Re: E-mail harvesting on PG lists?

From: Gregory Youngblood <pgcluster(at)netio(dot)org>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Carlos Moreno <moreno_pg(at)mochima(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: E-mail harvesting on PG lists?
Date: 2006-01-07 18:08:19
Message-ID: 1136657299.3842.33.camel@az.netio.org
Lists: pgsql-general

I created an account for perl-cpan and it got hit with spam/phishing
attempts in less than a week.

There's not a lot that can be done about it. It's a losing battle to try
and fight. There are some things you can do, but it won't be 100%
effective. The closer you get to 100% effective, the more likely you are
to throw the baby out with the bathwater.

I started using dedicated addresses a few years ago. Anytime I sign up
for something, I use an address dedicated for that purpose. Then, when I
start seeing spam patterns, I know where the address was used. In the
case of mailing lists, there's not much to hide. However, when you sign
up for something with a legit store, and then 2 or 3 months later you
start getting bombarded with spam having nothing to do with that store
-- it's a pretty safe bet where the spammer got your address (unless you
use a very easy to guess address like a simple first name or something).

The other problem is dictionary attacks. There are distributed networks
of bots that do nothing except try a dictionary of names against your
mailserver. You can see how coordinated they are when you are getting
dictionary scans from IP addresses all over the globe, starting with A,
and not overlapping words.
They are getting more devious too. I found one that had a bug in their
tool so it was obvious the connections were linked and they overlapped
names every so often (unless it was a single bot net running two
separate lists, which is also possible).

It's ugly. No matter how you slice it.

Greg
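
The coordinated dictionary scan described in the message above can be spotted in mail server logs. The following is an added example, not part of the original e-mail: it scores a window of unknown-recipient rejects for many source hosts walking one alphabetical list without repeating names. The log format (modelled on Postfix reject lines), the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: unknown-recipient rejects in a Postfix-like format (assumed).
TEMPLATE = ("Jan  7 18:00:{s:02d} mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from "
            "unknown[{ip}]: 550 5.1.1 <{user}@example.org>: Recipient address "
            "rejected: User unknown in local recipient table")
PROBES = [("192.0.2.10", "aaron"), ("198.51.100.7", "abby"), ("203.0.113.5", "adam"),
          ("192.0.2.10", "alan"), ("198.51.100.7", "alice"), ("203.0.113.5", "amy"),
          ("192.0.2.99", "greg")]  # last entry: a lone typo, not a scanner
SAMPLE_LOG = [TEMPLATE.format(s=i, ip=ip, user=u) for i, (ip, u) in enumerate(PROBES)]

REJECT = re.compile(r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
                    r"<(?P<user>[^@>]+)@[^>]*>: Recipient address rejected: User unknown")

def parse(lines):
    """Return (ip, local_part) for each unknown-recipient reject, in log order."""
    return [(m["ip"], m["user"].lower()) for m in map(REJECT.search, lines) if m]

def analyze(lines, min_ips=3, min_per_ip=2, max_overlap=0.2, min_sorted=0.8):
    """Score a window of log lines for one name list split across many hosts."""
    probes = parse(lines)
    per_ip = defaultdict(int)
    for ip, _ in probes:
        per_ip[ip] += 1
    # A single reject from a source is more likely a typo than a scan.
    scanners = {ip for ip, n in per_ip.items() if n >= min_per_ip}
    seq = [(ip, user) for ip, user in probes if ip in scanners]
    tried_by = defaultdict(set)
    for ip, user in seq:
        tried_by[user].add(ip)
    # Overlap: share of names probed by more than one host (low = partitioned list).
    overlap = sum(len(s) > 1 for s in tried_by.values()) / len(tried_by) if tried_by else 0.0
    # Sortedness: share of consecutive probes, across all hosts, in alphabetical order.
    names = [user for _, user in seq]
    pairs = list(zip(names, names[1:]))
    in_order = sum(a <= b for a, b in pairs) / len(pairs) if pairs else 0.0
    return {"ips": len(scanners), "names": len(tried_by), "overlap": overlap,
            "sortedness": in_order,
            "coordinated": len(scanners) >= min_ips and overlap <= max_overlap
                           and in_order >= min_sorted}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A scan that repeats names across hosts, like the buggy tool mentioned in the message, raises `overlap` and would need a looser `max_overlap` to be flagged.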
