Wednesday, July 19, 2006

email addresses

From: "Wendell Huffman"

Is it necessary to include everyone's email address with their postings? It doesn't bother me that the postings are "signed" (from so and so), but I just discovered that that is invariably followed with our email addresses. I'm not happy about that discovery. No wonder spammers are finding me!



Blogger CPRR Discussion Group said...

You are certainly correct that e-mail addresses appearing on websites are subject to abuse by spammers. Sorry – spam is certainly a huge problem, but this is a tradeoff that everyone using the internet faces, as keeping your e-mail address secret prevents people from contacting you. If you succeed perfectly in keeping all your e-mail addresses off the web, it may be harder for spammers to find you – although they often succeed in guessing addresses that are not published online. But keeping your e-mail address off the web is almost impossible if you participate in online discussions.

If you really want to keep your e-mail address off the web, it essentially means that you can't ever post on a website, because if it ever appears even once on a single website, it is out there forever. To give you an idea of just how difficult this is to achieve, we found that your e-mail address has been online on multiple discussion websites for at least six years.

Attempting to keep e-mail addresses off the web is also now probably useless, because spammers use virus infected e-mails to steal all the e-mail addresses from infected computers. So you also wouldn't be able to ever send e-mail to anyone unless you were certain that the e-mail recipient would never succumb to a virus infection. We know that people who write to us have virus infected computers that give our e-mail addresses to spammers, because we get spam to e-mail addresses that were never posted on a webpage.

In any case, we can't unring this bell, because such a decision would have to have been made 18 months ago before we set up the discussion group. Also, the Google company we use to manage our discussion group,, does not even allow added comments to be edited after they are posted, so there is no mechanism to remove all the e-mail addresses even if this were not of doubtful utility as well as prohibitively time consuming. When doing automatic message posting, our provider, which we understand to be the premier and largest such service, also provides no capability to suppress e-mail addresses. It does allow "anonymous" web posting of comments, but we find that people very rarely make use of that capability.

If you have noticed increased spam recently, it is doubtful that the discussion group relates to this, as your e-mail address has been online for so many years.

Until some of the newer technical approaches to spam reduction are widely accepted by the Internet Service Providers, so that mail being sent must be cryptographically authenticated as to the source, the best advice is to take advantage of a good spam filtering service, such as the excellent service that we use.


7/20/2006 12:53 AM  
Blogger CPRR Discussion Group said...

From: "Wendell Huffman"

Actually, I post on many discussion groups, primarily Yahoo groups but also a few independent ones. In Yahoo groups one can click on a poster's name as a link and open a message screen which enables a private communication without revealing the recipient's email. I'm not sure if such a sent message shows the sender's email or not. In any event one the email addresses are not published. reveals members' email addresses with messages, but as an image – it is not searchable.

When I google my email address, I find all of my postings on the CPRR group as well as a few from genealogical bulletin boards that I posted within the text of messages (an unnecessary mistake as they, too, allow private communication between posters).

Frankly if it wasn't for all the genealogical queries in which I did post an email address, I'd seriously consider getting a new email address and then being very careful where I put it. I probably made a mistake the other day in emailing this group from work as now that address is probably published as well.


7/20/2006 8:26 AM  
Blogger CPRR Discussion Group said...

Windows security has been so lax that a new computer attached to the internet using a broadband connection and default settings likely will become virus infected within the first half hour. So getting a new e-mail address and keeping it off the web won't prevent spam because your new e-mail address will likely be quickly harvested by spammers using viruses infecting the computers of people you e-mail.

Also, it doesn't matter where you sent the e-mail from, as it is the "from" address that you enter into your e-mail software during account setup that is seen, and that "from" address can be any e-mail address that you select.

This is not a simple or easy tradeoff. Some of the alternative approaches make it impossible to respond off list, so unpublished messages are impossible. Some make anonymous comments almost impossible. Keeping the e-mail addresses secret may mean that replies are never seen by the original poster. Other options, such as used by the R&LHS discussion group on Yahoo! post the e-mail addresses, but then keep the entire message inaccessible with the result that all the accumulated knowledge may be lost to posterity and can't be searched using Google, etc. We found these consequences highly undesirable, so made a different tradeoff. The whole point of website privacy statements is to disclose the tradeoffs so that individuals can make their choices.

We're surprised to receive your comments now, a year and a half after the fact. At the time you wrote: "Will this be a public forum that 'outsiders' can view? I think that would be good – as it might actually generate interest, but we should know that. And others might not like that." The discussion group was created at your suggestion, which we think was an excellent one, and made a public forum as you asked, so it would have been helpful if you have such strong views about this to have scrutinized what was set up at your behest and to have made such additional recommendations known at the inception so that they could have been taken into account.

7/20/2006 8:41 AM  
Blogger CPRR Discussion Group said...

P.S. Your new work e-mail address that you are worrying about keeping secret is published on the Nevada State Railroad Museum website.

7/20/2006 8:52 AM  
Blogger CPRR Discussion Group said...

I see no good reason to be receiving email from the group at two different email addresses. Please delete my hotmail address from your address book.


7/31/2006 9:27 AM  
Blogger CPRR Discussion Group said...

List has been revised as requested according to your preference to use just the one e-mail address. (The default is to receive CPRR Discussion Group messages at all the e-mail addresses from which posts are received.)

Possible reasons that people would want e-mails sent to two addresses include increased reliability so that if one e-mail address stops working (server outage, mailbox full, blacklist error, overzealous spam filter, etc.) they won't miss receiving the other copy of the e-mail – or if they choose to access their different e-mail accounts from different computers at different times and want to receive some e-mails more promptly. Also, people sometimes want a duplicate e-mail sent to a Hotmail account address to allow them to easily check their e-mail using Hotmail while they are traveling and only have access using a web browser.

Administrative requests that are not of general interest should be sent to, to avoid automatic forwarding to all list members.

7/31/2006 9:31 AM  
Blogger CPRR Discussion Group said...

From: "Paul S Martineau"

I am getting notices of bounced messages from the list. ... I have a thread I want to open, but have been reluctant due to the problem. Shall I go ahead and open it anyway?

—Paul Martineau, Reno, NV

8/14/2006 9:51 AM  
Blogger CPRR Discussion Group said...

Subject: Bounced messages

Feel free to keep using the CPRR Discussion Group – the messages are getting through to all the members.

Sorry. This is a recurrent problem that we are forced to work around. The issue is that various internet service providers use blacklists in an attempt to block high volume spammers. Unfortunately, they often misidentify spammers and mistakenly block large volumes of legitimate e-mail passing between internet service providers. This erroneous blacklisting is currently happening between Affinity and Comcast. When we see this happening, we report the problem to both ISPs (which unfortunately can take the ISPs a week to fix and often recurs after being fixed) and immediately put a workaround in place that duplicates the blocked path using a different (third) ISP so that the Discussion Group messages are actually being delivered to all the members of the group despite the bounce messages. Sorry for the nuisance bounce messages caused by Comcast's mistake, but rest assured that the Discussion Group is fully functional. If you want to add your voice to the complaints, feel free to contact Comcast – we (and Affinity) have notified them about their error in blocking all e-mail handled by Affinity mail servers at least six times already. Very frustrating!

8/14/2006 10:02 AM  
Blogger CPRR Discussion Group said...

From: Amy Goldsmith

Thank you again for your lovely website.

One vital request and suggestion... can you please modify my email addresses as posted to your discussion board? I am grateful for the wonderful responses I received from several on your discussion board... but I also note that a recent search indicated that your site was virtually the only one web-wide that contained my verbatim email addresses.

Since my mail was posted to your website, there has been an unbelievable wave of spam in my box, possibly because the emails can now be harvested by web bots and crawlers. :(

If you'd be willing to change the email addresses as posted, and perhaps change them routinely in future, I and others would be thoroughly grateful.

The following is advice on the topic which I received from Joe Wein, who has helpful pages re: spam and email scams out there:

yes, there are ways to make addresses unharvestable, even if a mailing list archive / guestbook / blog is publicly available on the web.

One approach is for the site to store the address in its database and only publish a link with some key that identifies the database entry. Thus if someone replies to your posting the site can retrieve the email address from the database to let you know someone replied, but others won't see your address.

Another approach is to obscure the address and show it as something like

amy at mac dot com
amy (at)

which a human can still make sense of, but a robot usually can not.

I have more recently seen

Thank you,

Amy G.

7/31/2007 11:57 PM  
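
The first approach in the quoted advice above (keep the address in the site's database and publish only a key) can be sketched as follows. This is an added example, not part of the original thread or the site's software; the `/contact?key=` path, the class and function names, and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches ordinary addresses typed into a message body.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class AddressVault:
    """Holds real addresses server-side; only opaque keys reach the public page."""

    def __init__(self, secret: bytes):
        self._secret = secret   # hypothetical site secret, never published
        self._by_token = {}     # token -> address (a database table in practice)

    def token_for(self, address: str) -> str:
        normalized = address.strip().lower()
        # Keyed hash: the same poster always gets the same key, but nobody
        # without the secret can confirm a guessed address by hashing it.
        digest = hmac.new(self._secret, normalized.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._by_token[token] = normalized
        return token

    def resolve(self, token: str):
        return self._by_token.get(token)


def publishable(sender_name: str, sender_address: str, body: str,
                vault: AddressVault) -> str:
    """Build the public text of a post with every address swapped for a reply key."""
    def swap(match):
        return "[reply: /contact?key=" + vault.token_for(match.group(0)) + "]"

    header = ("From: " + sender_name
              + " [reply: /contact?key=" + vault.token_for(sender_address) + "]")
    return header + "\n\n" + ADDRESS_RE.sub(swap, body)


def relay_reply(token: str, message: str, vault: AddressVault):
    """Server-side step: find the real recipient for a reply; None if key unknown."""
    recipient = vault.resolve(token)
    if recipient is None:
        return None
    return (recipient, message)  # handed to the site's mailer, never displayed


if __name__ == "__main__":
    # Constructed sample input.
    vault = AddressVault(b"constructed-demo-secret")
    page = publishable("Amy G.", "amy@example.com",
                       "Thanks for the replies. Write to Amy@Example.com.", vault)
    print(page)
    print(relay_reply(vault.token_for("amy@example.com"), "Re: your question", vault))
```
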
Blogger CPRR Discussion Group said...

Spam is certainly a huge nuisance for everyone, and we can certainly sympathize as we are bombarded daily ourselves. There are some technical solutions possible such as authenticating senders, but this can only be implemented by the major internet service providers.

You may find a spam filtering service to be of some help. We use the excellent service which is provided to us as part of a society membership ( This may become widely available as Postini was just purchased by Google.

We have modified your e-mail address on our website as you requested, but we are rather dubious that such obfuscation efforts are effective in combating spammers. It would be fairly easy for spammers to write software to find and harvest such modified addresses. Captcha type of image display of e-mail addresses would prevent such harvesting, but we don't currently have a practical way to implement this.

Spammers also create e-mail addresses and try them (validating them if they don't bounce), so any e-mail address that can be guessed will eventually be spammed. A name followed by a short number as in Amy and 118 certainly will be guessed eventually even if it does not appear online. So the only way to avoid spam is to use a frequently changed cryptographically strong (unguessable) random e-mail address such as could be created using a password generator. Such e-mail addresses are probably not commonly selected because a difficult frequently changed e-mail address is not easy for people to use.

8/01/2007 12:12 AM  
Anonymous Anonymous said...

From: [name and e-mail address withheld]
Subject: Your privacy policy

I sent a query previously not realizing that my full name and email address would be published. I was surprised also when I began receiving lots of spam emails from banks telling me to change my password and offers from princes in Nigeria. I did not read your privacy policy at the time. Why would I? I was simply sending a question to the webmaster.

Now that I have come back and read your privacy policy, I can't imagine who, besides spammers, benefits from it. And, it is highly unusual, so that people would not anticipate the way you use information. There is no reason to publish people's email addresses. I am sad to see this, and it's totally changed my view of your museum. I have provided many rail images for other sites, but wouldn't think of doing it here.

Based on the adamant stance of your privacy policy, I can only imagine that you have received many complaints. To disregard the privacy concerns of your readers seems downright mean spirited.


P.S. By the way, where is YOUR name and private email address in all of this?

5/25/2016 12:05 AM  
Anonymous Anonymous said...

The CPRR Discussion Group allows e-mail addresses as it permits and facilitates personalized replies to be delivered in response to comments, and also enables unpublished replies. There's not much point to providing responses with no way to readily deliver them to the person making an inquiry.

Very sorry to learn of your unhappiness with writing to an online discussion group, and only wish that you had first educated yourself about online privacy and heeded the advice and cautions we provided online, including the clear privacy warnings to "Only send content intended for publication." Unless you are very expert technically, take careful precautions (such as the 15 privacy and security measures recommended in the Privacy Policy), and are 100% successful in avoiding making mistakes, online discussion is just not a forum that can provide privacy.

The website's privacy policy addresses your concerns at length and cautions to "refrain from ever using your actual name in an e-mail, e-mail address, or post, and instead use multiple different common name alter ego pseudonyms and e-mail accounts for your various online activities and personae." E-mails should never be used for private communication as they are completely unprotected by design, just like postcards. If you think our privacy policy "highly unusual" then you'll be shocked to read what the Office of Chief Counsel, IRS Criminal Tax Division has written: "internet users do not have a reasonable expectation of privacy in ... communication ... such as email messages ... "

But we think it unfair when you write to an online discussion, fail to use the provided anonymous comment feature, ignore the privacy warnings, and try to blame us for doing exactly as promised. It's also very surprising to receive a message about privacy concerns from a gmail account, as Google reads every one of your "private" e-mails to harvest your correspondence to make billions of dollars by targeting you with advertising.

Gmail does have some of the best e-mail spam filtering available. Since you describe "receiving lots of spam" we wonder if you have inadvertently turned off your gmail spam filtering.

You asked about our private e-mail address as if it were hidden, but you found it on our website and wrote to it.

You are mistaken in thinking that we have received many privacy complaints; we receive an estimated one privacy complaint per million museum visitors. Here is what people actually write.


5/25/2016 12:15 AM  
Anonymous Anonymous said...

Follow-up regarding the above privacy complaint:

Searches of the CPRR Discussion Group as currently online, and also of archived prior versions for the gmail "from" address of the person writing the complaint, reveal that [e-mail address withheld] was never published online.

5/25/2016 8:13 AM  
Anonymous Anonymous said...

I expect this sort of thing from a large corporation like Google, but not from an individual. Although I do read privacy statements from online sites where I am signing up for an account, I expect that smaller sites and blogs will have more consideration for individual privacy. There is no good reason to reveal this information, and I humbly request that you remove my "post", which I didn't intend to be a post. This has been my primary email account for years, and I'm not thrilled at the prospect of having to change it.

5/25/2016 10:30 AM  
Anonymous Anonymous said...

As explained, all of this was always entirely under your control. Please respect your obligations when dealing with others and stop e-mailing and posting online information that you don't want other people to see.

As also explained, we have very good reason to reveal this information, i.e., to make it possible that responses to inquiries can reliably reach the original poster, and to facilitate unpublished communications.

Have no idea why you harbor the misconception that "I expect that smaller sites and blogs will have more consideration for individual privacy." Keeping personally identifiable information private has been found to be impossibly difficult, even with the resources of the U.S. government or a huge company. Look up the OPM and Anthem privacy breaches as examples. Expecting that smaller sites and blogs that lack such resources could do better is just unrealistic, when the federal government demonstrably can't even keep every single one of its secret agents' personal dossiers from being stolen online. That's why we went to such great lengths to warn you in our privacy policy about what you must not do if you value your privacy. Since you specifically mention Google and its privacy policies, you should be aware that our discussion group website is provided by a Google company, and the museum includes Google advertisements and Google searches.

That said, as best we can determine your e-mail address is not and never has been on our website. So this entire exchange seems rather pointless.

Furthermore, you have voluntarily posted your e-mail address on two other websites. (Spelling out the e-mail address is well known to spammers harvesting from websites.)

Once published and harvested by spammers, it does little good to remove information, as multiple copies of the removed information persist. As explained in our privacy policy, you really can't expect to be able to unpublish from the internet.

Changing your e-mail address would likely be a wasted effort. To keep an e-mail address away from spammers, it also has to be unguessable and not be in the e-mail inbox of anyone else you have ever written to whose computer or account has been hijacked or infected with malware.

Our website does prohibit spamming, but is otherwise powerless to do anything about spammers. Again, the best practical remedy available is for you to make use of the available spam filters to block spam.

5/25/2016 10:37 AM  
