bbs.spamgourmet.com

[zaphod]

Hi there,

I expect that there is no easy solution to this, but I'll ask anyway in case I'm being dense (a real possibility ).

If someone emails me on one of my disposables and has a list of cc recipients is there anyway I can reply to all and still protect my real email address (i.e. can spamgourmet re-write the from reply-to fields for all of the recipients)?

A related question involves initiating a dialog with more than one person at a time. Is this possible, i.e. send to a bunch of people from one of my disposables?

Cheers,
Mark.

[josh]

I'll look at the code -- I take it you've seen such a message with a bunch of CC's, and the addresses are not redirection addresses?

We do pickup the "reply-to" address as well as the "from" address, so there's nothing wrong in principle with handling multiple addresses. We probably need to consider CPU usage and things before we introduce code that goes wild on an arbitrarily long list of addresses, of course.

To send mail to a bunch of different people requires a redirection address for each one of them (these could be prepared using the website). We make this difficult on purpose, to prevent a spammer from using our system to send out a bunch of unsolicited email -- we tried to draw the line in the right place, but it does pose a burden for legitimate purposes - hope you can understand why.

[zaphod]

I'll look at the code -- I take it you've seen such a message with a bunch of CC's, and the addresses are not redirection addresses?

Hi Josh. Thanks for your time and the great service you provide. In my work as a professor I'm regularly involved in email conversations with multiple participants via cc'ing. I've tested this myself using other email accounts I have - I've mailed one of my spamgourmet disposables and cc'ed to some of my other email addresses. If I reply from my protected email via spamgourmet's address masking then only the originating address gets the disposable as the reply-to/from and the cc'd recipients get to see my protected address.

We do pickup the "reply-to" address as well as the "from" address, so there's nothing wrong in principle with handling multiple addresses. We probably need to consider CPU usage and things before we introduce code that goes wild on an arbitrarily long list of addresses, of course.

Fair enough

To send mail to a bunch of different people requires a redirection address for each one of them (these could be prepared using the website). We make this difficult on purpose, to prevent a spammer from using our system to send out a bunch of unsolicited email -- we tried to draw the line in the right place, but it does pose a burden for legitimate purposes - hope you can understand why.

Hmm I see the problem but is it not possible (with the current system as it is) to write a script to access the web form and create, say, a million single-recipeint redirection addresses and then send spam through them? If it isn't, then I think time-based expiration (one week max) mailing list redirection addresses limited to 5 or 10 recipients would be a reasonable compromise - just my 2c worth.

Cheers,
Mark.

[josh]

We have throttling and alarms in place to detect a script trying to create a bunch of redirection addresses. A certain threshold could (can't remember right now) automatically trigger an account suspension, which would effectively invalidate all existing redirection addresses for the account. We set these thresholds high, because, happily, there's a large gap between what an active legitimate user would ever want to do and what a spammer would need to do.

The time based restriction is intriguing, but we'd have to do some re-writing, and would also need a strategy to handle the existing outstanding redirection addresses properly.

One thing worth noting is that if your email client (aka Mail User Agent, or MUA) allows you to temporarily specify a different From: address, that pretty much addresses the whole problem. I've been playing with Gmail recently, and they've added that functionality -- they require that you "validate" each address that you specify as an account (from which you can send), by clicking on a link they email to the address -- works like a champ with sg.

[zaphod]

One thing worth noting is that if your email client (aka Mail User Agent, or MUA) allows you to temporarily specify a different From: address, that pretty much addresses the whole problem. I've been playing with Gmail recently, and they've added that functionality -- they require that you "validate" each address that you specify as an account (from which you can send), by clicking on a link they email to the address -- works like a champ with sg.

I have been using GMail as well and using the "send from a different account" option. However, you might want to take a close look at the header that GMail's smtp sever generates - whilst it does place the nominated address in the reply to and from fields it also adds a "Sender" field which contains your GMail address - arghhh!!! It does this whether you send via the web interface or use a mail client. I don't think the "Sender" field is standard but I guess any software that spammers use to extract addresses would still grab anything that looks like an email address, regardless of the field.

However, setting a different from address in some mail clients does seem to be the answer (I use OS X's mail client). I've checked the raw headers generated via several different smpt servers and there is no sign of my real email address. I really like using GMail's web interface, but because of this issue I guess I will move back using a mail client and IMAP (I've heard that AIM's IMAP isn't too bad).

Thanks for your help.

Mark.