when i registered with weblogs.com, i used my hotmail address. oddly enough, i got the same spam you got, today. should i be worried?
posted by dutchbint at 3:09 PM on June 7, 2001

I don't know, I just use MailBlox... disposable e-mail addresses. Someone sells my address, I kill it. No sweat.
posted by silusGROK at 3:12 PM on June 7, 2001

I haven't used the site in a while, but isn't there some sort of master listing of all registered weblogs? If so, it would be child's play for a third party — any third party — to harvest all the addresses exposed in that way.
posted by harmful at 3:17 PM on June 7, 2001

That's because all the email addresses are publicly accesible to any old web page scanner. Cam of Camworld covered this a little while back.
posted by owillis at 3:17 PM on June 7, 2001

sneakemail.com offers disposable eamil addys too.
posted by o2b at 3:18 PM on June 7, 2001

Even more distressing is the fact that it's been two weeks since notifying the Userland admins and have gotten no response -- not even bounce notices.
posted by Unxmaal at 3:18 PM on June 7, 2001

Owillis: Thanks for the hint.

Referencing Camworld - Thursday, February 15, 2001, I found this Userland list, which contains the email address for every Weblogs.com user.

Thanks for the security, guys. Even worse, the Userland people have known about this security hole for 4 months.
posted by Unxmaal at 3:30 PM on June 7, 2001

I received the same spam today (at my crap Yahoo address used for catching spam), and am also a weblog user. Too suspicious.
posted by arielmeadow at 3:51 PM on June 7, 2001

I too received two copies of that exact spam today, and I have two email addresses on that weblogs.com page. Oh well.
posted by mathowie at 4:05 PM on June 7, 2001

Oh, it gets better. Try to remove your userland account, or change the email address ... you can't! I sent Dave a note about this around six months ago, never heard back from him. The sub-honker filter also used to publicize email addresses, but it appears that it no longer does (and the site owner answers mail!).

When you sign up for weblogs.com, you're given the impression that you must include a valid email address to sign on properly, but from what I remember, this isn't the case. I didn't figure this out until it was too late.

I, too, have noticed a little surge of spam from the email address I used only for weblogs.com. But like Dave says in his reply to Cam, he's in the list as well. He suffers just like the rest of us. Dave knows your pain.

Does it seem like this is the only case of a service storing email addresses as files?
posted by user92371 at 4:25 PM on June 7, 2001

This is precisely why Winer should not be in the Weblogs business, the hosting business, or arguably, even the software business. He has a little knowledge, which is a most dangerous thing. He probably thought, "Hey, this is cool, a list of everyone's email address as a directory!"

He's not the first person who is seen as a pundit in technology to simply not "get it," or see the big picture through all the little trees. When he learns something (like how he learned how DNS worked a frighteningly short 2 or 3 years ago), he shares it to the world as though it were brand new. Then he does stuff (like hosting other people's content) without full understanding the ramifications and responsibilities that accompany such actions.

To hear that spammers are harvesting a ready-made list of mail addresses and Dave is doing nothing about it is not surprising. What is surprising is that people still host on his servers.
posted by yarf at 4:41 PM on June 7, 2001

Oops. Correction. The site that uses the XML data from weblogs.com is Have Browser
Will Travel. And it still is displaying email names.
posted by user92371 at 4:42 PM on June 7, 2001

Hey, I got that 1.4 cents mailer today, and I have a weblog listed as well, so I'm willing to say the two are positively related.
posted by Awol at 4:43 PM on June 7, 2001

it would only take a minute to make that directory un-browsable. *sigh*
posted by dutchbint at 4:43 PM on June 7, 2001

My bone to pick with Userland over this issue was the fact that they are storing, in a public place, the email addresses of all their users. I spent a considerable amount of effort purging my site(s) of email addresses that spambots (automated scripts that scrape web sites looking for email addresses) and I didn't like the fact that Userland had my email address(es) available in this way. I knew it was only a matter of time before the spammers discovered this. My solution was to email Dave privately and notify him of the possible issue, and to request that all my Userland user accounts be deleted. It took several requests, but Userland finally complied with my wishes. It looks now like Userland didn't bother to change the way they store user IDs, though, and are continuing to base it on an email address. I wouldn't have any issues with this method, if the email addresses were hidden in a database that a spambot couldn't scrape, but Userland seems to not care about the privacy and spam issues around this, and continues to act as if nothing is wrong. I, for one, am glad that my user profiles were deleted.

Perhaps the solution is for Userland to simply fix their user ID system and make this data more secure. Probably not very hard to do, but in the past they've turned a blind eye to this kind of thing. I don't expect much action on their part.

As with any free web service, it's up to the end user to pay attention to how much (and what kind of) information they are providing to the service operator. I realized the potential issue with the way Userland stores this data, notified the service provider, and warned my readers. I also made sure that Userland removed all instances of my user accounts from their free services. This is, and was, all I can do about the issue. It's up to Userland what happens next. Maybe if enough users complain about the obvious spam source, Userland will take action. Or maybe not.
posted by camworld at 4:53 PM on June 7, 2001

Here's a better link to the February 15, 2001 posting regarding this issue.
posted by camworld at 4:56 PM on June 7, 2001

Unxmaal,

I am so sorry, I have been using your domain when I fill out those coupons at the mall, you know, the ones where you get a chance for a vacation. I always use weblogs@yoursite.com as the address...

So sorry.
posted by DragonBoy at 5:00 PM on June 7, 2001

just out of curiosity - aren't there laws that deal with things like this, i.e. the collecting and storing of data? here in the uk we have the data protection act 1998 - is there something similar in the usa? would any legal eagles care to comment?
posted by dutchbint at 5:14 PM on June 7, 2001

Dragonboy: Thank you so much for those three lovely Hawaiian vacations! I always thought it was pure luck.
posted by Unxmaal at 5:21 PM on June 7, 2001

whenever I have to give my email address to a place that shouldn't really need it, I usually give it out in the form of support@weblogs.com, support@whatever.com, that way the only spam that gets sent is directed towards support. I don't always use support though, sometimes if I have other addresses for the place, I'll use that.

I don't know if it actually works, but at least I don't get on a list.
posted by ursulabuttpinch at 5:26 PM on June 7, 2001

Sigh. This really frustrates me--I've had my preferred address for at least three years now and never received more than three spams on it (despite being subscribed to numerous mailing lists and judiciously choosing a few Web sites to register with). Now, I've gotten five in the last week, including the long distance one. I didn't register with weblogs.com, but I'm certain I know where the address came from. Every EditThisPage site appears to spew forth a nice list of user email addresses at [domain]/stats/members (unless there's a way to disable it I'm not aware of). The worst part is, I saw this coming a mile away and decided to register anyway. Wes's site is so valuable--I just wish the underlying platform wasn't so careless about publishing addresses through no fault of his.
posted by disarray at 5:28 PM on June 7, 2001

Dutchbint: According to US Code, Title 5, Section 2a, "(b) Conditions of Disclosure. - No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency" and so on.

IANAL, of course, but I think that according to this document, US law states that since Userland collects data from their users, they 1. must have a privacy policy, 2. must make every effort to secure user information, and 3. may not disseminate said user info unless they have obtained users' express permission.

According to the information I've found today, it seems that Userland fails to comply with any part of this law.
posted by Unxmaal at 5:32 PM on June 7, 2001

I got the exact same spam today... *sigh* Why isn't spam illegal, let alone facilitating it?
posted by D at 6:03 PM on June 7, 2001

Me too. In fact I got it twice, though my regular blog and as EiC of Records Ad Nauseam... Dave Winer is a bozo.
posted by Graham at 6:29 PM on June 7, 2001

Has anyone considered simply calling Userland and asking them about their policies?

Administrative Contact, Billing Contact:
Bierman, Robert (RB12363) bierman@USERLAND.COM
UserLand Software, Inc.
P.O. Box 1218
Burlingame, CA 94011
650-697-5263 (LAND) (FAX) 650-697-7169

Technical Contact:
Simmons, Brent (BS16588) brent@USERLAND.COM
UserLand Software, Inc.
P.O. Box 1218
Burlingame , CA 94011
206-706-7869
posted by Unxmaal at 6:48 PM on June 7, 2001

Well, of course we all know UserLand isn't going to fix any of it, because that would involve redirecting their development efforts.
posted by jjg at 7:55 PM on June 7, 2001

Considering that Dave is certainly going to read this thread if he hasn't already (hi, thanks for the spam!), calling would only annoy...

Oh, nevermind.
posted by sudama at 8:05 PM on June 7, 2001

Good grief, Unxmaal, surely you noticed that law only applies to government agencies? (And many of them fail to comply, viz. the brouhaha this week over Defense Department sites tracking visitor data.)

There really are very few laws governing private transactions as that between you or me and Userland. (For example, there are laws preventing the use of Social Security numbers as "universal identification", but many businesses require you to fork it over as a matter of policy, and if you choose not to they put every roadblock they can in your way. Many colleges, for instance, use your SSN as a student ID, and many states use it to generate the driver's license number.) There are slight efforts toward an anti-spam law, but unfortunately
it has the critical flaw that it will be legal for any business to spam you once, as long as they include a "remove" address. I can't wait.

Anyway, I laugh at you people complaining about a pitiful one or two spams in [some extended period]. I have an e-mail address that gets an average of over 12 spams a day. I'm just biding my time on that account until the ISP finally cuts me off (I haven't paid them in nearly two years) and shuts down my web pages.

By the way, if anyone has anything relevant to bring up, they can do it at discuss.userland.com. Er ...
posted by dhartung at 8:35 PM on June 7, 2001

My original point was to find out if others had gotten the same spam at the same time. I'd say the answer was a resounding 'Yes!'

I'm not overly concerned about law in regards to this matter; it's a simple enough task to shunt this mail to /dev/null.

As for spam, this is one of about forty per day. Soon, however, I shall procmail all two-letter domain names. Then my people will truly be free!
posted by Unxmaal at 9:30 PM on June 7, 2001

But the burning question is, where can you get long distance service for 1.4 cents per minute?
posted by kindall at 9:53 PM on June 7, 2001

I don't know about you fellas, but I assume I'm gonna get spam whenever I have to give out my email to a site. Filters are your friends.

Now, there are ways to edit a manila site such that you can minimise the harvesters ability to get mail.

-You can turn off the public member list (eg http://foaf.editthispage.com/stats/members -- yes, blatant plug, but a good example)

-You can edit the the various discussion group templates to not show the author or to modify the output of the manila {author} macro so that it doesn't linkto the member profile page which is identified by an email address. (never seen the modification done, so I don't actually know if it's possible).

- when you sign up, use a fake email address. It will bounce, and the administrator will know, but the username will still work...at least until the admin turns off, so email him and her and set them straight. Also if you use a fake email, when you forget your password you're stuffed.
posted by Foaf at 10:24 PM on June 7, 2001

Have had the same spam (just to say it), more disturbing for me is: the weblogs.com server is dead too often.
posted by ronsens at 3:58 AM on June 8, 2001

on UNIX systems the etc password and group files are typically readable to anyone with an active account so it is super easy to setup a script to read the entries and send an email to every user in say an 80,000 client cluster. I don't actively pursue this or understand UNIX and networking to have an idea of how I keep being the victim of bonnie@hotmail.com's spam but I'd guess that if guest access is allowed or any insecure service is on (telnet, ftp, etc) or depending on how the mailservers are setup there must be a bare minimum of 5 easy exploits to determine the address of the clients. at my Univ. our mailservers just authenticate with a domain ip, no login required, so I would guess that could be spoofed somehow allowing some script or something in to spam all 400,000 or so users.
posted by greyscale at 5:10 AM on June 8, 2001

I believe I used my hotmail account for weblogs. But whenever I can I use a string of html entities to describe my "real" address. That way it looks like my address and mailtos function properly. But spiders and other mining devices don't register it as such.

You, too, can get the proper string for your email address by going to Mailto Encoder.

<fingers crossed>I get very, very little spam on my main account because of this (and using my hotmail account when required to signup for various online things)</fingers crossed>
posted by Taken Outtacontext at 6:00 AM on June 8, 2001

The last time someone dared to criticize the free weblogs.com service, Winer turned up on some of the weblog mailing lists asking if he should just shut the service down. Is he about to start feeling underappreciated again?
posted by harmful at 7:23 AM on June 8, 2001

Also check:

http://www.ourfavoritesongs.com/users/
http://static.userland.com/weblogMonitor/ads/?D=A
posted by tranquileye at 7:37 AM on June 8, 2001

In fairness to Userland, the list at http://www.ourfavoritesongs.com/users/ is of Radio Userland users who explicitly chose to turn on upstreaming (uploading files from your RU client to a central server). It was impossible to do that without being aware your e-mail address would be published on the Web as part of the address of your upstreamed files.

Those of you who are drowning in spam should look into .procmail (if you're on a Linux or Unix box). Even if the only procmail filtering you do on incoming mail is to wipe out all mail that isn't explicitly addressed to you in the To or CC line of a letter, it wipes out 90 percent of the spam that comes in. Most spammers don't want to spend the CPU time required to e-mail each spam individually, so they load up a BCC line with hundreds of addresses at a time.
posted by rcade at 8:13 AM on June 8, 2001

The last time someone dared to criticize the free weblogs.com service, Winer turned up on some of the weblog mailing lists asking if he should just shut the service down. Is he about to start feeling underappreciated again?

It's easy to make fun of us, but it's really hard tense work to keep the free services running. If this turns into some kind of crusade, we absolutely will shut down the service. We need to cut back on centralized services, we'll do it whether or not people make it more difficult, but it helps to set priorities.
posted by davewiner at 8:49 AM on June 8, 2001

Oh for chrissakes, Dave, learn to take some constructive criticism. Leaving the email addresses of all of your users flapping in the breeze is a bad thing, that you should fix. I don't care how hard or tense it is to do the job poorly.
posted by websavvy at 8:58 AM on June 8, 2001

If you want email addresses for those "special occasions" (like avoiding spam), there is a report in today's MacFixit on just this problem.

Two free services for generating temporary addys are: Sneakermail and Mailexpire.
posted by Taken Outtacontext at 9:06 AM on June 8, 2001

I have an e-mail address that gets an average of over 12 spams a day.

Oh, gee, let me cry you a river. When yourname@yourdomain.com is getting upwards of 40 pieces of spam daily, I'll feel bad for you. Just don't e-mail me at dreama @ bluesilver.org to tell me about it. I'm trying to figure out the best way to go about shutting out all mail addressed to me at my own domain name because it is such a vast wasteland of garbage. I can't even begin to imagine all of the places that spambots could've picked up the address. Dammitall.

I think spam is more detrimental to heavy net users than virulent new ad schemes could ever be. To learn that a source of the spam hitting me could be weblogs.com and that Dave, et al, feel so offput that people would voice their concern/disgust/complaints about their lack of discretion with our information has me seeing about fifteen shades of red. (#ff0000 to #330000)
posted by Dreama at 9:10 AM on June 8, 2001

It's easy to make fun of us...

And sometimes, it's painfully difficult not to.
posted by harmful at 9:19 AM on June 8, 2001

For those of you who can run procmail, here is my .procmailrc, which blocks all spam by verifying the return address on mail from addresses it hasn't seen before. It's easy to set up, and works perfectly for me - I haven't seen a piece of spam in a long time.
posted by nicwolff at 9:30 AM on June 8, 2001

nicwolff, unfortunately Userland has my Yahoo email account, which while free is being used for some useful things and which I would rather not have to drop.

My WELL account, which I have had since the early-1990s, gets about 20 spams a day. I run it through Spamcop.net but it has gotten too much exposure, most likely through Network Solutions, and I am shutting it down soon.

I have been exchanging email with Dave Winer about this. I have nothing against Userland or Weblogs.com; I just don't want the email address exposed, but so far, I am being told that no action will be taken.
posted by tranquileye at 12:03 PM on June 8, 2001

I find it fascinating to see that Dave Winer feels quite comfortable in responding to a group of people when neither he nor any of his business associates responded to the several personal emails I've sent to them regarding this problem over the course of the last week.

Userland spam is no longer an issue, as weblogs@unxmaal.com is now an alias to dave@userland.com.
posted by Unxmaal at 1:55 PM on June 8, 2001

Dave has been making noises about shutting down the weblogs.com service and getting out of the weblog hosting business. Userland had enough foresight to register the weblogs.com domain some years back. However, it seems unfair to the weblog community for Userland to just sit on this domain and not do anything with it. If Userland does take these actions, I propose that they turn the operation of the domain over to someone who can make better use of it.
posted by camworld at 3:58 PM on June 8, 2001

"If Userland does take these actions, I propose that they turn the operation of the domain over to someone who can make better use of it." -- CamWorld

Interesting! Now the truth comes out. You want our domain names. ;->

Hey for the right price Cam, anything's possible.

Have a great day..
posted by davewiner at 4:23 PM on June 8, 2001

No no, Dave. You are misreading my intention. I want nothing to do with Userland or weblog-hosting. I do think, though, for the good of the weblog community, that you should give this idea some consideration if you do decide to kill weblogs.com. It's just a suggestion.
posted by camworld at 4:58 PM on June 8, 2001

Weblogs.Com: Opting-out of the XML listings.
posted by davewiner at 8:12 AM on June 9, 2001

Just for reference's sake, I'll throw this link into this thread -- tonight, I discovered the mother lode of all spam-harvestable Userland web pages:

the entire weblogs.com member list

(Be patient -- it may take a while to load, as there are 6,877 entries, at least as of right now.)
posted by delfuego at 12:39 AM on June 10, 2001

Winer calls us "a menacing crowd"
posted by owillis at 7:52 AM on June 15, 2001

the member list is no longer available. nor is it for any other userland-hosted sites that i just tried. i'm surprised dave didn't mention that anywhere. (but maybe he did and i missed it.)
posted by jimw at 1:30 PM on June 15, 2001