Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re^2: Status of Recent User Information Leak (mass e-mail)

by tye (Cardinal)
on Jul 31, 2009 at 04:27 UTC ( #784806=note: print w/ replies, xml ) Need Help??


in reply to Re: Status of Recent User Information Leak
in thread Status of Recent User Information Leak

Do you have effective bulk e-mailing services to offer? We are still having problems just getting the first batch of 700-odd e-mails actually successfully sent due to anti-spam measures that are nearly ubiquitous.

Trying to figure out how to send 58,000 e-mails to people who, for the most part, haven't visited here in years is not my highest priority. There is plenty of other work to do in response to this incident, and most of it isn't happening as fast as I would like.

If you feel strongly that this needs to be done, than please demonstrate your sincerity by composing a proposed e-mail body and finding an effective bulk e-mail delivery method that the vast majority of PerlMonks users would not mind having their e-mail address provided to. If you or somebody else provides those two items, then I will try to find a resource to select and extract the pertinent e-mail addresses.

I personally believe that this incident is already very widely publicized and the number of people who would be reached by a mass e-mailing who are not already aware of the problem and who also left interesting personal information here that is still pertinent, would be vanishingly small. Never the less, I would like to e-mail everybody just in case there are some people in that category. So I would appreciate the help. But I will be spending the time that I already don't have on tasks related to this incident that I consider more important.

Thank you.

- tye        


Comment on Re^2: Status of Recent User Information Leak (mass e-mail)
Re^3: Status of Recent User Information Leak (mass e-mail)
by Polyglot (Monk) on Jul 31, 2009 at 05:46 UTC
    Tye,

    Does anyone here use Qmail on a linux server? If so, all it would take is to copy the 58,000 email addresses into a text file, one address per line, place it on the Qmail server as a mail list, and then bounce a generic email off the list. Everyone would receive the same message (not personalized) but it would be very efficient and only to them (like bcc:).

    I have my own box here at home, and I suppose if folks trusted me, I could send them out from here.

    Qmail allows mail lists for its user accounts (as I suppose other mail programs do as well). In Qmail, it is nearly as simple as this: adduser perlmonks, copy text file into perlmonks home directory as "newslist", then write an email to "perlmonks-newslist@qmailserver.domain.org" and watch the mail go out. (No guarantees that I'm not missing a step or two, but it's about that simple if qmail is already installed and running.)

    Features of Qmail, including the mail list (for which there is no size limit), can be found here: http://cr.yp.to/qmail.html. According to the statistics there, it might take under two hours to send the email out to all 58,000 addresses.

    Blessings,

    ~Polyglot~

    UPDATE: On second thought, I am remembering that I am not in a good position to send out bulk emails like this. Someone else would have to do it from a more trusted IP address. You see, I am in Taiwan, and many ISPs seem to block entire IP address ranges for Taiwan, as apparently much spam and mischief originates here. In other words, much of what I would send from here might not be delivered, or it would land in the "spam" box. But the Qmail solution would still be viable if used from a trusted source. ~ Polyglot ~

      Unless you limit the number of connections to each recipient host, you risk taking an email server hosting a large number of monks to its knees.

      Qmail is a very good internal system. I have stopped recommending it for external mail servers a long time ago. The internet infrastructure is just not resilient enough against a server like this that could present a very effective denial of service attack.

      This is from someone who was involved with qmail use and advocacy very early on. One of my first public perl scripts is in fact still being distributed (search for Brian T. Wightman on one of the qmail pages), although I no longer recommend its use - the SMTP world has changed :).

      --MidLifeXis

      The tomes, scrolls etc are dusty because they reside in a dusty old house, not because they're unused. --hangon in this post

        Maybe a silly suggestion, I'm no SMTP expert...

        What if 58 trusted monks around the planet would send 1000 emails each?

        We could start a group "Mailsender" where these monks could join, and they would get the required lists and email for qmail.

        Personally I would suggest that each should send 3x1000 emails for redundancy and to guaranty a high likelihood of deliverance.

        The email-text of each Mailsender should somehow differ to avoid spamfilter but should be a forward of perlmonks.

        This Mailsender group could be quickly reactivated in the "next incident"... ;)

        Cheers Rolf

Re^3: Status of Recent User Information Leak (mass e-mail)
by Argel (Prior) on Jul 31, 2009 at 19:21 UTC
    I personally believe that this incident is already very widely publicized....
    This is precisely why I asked about the legal ramifications in 784719. Specifically, are there any applicable state or federal laws that require notification? Establish what you have to do (or what your lawyers advise you to do) first before worrying about what you would like to do.

    Update: And if possible, after things have settled down let us know what the response was. This is a great opportunity to learn more about the legal side of security breaches like this, especially for open source foundations, organizations, etc.

    Elda Taluta; Sarks Sark; Ark Arks

Re^3: Status of Recent User Information Leak (mass e-mail)
by Zen (Deacon) on Jul 31, 2009 at 22:50 UTC
    http://www.expeditesimplicity.com/features.php

    $60 or use any of a number of linux freeware tools to send mail in phased batches, or from the pair server itself (notify them first).

    Body:

    Your Perlmonks account has been compromised! Your password, email address, and any information stored about you on our site was unencrypted and thus visible to the attackers. We have more information at the following link: http://www.perlmonks.org/?parent=784806

    We encourage you to change your password and visit our site for more information as it becomes available. This will be the last notification on the topic.

    ----------------------------------

    How's that? I may have done the link wrong. Updated link.

      Well, thank you for "trying". The first two non-internal links from google for expeditedsimplicity.com were 1) showing close ties to an unapologetic spammer and 2) panning the quality of their service.

      And you couldn't even be bothered to construct a working URL (so you obviously couldn't be bothered to even test the URL for the text you slapped together).

      And read other parts of this thread. Just sending out batches of e-mail would mostly just make the IPs doing the sending get tagged as spammers and result in lots of the e-mails not being delivered.

      I didn't respond at first because your level of effort here was clearly so low that I seriously doubted that your suggested service would be of any better quality than the rest of your "work". So I was hoping somebody might look into that service or have heard of it and save me the time.

      Luckily, the service was so obviously bad that you've only managed to waste a small amount of my time investigating the mass e-mailing service that you couldn't be bothered to spend a small amount of your time investigating. Sounds like a great idea to submit all our members' e-mail addresses to a service closely associated with spammers.

      Spending more time looking for such a service myself, the most promising I was able to find was http://constantcontact.com which notes "10,001-25,000 $150" and "25,000+ Call for pricing". I'll try to find more time later for looking further.

      - tye        

        Yes. I'm sure a mass email service can be used for good AND evil. Your pooh-poohing of doing it yourself on linux in phased batches means you leave a 3rd party as the only option, and whether or not you pay 50 or 200, it is a trust issue. Clearly, your plan all along was not to do it. You can attempt to blame me, but the lack of effort here is yours, starting with zero security and ending with facebook/xp limit message mails.
Re^3: Status of Recent User Information Leak (mass e-mail)
by Zen (Deacon) on Aug 06, 2009 at 13:13 UTC
    How's that mailing going?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://784806]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (11)
As of 2014-08-20 15:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (116 votes), past polls