The Dangers of Email Addresses in RSS Feeds

There has been an update, so please read to the bottom of the post. I leave the original entry above for posterity.

Frassle is a neat service. What is not neat is that they seem to resell email addresses. My domain allows me to use any address at it (they all get redirected to a central address). This allows me to tailor a name to each service. The old tack was to use a Yahoo or Hotmail account (which didn’t have any accountability). My convention right now is either service1 or service.login1.

Some addresses that were slightly exposed at one point, contact and photoadmin, regularly get email about updating their bank, eBay, and PayPal records, with a handy, dandy link to do it right from the email. Real nice. eyeroll

For the first time, I received some spam from a service email, frassle1. Not cool. I will be emailing the operator of the site to get an explanation. I’ll keep y’all updated. In the meantime, if you want to use their service, use a throwaway address like a Yahoo account.

Update: As Shimon explains in the comments, the email was not sold. I apologize for accusing him of such. In fact, he was doing the right thing to an ill effect.

The problem lies in RSS 2.0, which requires the author, managingEditor and webMaster elements to contain an email address. Luckily, these elements are optional, but the fact that they can’t simply be a name, as written in the specification, sucks. Surely, the creators of RSS 2.0 foresaw that a machine-parseable format would lend itself to spambots harvesting feeds for email addresses.

Shimon was filling in this element with the registration email, which, according to the specification, was proper and good. He was supplying all the information that was available. A good thing to do in most cases. He has altered the feeds to remove this optional element. Other sites take an alternative tack and instead fill in a bogus email address just to make the feed validate. There’s something quite clearly wrong with RSS 2.0 when feed authors are forced to use bogus data.
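The audit and the fix described above, as an added example that is not part of the original post or frassle's code: it lists every address a harvester could read from an RSS 2.0 feed, then drops the three optional email-bearing elements. The sample feed, its addresses and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that RSS 2.0 defines as carrying an email address.
EMAIL_ELEMENTS = {"author", "managingEditor", "webMaster"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample feed; the addresses and URLs are made up.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example directory</title>
    <link>http://feeds.example/</link>
    <description>Constructed feed</description>
    <managingEditor>service1@mydomain.example (Site User)</managingEditor>
    <webMaster>service1@mydomain.example</webMaster>
    <item>
      <title>First post</title>
      <author>service1@mydomain.example</author>
      <description>Mail me at contact@mydomain.example</description>
    </item>
  </channel>
</rss>"""


def audit_feed(xml_text):
    """Return (element tag, address) pairs for every address in the feed text."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        for addr in EMAIL_RE.findall(elem.text or ""):
            found.append((elem.tag, addr))
    return found


def scrub_feed(xml_text):
    """Drop the optional email-bearing elements and return the feed as a string."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in EMAIL_ELEMENTS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for tag, addr in audit_feed(SAMPLE_FEED):
        print(f"exposed in <{tag}>: {addr}")
    print(audit_feed(scrub_feed(SAMPLE_FEED)))
```

Running the audit again on the scrubbed feed still reports the address typed into the item description: removing the elements only covers what the feed generator fills in, not what users write in their content.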

Update Part Deux: Shimon wrote a blog entry about the link (discovered via Technorati, prompting me again to perhaps drop trackbacks and use Kramer). He’s a good guy for taking my original accusation with such grace and being up front with his users. He even lives in the Boston area like yours truly.

Well, if you consider the Boston area the eastern half of Massachusetts. No “boondocks” quips from the peanut gallery.

View Comments to 'The Dangers of Email Addresses in RSS Feeds'

  • RSS generation so that these two elements are omitted. The RSS feed should no longer disclose your email address, and I don’t believe this information is disclosed anywhere else in the system. Derik also commented that he’ll be changing his blog post, “Frassle Sells Your Email” (update: now “The Dangers of Email Addresses in RSS Feeds”), to clarify that this is a mistake that’s been corrected. I stand by my promise to never sell your email address or personal information. posted to /frassle/announcements
  • t use any of those services personally. I recently made a domain and when I sign up at a new site, I use the name of the service in the email. When I start to receive spam at that address, I have a good idea of who sold my address (though it’s not perfect). Mike takes it a step further. My only qualm with Mike’s method is that because you use a hash, you need to record which hashes match up with what services. However, not everyone is so blessed to own their own domain name. Given, you can probably
  • Derik,

    Frassle does not sell email addresses; the addresses are being picked up from RSS feeds by spammers. By default, frassle uses your registration email address for the RSS 2.0 managingEditor and webMaster elements, so your email address becomes public.

    Of course, it’s not good enough to be simply negligent rather than malicious, so I’ve removed these two elements from the RSS feeds frassle generates. Eventually, I might make it an option to turn these on, but if you take a look at your RSS feed now: http://frassle.net/Directory/rss?id=3329 it should not contain your email address.

    Thanks for alerting me to the issue, and if you think the change I made addresses the problem, I’d appreciate it if you updated the title of your blog post. While I am sorry frassle made this mistake, we don’t sell email addresses and never will.

    Shimon Rura, creator and maintainer of frassle.

  • Thanks Simon, I will be updating the article!

  • That is a really cool idea, to use email addresses specific to the service.

  • You should use more than just the domain name when you create a unique email address. Someone else could make you think your address is being sold simply by trying different domains. See http://f79f65a2ea59016f063cb987424ed7b2.PlanetMike.com for details on how I register at web sites. Mike

  • Mike, that is simply brilliant. My question is though, do you write down these addresses to track them back to the source?
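One way to address both points raised in the two comments above (guessable per-service addresses, and having to record which hash belongs to which service), as an added sketch that is not Mike's scheme or anything from the original thread: keep the service name readable and append a keyed MAC tag, so an address can be checked on receipt without a lookup table. The domain, secret, tag length and function names are assumptions made for this example.

```python
import hashlib
import hmac

# Assumptions for this sketch: a catch-all domain and a secret only you know.
DOMAIN = "mydomain.example"
SECRET = b"constructed-demo-secret-change-me"
TAG_LEN = 8  # hex characters kept from the MAC


def _tag(service):
    """Keyed tag for a service name; cannot be computed without SECRET."""
    mac = hmac.new(SECRET, service.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def address_for(service):
    """Address to hand to `service`, of the form <service>.<tag>@<domain>."""
    return f"{service.lower()}.{_tag(service)}@{DOMAIN}"


def classify(recipient):
    """Return (service, verdict) for the recipient address of incoming mail."""
    local, _, domain = recipient.lower().partition("@")
    if domain != DOMAIN:
        return (None, "not-ours")
    service, _, tag = local.rpartition(".")
    if not service:
        return (None, "guessed")    # no tag at all, e.g. a plain 'frassle1'
    if hmac.compare_digest(tag.encode(), _tag(service).encode()):
        return (service, "issued")  # an address you actually generated
    return (service, "guessed")     # right shape, wrong tag: made up by sender


if __name__ == "__main__":
    issued = address_for("frassle")
    print(issued, classify(issued))
    print(classify("frassle1@" + DOMAIN))
```

Mail to an "issued" address points at the one service that was given it (or at something that exposed it, such as a feed), while "guessed" mail was sent to an address nobody was ever handed.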

  • There’s a Konfabulator Widget that shares “Throw away” email accounts to popular sites; you can even create one and share it.
