of scientists, offering to publish their work for a fee.
> In 2005, computer scientists David Mazières and Eddie Kohler created this highly profane ten-page paper as a joke, to send in replying to unwanted conference invitations. It literally just contains that seven-word phrase over and over, along with a nice flow chart and scatter-plot graph
> According to the blog Scholarly Open Access, this PDF made the rounds, and an Australian computer scientist named Peter Vamplew sent it to the International Journal of Advanced Computer Technology in response to spam from the journal. Apparently, he thought the editors might simply open and read it.
> Instead, they automatically accepted the paper — with an anonymous reviewer rating it as "excellent" — and requested a fee of $150.
Any spam I get, I never unsubscribe. Too risky to instead get confirmed as active mail. Instead, those get blacklisted/reported as spam (though I recently found out that this can also leak your email address, fun edit: apparently that’s only an issue with the web.de and gmx.de services).
American companies are great of subscribing you to their spam mails without opt-in.
but all the info the douch needs is in the "UUID", the rest is easily obfuscated.
If your email client renders renders images willy nilly, the image is enough to confirm a valid target (clicking "unsubscribe" isn't necessary to become victim but is a hard lock-in mechanism (A human is on the hook...)).
I don't get much spam, so I don't remember the last time I reported it, but IIRC when you do it on Gmail, it shows something to the effect of "thanks for the report, we'll try to unsubscribe you".
This is pure speculation since I have no visibility into their inner workings, but it might just be possible that they would send a POST request on your behalf, at least to domains on some sort of a pre-approved list.
At work, we sometimes got abuse mails (the mails mention FBL: Feedback Loop [0]) which, while they do not contain addresses, contain message-id’s which can then be linked to the original mail.
But looking at the list of addresses we blacklisted because of them, I now realize that those are actually all web.de and gmx.de (crappy German freemailers), so it seems the leaks only happen with them.
Unsubscribe links are for cases where I've signed up willingly and later decided to cancel. If anyone automatically emails me they get reported as spam and blocked, no shot I'm trusting them to unsubscribe me.
The issue is the lack of law enforcement especially for smaller scale spammers. Also, the law against spam in USA is fairly weak (cold emails are allowed in mass, in general, with some requirements and restrictions).
The rule of the internet - you'll need to confirm your email for anything relevant or important, the email message might not arrive. Your email will be enrolled to any useless or malicious service and newsletter without any verification or consent.
I gave up on spam a few years ago. My gmail account which I got in the beta has 14000 unread emails in the inbox. I'm sure there are people out there with more. I used to delete/unsubscribe/report spam, but the amount just kept increasing, and I'm not the sort of person who can be bothered pruning his email inbox every day. If someone emails me something important, I usually still see it, or I search for it. If I'm unaware of it, well if it's really that important they'll call me. I've started to migrate to other addresses but I still use this monstrous account for a lot of things.
At some point in the last few (3-5 years?) I just gave up. My communication with important people hasn't really changed. I star important people by default and just glance over at them.
I've also trained those same important people that I always pick up my phone, so they feel like they can call me if it's urgent or important.
My output is higher now and I just don't think about email. Sometimes I miss things that people ask of me. They either come back around, because they are actually important, or they die on the vine.
I'm also very specific about what/who an important person is, so there just aren't that many important emails.
slightly unrelated, I've been experimenting with using Lob's mailing API to send in real life ddoss attacks of people's mail services. While this is really expensive, sending roughly 1 million letters/postcards in one batch will set you back ~500k, it will lead the USPS sending a pallet of mail onto the porch of someone you hate. Spread out the sends a bit and you get so many wads of mail that the USPS comes awfully close to just putting you on a do not mail list. Not getting election mail, medicine, important notices, package deliveries, getting marked as undeliverable on their address verification service etc it can become quite annoying.
It was the one feature I never got full buy in when working there, but if anyone has half a mil to spare, you can run some very fun experiments with mail.
I have found Apple's "Hide my Email" feature to be really nice for this stuff. It allows you to generate an unlimited number of unique email addresses that relay email to your registered one, without exposing the actual address. It then integrates natively with forms, so I pretty much use a unique email address for each service. Then if I ever get spammed, I can just disable the relay and poof.
AnonAddy and SimpleLogin also offer this, it's very neat. Added bonus that, assuming each email is service_name@domain.com, you'll know exactly who has leaked your email if you start getting random spam.
Also, I just found out it is really nice that, when you order stuff from a bunch of sites, and you get a shipping update from a shipping company, without info about which of your orders it is about, you can immediately see that from the email address.
I had a business owner confront me over this (but the Gmail version where the format is name.service@gmail.com). Basically I was using a taxi service to get a one-time ride to the airport, they required an email address, so I did the usual name.tonystaxiservice@gmail.com (or whatever it was). The business owner contacted me over the telephone to 'confirm' my email address, seemed to understand what the purpose of the dot was because they expressed repeatedly that they're not a spammer, they won't sell my email, etc. and ultimately removed the dot from my email in their records because that's where I found an emailed receipt.
This was all before Apple's feature came to be. I just hope this kind of email 'protection' becomes more mainstream.
Yes, I often find it a bit awkward to give such addresses in person because I know they won't understand and may think it's a joke or whatever. There was one time I had to give an email address to book a PCR Covid test. When I got to the testing centre they were very confused by the address and insisted on sending me a test email that I could show to them to prove that I has access to the address. Thankfully I've not had anything as extreme as your situation though! Makes me wish this was easier to do with phone numbers...
(Which is a shameless plug, since I work on that, but I know there are quite a few people here who trust Mozilla and for whom it's relevant.)
And if you use it to generate email masks in your browser, it can remember what website you created on without exposing that to the sender, and without a trail linking the email address to your other addresses.
Postfix itself is, uh, well I knew it well coz we also use it at work, but it was a bit of work, as my setup was a bit specific. The config itself was simple (mostly off their docs again), but I did a bit of customization.
I did extremely simple auth with just a text file with list of all the accounts + a bunch of aliases. Auth was provided by dovecot
In the "other direction" (postfix sending mails to dovecot for delivery) I set up this in master.cf
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m tag.${extension}
that is entirely standard except one thing, -m tag.${extension} is a bit of a "trick"; it will create any +address as a directory under tag/ (if you have "lda_mailbox_autocreate" set to "yes" in "protocol lda"
So, for example email to "me@domain.com" would land in INBOX but "me+badsite@example.com" would land in tag/badsite directory.
Dave used to do a custom version of this (I heard rumors that he stopped, I’m not sure). You’d put your email in a web form and his web server would create a temporary email address that would forward to his actual email for like 24hrs and then stop. You’d receive an email with the temporary address so you could send him whatever email you wanted to send him.
A pain, but he was serious about hating email spam.
Context for those who are not in academia: these days there are hundreds of low quality, shady "journals" that find your email on published papers and other academic databases, and then do half-arsed targeting to spam you every few weeks "inviting you" to submit to their overly generic random journal or inviting you to a "conference".
How do you actually report spammers in 2022? There used to be an email you could forward them to but that is apparently unmanned. FTC has a report service but surprisingly there is no way to report common email spam, only fraud etc.
50 comments
[ 4.7 ms ] story [ 110 ms ] threadhttps://www.vox.com/2014/11/21/7259207/scientific-paper-scam
> The journal, despite its distinguished name, is a predatory open-access journal, as noted by io9. These sorts of low-quality journals spam thousands of scientists, offering to publish their work for a fee.
> In 2005, computer scientists David Mazières and Eddie Kohler created this highly profane ten-page paper as a joke, to send in replying to unwanted conference invitations. It literally just contains that seven-word phrase over and over, along with a nice flow chart and scatter-plot graph
> According to the blog Scholarly Open Access, this PDF made the rounds, and an Australian computer scientist named Peter Vamplew sent it to the International Journal of Advanced Computer Technology in response to spam from the journal. Apparently, he thought the editors might simply open and read it.
> Instead, they automatically accepted the paper — with an anonymous reviewer rating it as "excellent" — and requested a fee of $150.
Did they pay? They really should have to get it published
"Correction: This article previously said the article was published by the journal. It was only accepted, because the author didn't want to pay $150."
American companies are great of subscribing you to their spam mails without opt-in.
spammer.douch.nozzle/collect_request/JoeShmo_1x1-transparent-UUID_0se9a009fjwljwlfl2f.gif
but all the info the douch needs is in the "UUID", the rest is easily obfuscated.
If your email client renders renders images willy nilly, the image is enough to confirm a valid target (clicking "unsubscribe" isn't necessary to become victim but is a hard lock-in mechanism (A human is on the hook...)).
No. I’m talking about abuse-mails, I’ll reply to the top-level comment
I reckon they might be using this: https://www.rfc-editor.org/rfc/rfc8058
This is pure speculation since I have no visibility into their inner workings, but it might just be possible that they would send a POST request on your behalf, at least to domains on some sort of a pre-approved list.
But looking at the list of addresses we blacklisted because of them, I now realize that those are actually all web.de and gmx.de (crappy German freemailers), so it seems the leaks only happen with them.
[0]: https://en.wikipedia.org/wiki/Feedback_loop_(email)
https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003
Also gmail spam filter isnt what it once was, or perhaps it is just the 1% failure rate shows up more when you get 100's of spam messages a day.
At some point in the last few (3-5 years?) I just gave up. My communication with important people hasn't really changed. I star important people by default and just glance over at them.
I've also trained those same important people that I always pick up my phone, so they feel like they can call me if it's urgent or important.
My output is higher now and I just don't think about email. Sometimes I miss things that people ask of me. They either come back around, because they are actually important, or they die on the vine.
I'm also very specific about what/who an important person is, so there just aren't that many important emails.
It was the one feature I never got full buy in when working there, but if anyone has half a mil to spare, you can run some very fun experiments with mail.
If you ask me this, should just be standard.
Did you use Oauth that time? Which Oauth service?
Did you use an email? Were you on your phone and actually used the Apple Id “Oauth” looking button and gave a relay email?
Were you lazy and used your phone browser’s autofill and password manager?
Were you NOT lazy and an unhidden email and separate third party password manager?
This was all before Apple's feature came to be. I just hope this kind of email 'protection' becomes more mainstream.
(Which is a shameless plug, since I work on that, but I know there are quite a few people here who trust Mozilla and for whom it's relevant.)
And if you use it to generate email masks in your browser, it can remember what website you created on without exposing that to the sender, and without a trail linking the email address to your other addresses.
I also added a rule to make every sub-email into its own subdirectory so it is super easy to manage
Postfix itself is, uh, well I knew it well coz we also use it at work, but it was a bit of work, as my setup was a bit specific. The config itself was simple (mostly off their docs again), but I did a bit of customization.
I did extremely simple auth with just a text file with list of all the accounts + a bunch of aliases. Auth was provided by dovecot
that just allowed to give smtpd auth this as extra parameters: In the "other direction" (postfix sending mails to dovecot for delivery) I set up this in master.cf that is entirely standard except one thing, -m tag.${extension} is a bit of a "trick"; it will create any +address as a directory under tag/ (if you have "lda_mailbox_autocreate" set to "yes" in "protocol lda"So, for example email to "me@domain.com" would land in INBOX but "me+badsite@example.com" would land in tag/badsite directory.
that just needs something like
to set upA pain, but he was serious about hating email spam.
https://kevincox.ca/2022/07/07/signed-email-addresses/
Basically signed addresses are exempt from regular spam filtering. If they are abused they are blocked.
https://reportfraud.ftc.gov/#/faq
https://isotropic.org/papers/chicken.pdf