#63995 bugs.debian.org reveals e-mail addresses to spammers

#63995#5
Date:
2000-05-12 05:15:00 UTC
From:
To:
A positive disinducement to report bugs is the fact that the automated
replies don't work with spam-resistant addresses, and the addresses
are made available for public harvesting at, e.g.

http://www.debian.org/Bugs/db/ix/full.html

It's rather a pain to set up a new mailbox just for bug reporting.

#63995#10
Date:
2000-10-02 18:53:03 UTC
From:
To:
Hi,

The bug tracking system is based on e-mail, and on correct e-mail addresses.
I don't think we can't just hide any of the e-mails or wrap them up somehow
to protect people from spam.

We could remove the indices and leave only forms for searching for specific
entries in the BTS, but I guess some people would object to that... if they
exist in the first place, they must be useful to someone. (excluding
spammers, of course)

#63995#16
Date:
2000-10-02 19:23:35 UTC
From:
To:
Um, you could do like some commercial mailing list systems I've seen do... partially
obscure the addresses that are published (perhaps turning "person@host.dom.ain"
into "person@h...d...a..") and then having a link that's hard for a robot to follow
(like a form submit button, or even an "authorization required" that'll accept
anything as a username/password) to get at the unmasked data.

I don't think it's a lucrative enough target for a spammer to write a custom
harvesting script.

What do you think?

#63995#21
Date:
2000-10-02 19:41:08 UTC
From:
To:
I agree that something has to be done, I was quite happy living in an ideal
world with only 1 spam a month until I started filing bugs, and now that
I maintain a package, I'm getting at least 1 spam per day on my relatively
private mail accounts

#63995#26
Date:
2001-02-16 23:32:50 UTC
From:
To:
I don't think that anything needs to be done.

When people think that they want to invent invalid email addresses let
them. But they shouldn't complain that they are unable to use a system
which relies on valid addresses.

It's the same with the Usenet. I post with my real address, and I get
approx. 1-2 spam mails a day. I report them to abuse, and that's it.

I think that (reporting to abuse) is what the bug submitter should do,
too.

#63995#35
Date:
2002-11-23 00:28:05 UTC
From:
To:
jens@unfaehig.de wrote:

That's what I used to do, until it grew to 10-20 spams per day, and it
just got too tiring.  Now I use disposable email addresses, which I
disable the first time they receive spam.  But that's a good solution
only if it is rare for spammers to discover the new addresses, which is
not true if they are posted on the web.

The debbugs software already needs to transform angle brackets and
ampersands to &lt; and &gt; and &amp; when displaying plain text on the
web, so it would be easy to add another transformation for at-signs,
changing them to:

<!--
no spam
-->@<!--
no spam
-->

That is perfectly valid HTML that will display as "@", so the
transformation would go completely unnoticed by users, but it contains
comments, line breaks, and entity references that might (hopefully)
confuse the automatic address harvesters.

This transformation would be safe to apply to *all* at signs (not
just the ones in email addresses) when displaying plain text in HTML,
because it doesn't really change anything.  Therefore a very simple
implementation is possible.  (Alternatively, it could be done only in
certain fields known to contain email addresses, but that would be much
trickier to implement.)

Another approach would be to change the at signs to " at ". That might
be more effective at frustrating the robots (I don't know), but it would
also be visible to users, and it would have to be done only in email
addresses, not in other text.
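
Added example, not part of the original message and not debbugs code: a Python version of the at-sign transformation proposed above, applied after ordinary HTML escaping. The entity &#64;, the function names and the sample text are assumptions made for illustration.

```python
import html
import re

# Replacement for every "@": comment, line break, numeric entity, comment.
# "&#64;" is an assumed choice of entity reference; a browser shows it as "@".
MUNGED_AT = "<!--\nno spam\n-->&#64;<!--\nno spam\n-->"

# Deliberately simple address pattern, used only to measure what a plain
# text match over the page source would still find.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: one address plus at-signs and markup characters
# that are not part of any address.
SAMPLE = "From: Reporter <reporter@example.org>\nAT&T call @ 5 <soon>"


def escape_for_web(text):
    """Escape & < > first, then munge every at-sign, address or not.

    The order matters: MUNGED_AT itself contains "<" and "&", which must
    reach the page unescaped.
    """
    return html.escape(text, quote=False).replace("@", MUNGED_AT)


def rendered_text(markup):
    """Text a reader sees: comments dropped, entity references decoded."""
    return html.unescape(re.sub(r"<!--.*?-->", "", markup, flags=re.DOTALL))


def literal_addresses(text):
    """Addresses visible to a plain pattern match over `text`."""
    return ADDRESS_RE.findall(text)


if __name__ == "__main__":
    page = escape_for_web(SAMPLE)
    print("in raw markup:   ", literal_addresses(page))
    print("in rendered text:", literal_addresses(rendered_text(page)))
    print("round trip ok:   ", rendered_text(page) == SAMPLE)
```

rendered_text() does only what any HTML renderer does, so the same run shows the limit of the technique: the munging survives a pattern match on raw markup, not one on rendered text.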

#63995#42
Date:
2003-08-30 11:41:53 UTC
From:
To:
I'm rather inclined to believe that this is not an issue.  There's
many solutions to dealing with the spam problem other than pretending
it doesn't exist, which is what munging amounts to.

http://spamcop.net/
http://www.interhack.net/pubs/munging-harmful/

#63995#47
Date:
2004-03-29 00:44:51 UTC
From:
To:
see also: 203623, 170334 (were merged with 63995)

63995 was first submitted nearly 4 years ago. was a good idea then, and
still is today. probably even more important now with spam accounting
for more than half the world's email today. in fact, over the last 24
hours, 82.6% of messages processed by my corp network spam/virus
filtering service is spam! (that's 10 of 12 folks!). (source:
www.postini.com on 28 Mar 2004)

not long ago, i created a brand new email account using basically some
random characters for a username, specifically for communication with
bugs.debian.org. a google search when i created the account did not
return any results on the string, except for a sole usenet message from
a couple years ago (the string was present in a PGP encrypted message).

this email address has and will only be used for communications with
debian.org, so all spam and viruses received at it are a direct result
of participating in the debian.org community (i use another address for
third-party debian sites).

within 12 hours of first email to bugs.debian.org the spam and
(windows-based) viruses began to roll in. this from *two* emails to
bugs.debian.org.

i completely agree with the need (expressed here and elsewhere) to
develop a server-side way to protect email addresses contained within
bug reports from spammers' spiders.

some sort of server-side authentication method that permits only debian
"authorized" persons (qa, administrators, package maintainers and
developers) and those who have contributed to a bug report to access
email addresses contained in one.

the presentation of email addresses in copies of reports posted to
usenet needs to be addressed too. perhaps the code that publishes them
via usenet could remove the email addresses and replace it with a
bitbucket@debian.org instead. won't stop the collection of email
addresses already within google's archive, but ya gotta start somewhere.

people who read them know how to respond to bug reports properly and
others could be directed to the web site for instructions via an
automatically inserted footer note.

spammers aren't going to go away anytime soon, and legislation against
them is pretty much worthless.. so why are we helping those low-lifes?

#63995#52
Date:
2004-08-28 08:42:41 UTC
From:
To:
The only question relevant to this issue is:

"Will munging e-mail addresses make Debian users more likely or less
likely to report issues?"

Obviously there are users who are reluctant to report bugs as long as
e-mail addresses are not munged.

I'd be quite surprised if there are people who would quit reporting
bugs if bugs.debian.org started munging addresses.

So IMO, munging addresses would make Debian users more likely to report
problems.  This is the whole point of having a bug tracking system.

  //Johan
#63995#57
Date:
2004-08-28 23:57:42 UTC
From:
To:
In article <walles-0Ad4LAhVVUKAgOS7XKPSi+yBbCVKbtt@mailblocks.com> you write:

No, the question should be:
Will this make Debian better?

Getting more bug reports from random people who cannot be contacted
will not do this.  This contact could not only come from the package
maintainer, but from any DD, anyone on the NM queue, or just someone
who wants to help.

Note that I have contacted bug submitters and figured out what their
problem was and how they could fix their system before I even entered
the NM queue.

Making things difficult for the people trying to fix the bugs is not
the answer.

#63995#62
Date:
2004-08-29 06:37:51 UTC
From:
To:
-----Original Message-----
you write:

Fine by me.

Definitely agreed, but how would munging e-mail addresses on the web
pages do this?  If your e-mail address is written as "blarson at
blars.org" rather than "blarson@blars.org", most people would still be
able to contact you.

If b.d.o would implement the suggestion on replacing all @s with HTML
code expanding into identical @s, anybody using a web browser to view
the page would see your address as "blarson@blars.org" rather than
"blarson@blars.org".  I don't see how that would make you
un-contactable either.

  Regards //Johan
#63995#71
Date:
2005-08-06 17:27:28 UTC
From:
To:
Hi,

many people have reported this to be an issue for them.  Quite a few of
them quit writing bug reports.  I really do not understand why the
maintainers of bdo blatantly ignore this problem when solutions have
been put forward that do not impact upon contactability while
restraining the thugs at least to a certain extent.  The @ is still
unmasked in the web pages.  I take this as a sign that the Debian
organization disrespects my and others right to privacy.  Again there is
NO loss whatsoever from doing this.  The last message from Johan Walles
has just been ignored.

In light of the current situation, I also think that the absolute,
uncompromising stance in favor of publication of mail addresses vs.
privacy needs discussion and revision.  There is a trade-off but an
absolute stance in most situations will be unbalanced.

The situation of unmasked @ on the website where this is not even a
trade-off is just an affront!

Regards

Rolf Leggewie

#63995#76
Date:
2005-08-24 06:16:07 UTC
From:
To:
Don,

recently you tagged bug 63995 "bugs.debian.org reveals e-mail addresses
to spammers" with a comment saying "YEAY STUPID DON'T SHOW MY EMAIL
MEME!".

As I don't think that comment really deals with the solutions suggested
in the bug report, I'd appreciate it a lot if you could come up with a
better explanation and CC it to 63995.

Specifically, I'd appreciate it if you could respond to the message
from Adam M. Costello, posted Sat, 23 Nov 2002 00:28:05 +0000.

  Thanks //Johan
#63995#81
Date:
2005-08-24 08:24:31 UTC
From:
To:
Why did you "wontfix" bug 63995?

Because it won't be fixed.

The solution (namely, turning @ into <!-- blah -->@<!-- blah -->) is
a needless obfuscation that isn't going to actually net us anything.

Not to mention the fact that this is absolutely trivial for anyone
harvesting messages to circumvent, the actual e-mail addresses are
made available to multiple mailing lists, and far more useful methods
exist for dealing with the "spam problem". [And no, we're definitely
not going to be munging the e-mail addresses present in the mboxes.]

See also the thousands of messages that have been expended on similar
arguments regarding lists.debian.org.


Don Armstrong

#63995#86
Date:
2007-03-23 10:21:38 UTC
From:
To:
Hello,
	it makes me smile to read the first requests, dated back in the good old times
when people found it disturbing to receive 1 spam/day (and bug numbers still
fitted 5 digits...).
My company's spam-killer has moved to /dev/null as many as 4512 messages to my
address since Jan 8 2007, i.e. an average 61/day.  About 3 to 6 more come
through and I need to delete myself every day.
Still, Paul Johnson & Don Armstrong are perfectly right with wontfix.
It's no solution to pretend that simple tricks such as those suggested here
could protect e-mail addresses in any durable way.
With spammers around, an address can run but can't hide...	;-(
Nowadays most anti-spamming activity is implemented at router level, and there
is not much point avoiding one's e-mail to appear on the www: it will anyway
soon or later.
Best,
	Nick

#63995#91
Date:
2007-07-19 19:29:11 UTC
From:
To:
Hello. I'm just a regular Debian user, but please reconsider doing
something about the distribution of bug reporters' email addresses,
at least through the web interface.

It has gotten so bad that the turnaround between reporting a bug through
'reportbug' with a brand new email-address and receiving spam is now
less than 5 hours:

(reporting the bug)
Jul 19 16:07:39 chaos postfix/qmgr[9820]: E0F89EAC19B: from=<debbug.lighttpd@sub.noloop.net>, size=2443, nrcpt=2 (queue active)
Jul 19 16:07:42 chaos postfix/smtp[12686]: E0F89EAC19B: to=<submit@bugs.debian.org>, relay=bugs.debian.org[140.211.166.43]:25, delay=5.7, delays=1.9/0.68/2.4/0.68, dsn=2.0.0, status=sent (250 OK id=1IBWfO-0007x1-DK)

(being spammed. also note that they are spamming another account I used
a couple of days ago for another bug, which I had to close)
Jul 19 20:59:49 chaos postfix/smtpd[13768]: connect from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:49 chaos postfix/smtpd[13769]: connect from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:50 chaos postfix/smtpd[13769]: NOQUEUE: reject: RCPT from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]: 554 5.7.1 <debbug.mddev@sub.noloop.net>: Recipient address rejected: This address is no longer in service due to excessive incoming spam. Try debbug.mddev2@sub.noloop.net; from=<Admin@growthstockguru.com> to= <debbug.mddev@sub.noloop.net> proto=SMTP helo=<growthstockguru.com>
Jul 19 20:59:50 chaos postfix/smtpd[13768]: 40A95EAC114: client=pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:50 chaos postfix/smtpd[13769]: lost connection after RCPT from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:50 chaos postfix/smtpd[13769]: disconnect from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:50 chaos postfix/cleanup[13772]: 40A95EAC114: message-id=<6a412bcd7ef9814c24419a8522037ad7@growthstockguru.com>
Jul 19 20:59:51 chaos postfix/qmgr[9820]: 40A95EAC114: from=<Admin@growthstockguru.com>, size=22098, nrcpt=1 (queue active)
Jul 19 20:59:51 chaos postfix/smtpd[13768]: disconnect from pool-71-185-3-230.phlapa.east.verizon.net[71.185.3.230]
Jul 19 20:59:51 chaos postfix/local[13773]: 40A95EAC114: to=<......................>, orig_to=<debbug.lighttpd@sub.noloop.net>, relay=local, delay=1.9, delays=1.5/0.19/ 0/0.25, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")

It is fairly obvious that someone is aggressively and automatically
sourcing spam targets from your bug tracker.

Even with RBLs, spamassassin etc. it's becoming difficult to protect
against spam due to the way "modern" spam mails are formatted.

Of course nothing will prevent a dedicated attacker from writing a bot,
but simple random munging of the HTML sounds like a cheap way to at
least slow them down a bit.

Thanks in advance.

#63995#96
Date:
2007-08-20 18:25:40 UTC
From:
To:
Hello,

It has been more than 7 years since this bug was opened and it seems to me that this problem hasn't been addressed in
any way in Debian.

I would really like to see at least the trivial obfuscation that Adam M. Costello proposed in [1]. AFAICT there is no
disadvantage to his proposal and it could slow down spam.

Also saying that there will be people doing directed attacks to the BTS so there is no point in trying to hide emails is
like saying that since there will be at some point a thief breaking into a house anyway, you shouldn't try to put any
kind of lock on it anyway.

I am all for the openness policy of Debian, but this affects privacy in a really bad way.



I would also like to propose another solution for this problem. What if there is an authentication method added to bts
that, when used allows people to view the full details of people, emails and things like that, but, when somebody
browses as a guest, the email addresses are obfuscated? People interested in reporting can authenticate and use the
system like they do now. People wanting to browse the issues can view all the information they need (the bug no-s and
addresses should not be obfuscated in any case).

This way spam can be kept under some acceptable values...


Please reconsider implementing this feature.


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=35;bug=63995

#63995#99
Date:
2007-08-28 15:18:30 UTC
From:
To:
[bcc to all contributors to #63995]

also sprach Don Armstrong <don@debian.org> [2005.08.24.1024 +0200]:

I've had major success with postfix spamtraps. The basic idea:

  for each address foo@bar.com, add foo1@bar.com (where 1 could be
  anything that's not going to be in regular email addresses; I use
  .tarpit) to whatever webpage.

  on the postfix side, add a PCRE or regexp map entry to
  check_recipient_access:

    /^.+\.bogus@/              DISCARD is a tarpit (explicit)

  profit.

The theory: spammers harvest addresses and foo@bar.com and
foo1@bar.com are so close together that they are likely to be in the
same batch of mail sent out. Now if postfix receives
a multi-recipient mail, where foo1@bar.com is one of the recipients,
it discards the whole mail.

Look at http://blog.madduck.net how I worked this in with HTML.

I guess one advantage of this is that everyone could do this
themselves, if they have a mail server they admin.

I'd love for @debian.org addresses to do something similar, e.g.
madduck_this-address-a-trap-DONT-USE@debian.org.
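
Added example, not part of the original message and not Postfix code: a Python model of the spamtrap described above, showing why one trap recipient takes the whole message with it (the Postfix DISCARD action applies to all recipients of a message) and where the scheme stops helping. The helper names, the example.org addresses and the sample transactions are constructed; the trap tag is the .tarpit suffix named in the message.

```python
import re

TRAP_TAG = ".tarpit"  # suffix the message says is in use; any unused tag works

# Same shape as the map entry quoted above, written for TRAP_TAG.
# Postfix pcre tables match case-insensitively by default, hence IGNORECASE.
TRAP_RE = re.compile(r"^.+\.tarpit@", re.IGNORECASE)


def trap_for(address, tag=TRAP_TAG):
    """Derive the decoy published next to a real address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return f"{local}{tag}@{domain}"


def published_pair(address):
    """What goes on the web page: the real address and its decoy."""
    return [address, trap_for(address)]


def transaction_action(recipients):
    """Model of check_recipient_access with a DISCARD entry.

    DISCARD is a per-message decision, so a single trap hit drops the
    mail for every recipient in the same SMTP transaction.
    """
    if any(TRAP_RE.match(rcpt) for rcpt in recipients):
        return "DISCARD"
    return "DELIVER"


def deliveries_to(real, transactions):
    """Number of transactions that still reach `real`."""
    return sum(
        1
        for rcpts in transactions
        if real in rcpts and transaction_action(rcpts) == "DELIVER"
    )


# Constructed SMTP transactions (one recipient list per message).
REAL = "foo@bar.example.org"
SAMPLE_TRANSACTIONS = [
    # Harvested pair sent together: the decoy discards the whole message.
    [REAL, trap_for(REAL), "other@bar.example.org"],
    # Decoy alone: discarded, the real address was never involved.
    [trap_for(REAL)],
    # Real address in its own transaction: the trap cannot help here.
    [REAL],
    # Ordinary mail from someone who never saw the decoy.
    ["other@bar.example.org", REAL],
]

if __name__ == "__main__":
    for rcpts in SAMPLE_TRANSACTIONS:
        print(f"{transaction_action(rcpts):8} {', '.join(rcpts)}")
    print("messages reaching the real address:",
          deliveries_to(REAL, SAMPLE_TRANSACTIONS))
```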

#63995#104
Date:
2007-10-28 02:47:02 UTC
From:
To:
Hi,

I think b.d.o should at least send a no-email-collection meta tag on every
page.
The projecthoneypot.org project attempts to identify email harvesters (not
spammers) by generating unique email addresses which match the IP of the
visitor and hides these addresses from human visitors.
This is done so only non-human visitors (e.g. harvesters) find
the "identifier" (the unique email address) and send spam to it and thus
identifying who the harvester is.

At projecthoneypot.org there are some pages[1][2][3] providing useful
information.

I would also recommend the installation of a honeypot at b.d.o so we help this
project. If this measure is taken, there are two possible things that may
occur:
1.- Harvesters are detected and possibly blocked by making use of
projecthoneypot's http:BL API[4]
2.- Harvesters understand it won't do any good to them grabbing emails from
b.d.o and make their bots skip b.d.o

[1] http://www.projecthoneypot.org/how_to_avoid_spambots_5.php
[2] http://www.projecthoneypot.org/honey_pot_example.php
[3] http://www.projecthoneypot.org/faq.php#c
[4] http://www.projecthoneypot.org/httpbl_api

#63995#113
Date:
2008-04-30 04:05:33 UTC
From:
To:
Another solution is to implement CAPTCHA to protect email addresses, or any
mbox's raw data.
Something like what implemented in googlegroups web interface.

#63995#121
Date:
2008-10-27 07:10:09 UTC
From:
To:
Hi there,
is there any solution for this bug incoming? I mean for me personally it's impossible to report any further, because of this spam I get through this site.

Captchas or Mailform's would be great to protect us for getting spam.

Anyone working on this ?

#63995#124
Date:
2008-10-27 18:41:52 UTC
From:
To:
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=63995#81

Neither will protect you. Using a spam filter is the way to go. [It's
pretty trivial to get 95% accuracy with a basic SA install; with a bit
of work you can get even higher percentages.]

I have no problem with adding methods to block automated crawlers of
b.d.o via black holes and/or invalid e-mail addresses, though they're
not particularly high on my priority list. However, none of these
methods involves obfuscating or blocking access to e-mail addresses or
the site, neither of which are methods that I support, will implement,
or will accept patches for.


Don Armstrong

#63995#129
Date:
2009-02-22 19:59:45 UTC
From:
To:
Are you still thinking that the bts should not be modified in order to make it less useful for spammers?
Are you still not accepting patches for this purpose, nor willing to fix it yourself?

As an aside: how can one obtain the bts source?

#63995#134
Date:
2009-02-22 20:25:43 UTC
From:
To:
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=63995#124

What I say there is still the case.

See http://wiki.debian.org/Teams/Debbugs


Don Armstrong

#63995#139
Date:
2009-06-17 02:48:18 UTC
From:
To:
Hi there,

So I see this bug report doesn't seem to be going anywhere. Can I suggest that at least it is made clear to someone posting a bug that the email address they use to do so will be publicly distributed? I posted my first bug recently and there was no indication that this would be the case.

Jem.



#63995#146
Date:
2010-07-31 18:14:08 UTC
From:
To:
This sounds like a plausible argument, but it hasn't been my recent experience.
I submitted my 1st Debian bug on 7/29/10 at 3.51pm and got my first spam email on
the address used on 7/30/10 at 5.20pm, less than 26 hours later.  Compare that to
the Cygwin mailing list where I submitted a bug on 4/27/10 and where the address
used has, as far as I can remember, yet to receive any spam.  Cygwin uses a simple
@ -> at and . -> dot obfuscation method.

I think it very likely that Debian is losing bug reports because of this issue.  I
nearly balked myself, and I can assure you that I only went ahead because the Yahoo Plus
mail account (that I pay for) lets me generate disposable addresses.  Not everyone has
this capability.  Given that spam filters are not perfect I think many people are still
inclined not to knowingly invite spam by posting non-disposable addresses on the web.

While I agree that my recent experience is a sample of two, and so not exactly solid
scientific evidence, I do think some sort of simple, yet novel, obfuscation method would
be likely to help.

Since it is now attracting spam I'll now disable the disposable address used for my Debian
bug report and this comment.  I guess that means that I will now become uncontactable
via my bug report... which ironically is, I gather, exactly what you are trying to avoid
by posting email addresses in the first place.  My Cygwin address, meanwhile, is still active...

#63995#151
Date:
2010-11-01 23:35:16 UTC
From:
To:
Launchpad handles this nicely, in my experience.

You register for an account, and that account has an email address (or
multiple email addresses) associated with it.

Bug reports do not include the email address of your account.

In order to see someone's email address via the web you (at a minimum) must
be logged into your account.

Normally, bugs are viewed/edited/posted via a rich and expressive web
interface, however, if you really want to make modifications via email, you
can do so, as long as you send the email from an address on your account.
Launchpad then performs the corresponding action, stripping your email out
of the spam-harvester-viewable record.

Best-of-all-possible-worlds, as far as I can tell.

#63995#156
Date:
2010-12-01 21:20:50 UTC
From:
To:
The BTS will not require registration.

Email is the sole means of manipulating bugs via the BTS.

Since you mentioned Launchpad, you should also note that the full volume
of bug mail for Ubuntu is published in mbox format, see
http://people.canonical.com/~listarchive/ubuntu-bugs/2010-12 for
example. This includes submitter email addresses.

#63995#161
Date:
2011-01-20 15:34:13 UTC
From:
To:
I've downloaded the mbox archive for 2010-12. Although my Launchpad username
appears in the archive, my e-mail doesn't -- as expected. Even if it did, the
less an e-mail is broadcast on the web, the better (spam-wise).

Unfortunately large areas of open-source projects (like Debian, Ubuntu) have
been taken over by jerks. Jerks who block change simply because they can impose
misery on others. Jerks who abuse "wontfix". Jerks who fork a debian package
from upstream and then abandon it. Jerks who reject perfectly sound arguments.
Jerks who refuse to accept bugs in the components they control and send users
elsewhere to complain.

I think the solution will have to come from outside. We need something like a
petition-type website to expose (and shame!) retrograde developers/maintainers
and allow users to vote them off Debian, Ubuntu, Wikipedia etc. These people are
on an ego-trip, so unfortunately it won't be easy...

#63995#166
Date:
2016-02-06 04:24:02 UTC
From:
To:
Sent from my iPhone
#63995#171
Date:
2016-08-19 01:59:55 UTC
From:
To:
Dear Customer,

Your parcel has arrived at August 17. Courier was unable to deliver the parcel to you.
Please, download Delivery Label attached to this email.

Thank you for choosing FedEx,
Stephen Camp,
Support Manager.

#63995#176
Date:
2016-08-20 19:28:38 UTC
From:
To:
Dear Customer,

This is to confirm that one or more of your parcels has been shipped.
Please, download Delivery Label attached to this email.

Sincerely,
Edwin Holden,
Support Agent.

#63995#181
Date:
2016-09-04 02:20:03 UTC
From:
To:
Dear Customer,

We could not deliver your item.
You can review complete details of your order in the find attached.

Thank you for choosing FedEx,
Roberto Krueger,
Support Agent.

#63995#186
Date:
2016-09-13 16:08:09 UTC
From:
To:
Dear Customer,

Your parcel has arrived at September 12. Courier was unable to deliver the parcel to you.
Delivery Label is attached to this email.

Yours truly,
Andre Bush,
FedEx Operation Manager.

#63995#191
Date:
2016-09-17 21:51:47 UTC
From:
To:
Dear Customer,

This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.

Thank you for choosing FedEx,
Ruben Hooper,
FedEx Operation Manager.

#63995#196
Date:
2016-09-18 16:58:52 UTC
From:
To:
Dear Customer,

Courier was unable to deliver the parcel to you.
Please, open email attachment to print shipment label.

Regards,
Chris Mayer,
Support Manager.

#63995#201
Date:
2016-09-20 09:18:25 UTC
From:
To:
Dear Customer,

Your parcel has arrived at September 17. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.

Thank you for choosing FedEx,
Milton Shepard,
Support Manager.

#63995#206
Date:
2016-09-21 17:25:13 UTC
From:
To:
Dear Customer,

We could not deliver your parcel.
Please, download Delivery Label attached to this email.

Sincerely,
Rene Pennington,
Sr. Delivery Agent.

#63995#211
Date:
2016-09-30 13:32:08 UTC
From:
To:
Dear Customer,

Your parcel has arrived at September 29. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.

Yours truly,
Derek Michael,
Sr. Support Agent.

#63995#216
Date:
2018-07-09 13:22:37 UTC
From:
To:

#63995#221
Date:
2018-07-23 00:11:51 UTC
From:
To:
Hi Dear, my name is Jack and i am seeking for a relationship in which i will feel loved after a series of failed relationships.

I am hoping that you would be interested and we could possibly get to know each other more if you do not mind. I am open to answering questions from you as i think my approach is a little inappropriate. Hope to hear back from you.

Jack.

#63995#226
Date:
2019-01-08 15:26:43 UTC
From:
To:
Hi dear,

I am Capt Katie Higgins please i wish to have a communication with
you. I will wait for your response,

Capt Katie Higgins

#63995#231
Date:
2019-01-27 00:46:02 UTC
From:
To:
--
Sent via myMail for Android -------- Forwarded message --------
From: Google  no-reply@accounts.google.com To:  tommi.leipzig@gmail.com Date: Sunday, 06 January 2019, 04:57 AM +01:00
Subject: Security alert

#63995#236
Date:
2019-03-15 07:42:59 UTC
From:
To:
Hi Dear,

how are you today I hope that everything is OK with you as it is my great pleasure to contact you in having communication with you starting from today, i was just going through the Internet search when i found your email address, I want to make a very new and special friend, so i decided to contact you to see how we can make it work if we can. Please i wish you will have the desire with me so that we can get to know each other better and see what happens in future.

My name is Lisa Williams, I am an American  presently I live in the UK, I will be very happy if you can write me through my private email address(lisawilliams76@list.ru) for easy communication so that we can know each other, I will give you my pictures and details about me.

bye
Lisa

#63995#241
Date:
2019-04-28 19:20:41 UTC
From:
To:
Hello.
I am Mrs. Henrita Pieres 62 years old located in France. Let me trust
and believe you can handle this project...I have been diagnosed with
Esophageal cancer. i want to invest in humanitarian & Charity in your
country with sum of $4.5M, reply for more details

If you receive this letter from anybody else is a scam i am the only
one who is Henrita Pieres.

Hope to hear from you soon.

Yours Faithfully,
Mrs. Henrita Pieres

#63995#246
Date:
2020-01-26 14:52:52 UTC
From:
To:
Good day, i write to inform you as auditor on behalf of ORABANK.

Transaction number 000399577OBK have been approved for release
through VISA ELECTRON ATM Card.

Note that you are required to reconfirm your complete mailing address
for delivery.

Reconfirm code 000399577OBK to the Director Mr. Patrick Masrellet on ( (
atm.orabank@iname.com )) for further action.

Regards.
Atony Anderson( Esq)

#63995#251
Date:
2021-06-14 09:23:34 UTC
From:
To:
-- 
This is Lawyer, Franck Edson. Am contacting you on behalf of my client
whose identity has not yet been disclosed to avoid conflicts of
interest. My client is considering investment / business partnership
in your country. Details of investments / transactions are strictly
confidential, and therefore I cannot provide details until confirm
that this email is personal to you. let me know if this is your
personal email address, or advise on how to communicate with you
securely and confidentially. More detailed information will be
provided in our next message. Thank you for your time and for looking
forward to it quickly.
Sincerely, Lawyer, Franck Edson

#63995#256
Date:
2021-08-16 18:21:49 UTC
From:
To:
[image: image.png]
#63995#261
Date:
2023-05-20 10:59:22 UTC
From:
To:
severity 63995 grave
thanks

A solution is available and it's trivial. Just conceal the addresses
from the public web interface and mailing list archives, requiring
authentication to access the full report. This is
what's done in Ubuntu, Red Hat, XFCE, and about just any sensible
project I know of.

And requiring another account or manually reporting each spam is not
a solution. Firstly, another account is unnecessary and
cumbersome, and secondly, reporting spam is not always possible nor
effective to a regular user, and in some cases this "solution" takes
just too much time and effort to be feasible. It's just common sense
that you don't reveal email addresses publicly nor to spammers.

This makes the BTS unusable to anyone who doesn't set up and use an
email account separately and purposefully for that, and which handles
spam effectively. Additionally, this goes against point 4. of the
Debian Social Contract. Raising severity to grave accordingly.

#63995#270
Date:
2025-12-22 18:02:11 UTC
From:
To:
Your email was selected in Powerball Lottery draw winning the sum of $1.5m US dollars, Kindly contact powerballtml@outlook.com with your full name, Address and phone number for claims.