Just when you thought it was safe to go back into the water, having protected your email address in all the places it might appear publicly, such as your Web site, this CircleID article on P2P address harvesting, quoting a study done by Blue Security, suggests that spammers are grabbing addresses from poorly configured P2P sharing setups.
This is nothing new, of course; the idea of somehow protecting your email address from harvesting when you already communicate with people whose systems are insecure (and hence vulnerable to intentional harvesting or inadvertent exposure through mass-mailing viruses) is ludicrous. But the important aspect of this new strategy is that it exposes not only your address but also the contexts in which it occurs naturally. Now, instead of just being able to spam you, the spammers can correlate your address to others in the same mailbox, and can send you mail purporting to be "from" your maiden aunt or boss, thereby making use of your local whitelists and filters to bypass spam filtering. Until some form of sender authentication is adopted, this is going to be the way of the world. And there's no guarantee that even that will solve this problem.
Posted by schampeo at 1:37 PM
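The whitelist bypass described above, as an added example that is not part of the original post: a whitelist keyed on the From: header alone accepts a forged message, while one that also requires a sender-authentication pass for the From: domain does not. The addresses, messages and `Authentication-Results` values are constructed, the header is assumed to be stamped by the receiving server `mx.local.example`, and DKIM stands in for "some form of sender authentication".

```python
import re
from email import message_from_string
from email.utils import parseaddr

WHITELIST = {"aunt@family.example", "boss@work.example"}  # constructed addresses

# Constructed messages; Authentication-Results is assumed to be added by our own MX.
FORGED = """\
Authentication-Results: mx.local.example; dkim=none
From: "Aunt May" <aunt@family.example>
To: you@local.example
Subject: look at this

body
"""
GENUINE = """\
Authentication-Results: mx.local.example; dkim=pass header.d=family.example
From: "Aunt May" <aunt@family.example>
To: you@local.example
Subject: dinner on Sunday

body
"""

def from_address(msg):
    """Return the bare, lower-cased address from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()

def naive_whitelisted(raw):
    """Trusts the From: header alone, which the sender fully controls."""
    return from_address(message_from_string(raw)) in WHITELIST

def authenticated_whitelisted(raw, trusted_authserv="mx.local.example"):
    """A whitelist hit counts only with a DKIM pass for the From: domain."""
    msg = message_from_string(raw)
    addr = from_address(msg)
    if addr not in WHITELIST:
        return False
    domain = addr.rpartition("@")[2]
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # stamped by another host, possibly the sender itself
        m = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", results, re.I | re.S)
        if m and m.group(1).lower() == domain:
            return True
    return False
```

The check relies on the receiving server removing any incoming `Authentication-Results` header that carries its own name before adding its verdict.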
This detailed discussion of the drawbacks of challenge/response as an anti-spam strategy is worth reading.
Posted by schampeo at 3:07 PM
Suresh Ramasubramanian, the force-of-nature antispam guy from Outblaze, does a number on the myth of SPF as the end of spam and discusses port 25 blocks as an antispam tactic in a recent article for CircleID. Also of relevance is this eWEEK article by Larry Seltzer urging ISPs to block port 25 now.
Posted by schampeo at 11:35 AM