Just received the below email from Spamwise. They harvested one of my email addresses from my blog, so they could send me an email, to tell me my email addresses could be harvested by Spammers, with the stated intention of reducing unnecessary emails.
So anyway, I try to be a good netizen, so I have changed the way I present my public facing email addresses using Javascript Obsfucation. Which means you need a Javascript enabled browser to view them. The theory in Javascript Obsfucation being that SPAM harvesters will not be able to read you email because it's sort of 3ncrypt3d. Of course spam harvesters are probably aware of this, and have methods of decoding the obsfucated email address. But hey I tried.
My only problem with the email is it seems to be formatted similar to the kind you would see debunked as a hoax on snopes.com. Typically a hoax emails claims to be from a bonafide corparation such as `Microsoft|IBM|HP|Adobe|Insert well know co. name here'. The spamwise.org email claims to be from a bonafide "IT Operation" and then does not list exactly what or who that operation is. A perusal of the listed website spamwise.org fails to enlighten me as to who or what they are. (maybe the text of that piece of information is coloured #FFFFFF on a #FFFFFF background because I can't see it).
Being cynical as I am, I'm suspicioning that spamwise.org is just a monetized website (it's got ad banners) that needs traffic, and by it harvesting email addresses and sending a `concerned citizen' email it's attempting to create income generating website traffic. I could be wrong. Let me know if I am.
You are receiving this message because a number of insecure 'EMAIL US' links have been found on WEBSITE PAGES by our automated scan.
The presence of these harvestable email-addresses on your website poses a direct threat to the integrity of your email-system, by making your site a target for spam.
If your email-addresses are already being heavily spammed, it is likely that these unprotected weblinks are the reason.
Even if not, then it is still imperative to correct the problem before harvesting takes place and the spam starts flooding-in.
The following page was scanned:
-and the following domain addresses were found:
You would be well-advised to raise these issues with the person or organization responsible for maintaining this website. For more information, and free tools with which to check your website's security against address-harvesting, visit http://spamwise.org
This message is sent only a small number of times, to specific addresses found at websites with an email-link security problem. Spamwise is an awareness-raising initiative run by a bona-fide IT operation, offering a professional standard of advice and services to business clients.
Is the real problem that the message was unexpected, or that as an experienced coder you were embarrassed about having such a security issue? After, everyone knows not to post email addresses into newsgroups. Try it, and see how long it takes before someone warns you to stop. Blogs, how do they differ in that respect? They do not.
Note that I say unexpected, not unsolicited, since it has been well-established that security notifications sent to the person responsible for the site are solicited by the very existence of the security issue. They are also not bulk messages, one specific message being sent in respect of one vuln. Therefore, they are not spam.
We do carry-out checks on reported security vulns, particularly on mailing-list sites or directories which are leaking multiple addresses to spammers. It's amazing the responses we get. (well, may be not) but even the ones who who swear, rant and rave at us in retaliation then go ahead and fix the problem. Which, is good. Especially where it's other peoples' addresses, not their own, that they are leaking to spammers by the bucketload. (not saying that you were doing that, of course)
Just for comparison, the Spamhaus DNSBL operators (or more likely their many unpaid deputies) are known to carry-out random relay-tests on mailservers, and not only to send notifications but also to blacklist the IPs of mailservers which fail such tests, regardless of whether or not the server is actually relaying spam. If that is regarded as legal (questionable, as it's never been tested in court) then I find it extremely hard to understand a complaint over a simple notification of a vuln.
Unlike DNSBL operators we don't do blacklisting (Which in our case would be of leaky business-directories, etc as opposed to IP ranges) It was discussed at one time, but dismissed as unethical. So, we just notify, and if they take no heed, not our problem. Usually they do, though.
Anyway, if you fixed the address-harvesting problem on our advice last September, then you should be gaining the benefits by now in terms of reduced spam volumes.
BTW, would have replied to this earlier if I'd known of its existence.