Extensions are recommended (, ) to use ids of the format firstname.lastname@example.org, where organization.tld is typically a valid domain name owned by the author. Unfortunately, spammers find these ids (more likely because people list them online than by actually unpacking extensions) and send email to them. I'm currently receiving over 200 spam emails a day sent to my addon id email addresses (which I have never publicised). While in theory this is easy to block, spammers also email hundreds of variants of the email addresses, rendering it very difficult to use a catch-all email address on the domain.
If id's continue to be in email address format, perhaps Mozilla should recommend (on the pages below) that users use a fake domain name, and/or domains like mydomain.nospam.com ?
P.S. Sorry if this isn't the right category - there wasn't anything very appropriate.
If you own a domain name and use it anywhere for anything you're going to get some spam. No way to avoid that. I don't think using a fake domain is a good idea here, because the point of using one you own is to prevent the possibility of someone else having it. I also don't foresee this format being dropped at any point, as that would obviously break quite a bit. If you're worried about spam from this I suggest you just use a generated xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx style GUID instead.
Yeah, AMO Policy isn't really the right place for this. If you're suggesting a page change to mention this problem then I guess filing it for MDC might be better.
I think AMO is promoting the email style GUID over the generated style. CCing nick.
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style.
Really? Where is this mentioned on AMO then?
(In reply to comment #2)
> I think AMO is promoting the email style GUID over the generated style. CCing
Yeah I don't think AMO advertises anything related to GUIDs, so it's a question of documentation, and I think MDC is a good place for this bug. I feel empathy with the authors, as I can see the effect of randomized spam attacks in my own log files daily ;) Promoting a dummy email address over a valid one may help keep unexperienced add-on authors from stepping into this "trap", so I am in favor of mentioning that on MDC.
Changing this on MDC would involve changing a lot of pages. I don't have time to deal with it right now, so this may sit around for a while unless someone else wants to deal with it; the email address route is recommended in a *lot* of places. :)
We don't promote anything, perhaps we put in a little helper text on the id field that suggests using generated GUIDs to avoid spam.
The email format is what we recommend because it works as a better identifier that a generated one. Using your personal email address as a public id is not a very good idea, specially if your add-on is open source and its source is published somewhere. I feel that this should be common sense and no further action is required, but I'll let the docs people make the call.
Updated both of the articles mentioned in c#0 to clearly say not to use email addresses.