The Dangers of Email Addresses in RSS Feeds


There has been an update, so please read to the bottom of the post. I leave the original entry above for posterity.

Frassle is a neat service. What is not neat is that they seem to resell email addresses. My domain allows me to use any address at it (they all get redirected to a central address). This allows me to tailor a name to each service. The old tack was to use a Yahoo or Hotmail account (which didn’t have any accountability). My convention right now is either service1 or service.login1.

Some addresses that were slightly exposed at one point, contact and photoadmin, regularly get email about updating their bank, eBay, and PayPal records, with a handy-dandy link to do it right from the email. Real nice. eyeroll

For the first time, I received some spam from a service email, frassle1. Not cool. I will be emailing the operator of the site to get an explanation. I’ll keep y’all updated. In the meantime, if you want to use their service, use a throwaway address like a Yahoo account.

Update: As Shimon explains in the comments, the email was not sold. I apologize for accusing him of such. In fact, he was doing the right thing to an ill effect.

The problem lies in RSS 2.0, which mandates an email address in the author element as well as in the managingEditor and webMaster elements. Luckily, these elements are optional, but the fact that, as the specification is written, they can’t simply be a name sucks. Surely the creators of RSS 2.0 foresaw that a machine-parseable format would lend itself to spambots harvesting feeds for email addresses.

Shimon was filling in this element with the registration email, which, according to the specification, was proper and good. He was supplying all the information that was available. A good thing to do in most cases. He has altered the feeds to remove this optional element. Other sites take an alternative tack and instead fill in a bogus email address just to make the feed validate. There’s something quite clearly wrong with RSS 2.0 when feed authors are forced to use bogus data.
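
An added example, not part of the original post or of Frassle's code: a Python sketch that audits a feed for addresses in the three email-typed RSS 2.0 elements and removes those optional elements, which is the fix described above. The feed content, the addresses and the function name scrub_feed are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# RSS 2.0 elements whose value is specified as an email address.
EMAIL_ELEMENTS = {"author", "managingEditor", "webMaster"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample feed (not taken from any real service).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <link>https://feeds.example/</link>
    <description>Constructed sample</description>
    <managingEditor>editor@feeds.example (Feed Editor)</managingEditor>
    <webMaster>webmaster@feeds.example</webMaster>
    <item>
      <title>First post</title>
      <author>service1@user.example (A. Reader)</author>
    </item>
    <item>
      <title>Second post</title>
    </item>
  </channel>
</rss>"""


def scrub_feed(xml_text):
    """Return (findings, scrubbed_xml) for a feed you generate yourself."""
    # For feeds from untrusted sources, parse with a hardened XML parser
    # (for example the defusedxml package) instead of the stdlib one.
    root = ET.fromstring(xml_text)
    findings = []
    # Snapshot the tree first so removing children does not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in EMAIL_ELEMENTS:
                # Record every address a harvester could have collected.
                for addr in EMAIL_RE.findall(child.text or ""):
                    findings.append((child.tag, addr))
                # The element is optional in RSS 2.0, so drop it entirely.
                parent.remove(child)
    return findings, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, cleaned = scrub_feed(SAMPLE_FEED)
    for tag, addr in found:
        print(f"exposed in <{tag}>: {addr}")
    print(cleaned)
```
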

Update Part Deux: Shimon wrote a blog entry about the link (discovered via Technorati, prompting me again to perhaps drop trackbacks and use Kramer). He’s a good guy for taking my original accusation with such grace and being up front with his users. He even lives in the Boston area like yours truly.

Well, if you consider the Boston area the eastern half of Massachusetts. No “boondocks” quips from the peanut gallery.