Contacting David A. Wheeler

You can contact me at my email address, in fact, I gladly welcome personal email intended specifically for me!

You don't need to contact me to create links to my material, though. Please create and publish hypertext (URL) links to anything on my site - you have my permission! (The web was specifically designed to support deep linking, and "fair use" explicitly permits quotes of small things like URLs, so no permission is required anyway. I write this to increase the happiness of (1) the lawyers who are ignorant about the Internet and (2) the unfortunate people subjugated by such lawyers.)

Make sure you have the right person

Please make sure you really intend to talk with me. I’m not:

  1. David E. Wheeler, who develops Bricolage (an OSS/FS CMS package). We both use Perl, and both develop FLOSS programs.
  2. David John Wheeler (deceased) who invented the TEA and XTEA encryption algorithms and co-invented the subroutine.
  3. David M. Wheeler, who wrote the ACSAC 2001 paper "Java Security Extensions for a Java Server in a Hostile Environment" (I have written an ACSAC 2005 paper on countering trusting trust, a Java security tutorial, and a book on how to write secure programs).
  4. Dave Wheeler, who specializes in Microsoft's .NET stuff (Dave writes training courses, books, and articles about .NET).
I never go by Dave, and I always use my middle initial (A) in written material - hopefully that will help people distinguish between us.

How to contact me

As long as you aren't sending me spam, my email address is “dwheeler”, followed by the “at” sign, followed by “dwheeler.com”, and please include my current ham password (email password) somewhere in the subject line. My current ham password is:

It is zzy, preceded by xy, as a single word; this is a small homage to the old text adventure game ADVENT.

Email privacy: None by default

I assume that messages sent to me may be shared with the public unless you tell me otherwise.

I often keep private email private, as a courtesy to the sender, but I don't think I'm legally obligated to do so. Please let me know (in the email) if you really want me to keep something private; I get a lot of email, and if you can't take the time to tell me "please keep this private", please don't expect me to take the time to keep it private either. I simply don't have the time to constantly email back to everyone who sends me an email, just to find out if I can post it. Courts and government agencies typically work the same way; they typically require senders to mark stuff that's private / confidential / whatever when it's sent, because it's too hard to handle things otherwise.

Sometimes I'll keep messages private because I can guess that you intended for them to be private. But don't expect me to do so; I'm only human, and I will guess wrong sometimes. If you want me to keep your message private, tell me that in your message.

What's this ham password stuff?

The ham password is simply a password that shows me that you’re not an automated system sending me unsolicited bulk email (”spam”). You can surround the ham password with parentheses to make it clearer. You are not permitted to send unsolicited bulk email (UBE, commonly referred to as spam) to any of my email addresses, or to sell my email addresses to people who do.

Why do I have an ham password? Basically, I receive a horrendous amount of spam, so I use various filters and automatically throw away, without review, all email that looks like spam. I’m sorry, but it has to be that way. Including my ham password in a subject line is not a guarantee that I’ll see it, but it greatly increases the odds. Be sure that your message doesn’t look like spam! For example, use a very specific subject line (not “hi”, URGENT, a blank line, or other nondescript things). Send the message as ordinary text; I normally ignore HTML text, and messages with just a URL will be trashed too. Use English; I don’t read anything else well (my technical French is only tolerable), and I get a lot of non-English spam. Never send me executable attachments like “.exe” files; those are immediately tossed (no one should ever execute arbitrary code sent by email, since email is easily spoofed and malware can send email from a compromised machine). Useful attachments (like patches to my source code) are very welcome, but the main body of your text will need to convince me that I should open the attachment. When in doubt, I throw it out.

Placing the ham password in the body of the message will not help; a spammer could include lots of guesses in a message body. The ham password only has an effect if it's in the subject line, and due to subject line lengths (which I can impose!), they can’t do much automated guessing without sending a ton of messages (and I would notice that too). Once spammers start exploiting a ham password, I just change it.

If you’re interested in learning more about my approach to countering spam, see my essay Countering Spam Using Ham Passwords (Email Passwords), as well as my background essay on stopping spam. You’ll notice that the image above is a simple kind of Captcha, a test to determine if the reader is human or not (to counter automated email address capturing tools).

By the way, never send email to badaddress@dwheeler.com. That’s a dead giveaway that you’re a spammer, because no one has a legitimate need to send email there. Don’t worry, I’m aware that spammers often forge the “from” address.

Warning to spammers

DO NOT SPAM By sending spam (spam is unsolicited bulk email, both commercial and noncommercial) to any of my email addresses (extracted from any source, including website pages or postings), you agree to pay a fee of USD $10,000.00 per message you send to me and USD $100,000.00 per instance you sold this address. I consider such actions actionable trespass to personal property, theft of private resources, and willful harassment. If you’re sending an email to many people (say over 1000), and they didn’t specifically grant you permission to do so, you’re a spammer. Spam is theft - stop spam now! Feel free to see my essay about spam.

Spam is any unsolicited bulk email. If I didn't sign up for your list (or in some other way specifically authorize you to send me information), and you're sending the same logical message to more than a thousand people, you're a spammer. Spammers are by definition unethical, and in many locales criminal; please do something positive for the world instead!

Legal threats

Sometimes I get nonsense legal threats emailed to me. I reserve the right to publicly publish any threats sent to me, without permission of the sender (even if the sender says it's private), to encourage the ridicule, scorn, and shaming of such people. I know my rights; see Chilling Effects and the EFF's Legal Guide for bloggers for more.

Feel free to visit my home page.