50 comments

[ 4.7 ms ] story [ 110 ms ] thread
There’s no comments here, so I found some background:

https://www.vox.com/2014/11/21/7259207/scientific-paper-scam

The paper was hilarious in itself. The context makes it even more interesting.
For the lazy:

> The journal, despite its distinguished name, is a predatory open-access journal, as noted by io9. These sorts of low-quality journals spam thousands of scientists, offering to publish their work for a fee.

> In 2005, computer scientists David Mazières and Eddie Kohler created this highly profane ten-page paper as a joke, to send in replying to unwanted conference invitations. It literally just contains that seven-word phrase over and over, along with a nice flow chart and scatter-plot graph

> According to the blog Scholarly Open Access, this PDF made the rounds, and an Australian computer scientist named Peter Vamplew sent it to the International Journal of Advanced Computer Technology in response to spam from the journal. Apparently, he thought the editors might simply open and read it.

> Instead, they automatically accepted the paper — with an anonymous reviewer rating it as "excellent" — and requested a fee of $150.

> and requested a fee of $150.

Did they pay? They really should have to get it published

"Correction: This article previously said the article was published by the journal. It was only accepted, because the author didn't want to pay $150."

I am not sure, but I think the GDPR mandates an unsubscribe link for unwanted automatic emails.
Any spam I get, I never unsubscribe. Too risky to instead get confirmed as active mail. Instead, those get blacklisted/reported as spam (though I recently found out that this can also leak your email address, fun edit: apparently that’s only an issue with the web.de and gmx.de services).

American companies are great of subscribing you to their spam mails without opt-in.

Wait, how reporting spam can leak the address? Asking for gmail of course.
he's probably saying about clicking "unsubscribe" which usually leads to spammer website. in return they know now that this email is active
A website, can just be a URL of, well... nothing. As long a web server is sitting there logging the requests.

spammer.douch.nozzle/collect_request/JoeShmo_1x1-transparent-UUID_0se9a009fjwljwlfl2f.gif

but all the info the douch needs is in the "UUID", the rest is easily obfuscated.

If your email client renders renders images willy nilly, the image is enough to confirm a valid target (clicking "unsubscribe" isn't necessary to become victim but is a hard lock-in mechanism (A human is on the hook...)).

And that's exactly why you don't load random web resources in emails.
> he's probably saying about clicking "unsubscribe"

No. I’m talking about abuse-mails, I’ll reply to the top-level comment

I don't get much spam, so I don't remember the last time I reported it, but IIRC when you do it on Gmail, it shows something to the effect of "thanks for the report, we'll try to unsubscribe you".

I reckon they might be using this: https://www.rfc-editor.org/rfc/rfc8058

This is pure speculation since I have no visibility into their inner workings, but it might just be possible that they would send a POST request on your behalf, at least to domains on some sort of a pre-approved list.

(comment deleted)
At work, we sometimes got abuse mails (the mails mention FBL: Feedback Loop [0]) which, while they do not contain addresses, contain message-id’s which can then be linked to the original mail.

But looking at the list of addresses we blacklisted because of them, I now realize that those are actually all web.de and gmx.de (crappy German freemailers), so it seems the leaks only happen with them.

[0]: https://en.wikipedia.org/wiki/Feedback_loop_(email)

It tells the adversary someone reads the emails on that mailbox.
Yes it does - unsubscribing should be JUST clicking a button.
Unsubscribe links are for cases where I've signed up willingly and later decided to cancel. If anyone automatically emails me they get reported as spam and blocked, no shot I'm trusting them to unsubscribe me.
Most spammers are still using standard tools with a working unsubscribe button. They just don't understand opt-in etiquette.
Is till prefer marking them as spam in hope that it increases chance that whoever submits spam and their content will be treated as spam in future.
I just do both
they should also mandate that a reply email with 'unsubscribe' as the first word will unsubscribe the 'sent from' address
Make a new Gmail filter that moves every email that contains word "unsubscribe" to spam.
The issue is the lack of law enforcement especially for smaller scale spammers. Also, the law against spam in USA is fairly weak (cold emails are allowed in mass, in general, with some requirements and restrictions).
The rule of the internet - you'll need to confirm your email for anything relevant or important, the email message might not arrive. Your email will be enrolled to any useless or malicious service and newsletter without any verification or consent.
I gave up on spam a few years ago. My gmail account which I got in the beta has 14000 unread emails in the inbox. I'm sure there are people out there with more. I used to delete/unsubscribe/report spam, but the amount just kept increasing, and I'm not the sort of person who can be bothered pruning his email inbox every day. If someone emails me something important, I usually still see it, or I search for it. If I'm unaware of it, well if it's really that important they'll call me. I've started to migrate to other addresses but I still use this monstrous account for a lot of things.
You must have had your email address on a website in plain text at some point.
If by plain text you mean in numerous leaks ... can confirm I have the same problem. Never otherwise been published online.

Also gmail spam filter isnt what it once was, or perhaps it is just the 1% failure rate shows up more when you get 100's of spam messages a day.

This has been my solution as well.

At some point in the last few (3-5 years?) I just gave up. My communication with important people hasn't really changed. I star important people by default and just glance over at them.

I've also trained those same important people that I always pick up my phone, so they feel like they can call me if it's urgent or important.

My output is higher now and I just don't think about email. Sometimes I miss things that people ask of me. They either come back around, because they are actually important, or they die on the vine.

I'm also very specific about what/who an important person is, so there just aren't that many important emails.

Everyone should have at least a few more spare accounts for these proposes.
slightly unrelated, I've been experimenting with using Lob's mailing API to send in real life ddoss attacks of people's mail services. While this is really expensive, sending roughly 1 million letters/postcards in one batch will set you back ~500k, it will lead the USPS sending a pallet of mail onto the porch of someone you hate. Spread out the sends a bit and you get so many wads of mail that the USPS comes awfully close to just putting you on a do not mail list. Not getting election mail, medicine, important notices, package deliveries, getting marked as undeliverable on their address verification service etc it can become quite annoying.

It was the one feature I never got full buy in when working there, but if anyone has half a mil to spare, you can run some very fun experiments with mail.

I have found Apple's "Hide my Email" feature to be really nice for this stuff. It allows you to generate an unlimited number of unique email addresses that relay email to your registered one, without exposing the actual address. It then integrates natively with forms, so I pretty much use a unique email address for each service. Then if I ever get spammed, I can just disable the relay and poof.

If you ask me this, should just be standard.

Yahoo mail offers a similar thing. It's a lot of effort to generate and track unique addresses whenever you sign up for something though.
Agreed, I think browsers should have a popup about the method you used to last sign in

Did you use Oauth that time? Which Oauth service?

Did you use an email? Were you on your phone and actually used the Apple Id “Oauth” looking button and gave a relay email?

Were you lazy and used your phone browser’s autofill and password manager?

Were you NOT lazy and an unhidden email and separate third party password manager?

AnonAddy and SimpleLogin also offer this, it's very neat. Added bonus that, assuming each email is service_name@domain.com, you'll know exactly who has leaked your email if you start getting random spam.
Also, I just found out it is really nice that, when you order stuff from a bunch of sites, and you get a shipping update from a shipping company, without info about which of your orders it is about, you can immediately see that from the email address.
I had a business owner confront me over this (but the Gmail version where the format is name.service@gmail.com). Basically I was using a taxi service to get a one-time ride to the airport, they required an email address, so I did the usual name.tonystaxiservice@gmail.com (or whatever it was). The business owner contacted me over the telephone to 'confirm' my email address, seemed to understand what the purpose of the dot was because they expressed repeatedly that they're not a spammer, they won't sell my email, etc. and ultimately removed the dot from my email in their records because that's where I found an emailed receipt.

This was all before Apple's feature came to be. I just hope this kind of email 'protection' becomes more mainstream.

Yes, I often find it a bit awkward to give such addresses in person because I know they won't understand and may think it's a joke or whatever. There was one time I had to give an email address to book a PCR Covid test. When I got to the testing centre they were very confused by the address and insisted on sending me a test email that I could show to them to prove that I has access to the address. Thankfully I've not had anything as extreme as your situation though! Makes me wish this was easier to do with phone numbers...
Also Firefox Relay! https://relay.firefox.com/

(Which is a shameless plug, since I work on that, but I know there are quite a few people here who trust Mozilla and for whom it's relevant.)

And if you use it to generate email masks in your browser, it can remember what website you created on without exposing that to the sender, and without a trail linking the email address to your other addresses.

I did this in postfix when I moved off Google after they removed free tier.

I also added a rule to make every sub-email into its own subdirectory so it is super easy to manage

Do you have any recommendations on how to get setup with postfix? I've been wanting to set up my own email service for a different reason.
as for Dovecot (IMAP) honestly their page has good instruction. It's very modular program but I just used basics. https://doc.dovecot.org/configuration_manual/quick_configura...

Postfix itself is, uh, well I knew it well coz we also use it at work, but it was a bit of work, as my setup was a bit specific. The config itself was simple (mostly off their docs again), but I did a bit of customization.

I did extremely simple auth with just a text file with list of all the accounts + a bunch of aliases. Auth was provided by dovecot

    ...
    passdb {
      driver = passwd-file
      args = /etc/dovecot/passwd
    }
    userdb {
      driver = static
      args = uid=vmail gid=vmail home=/home/vmail/%u
    }
    ...

    # auth for postfix submission
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
that just allowed to give smtpd auth this as extra parameters:

    +  -o smtpd_sasl_type=dovecot
    +  -o smtpd_sasl_path=private/auth

In the "other direction" (postfix sending mails to dovecot for delivery) I set up this in master.cf

    dovecot unix    -       n       n       -       -      pipe
      flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m tag.${extension}

that is entirely standard except one thing, -m tag.${extension} is a bit of a "trick"; it will create any +address as a directory under tag/ (if you have "lda_mailbox_autocreate" set to "yes" in "protocol lda"

So, for example email to "me@domain.com" would land in INBOX but "me+badsite@example.com" would land in tag/badsite directory.

that just needs something like

    dovecot_destination_recipient_limit = 1
    virtual_mailbox_domains = example1.com, example2.com
    virtual_transport = dovecot
    virtual_alias_maps = hash:/etc/postfix/virtual
to set up
Dave used to do a custom version of this (I heard rumors that he stopped, I’m not sure). You’d put your email in a web form and his web server would create a temporary email address that would forward to his actual email for like 24hrs and then stop. You’d receive an email with the temporary address so you could send him whatever email you wanted to send him.

A pain, but he was serious about hating email spam.

I've got a cron job on my server that configures (current date)@(my domain) for one day. Works great!
Context for those who are not in academia: these days there are hundreds of low quality, shady "journals" that find your email on published papers and other academic databases, and then do half-arsed targeting to spam you every few weeks "inviting you" to submit to their overly generic random journal or inviting you to a "conference".
How do you actually report spammers in 2022? There used to be an email you could forward them to but that is apparently unmanned. FTC has a report service but surprisingly there is no way to report common email spam, only fraud etc.