Getting spammed by PetitionOnline.com's negligence

DOSGuy
Website Administrator
Posts: 1063
Joined: September 2nd, 2005, 8:28 pm

Post by DOSGuy »

PetitionOnline has been very good to this website over the years. They've hosted a number of our petitions for free. To keep everyone accountable and prevent people from posting frivolous petitions, they have a policy that authors must display their real name and address to the world. I created a special email address for that purpose.

As a person who is responsible and experienced with the internet, I get almost no spam. Even when I post my email address on this website, I mask the address from spambots by breaking it up, such as "address <at> classicdosgames (dot) com". PetitionOnline could easily create a PHP script to turn "@" into "<at>", and "." into "(dot)", like any responsible organization would. Not PetitionOnline, though. Due to their negligence, I get nearly a hundred pieces of spam per week! Some of them even have "petitiononline" in the subject line.

For your entertainment, let's follow along with the email conversation where I ask them to mask or disguise my email address. The tone is unnecessarily harsh, but I wanted to convey the seriousness of this problem. My information is censored to prevent any further collection by spambots.

DOSGuy wrote: December 10, 2006

I have gotten 87 emails in the last week at [email address]. I have never used that address anywhere except for PetitionOnline.com. My "Kroz Games Petition" has the following message:

The Kroz Games Petition to Apogee Software and Scott Miller was created by Classic DOS Games and written by [DOSGuy] (email address).

Either break up my email address to something like "petitions <at> classicdosgames (dot) com" or remove my address entirely. This is just a basic level of courtesy by any website to prevent its clients from receiving spam, and I am outraged that your organization is making no attempt to protect its clients.

I want a response to this email.

PetitionOnline wrote: December 12, 2006

Dear DOSGuy,

Thank you for writing to PetitionOnline Support.

We are able to make some minor changes to your petition text, such as
spelling or grammar corrections.

But once someone has signed a petition, we're not able to make
significant changes to the petition. If you'd like to make substantial
changes, the best solution is usually to create a new petition in our
system.

If you have a major update or additional information that is important
to share with signatories, under special circumstances, we may be able
to add that information to the main petition page, but outside of the
petition body.

To make the minor changes we'll need the following information:

1) The Petition URL.

2) A list of each change you wish to make. Be as descriptive as
possible.

Here is an example:
____________________________________________________________

http://www.PetitionOnline.com/mypetitio ... ition.html
(use your petition's actual URL here)

Please make the following changes:

1. Update my email address. (also applies to URLs)

Old Email:

me@myorganization.com

New Email:

myself@myneworganization.com

2. Correct the typ-o in the first paragraph, second sentence:

"it's" should be "its"
____________________________________________________________

If there are more than 10 spelling or word corrections, simply include
the entire corrected petition text. But please bear in mind that we
will need to carefully review the petition text, which does take time.

We appreciate that you've chosen to use PetitionOnline.com. As I'm sure
you understand, providing the services and support that we do requires
staff time and considerable computing resources, which are not free.

Please contribute at least $1.00 to PetitionOnline.com, to help maintain
this premiere free speech forum. Contributing is quick, easy, secure,
and private, either directly to PetitionOnline.com:
https://artifice.securesites.com/cgi-bi ... online.cgi

or if you prefer, through the Amazon.com Honor System:
https://www.amazon.com/paypage/P3KXN6BPYN3FLV

Please let us know whenever you may have other questions.

Best wishes,

Erin Wheeler
support@petitiononline.com

"This is the marketplace of free ideas" (tm)
http://www.PetitionOnline.com

https://artifice.securesites.com/cgi-bi ... online.cgi

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
Artifice, Inc. ...the way of architecture
creative media for design and building . Eugene, Oregon, USA
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

DOSGuy wrote: December 18, 2006

POL, you didn't read my email. I'm not asking you to change the text of my petition. I'm asking you to mask or disguise my email address in some way. I have 92 pieces of spam at [email address] between December 14 and December 18. I don't give this address to anyone. I don't use this address. I only created it for my petitions on Petition Online. Your organization's failure to take even the most basic steps to protect your clients has made us all targets for spambots to collect our addresses. Thousands of clients times hundreds of emails per week equals millions of pieces of spam per week (perhaps billions per year) because of you. The cost of bandwidth alone from your negligence must be costing ISPs a fortune. Smarten up, or you may get sued.

For the record, I will be donating money to PetitionOnline to compensate them for hosting our petitions.
Last edited by DOSGuy on December 30th, 2006, 3:08 pm, edited 2 times in total.
Today entirely the maniac there is no excuse with the article.

Post by DOSGuy »

I have created a new petition at Protect PetitionOnline Authors' Email Address Petition to convince PetitionOnline to mask our email addresses. Their parser seems to have removed "<at>" from the petition text, so I have asked them to change it to "(at)". Please sign my petition!
POL Support
Less than a nibble
Posts: 5
Joined: December 30th, 2006, 1:06 pm

Post by POL Support »

We do disguise the author's email address by using ASCII codes for the @ and . symbols. If you view the source of your petition, you will see your email address is actually listed as petitions& #64;classicdosgames& #46;com (minus the spaces which this forum would not draw at all properly without). This has been effective against bots and spiders grabbing email addresses. It appears they have raised the sophistication of the bots and spiders to decode the ASCII codes to make email addresses. If we change @ to (at) and . to (dot) they will just update their bots to take this into consideration.

We will look into new ways to disguise email addresses from spammers, but would prefer something that is not just a short-term fix.

Post by DOSGuy »

Thank you very much for responding.

I don't think spiders/bots are going to quickly crack your mask if you switch to something like "address (at) petitiononline (dot) com" unless someone is targeting your website specifically. Spiders search the whole internet, so if your mask is even slightly original, that should be enough to fool the spiders, so there's a "short-term" solution that you can implement immediately.

It should be reasonably easy to add a script that converts text into GIF so that addresses can be shown as an image instead of something comprehensible to spiders. That may be the long-term solution you're looking for.

My frustration was that no one seemed to be trying to stop the flood of spam. It seemed like I was going to need to add voices to my own in order to demonstrate the severity of the problem. I apologize for using your service to post a petition about your service, but I'm very glad that you took the time to respond to my concerns.

PetitionOnline has been very good to this website, and I do really appreciate the service you're providing. This website operates at a loss, so I regret that my donation can't be larger.

Thanks again, and best regards for 2007.

Post by POL Support »

I think our current version of using ASCII codes is more unique than (at) or <dot> and the spammers have cracked that. I fully expect them to crack (at) or <at> even quicker than our current scheme was cracked (if they have not done so already, which would surprise me given the frequency of this approach and the ease for them to change <at> to @). Given that we have more than 55,000 petitions the spammers have motivation to try to beat any solution we come up with.

Making an image is a possibility, although then users would not be able to copy and paste the address into their email program, and it is not that hard for bots to decode text in images, especially if you don't make it goofy captcha style text.

Another possibility would be making an online form that sends the author an email. To keep bots from spamming the form it would need a captcha or some other required human interaction. And of course we would need to redesign all the petition related pages to include access to this form, rather than just having the address in the footer.

We will continue to look into finding the best solution.

Mike

Post by POL Support »

...it should also be noted that it is possible spammers are not getting your email address from the petition page at all (given our encryption), but instead are getting it from the signature confirmation emails which have the author's email address as the Reply-To address.

Viruses and/or spyware infecting the computers of people who sign your petition could collect your email address from the person's mailbox and send it to a spammer. Or a spambot could sign your petition directly to collect author email addresses.

Post by DOSGuy »

Using <at> is kind of obvious, but I still think that something original should be successful for a while. How about "address -at- petitiononline -dot- com"? The contact address that I put on my website gets one or two spam emails per week. All I did was change the "@" to "<at>", and the "." to "(dot)". Of course, no one is specifically targeting my website, but even with 55,000 petitions, I'm not sure that anyone is specifically targeting POL.

Image spam has been the story of the year for 2006. Spammers dynamically create slightly different images to ensure that anti-spam programs can't identify them from a database. From http://www.thesitewizard.com/archive/regrets.shtml:
The Site Wizard wrote:
One of my newsletter readers has also suggested another alternative: you can always put your email address in a graphical image (such as a GIF) file and put it on your web page. Since it is unlikely that the spam spiders would go through the trouble of using an OCR to read the text on your images, your email address will probably be safe from their prying eyes. However, if you use this route, you should probably also have a feedback form somewhere so that visitors who rely on speech software to "read" your page (such as the visually impaired) can still contact you.

If specks or lines are randomly added to the image, like in a captcha, it's going to be too much effort for the majority of spammers to try to decode the image. The big money is in running botnets and letting them do all the work. These guys are looking for the easy targets, and there are millions of them. If there's anything that makes stealing addresses hard, they're not going to bother until the supply of easy addresses dries up.

I don't think they're getting my email address from the signature confirmation emails since most of my petitions have very few signatures (DOS being a niche hobby), but that sounds like a policy that needs to change. If they want to contact the author, they can find the email address on the petition page (which they were just at). They don't need to have it in their confirmation email (after they've already indicated their agreement with the cause). That's just hand-delivering them valid email addresses. I recommend removing the Reply-To address immediately. It's not necessary, and it's too dangerous. If every author is getting spammed as badly as I am, that's 55,000 x 100 emails per week = 5.5 million emails per week, or 2 billion emails per year. I'm not pinning all of that on POL, but it demonstrates how important it is for major websites to take the necessary precautions. With great power comes great responsibility.

Post by POL Support »

The author's email address is the reply-to address for signature confirmations because the vast majority of replies to signature confirmations are the signer making additional comments or asking additional questions about the petition issue. That is not something PetitionOnline support staff can deal with outside of forwarding it to the petition author. The remainder of replies are things like people saying they didn't sign, or they want their signature removed, which is something the petition author can deal with using their author administration scripts.

Once again, we do disguise the email addresses on the petition pages using ASCII code. Spam bots will tend to look at the raw source code of a page to look for email addresses, and they will not find them in our page source as there is no @ symbol nor a dot.

I would be interested in seeing how much spam is the result of the disguised email address being on web pages versus how much is from the signature confirmation emails. Unfortunately the system does not support separate addresses in these two locations (and we would need an author of a fairly popular petition to agree to this).
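
As an added illustration (not code from PetitionOnline or from anyone in this thread), the Python check below reports how much processing it takes to recover a known address from page source under the masking schemes discussed above: numeric character references such as `&#64;` and `&#46;`, and spelled-out "at"/"dot" separators. The address `author@example.org`, the function names and every sample snippet are constructed for the example.

```python
import html
import re

# Spelled-out separators proposed in the thread: <at>, (at), -at-, (dot), -dot-.
_AT = re.compile(r"\s*[(\[<-]\s*at\s*[)\]>-]\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[(\[<-]\s*dot\s*[)\]>-]\s*", re.IGNORECASE)


def exposure_level(page_source: str, address: str) -> str:
    """Return the least processing that reveals `address` in `page_source`.

    plain          - the address is in the raw source as-is
    entity-decoded - one standard HTML entity decode reveals it
    respelled      - decode plus at/dot substitution reveals it
    not-found      - none of the above (e.g. address only shown as an image)
    """
    target = address.lower()
    if target in page_source.lower():
        return "plain"
    # html.unescape resolves &#64;, &#x40;, &lt; etc. exactly as a browser would.
    decoded = html.unescape(page_source).lower()
    if target in decoded:
        return "entity-decoded"
    respelled = _DOT.sub(".", _AT.sub("@", decoded))
    if target in respelled:
        return "respelled"
    return "not-found"


# Constructed sample address and constructed page fragments, one per scheme.
ADDRESS = "author@example.org"
SAMPLES = {
    "mailto link": '<a href="mailto:author@example.org">contact</a>',
    "numeric entities": "written by Jane (author&#64;example&#46;org).",
    "paren at/dot": "written by Jane (author (at) example (dot) org).",
    "angle/dash mix": "author &lt;at&gt; example -dot- org",
    "image only": '<img src="/img/contact.gif" alt="petition author contact">',
}


def audit(samples: dict, address: str) -> dict:
    """Map each sample name to its exposure level for `address`."""
    return {name: exposure_level(src, address) for name, src in samples.items()}


if __name__ == "__main__":
    for name, level in audit(SAMPLES, ADDRESS).items():
        print(f"{name:18} {level}")
```

A result of `not-found` only means the address is absent from the markup; it says nothing about copies delivered another way, such as the Reply-To header of the confirmation emails.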

Post by DOSGuy »

I understand. As I said, though, if they want the author's email address, they can go back to the petition page. It doesn't seem necessary to put it into the Reply To field. Just use a "no-reply@petitiononline.com" address.

Post by POL Support »

DOSGuy wrote:
I understand. As I said, though, if they want the author's email address, they can go back to the petition page. It doesn't seem necessary to put it into the Reply To field. Just use a "no-reply@petitiononline.com" address.

A no-reply address would be counter to the point of the signature confirmation email. If someone did not sign the petition or otherwise wants their signature removed we don't want to make them have to jump through hoops to accomplish that.

At this point, I am not convinced that spam bots are getting email addresses from our pages (rather than from our signature confirmation emails), and I am not convinced that changing the way we disguise the addresses would make a difference for long if bots are getting addresses from our pages.

We long ago stopped showing email addresses of the signers who opted to make their address public, but we feel the petition author carries much more responsibility for the petition than an individual signer and must be able to be contacted by people interested in the petition.

We will continue to look into ways to minimize the spam problem.

Post by DOSGuy »

POL Support wrote:
A no-reply address would be counter to the point of the signature confirmation email. If someone did not sign the petition or otherwise wants their signature removed we don't want to make them have to jump through hoops to accomplish that.

If you're really convinced that the source of the spam problem is the emails, how about putting this in each email:

"If you didn't sign this petition or have any questions concerning this petition, contact information for the author can be found at (author's_petition_page).html."

I would view this as a potential liability for Petition Online. I'm sure you know that spammers are often sued for millions of dollars by ISPs. Litigation could eventually trickle down to websites who contribute to spam indirectly by failing to protect email addresses, or the petition authors could launch a class action lawsuit.

Post by DOSGuy »

I was without email for a while during some computer problems I was having. Total spam emails received at my PetitionOnline email address between February 11 and February 20: 179.

Post by DOSGuy »

I switched from Outlook Express to Thunderbird as my email client on 14 October 2007. When I did that, I forgot to add my PetitionOnline address. Actually, I seem to recall not adding it on purpose since it only ever got spam. Anyway, after that I totally forgot about it until today.

So, I added my PetitionOnline address and received all of the mail that I missed over the last 14.5 months. Unbeknownst to me, I received 1516 messages during that period. After carefully perusing them, I can see that all of them were spam. So, after all this time, I'm still getting over 100 emails per month from the address that I created for PetitionOnline, which I have never given to anyone, which only appears on Classic DOS Games' petitions on PetitionOnline.

I've said it before and I'll say it again: PetitionOnline must stop publishing our email addresses on their site. Their negligence has resulted in 1516 messages, totalling 11.37 MB of spam in a little over a year. I would basically have no spam at all (and had no spam at all during that time) if not for PetitionOnline.
Qbix
DOSBox Programmer
Posts: 45
Joined: October 31st, 2007, 7:43 am

Post by Qbix »

A sad result. Think of the energy wasted to distribute all that spam.

Post by DOSGuy »

When I put my PetitionOnline address back in Thunderbird in January last year, I kept it for a while and deleted a mountain of spam every day, until I got tired of it and removed the account from Thunderbird on 4 July 2010. I happened to be in my hosting account and I remembered that I hadn't checked my emails from my Petition address in a while, so today's the day!

It took just over 20 minutes to download them all, but between 4 July 2009 and 4 July 2010, I received 4123 messages, totalling 58 MB of spam in one year. That means that the spam rate has increased to 343.5 messages per month, up from 104.5 in the previous sample period. Also, the size of the spam has increased significantly to 14 KB per message, up from 7.5 KB in the previous sample period.

It was 30 December 2006 when someone from PetitionOnline posted about the method that they use to disguise email addresses, but that method clearly isn't working if I'm still getting 11 messages per day at an address that only appears on petitions on their website.

Since this is an unprecedentedly large amount of spam, I took the time to look at it (while determining that 100% of it was indeed spam). Four emails are from 31 December 1969, and there is one from 1972, one from 1980, two from 2000, eight from 2001, six from 2002, one from 2003, six from 2004, two from 2005, one from 2006, one from 2008, three from the future in 2010, two from 2016, one from 2017, and one from 2036. 536 had no timestamp or a malformed timestamp, so Thunderbird dated them as NOW (i.e. today between 1:28 and 1:48 pm, as they were downloading).

169 of the emails contained an attachment, and the subject line of 142 of the emails started with "Dear Petitions".

In total, 610 had the word Viagra in the Sender's name. Of the 4123 messages, 117 came from "VIAGRA Official Site", 129 came from "Approved VIAGRA Store", 45 came from "Facebook", 46 came from "Instituto São Paulo", 44 came from "Silver Star Casting Company", 24 came from "Petitions", and a whopping 194 appeared to be coming from my own address. 102 had a From address that was written in Chinese. Also of interest among the lesser offenders, 12 came from "Internal Revenue Service" (which would be scary if I lived in the United States), 14 came from "Microsoft Update Center", and 7 came from a variation on "Paypal".