Just Assume the Spammers Are Going to Get Your Email Address
from the resistance-is-futile dept
There's been quite a flame-war going on over at TechCrunch, where Mike Arrington has claimed that the way Apple deals with invalid URLs for users' public iDisk pages makes it "a dead simple way for spammers to easily spider" Apple's iDisk site to compile a list of all MobileMe usernames (and, therefore, email addresses) for spamming purposes. TechCrunch readers are split about whether this is a serious problem or a non-issue. I think Arrington is right that this wasn't the best design decision, but the hyperbole seems unwarranted. In the first place, this doesn't give anyone a way to spider the iDisk site. All it enables is a brute-force dictionary attack, which is going to be a lot slower and will only catch those whose addresses contain dictionary words. Moreover, as various people have pointed out, similar criticisms could be leveled at other companies that also provide ways for the bad guys to determine the validity of email addresses—although Google's email validity checker does present the user with a CAPTCHA after about 10 tries.
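To make the design point concrete, here is an added illustration (not Apple's, TechCrunch's, or Google's code) of why a lookup that answers differently for valid and invalid usernames is an existence oracle, and of the per-client attempt budget that turns into a CAPTCHA challenge, the control Google's checker is described as using; the usernames, the ten-try threshold, and the client keying by source address are all assumptions.

```python
from collections import defaultdict

# Constructed sample of registered usernames; these are not real MobileMe accounts.
REGISTERED = {"alice", "bob", "mallory"}
CAPTCHA_AFTER = 10  # assumed per-client probe budget, like Google's ~10 tries


def leaky_lookup(username: str) -> tuple[int, str]:
    """The design the post criticises: a valid and an invalid username get
    visibly different answers, so every probe is a free existence check."""
    if username in REGISTERED:
        return 200, f"Public iDisk page for {username}"
    return 404, "No such user"


class BudgetedLookup:
    """Same page semantics, but each client (keyed by e.g. source IP) gets a
    fixed number of unauthenticated probes before every answer collapses to a
    CAPTCHA challenge. Existence of a genuinely public page cannot be hidden
    from a human visitor, so the control is to make bulk probing expensive."""

    def __init__(self, captcha_after: int = CAPTCHA_AFTER) -> None:
        self.captcha_after = captcha_after
        self.attempts: dict[str, int] = defaultdict(int)

    def lookup(self, client: str, username: str) -> tuple[int, str]:
        self.attempts[client] += 1
        if self.attempts[client] > self.captcha_after:
            # Uniform answer regardless of username once the budget is spent.
            return 429, "Complete the CAPTCHA to continue"
        return leaky_lookup(username)


def distinguishable(lookup, probes) -> bool:
    """True when the responses to the probes differ, i.e. the endpoint acts
    as an existence oracle for this set of probes."""
    return len({lookup(u) for u in probes}) > 1
```

A dictionary of a few thousand candidate names costs the leaky design nothing, whereas the budgeted version caps what any one client learns at ten answers before it must solve a challenge.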
I think it's important not to lose sight of the big picture here. No, we don't want to make it too easy for spammers to scrape our email addresses from the web. But at the same time, as the use of email becomes more and more pervasive, there are more and more ways for our addresses to "leak" into underground spammer communities. And once your email address has leaked out, a version of the darknet thesis takes over, and at that point you can just assume all the spammers are going to get your address sooner or later. So it's hard to get too worked up about the problem TechCrunch is identifying here. I've long since stopped trying to shield my primary email address from spammers, and I rely on my client-side spam filter to weed out the spam for me. Apple should probably make some changes to the iDisk site, but this is not a serious privacy flaw, and it pales in comparison to the other problems MobileMe has been having recently.