Bug: Obfuscating emails by adding "removethis" actually spams legit domains like removethis.de
TWiki obfuscates emails bar@fooPLEASENOSPAM.com and bar@fooPLEASENOSPAM.de by transforming them into bar@fooPLEASENOSPAM.removethis.com & bar@fooPLEASENOSPAM.removethis.de. But removethis.de (at least) exists and its webmaster is pissed off by all the spam he receives.
Test case
http://wikix.ilog.fr/wiki/bin/view/Main/WebIndex
Environment
--
ColasNahaboo - 17 Apr 2005
Impact and Available Solutions
Follow up
See the received mail:
From: "Ulrich Heidenreich" <postmaster@removethis.de>
To: wikix@ilog.removethis.fr
Subject: Lots of forged mailaddresses on http://wikix.ilog.fr/wiki/bin/view/Main/WebIndex
Date: Fri, 15 Apr 2005 20:25:28 +0200
Hi there!
I'm not quite sure if I'm reaching the responsible person for that large
amount of email addresses being presented to spammers on your(?) page
named http://wikix.ilog.fr/wiki/bin/view/Main/WebIndex
I am getting tons of Spam which is addressed to - e.g. -
andre.ulrich@stud.uni-goettingen.removethis.de
AndyBurkhardt@web.removethis.de
podelski@mpi-sb.mpg.removethis.de
brewka@informatik.uni-leipzig.removethis.de
... to be continued.
If you are responsible for this website, then I'll urgently bet you,
not to abuse my domain "removethis.de" to prevent your members(?) from
getting spam. It's me, who is getting this spam instead, and I'm really
not amused.
Thanks in advance.
Sincerely,
U. F. Heidenreich
--
Sorry: English isn't my native language.
So please don't feel confused by that
dialect, I'm perhaps using instead ;-)
Fix record
Discussion
Perhaps one solution would be to generate emails to a known "spam honey pot", so at the same time protecting users from spam and sending spam to a place keeping track of spammers for future legal action?
--
ColasNahaboo - 17 Apr 2005
The TWiki.cfg lines for this are:
# Prevent spambots from grabbing addresses, default "":
# e.g. set to "NOSPAM" to get "user@somewhereNOSPAM.com"
$noSpamPadding = "";
As you can see, TWiki (02-Sep-2004) ships without spam proofing enabled and doesn't appear to recommend 'removethis' - in fact, the comment indicates that it's very unlikely an existing domain would get any spam since no dot is used in suffixing the 'NOSPAM'.
This is a non-bug unless someone can show how the shipped TWiki code does this with default config.
UPDATE: In fact, it is most likely a misconfiguration of this site.
--
RichardDonkin - 17 Apr 2005
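
An added example (not TWiki's code and not part of the original thread): a small audit that models the padding behaviour described in the TWiki.cfg comment and flags padding values that move obfuscated mail onto a domain owned by someone else. The function names, the "insert before the final dot" model, the last-two-labels heuristic and the sample addresses are assumptions made for this illustration.

```python
from collections import defaultdict


def pad_address(addr, padding):
    """Insert padding before the final dot of the domain. Assumed model of the
    behaviour in the TWiki.cfg comment: "NOSPAM" -> user@somewhereNOSPAM.com."""
    local, _, domain = addr.rpartition("@")
    head, dot, tld = domain.rpartition(".")
    if not local or not dot:
        return addr  # not a user@host.tld address; leave untouched
    return f"{local}@{head}{padding}.{tld}"


def second_level(addr):
    """Naive registrable domain: last two DNS labels (no public-suffix list)."""
    return ".".join(addr.rpartition("@")[2].lower().split(".")[-2:])


def audit_padding(padding, addresses):
    """Map each third-party domain that would receive padded mail to the
    original domains whose mail it absorbs. Empty dict means no redirection."""
    sinks = defaultdict(set)
    for addr in addresses:
        origin = second_level(addr)
        sink = second_level(pad_address(addr, padding))
        # Safe padding only lengthens the owner's own label (fooNOSPAM.com).
        # Padding containing a dot pushes the owner's label out of the
        # registrable domain, so the padding itself becomes the domain.
        if not sink.split(".")[0].startswith(origin.split(".")[0]):
            sinks[sink].add(origin)
    return {sink: sorted(origins) for sink, origins in sinks.items()}


# Constructed sample addresses (not taken from any real site).
SAMPLE = [
    "alice@stud.uni-one.de",
    "bob@mail.inst-two.de",
    "carol@lab.corp-three.fr",
    "dave@corp-four.fr",
]

if __name__ == "__main__":
    for padding in (".removethis", "NOSPAM", ""):
        result = audit_padding(padding, SAMPLE)
        print(repr(padding), "->", result or "no third-party domain hit")
```

With the padding ".removethis" every sample address collapses onto removethis.de or removethis.fr, which is the situation the postmaster's mail describes; "NOSPAM" and the empty default produce no such redirection.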
An alternative - applicable to home pages where most email addresses show - is to not reveal the email address in any form but rather to provide a form through which the user can be contacted. The form could lead to TWiki sending an email to the user's address.
--
MartinCleaver - 17 Apr 2005
There will always be some email addresses in wiki content, homepage or not, and these deserve a proper obfuscation. For a spam crawler the most reasonable thing to do is to look for @ (at) and then process the strings to its left and right. So adding stuff like NOSPAM or a literal AT or DOT or whatever is coming short. An obvious solution is to remove any "at" from the content and replace it with a picture of an "at". The "at" symbol should only be visible during edit. This is an easy hack on the mailToLink handler(s) ...
--
MichaelDaum - 18 Apr 2005