Discussion:
Water tight opt-in (yet another FUSSP)
Alessandro Vesely
2013-12-21 13:13:23 UTC
Hi and season's greetings to all!

This Final Ultimate Solution to the Spam Problem is based on two
existing techniques:

1. tagged email addresses
http://wiki.asrg.sp.am/wiki/Tagged_addresses

2. web-based subscriptions to newsletters and other marketing stuff.

#1 can be provided by either the user's MSA or a third party. In
either case, each tagged address should be registered in a DB, along
with some notes such as which company was the address given to.

#2 is obviously the main way that marketers use to collect addresses
legally. The FUSSP[1] consists of enticing those marketers to declare
the domain name and a List-Id, envelope sender, or similar token that
can be used for email authentication[2]. With such additional data,
the user-side server (their MSA or 3rd party) can have the user log in
and confirm the subscription (a step that many marketers still omit
because they fear that users won't click on a link they found in an
email message). It will then be able to check the sender's compliance.

The term "water tight opt-in" was coined by David Hofstee on SDLU, and
the mechanism is further described in my wiki[3]. I think you don't
have to read the latter to guess how subscribing, checking, and
certifying that a proper subscription was performed can work. A
reason why marketers would want those subscription certificates is the
upcoming Canadian law enforcement.

It seems to me it would only take some commitment and cooperation to
have it started. I'm unable to find the proper anchor for this FUSSP
in Vernon's page[1], not even the first (I didn't "discover", just
stumbled upon it.) Can you help?

Best wishes
Ale

--
[1] http://www.rhyolite.com/anti-spam/you-might-be.html
[2] https://en.wikipedia.org/wiki/Email_authentication
[3] http://fixforwarding.org/wiki/Water_tight_opt-in
--
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
Seth
2013-12-22 17:27:53 UTC
Post by Alessandro Vesely
It seems to me it would only take some commitment and cooperation to
have it started. I'm unable to find the proper anchor for this FUSSP
in Vernon's page[1], not even the first (I didn't "discover", just
stumbled upon it.) Can you help?
Probably my idea from over a decade ago (I have no idea how long):
confirmation requests would be sent to the user's ISP, who would
generate the confirmation web link and send it to the user. The
confirmation would go through the ISP, so the ISP would *know* that this
user subscribed to this list.

The purpose wasn't "proof", but rather to allow users to subscribe to
lists that other users (at the same ISP) called spam, without the ISP
filtering mail to the users who legitimately subscribed. Likewise,
"this is spam" reports from users known to have subscribed would be met
with "you subscribed to <list> on <date>; do you want to unsubscribe?"
rather than outward reports of spam.

Providing the recipient ISP is trustworthy, this would also provide
proof of opt-in for a third party.

It isn't close to FUSSP, since it addresses only list mail. While I'm
subscribed to hundreds of lists using tagged addresses, much of my spam
still comes to my untagged people-and-discussion-lists address.

Seth
Alessandro Vesely
2013-12-23 11:46:19 UTC
Post by Seth
Post by Alessandro Vesely
It seems to me it would only take some commitment and cooperation to
have it started. I'm unable to find the proper anchor for this FUSSP
in Vernon's page[1], not even the first (I didn't "discover", just
stumbled upon it.) Can you help?
confirmation requests would be sent to the user's ISP, who would
generate the confirmation web link and send it to the user. The
confirmation would go through the ISP, so the ISP would *know* that this
user subscribed to this list.
Yeah, there are lots of similar variations. The advantage of this
arrangement is that the ISP (well, the mailbox provider) can confirm
the user really wants to subscribe at a moment when he or she knows
what subscription they're talking about.
Post by Seth
The purpose wasn't "proof", but rather to allow users to subscribe to
lists that other users (at the same ISP) called spam, without the ISP
filtering mail to the users who legitimately subscribed.
It is somewhat hazy how to identify a mail stream. DKIM's d= tag plus
a signed List-Id would be a candidate. That's needed because tagged
addresses can leak and be abused too.
Post by Seth
Likewise, "this is spam" reports from users known to have
subscribed would be met with "you subscribed to <list> on <date>;
do you want to unsubscribe?" rather than outward reports of spam.
And cooperation would also allow varying degrees of unsubscription,
for example one might still accept really astounding announcements on
the subject. IMHO, such a feature should be regarded as a very valuable
asset by marketers, as it provides a means to legitimately contact a
potentially huge number of people, on some occasions. Spam reports
can help modulate the frequency of messages so as to suit each user's
concept of "really astounding".

As a last resort, users can unilaterally withdraw misbehaving tagged
addresses. That is their guarantee.

The first thing to do is probably to convince more users to use tagged
addresses whenever they won't be published. TrashMail's two-click
paste is very attractive in that respect, but it needs an add-on.
OTOH, if web forms provided that functionality, it would be easier for
mailbox providers to be second movers. A chicken and egg question.
Post by Seth
Providing the recipient ISP is trustworthy, this would also provide
proof of opt-in for a third party.
You mean the third party would have to ask the ISP? A marketer could
hand digitally signed statements to an ESP, which, in turn, would just
need to run a script in order to extract a clean list automatically.
Post by Seth
It isn't close to FUSSP, since it addresses only list mail. While I'm
subscribed to hundreds of lists using tagged addresses, much of my spam
still comes to my untagged people-and-discussion-lists address.
Hm, yes, you're right, even for an overloaded acceptation of the term
"list" that encompasses all legitimate bulk mail. However, if
receivers can tell what mail is solicited, detecting spam reduces to
recognizing what mail is bulk. 50% of the work done, I'd say :-)

Ale
--
http://fixforwarding.org/wiki/Water_tight_opt-in

Richard Clayton
2013-12-23 12:40:36 UTC
Post by Alessandro Vesely
Post by Seth
confirmation requests would be sent to the user's ISP, who would
generate the confirmation web link and send it to the user. The
confirmation would go through the ISP, so the ISP would *know* that this
user subscribed to this list.
Yeah, there are lots of similar variations. The advantage of this
arrangement is that the ISP (well, the mailbox provider) can confirm
the user really wants to subscribe at a moment when he or she knows
what subscription they're talking about.
In both "data protection" and "privacy" regimes you would need the
subscriber's explicit and informed permission to proactively reveal to
the ISP (a third party) which mailing lists had been subscribed to.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Alessandro Vesely
2013-12-25 12:58:59 UTC
Post by Richard Clayton
Post by Alessandro Vesely
Post by Seth
confirmation requests would be sent to the user's ISP, who would
generate the confirmation web link and send it to the user. The
confirmation would go through the ISP, so the ISP would *know* that this
user subscribed to this list.
Yeah, there are lots of similar variations. The advantage of this
arrangement is that the ISP (well, the mailbox provider) can confirm
the user really wants to subscribe at a moment when he or she knows
what subscription they're talking about.
In both "data protection" and "privacy" regimes you would need the
subscriber's explicit and informed permission to proactively reveal to
the ISP (a third party) which mailing lists had been subscribed to.
Correct. The mailbox provider agreement would have to be amended so as
to state such clause. Consent is straightforward for unilateral
developments such as the TrashMail add-on. When "ISP confirmation"
(this water tight opt-in, that is) will be available, a user should be
able to explicitly request to skip it --and presumably use traditional
COI instead. That also covers possible implementation bugs.

In practice, it is very difficult for users --or anyone acting on their
behalf-- to obtain a list of current subscriptions: Waiting for
reminders takes time and is not reliable. Consistent use of water tight
opt-in would overcome that limitation.

Ale
Gordon Peterson
2013-12-29 17:56:25 UTC
This whole thing seems to me like a solution in search of a problem. I
don't believe that most ISPs want to serve as intermediaries between
their users and (legitimate, at least) list services.

I've been involved with (say) Yahoogroups for more than ten years. You
subscribe, you get an e-mailed confirmation request, you reply to that
by e-mail, and you're in. You unsubscribe either at the website, or
with an e-mail message (again, confirmed). Just not a problem.

I'm far more annoyed at bogus spam e-mails (and junk faxes, already
illegal, but that's a separate issue), which are either hawking stuff I
don't really want, or (increasingly) are malicious lures trying to get
me to open a malicious attachment, or go to a malicious website which
would doubtless infect my computer.

Those of us that use Thunderbird mail client software, in the case of
prolific repeating list services and companies that don't respect
unsubscribe requests, it's easy enough to set up a mail filter rule that
just t-cans all incoming mail from that address or domain. Agreed that
the bandwidth still gets wasted, but I'm not convinced at this point
that it's material, compared to much bulkier stuff (streaming video,
high-res photos, etc) which occupy probably a lot more of the total.

Personally, I'm getting increasingly more concerned about CryptoLocker
and its ilk, and its implications for the new year 2014. I suppose it's
easy enough to just say that it's going to be a Darwinian thing which
will discourage the terminally clueless types (but there are a LOT of
those, still) and tend to make them abandon the PC/Windows platform, but
of course that's not a long-term solution, because the malware guys will
just move to iOS or Android or whatever the new vulnerable platform is.

I'm also concerned about some of these types of malware getting loose in
cloud services, and starting to spread (infection, or even just damage)
that way.

Speaking about probably-malicious spam, does anybody here know WTF is
the deal with all the wildly divergent (but similar-looking, often) spam
e-mails with links to unknown/suspicious websites, where the link URL
contains a lot of long numbers, garbled vaguely-relevant word fragments,
and incoherent quasi-random punctuation? I've gotten a lot of them
about wood project plans, political lures, and all other sorts of
stuff. Anybody know what the deal is with those?
Dave Warren
2013-12-30 00:59:55 UTC
Post by Gordon Peterson
This whole thing seems to me like a solution in search of a problem. I
don't believe that most ISPs want to serve as intermediaries between
their users and (legitimate, at least) list services.
While I agree that most ISPs don't want to be involved, the reality of
it is that filtering bulk mail is a far easier problem to solve than
filtering spam, but a lot of bulk mail is actually wanted/desired.

As a mailbox provider, it would make my life a lot easier if I could
whitelist every piece of bulk mail that a user actually wants upfront,
allowing me to blacklist (or score down) with impunity.

Unfortunately, this is a FUSSP since it would require virtually all bulk
senders to comply in order for recipients to yield benefit from it.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Never try to extort more than it would cost to have you killed.

Seth
2013-12-30 01:15:27 UTC
Post by Dave Warren
As a mailbox provider, it would make my life a lot easier if I could
whitelist every piece of bulk mail that a user actually wants upfront,
allowing me to blacklist (or score down) with impunity.
Unfortunately, this is a FUSSP since it would require virtually all bulk
senders to comply in order for recipients to yield benefit from it.
Nope; suppose only one bulk sender and one ISP used it. They'd benefit:
the sender would have (a little) less valid email blocked, the ISP's
customers would have (a little) less wanted email lost. The incentive
for each additional sender or ISP to join gets even higher as adoption
increases.

There is no necessity that even a large percentage of either adopt it in
order for the adopters to benefit.

Now, before an ISP could use it to strongly score down bulk mail that
didn't use it, there would have to be wide adoption by senders; but the
ISP could use it to weakly score down bulk mail that didn't use it (and
reject entirely bulk mail claiming to be from senders who do when the
mail doesn't validate).

Seth


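As an added example (not code from this thread, from fixforwarding.org, or from any of the posters), the following Python sketch shows what the mailbox-provider side of the scheme could look like when the three pieces discussed so far are put together: the registry of tagged addresses with the sender's declared DKIM d= and List-Id from Ale's opening post and his 2013-12-23 reply, the compliance check on each incoming message, and the scoring policy Seth sketches just above (weak score-down for bulk mail outside the scheme, outright rejection for mail that claims a participating sender but does not validate). Everything beyond those ideas is an assumption of the example: the registry is a per-user in-memory table, the receiving MTA has already verified DKIM and recorded the result in an Authentication-Results header, "bulk" is inferred from List-Id/List-Unsubscribe headers, and all addresses, domains and messages are constructed.

```python
"""Mailbox-provider side of water tight opt-in. Added example, not thread code.
Assumed, not from the thread: a per-user in-memory registry; the MTA already
verified DKIM and recorded it in Authentication-Results; list headers mark
bulk mail; every address, domain and message here is constructed."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

@dataclass
class Subscription:
    tagged_address: str       # tag handed to exactly one sender
    company: str              # note kept alongside the tag
    dkim_domain: str          # DKIM d= the sender declared when subscribing
    list_id: Optional[str]    # List-Id the sender declared, if any
    confirmed: bool = False   # user confirmed after logging in at the provider
    withdrawn: bool = False   # user unilaterally withdrew the tag

@dataclass
class Verdict:
    action: str               # "accept", "reject", "score_down" or "neutral"
    reason: str
    folder: Optional[str] = None   # IMAP folder the stream is filed into

class Registry:
    def __init__(self):
        self.by_tag = {}             # tagged address -> Subscription
        self.participating = set()   # d= domains of cooperating senders

    def register(self, sub):
        self.by_tag[sub.tagged_address.lower()] = sub
        self.participating.add(sub.dkim_domain.lower())

# Reads "dkim=pass ... header.d=<domain>" as the MTA recorded it; the
# signature was verified upstream, this code only trusts that record.
_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([A-Za-z0-9.-]+)", re.I)

def passing_dkim_domains(msg):
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in _DKIM_PASS.findall(str(ar)))
    return found

def list_id_of(msg):
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    return m.group(1).lower() if m else None

def classify(registry, raw):
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed = passing_dkim_domains(msg)
    sub = registry.by_tag.get(rcpt)
    if sub is not None:
        # A tagged address admits only the stream it was bound to; anything
        # else means the tag leaked or the sender drifted.
        if sub.withdrawn:
            return Verdict("reject", "tagged address withdrawn by user")
        stream_ok = sub.dkim_domain.lower() in signed and (
            sub.list_id is None or list_id_of(msg) == sub.list_id.lower())
        if stream_ok and sub.confirmed:
            return Verdict("accept", "solicited stream validated", sub.company)
        if stream_ok:
            return Verdict("reject", "subscription not confirmed by user")
        return Verdict("reject", "tag leaked or stream mismatch")
    # Untagged recipient: only negative signals are available (Seth's policy).
    if from_domain in registry.participating and from_domain not in signed:
        return Verdict("reject", "claims a participating sender but fails DKIM")
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return Verdict("score_down", "bulk mail outside the opt-in scheme")
    return Verdict("neutral", "not bulk; the scheme says nothing about it")

def _msg(**hdrs):
    """Constructed test message from header name/value pairs."""
    return "".join(f"{k.replace('_', '-')}: {v}\n" for k, v in hdrs.items()) + "\nbody\n"

SOLICITED = _msg(Authentication_Results="mx.example.net; dkim=pass header.d=acme-news.example",
                 From="ACME News <news@acme-news.example>", To="<user+acme@example.net>",
                 List_Id="ACME weekly <weekly.acme-news.example>")
LEAKED_TAG = _msg(Authentication_Results="mx.example.net; dkim=pass header.d=other.example",
                  From="<deals@other.example>", To="<user+acme@example.net>")
SPOOFED = _msg(Authentication_Results="mx.example.net; dkim=none",
               From="<news@acme-news.example>", To="<user@example.net>")
UNKNOWN_BULK = _msg(From="<promo@bulk.example>", To="<user@example.net>",
                    List_Unsubscribe="<mailto:leave@bulk.example>")

def demo():
    reg = Registry()
    tag = "user+acme@example.net"
    reg.register(Subscription(tag, "ACME", "acme-news.example", "weekly.acme-news.example"))
    reg.by_tag[tag].confirmed = True         # user confirmed at the provider
    out = {"solicited": classify(reg, SOLICITED),
           "leaked": classify(reg, LEAKED_TAG),
           "spoofed": classify(reg, SPOOFED),
           "unknown_bulk": classify(reg, UNKNOWN_BULK)}
    reg.by_tag[tag].withdrawn = True         # the user's last-resort guarantee
    out["withdrawn"] = classify(reg, SOLICITED)
    return out
```

Running demo() files the solicited message into the "ACME" folder, rejects the same stream once the user has withdrawn the tag, rejects mail to the tag from any other DKIM domain (the leaked-tag case Ale raises), rejects an unsigned message claiming a participating sender, and merely scores down bulk mail from a sender that never joined, which is the graded policy Seth describes. The check deliberately keys on the DKIM d= domain rather than the From header, so a sender using several domains or IP addresses cannot reuse a tag bound to one declared stream.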
Alessandro Vesely
2013-12-31 13:00:30 UTC
Post by Seth
Post by Dave Warren
As a mailbox provider, it would make my life a lot easier if I could
whitelist every piece of bulk mail that a user actually wants upfront,
allowing me to blacklist (or score down) with impunity.
Unfortunately, this is a FUSSP since it would require virtually all bulk
senders to comply in order for recipients to yield benefit from it.
the sender would have (a little) less valid email blocked, the ISP's
customers would have (a little) less wanted email lost. The incentive
for each additional sender or ISP to join gets even higher as adoption
increases.
There is no necessity that even a large percentage of either adopt it in
order for the adopters to benefit.
Yup, and in the case of no bulk senders implementing it, an ISP can
still enrich its offering with this additional feature.
Post by Seth
Now, before an ISP could use it to strongly score down bulk mail that
didn't use it, there would have to be wide adoption by senders; but the
ISP could use it to weakly score down bulk mail that didn't use it (and
reject entirely bulk mail claiming to be from senders who do when the
mail doesn't validate).
I doubt any sender could ever claim to do subscriptions in a given
way /only/, because people may want to subscribe the way they like.

Ale
Chris Lewis
2013-12-30 01:29:40 UTC
Post by Gordon Peterson
Speaking about probably-malicious spam, does anybody here know WTF is
the deal with all the wildly divergent (but similar-looking, often) spam
e-mails with links to unknown/suspicious websites, where the link URL
contains a lot of long numbers, garbled vaguely-relevant word fragments,
and incoherent quasi-random punctuation? I've gotten a lot of them
about wood project plans, political lures, and all other sorts of
stuff. Anybody know what the deal is with those?
The wood project plans thing, at least, is Snowshoe spam. Dodgy
products, spewed from many places, but not botted. Haven't looked deep
enough into it to see if there's any outright scamming going on (eg: $1
product you buy, with hidden credit charges - see the dark lord link below).

The gibberish and such is to defeat checksumming and other bulk email
detection. Even in the links it can be used for that purpose in
addition to such things as providing keys as to _who_ accessed the link, etc.

The Stansberry stuff is financial scams. Etc.
Post by Gordon Peterson
http://www.theatlantic.com/magazine/archive/2014/01/the-dark-lord-of-the-internet/355726/
Alessandro Vesely
2013-12-31 12:55:56 UTC
Post by Gordon Peterson
This whole thing seems to me like a solution in search of a problem. I
don't believe that most ISPs want to serve as intermediaries between
their users and (legitimate, at least) list services.
I've been involved with (say) Yahoogroups for more than ten years. You
subscribe, you get an e-mailed confirmation request, you reply to that
by e-mail, and you're in. You unsubscribe either at the website, or
with an e-mail message (again, confirmed). Just not a problem.
98% agree, as Yahoogroups and classical mailing lists (like this one)
are respectful of users' privacy. There are still two points (to 100%):
One is that list owners have no evidence of subscription, should it be
needed. The other point is that IMAP and webmail users can get the
ability to direct specific mail streams to specific folders in their
mailbox, at the same time as they confirm subscriptions.
Post by Gordon Peterson
Those of us that use Thunderbird mail client software, in the case of
prolific repeating list services and companies that don't respect
unsubscribe requests, it's easy enough to set up a mail filter rule that
just t-cans all incoming mail from that address or domain.
Some senders use several domains and IP addresses. And some users read
mail from multiple clients. For disrespectful senders, eliminating the
corresponding disposable address is way more effective. That's where
this solution pays off, also due to the fortunate coincidence that such
senders often promise to never disclose addresses. Since, unlike
mailing lists, personal replies are not possible, users can exploit
obscurely tagged addresses without worries.

Ale
Neil Schwartzman
2013-12-31 18:34:35 UTC
Alessandro,

I’d like to ask you a fundamental question - what problem are you trying to solve?


Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Post by Alessandro Vesely
Post by Gordon Peterson
This whole thing seems to me like a solution in search of a problem. I
don't believe that most ISPs want to serve as intermediaries between
their users and (legitimate, at least) list services.
I've been involved with (say) Yahoogroups for more than ten years. You
subscribe, you get an e-mailed confirmation request, you reply to that
by e-mail, and you're in. You unsubscribe either at the website, or
with an e-mail message (again, confirmed). Just not a problem.
98% agree, as Yahoogroups and classical mailing lists (like this one)
One is that list owners have no evidence of subscription, should it be
needed. The other point is that IMAP and webmail users can get the
ability to direct specific mail streams to specific folders in their
mailbox, at the same time as they confirm subscriptions.
Post by Gordon Peterson
Those of us that use Thunderbird mail client software, in the case of
prolific repeating list services and companies that don't respect
unsubscribe requests, it's easy enough to set up a mail filter rule that
just t-cans all incoming mail from that address or domain.
Some senders use several domains and IP addresses. And some users read
mail from multiple clients. For disrespectful senders, eliminating the
corresponding disposable address is way more effective. That's where
this solution pays off, also due to the fortunate coincidence that such
senders often promise to never disclose addresses. Since, unlike
mailing lists, personal replies are not possible, users can exploit
obscurely tagged addresses without worries.
Ale
Alessandro Vesely
2014-01-01 11:19:12 UTC
Hi Neil,
Post by Neil Schwartzman
I’d like to ask you a fundamental question - what problem are you trying
to solve?
I'm not sure how to call it, "legitimate spam"? I mean bulk mail, sent
using true names, possibly authenticated, sometimes wanted. For
example, most web sites require some kind of subscription in order to
post any content (because of web-spam); they may use OpenID, COI, or
whatever, and collect posters' addresses. Those addresses are treated
with varying degrees of conscientiousness by different operators. The
problem is to allow people to keep control of their mailboxes without
limiting their ability to subscribe at will.

Does that answer your question?

Happy new year
Ale
Martijn Grooten
2014-01-01 20:28:11 UTC
Post by Alessandro Vesely
I'm not sure how to call it, "legitimate spam"? I mean bulk mail, sent
using true names, possibly authenticated, sometimes wanted.
Do you have any reason to assume that there is a strong correlation between 'wanted' and 'having given verifiable permission'?

For this supposed FUSSP assumes that there is. I doubt that this is the case.

I agree that making the right decision on these kinds of emails is perhaps the biggest challenge for spam filters (though not necessarily the most important one). But I am not convinced that this proposal would do a better job at this than what spam filters do now, which is make an educated guess based on the reputation of the sender, the content of the email and, sometimes, the preferences and behaviour of the recipient.

Apart from this there are also, as has been mentioned, practical issues. As well as issues to do with privacy and data protection.

And, perhaps most importantly, the fact that giving certain senders direct access to many people's inboxes introduces a dangerous single point of failure that those with malicious intentions will be all too eager to try to exploit.

Martijn.

Alessandro Vesely
2014-01-03 11:28:35 UTC
Hi,
Post by Alessandro Vesely
I'm not sure how to call it, "legitimate spam"? I mean bulk mail, sent
using true names, possibly authenticated, sometimes wanted.
Post by Martijn Grooten
Do you have any reason to assume that there is a strong correlation
between 'wanted' and 'having given verifiable permission'?
For this supposed FUSSP assumes that there is. I doubt that this is the case.
The FUSSP does not assume all messages are wanted. Check out
TrashMail.net: They usually set short-lasting permissions, both as
the number of incoming messages allowed as well as the physical time
allotted.

Let me clarify that the TrashMail add-on is _very_ convenient and
hardly beatable. Its only shortcoming is that legitimate spammers may
perceive it as repressive, since it returns a surrogate address and
precludes any cooperation. That said, I don't think spammers will
rush for the required web-form upgrades, if cooperation is opened up.
Yet, opening that possibility will further weaken excuses like "we
cannot do COI because users are advised to never click on links
received by email".
Post by Martijn Grooten
I agree that making the right decision on these kinds of emails is
perhaps the biggest challenge for spam filters (though not
necessarily the most important one). But I am not convinced that this
proposal would do a better job at this than what spam filters do now,
which is make an educated guess based on the reputation of the
sender, the content of the email and, sometimes, the preferences and
behaviour of the recipient.
Bayesian guessing is mumbo jumbo compared to algorithms that know what
they do, or maybe that's me.
Post by Martijn Grooten
Apart from this there are also, as has been mentioned, practical
issues. As well as issues to do with privacy and data protection.
Yes. Suggestions and workarounds are welcome :-) In particular, on
how to integrate the add-on's JavaScript with a webfinger-like thing.

For privacy, however, the issue cuts both ways. A sender who agrees
to cooperatively accept obscure, tagged addresses is waiving its
ability to enhance customer profiling by exchanging data with other
operators, which is based on email addresses comparison. OTOH, the
changes implied by letting your mailbox provider manage your
subscriptions are formal rather than actual, if you consider ISPs can
sniff COI messages anyway.
Post by Martijn Grooten
And, perhaps most importantly, the fact that giving certain senders
direct access to many people's inboxes introduces a dangerous single
point of failure that those with malicious intentions will be all too
eager to try to exploit.
I don't think I got that. D'you mean "direct access" as an
alternative to letting some social network notify for them?

Ale
Martijn Grooten
2014-01-04 23:38:37 UTC
Post by Alessandro Vesely
I don't think I got that. D'you mean "direct access" as an
alternative to letting some social network notify for them?
No. This might be me not understanding the proposal correctly, but it sounded that as a recipient, you would give some senders a (tagged) address that would make the email go straight to your inbox. In that case, some ISPs will have a large collection of such addresses, that someone with malicious intention would like to obtain.

But again, I might not have understood the proposal very well.

Given my scepticism about the need for such a solution in the first place, I'd be hesitant to ask you to write down the details. But if you're really keen, I guess that would help the discussion.

Martijn.

Alessandro Vesely
2014-01-06 12:57:40 UTC
Post by Martijn Grooten
Post by Alessandro Vesely
I don't think I got that. D'you mean "direct access" as an
alternative to letting some social network notify for them?
No. This might be me not understanding the proposal correctly, but
it sounded that as a recipient, you would give some senders a
(tagged) address that would make the email go straight to your
inbox.
Maybe because I mentioned delivering into a given IMAP folder? That
is a directive for the mailbox provider, not the sender. It uses the
identifiability of mail streams (e.g. by domain/list-id). Then, yes,
the sender may get a more direct path to that folder, compared to the
possibly longer and winding path of unknown mail, but still through
regular SMTP.
Post by Martijn Grooten
Given my skepticism about the need for such a solution in the first
place, I'd be hesitant to ask you to write down the details. But if
you're really keen, I guess that would help the discussion.
I tried and better http://fixforwarding.org/wiki/Water_tight_opt-in

I have no idea how clear I managed to make it, also because my English
is what it is. I welcome your skepticism, and would be grateful if
you could use it to find the lame passages of that page.

Ale
Martijn Grooten
2014-01-06 14:14:46 UTC
Post by Alessandro Vesely
I tried and better http://fixforwarding.org/wiki/Water_tight_opt-in
I have no idea how clear I managed to make it, also because my English
is what it is. I welcome your skepticism, and would be grateful if
you could use it to find the lame passages of that page.
Thanks for this.

And don't worry about your English - it is fine. I think the current proposal is clear and well-written. It doesn't go into details very much, but I can imagine we could fill in those details if we really wanted to.

I still don't think we do though.

Firstly, I think this proposal tries to address a problem that is very small. Laura's comments - thanks for which - confirm me in this belief.

Secondly, I don't believe the solution and its consequences will be easily understood by the average user of email. At a first glance, it might make sense to use an email address that expires after a month for a one-off purpose from a web store. Except that sometimes the customer might like the purchase so much, they decide to buy more stuff, only to find out the order confirmation emails stop arriving. Or the store might have a good reason to contact the consumer - a data breach, a fault discovered in the product - and the emails fail to arrive.

I assume the small minority of email users who do understand the consequences of this AND who think the problem of (this kind of) spam justifies using tagged addresses can use something like trashmail.

Martijn.

Neil Schwartzman
2014-01-03 14:42:33 UTC
Post by Alessandro Vesely
Hi Neil,
Post by Neil Schwartzman
I’d like to ask you a fundamental question - what problem are you trying to solve?
I'm not sure how to call it, "legitimate spam"? I mean bulk mail, sent
using true names, possibly authenticated, sometimes wanted. For
example, most web sites require some kind of subscription in order to
post any content (because of web-spam); they may use OpenID, COI, or
whatever, and collect posters' addresses. Those addresses are treated
with varying degrees of conscientiousness by different operators.
Their systems, their rules. Having a verifiable permission token will not make a jot of difference to any of the big receivers, and I doubt any of the smaller ones either.

I can have confirmed opt-in and still spam a recipient. Those ‘gift cards’ do it all the time. ‘Click here to obtain a $25 Best Buy Card’ is usually followed by ‘confirm your email address and mobile phone number, so we can provide offers from our partners’, which is usually followed with a metric ton of spam (and I use that word advisedly).

I can have confirmed opt-in and diverge from the stated intent of my list, say, cars, now carrying content about every type of car accessory, because I thought recipients might find that interesting. I can have confirmed opt-in, and never mention the frequency with which mailings will take place, then begin sending, on the hour. That’s spam, too.
Post by Alessandro Vesely
The
problem is to allow people to keep control of their mailboxes without
limiting their ability to subscribe at will.
Does that answer your question?
Not really, no. What is the problem with subscribing at will? I do it all the time.

Functional unsubscribe is a provision of numerous laws. I may have confirmed opt-in, but when a recipient says ‘stop’ I am legally bound to do so; COI doesn’t trump ‘unsubscribe’.

So, unless I’m missing something here, I don’t see the problem, let alone clearly understand the solution.
Dave Warren
2014-01-03 18:33:06 UTC
Post by Neil Schwartzman
Not really, no. What is the problem with subscribing at will? I do it all the time.
Functional unsubscribe is a provision of numerous laws. I may have
confirmed opt-in, but when a recipient says ‘stop’ I am legally bound
to do so; COI doesn’t trump ‘unsubscribe’
So, unless I’m missing something here, I don’t see the problem, let
alone clearly understand the solution.
The problem is that a lot of senders simply don't stop; they create a
new list a few moons down the road and subscribe their entire (past and
present) customer base and start spamming via that channel, addressing
complaints with a "This was a newly created list, we honour opt-out and
will remove you immediately", right up until the next time they create a
list.

The problem is that they'll send a "Christmas Card" which "isn't spam,
it's just seasons greetings...", with coupons.

The problem is that unsubscribing doesn't undo the subscription. When
you sign up for something and miss a "Sure, share my info with you and
your 100,000 best paying friends", an unsubscribe doesn't wander out
that same chain, you end up with a scorched-earth mailbox of things you
"might be interested in", each needing a separate opt-out.

The problem is companies like Twitter, Facebook, LinkedIn, Amazon, etc
that create new categories of notifications and subscribe everyone to
them by default, despite the fact that you've opted out of all of their
mail in the past, using the "customer relationship" as justification.
And so it is, legally, but the spam still isn't wanted by the recipient.

The problem is the laws are ignored by small companies because no one
enforces anything and there's no private right of action available to
John Recipient, and law enforcement doesn't have the resources to care.

So some mechanism of giving the recipient control, a way to say "I
terminate my relationship with this sender, period" would be of great
benefit to my users.

In the mean time, you get people who have a "spam" email address and
just change it every once in a while. The system works, but every
legitimate, responsible, respectable sender loses his eyeballs when the
bad ones wreck it.

So the problem I'd like to solve? The problem is that *wanted* mail
comes from senders that don't honour opt-outs in the way *recipients*
want/expect. I want wanted mail to make it through as much as I don't
want unwanted mail. Senders have shown they aren't responsible, so I
want recipients to be responsible. I want *wanted* mail to have good
Inbox placement without risking draconian spam filters on my end.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Barry Shein
2014-01-04 19:58:42 UTC
The reasons you list, and more, are why I've long advocated a much
more restrictive definition of spam and why I'm usually kind of
laughed off the stage when I try to describe it but in a nutshell if
it's not being (significantly) paid for and is intended to make a
commercial entity money directly or indirectly then it's spam.

Obviously one can write 500 pages splitting hairs on that but you get
my point I hope even if you don't agree, a much, much more draconian
definition.

I think what I feared 15+ years ago is coming to pass.

Basically, what attracted the loathsome to spam has now attracted the
respectable members of society which is generally what any such
distinction comes down to, we respect Amazon, we don't respect the guy
hawking herbal weight loss products, but also those with bad
intentions of course.

It's nearly free, you can send out literally a billion a day for chump
change (relative to other forms of marcomm), it's low maintenance, it
replaces something much more expensive (e.g., paper "junk" and
administrative mail.)

Consequently so-called "legitimate" spam is not only being inundated
and obscured by so-called "non-legitimate" spam, but also by other
"legitimate" spam.

Who even reads any email from, say, banks or airlines etc you do
business with?

I rarely do unless I have some very specific reason (e.g., I recently
bought a ticket) and even then think long and hard as to whether the
sender is authentic if it calls for any sort of action on my part.

I suppose one can shrug and say who cares, that sounds self-limiting.

But I think when something is so nearly free...well, quantity does
eventually become quality.

And isn't this something so-called legitimate senders should have some
interest in?

Amazon et al do have billions on the line and this is part of that
picture. Some chicken-boner not so much. And of course end-users.

My point is I don't even think much of so-called polite society -- a
term used in internet governance for "legitimate" interests -- is
really thinking along these lines outside of people like us.

I go to meetings like ICANN, try to stir up a discussion of spam and
you get mostly blank affect which can be interpreted as something
ranging from "it's the way it is you can't do anything about it" to
"not my problem" to "psst, I make money off it indirectly so STFU" to
the usual minor nod to phishing or other easily identified immoral
activities, "it's law enforcement's problem".

They're having a potentially valuable resource degraded to below any
utility value, not just by miscreants but also by their own use.

It's been said a million times before but it's the Tragedy of the
Commons writ big and at this point the primary focus on miscreants is
almost a red herring.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Steve Atkins
2014-01-04 21:43:36 UTC
Post by Barry Shein
The reasons you list, and more, are why I've long advocated a much
more restrictive definition of spam and why I'm usually kind of
laughed off the stage when I try to describe it but in a nutshell if
it's not being (significantly) paid for and is intended to make a
commercial entity money directly or indirectly then it's spam.
Obviously one can write 500 pages splitting hairs on that but you get
my point I hope even if you don't agree, a much, much more draconian
definition.
If you’re considering email that people have asked to receive,
are happy receiving and which all entities involved with it are
quite happy to be involved with the delivery of as “spam”, then
you’re far enough from anything remotely operational as to be
entirely irrelevant to actual problems.

Laughing you off the stage is the only reasonable response
to that line of argument, I’m afraid.

Cheers,
Steve

Barry Shein
2014-01-04 23:23:54 UTC
Steve Atkins
2014-01-05 01:12:11 UTC
Post by Steve Atkins
If you’re considering email that people have asked to receive,
are happy receiving and which all entities involved with it are
quite happy to be involved with the delivery of as “spam”, then
you’re far enough from anything remotely operational as to be
entirely irrelevant to actual problems.
If you'd been following the discussion you would know that the note I
was responding to listed several areas of grey covering a wide range
currently considered by unilateral fiat to be email you are happy
with, such as when you order a book on UI design and the seller sends
you nearly daily pitches for every vaguely related book their fuzzy
matchers can possibly come up, as well as passing your contact info on
to many others they consider partners and leaving it up to you to try
to opt-out of each of them.
Some of those concerns are certainly valid - but if you want people
to take your views on them seriously you might want to rethink
your terminology. Bundling *all* email which has the potential of
generating revenue from the sender - including everything from 1:1 mail
from my sales rep at one of my suppliers through to botnet generated
malware - into a single concept is unlikely to lead to useful discussion
either.

Cheers,
Steve

Barry Shein
2014-01-05 01:51:20 UTC
Post by Steve Atkins
Some of those concerns are certainly valid - but if you want people
to take your views on them seriously you might want to rethink
your terminology. Bundling *all* email which has the potential of
generating revenue from the sender - including everything from 1:1 mail
from my sales rep at one of my suppliers through to botnet generated
malware - into a single concept is unlikely to lead to useful discussion
either.
Sez who.

It's fundamentally about the receiver being able to control what they
receive. And what intermediaries (e.g., those who host your email box)
will carry.

They don't need anyone not directly involved to decide what should be
exempt from that control.

That's my point.

And that whatever the intent, no matter how noble, there are so many
thousands of "legitimate" emailers, as well as miscreants, that email
has become increasingly unusable outside of focused interactions such
as this or one on one email.

As I said I'd set that boundary somewhere very different than you
would, most likely. So, it's the old mechanism vs policy discussion.

At any rate, as soon as one is discussing legitimate versus
non-legitimate senders and similar I think they're wading into a
quagmire, yet again.

But just to bring this down to earth, I am trying to introduce some
different ways of thinking about the problem.

Telling me they're not consistent with the almost total disaster of
spam fighting over the past ~15 years really isn't a compelling
refutation.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Chris Lewis
2014-01-05 23:57:15 UTC
Post by Barry Shein
Post by Steve Atkins
Some of those concerns are certainly valid - but if you want people
to take your views on them seriously you might want to rethink
your terminology. Bundling *all* email which has the potential of
generating revenue from the sender - including everything from 1:1 mail
from my sales rep at one of my suppliers through to botnet generated
malware - into a single concept is unlikely to lead to useful discussion
either.
Sez who.
It's fundamentally about the receiver being able to control what they
receive. And what intermediaries (e.g., those who host your email box)
will carry.
They don't need anyone not directly involved to decide what should be
exempt from that control.
I don't see that the proposal at hand, nor much else discussed here is
Post by Barry Shein
That's my point.
isn't really on-point.
Post by Barry Shein
And that whatever the intent, no matter how noble, there are so many
thousands of "legitimate" emailers, as well as miscreants, that email
has become increasingly unusable outside of focused interactions such
as this or one on one email.
Of course there are thousands of legitimate mailers. There are billions
of receivers too. If anything, that ratio seems really low.

And as a point of fact, my email is MUCH more useable than it used to be.
Post by Barry Shein
As I said I'd set that boundary somewhere very different than you
would, most likely. So, it's the old mechanism vs policy discussion.
I think you're setting that boundary somewhere around the "commercial
transactions shouldn't be taking place on the Internet" zone. Even to
old-fart curmudgeons like me that position seems a trifle extreme.
Post by Barry Shein
At any rate, as soon as one is discussing legitimate versus
non-legitimate senders and similar I think they're wading into a
quagmire, yet again.
The terminology is gibberish, and everybody in this conversation seems
to have radically different definitions of it.

I buy woodworking tools from Lee Valley. They email me a monthly
newsletter and, every once in a while, emails about specials.

I _want_ that. I _asked_ for that. Are they a sender? Of course. Can
I block their email if I don't want it? Yup. Can I unsubscribe? Yup.
Do they share my email with others? Nope. They sure as hell ain't
illegitimate senders. So what are they? There is _only_ one
alternative with a binary terminology. A legitimate sender.

Horrors. And there's lots of them. Horrors!

But precisely how are they ruining it for everyone? Sure, it costs me
to receive their email and they make a lot more money if I buy one
(drool drool, that hand plane costs more than my whole computer - maybe
when I win a lottery), but it's one of the reasons why I have email in
the first place.

Actually, rather than a horror, it's a good example of the Internet &
commerce working together rather well.

Then, there's Grace in the Kitchen, a cool store of good kitchen gear,
and houses "Serious Cheese". How serious? You needed reservations to
watch them split the Grana Padano. Yum!

Their email is done by Mailchimp. And _perfectly_. They even COI'd a
POS email acquisition. And don't share my email address.

And we bought some Grana Padano, a pound of which is worth more than
many of our reader's networking for a month. So yes, they made money
off the transaction, none of which reimbursed my network connection. So?

Legitimate? Well, they're not illegitimate, so that leaves only one
alternative.
Post by Barry Shein
But just to bring this down to earth, I am trying to introduce some
different ways of thinking about the problem.
I hate to say it, this different way you're speaking of isn't making any
sense yet.
Post by Barry Shein
Telling me they're not consistent with the almost total disaster of
spam fighting over the past ~15 years really isn't a compelling
refutation.
Murder is still with us. Are the laws against murder a total disaster?
I think not. And besides, the amount of crap getting thru to inboxes
is FAR less than it was years ago, despite the hugely increased volumes
on the wire.
Martijn Grooten
2014-01-04 23:26:13 UTC
Post by Dave Warren
The problem is that a lot of senders simply don't stop; they create
a new list a few moons down the road and subscribe their entire
(past and present) customer base and start spamming via that
channel, addressing complaints with a "This was a newly created
list, we honour opt-out and will remove you immediately", right up
until the next time they create a list.
Since we are, at least supposed to be, a bunch of research "gurus", do you have any research to back this up? Something that shows that either "a lot of senders" engage in this kind of behaviour, or that the few senders who do create a lot of problems.

In my experience, while this kind of spam is a nuisance, it isn't something that bothers people very much, it doesn't create serious bandwidth/storage issues and it is not a real security risk.

Martijn.

Laura Atkins
2014-01-05 04:24:03 UTC
Post by Martijn Grooten
Post by Dave Warren
The problem is that a lot of senders simply don't stop; they create
a new list a few moons down the road and subscribe their entire
(past and present) customer base and start spamming via that
channel, addressing complaints with a "This was a newly created
list, we honour opt-out and will remove you immediately", right up
until the next time they create a list.
Since we are, at least supposed to be, a bunch of research "gurus", do you have any research to back this up? Something that shows that either "a lot of senders" engage in this kind of behaviour, or that the few senders who do create a lot of problems.
Interestingly enough, I've taken one of my spamtraps and am testing that very thing with actual spam. I'm about 2 months into data collection and will probably watch what happens over the next month or two before publishing what I'm seeing. But as of now the amount of mail in that account is decreasing, not increasing. We'll see what happens over time.

In terms of non-spam senders, I sign up tagged addresses to many of my customer lists. Very rarely have these addresses ended up getting mail after I unsubscribe. Certainly there's the very rare "network notification" but I have yet to see any real issues with unsubs being transferred to new lists. I see a lot more crap coming into addresses that were stolen from places I've purchased from (redenvelope, I'm talking to you) than crap coming into customer addresses.
Post by Martijn Grooten
In my experience, while this kind of spam is a nuisance, it isn't something that bothers people very much, it doesn't create serious bandwidth/storage issues and it is not a real security risk.
Agreed.

laura
--
Laura Atkins ***@carrotcafe.com

"If you do not choose to lead, you will forever be led by others.
Find what scares you and do it. And you *can* make a difference,
if you choose to do so." JMS

Dave Warren
2014-01-07 00:13:02 UTC
Post by Laura Atkins
Interestingly enough, I've taken one of my spamtraps and am testing that very thing with actual spam. I'm about 2 months into data collection and will probably watch what happens over the next month or two before publishing what I'm seeing. But as of now the amount of mail in that account is decreasing, not increasing. We'll see what happens over time.
In terms of non-spam senders, I sign up tagged addresses to many of my customer lists. Very rarely have these addresses ended up getting mail after I unsubscribe. Certainly there's the very rare "network notification" but I have yet to see any real issues with unsubs being transferred to new lists. I see a lot more crap coming into addresses that were stolen from places I've purchased from (redenvelope, I'm talking to you) than crap coming into customer addresses.
I wonder if the reason you're not seeing this problem is that you're
subscribing to lists in the first place?

I've never had issues when I've signed up for a mailing list and
unsubscribed, it's the cases where I've signed up as a customer (to a
service, not to a mailing list) that I've gotten added to mailing lists
and been unable to leave.

A few anecdotal examples from my personal mailboxes (I'd suggest
skimming because I'm just ranting now about some places where I can
clearly identify the source of the address):

A DVD rent-by-mail (Netflix without the streaming) has been particularly
bad, every time they switch ESPs they dump their customer list into the
new ESP as a fresh list of safe addresses. I ceased using their services
5-7 years ago, closed my account, and unsubscribed repeatedly.

Another example is the outfit that handles warranty work for a major
hard drive manufacturer. I never gave them my email address in the first
place, but they sent me a "Your drive was received, and a replacement
will be sent" confirmation, which is how I know who they are and where
they got my email address. "As a customer" I'm entitled to their spam on
a variety of topics, and their opt-out either doesn't work (times out),
or it "works", and I get a new topic in a couple months. And how do I
avoid getting re-added to their list? Waive my warranty rights the next
time a drive fails? (Now I use a tagged address -- But the first time it
was my real address)

Another company signed me up for their spam at two addresses for one
warranty claim, 1) at the address I provided them, and 2) at the address
they scraped from the invoice I sent them as proof of purchase. They
honoured the opt-out of the newsletter, but when they have a recall on
any product, I get a notice with a coupon, and sometimes 2-3 more "one
time mailing" that "isn't spam" and has "no need to unsubscribe because
this message is only sent once"

I signed up a tagged address to a big and tall clothing store, started
getting newsletters from their sister store that didn't sell anything in
my size. That took a chance meeting with their marketing director to get
me unsubscribed, as they took every purchase at the big and tall version
of the store as permission to re-subscribe me to their normal-sized suit
store's list (yet oddly, they don't re-add me to the big and tall
store's list, which I would actually like to be on!) -- Luckily this one
was a tagged address.

Or how about Target? They hit me with their breach notification at an
address that they've never been given, despite the fact that I haven't
shopped at Target in over a year since the breach started, and don't
live in the same country as the affected stores -- Not advertising, but
bulk, commercial, and most definitely unsolicited. I'd expect better
targeting from a company that figured out a girl was pregnant and told
her family before she did.

I also get a huge amount of spam at my firstname.lastname over
@gmail.com, an address I've never used for anything except as a test
account at Gmail and for other Google services. But it gets entered by a
lot of people who share my name, but apparently not a high enough IQ to
figure out their own email address. So there are a lot of places that
believe I'm a customer, and just won't take "I'm not now, nor will I
ever be" as an answer, much of which doesn't even have an opt-out link.

Are receipts "transactional" anymore once the company has been notified
that I'm not their customer? I'd argue not. But most online stores have
no way to remove an email address, only to change it.

This is the stuff that's the most difficult to address, and the stuff
that keeps coming back from the dead. I get invitations to movie
premiers and screeners, about a dozen resumes a month, restaurant
invitations, shipping confirmations, etc, much of it follows up with
"Since you're a customer, you get this stuff and have no choice about
it" newsletters. I get tips on maintaining my car (don't have a license,
never owned a car), that dealership "can only change my email address"
but can't remove it from their systems, and
***@dealership-name wasn't acceptable either, oddly enough.
Yup, I was feeling especially professional that day, but in fairness,
this wasn't the first, or second or even third time I contacted them
about it. It was a few years ago, but "even though my warranty expired
and I'm no longer required to get an oil change with them" they'd "love
to keep giving me great service".

One guy was dumb enough to have business cards printed with my email
address. He handed them out for over a month before I finally got enough
info out of a recipient (a photo of the card!) to reach him by phone and
yell at him.

I almost got one guy to stop by having a restaurant talk to him after
making an online reservation. I had a quick chat with the restaurant
manager right before the reservation's time, the manager understood and
talked to him, he said that he already knew Dave. Maybe he did, maybe he
didn't, but I didn't hear from them again.

Then the same guy ordered a cake for delivery to that same restaurant a
month or so later! I came --><-- close to contacting the bakery and
adding "I'm gay!" to the cake and changing it to a picture of a head
poking out of a closet. But I just contacted the bakery and asked them
if they could print a card with a message; I figured he could pay the
$3.50 or whatever fee. I still get spam from the bakery for mother's
day, valentine's day and the like, despite the fact that the baker I
talked to understood the problem, and I even unsubscribed from the first
spam they sent with an unsubscribe link. But hey, I'm a "customer" so it
can't possibly be anything but legitimate. (Actually this was 3-4 years
ago, I think the email dried up about 1-2 years ago, but not for many
moons after the unsubscribe)

So yes, despite many people in the industry claiming this type of spam
isn't a problem and that everyone honours unsubs, it is, and they don't,
and as a recipient my only recourse is to change addresses and be more
selective about what address I give out in the future.

But of course the big money is on sending as much spam as possible
within as wide a path as possible, and so any suggestion of actually
verifying a recipient wants advertising before sending it is laughed off
as a "Well I don't see a problem when I don't look very hard" by one of
the professionals who makes money from the same industry that makes
their money sending unwanted spamvertising in the first place.
</rant></soapbox>
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


Neil Schwartzman
2014-01-11 14:23:54 UTC
it is laughed off as a "Well I don't see a problem when I don't look very hard" by one of the professionals who makes money from the same industry that makes their money sending unwanted spamvertising in the first place.
Since I work for a major receiver would my laughing this off be more credible (not that I accept for a moment that Laura’s comments lack credibility, or yours being mean-spirited and insulting)?

From what I can parse this proposal involves receivers changing infrastructure to fix a problem for which we already have a solution, AND it makes receivers the de facto curators of permission, which may have associated legal liabilities. So, more cost, and potential exposure with no benefits to our customers? Proposing this would be career suicide.

Allow me to have a long belly laugh.

The sender of email has, as part of their normal operating responsibilities and costs, the need to collect and retain permission data, mostly for legal purposes (permission doesn’t figure into SMTP nor reputational decisions for message disposition). Under Canada’s Anti-spam Legislation, there is a follow-the-money régime. Were a receiver to be the holder of permission data, and somewhere along the line screwed it up, implementation of this scheme may leave them exposed to investigations and administrative monetary penalties.

I see zero motivating factors to help Senders deal with any problems at their end, and many potential negatives.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce
Dave Crocker
2014-01-11 14:29:55 UTC
Folks,

Please stop.

This is an IETF mailing list. The IETF has rules about proper conduct
on its mailing lists. Attacking participants is not permitted.

As soon as things devolve into personal attacks, the proper response is
no response.

d/
Post by Neil Schwartzman
it is laughed off as a "Well I don't see a problem when I don't look
very hard" by one of the professionals who makes money from the same
industry that makes their money sending unwanted spamvertising in the
first place.
Since I work for a major receiver would my laughing this off be more
credible (not that I accept for a moment that Laura’s comments lack
credibility, or yours being mean-spirited and insulting)?
From what I can parse this proposal involves receivers changing
infrastructure to fix a problem for which we already have a solution,
AND it makes receivers the de facto curators of permission, which may
have associated legal liabilities. So, more cost, and potential exposure
with no benefits to our customers? Proposing this would be career suicide.
Allow me to have a long belly laugh.
The sender of email has, as part of their normal operating
responsibilities and costs, the need to collect and retain permission
data, mostly for legal purposes (permission doesn’t figure into SMTP nor
reputational decisions for message disposition). Under Canada’s
Anti-spam Legislation, there is a follow-the-money régime. Were a
receiver to be the holder of permission data, and somewhere along the
line screwed it up, implementation of this scheme may leave them exposed
to investigations and administrative monetary penalties.
I see zero motivating factors to help Senders deal with any problems at
their end, and many potential negatives.
Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Alessandro Vesely
2014-01-11 18:03:41 UTC
Post by Neil Schwartzman
From what I can parse this proposal involves receivers changing
infrastructure to fix a problem for which we already have a solution,
Well, that's not really an infrastructural change, it is just a minor
software modification. I mean, for senders who can accept a non-PII
email address --just an anonymous private channel between them and
their customer, kept under their customer's control rather than theirs.

Whatever is the solution we have, it must leave something to be
desired, given that many people use tagged addresses by hand.
Post by Neil Schwartzman
AND it makes receivers the de facto curators of permission, which may
have associated legal liabilities. So, more cost, and potential
exposure with no benefits to our customers? Proposing this would be
career suicide.
Allow me to have a long belly laugh.
Far from me the idea to stop you laughing, I believe it's healthy :-)

However, from a user's POV, the tradeoff is to have a single curator
of choice instead of a bunch of senders, some of which are newcomers
and some of which are untrustworthy. Would users migrate if your
competitors offered this extra feature?
Post by Neil Schwartzman
The sender of email has, as part of their normal operating
responsibilities and costs, the need to collect and retain permission
data, mostly for legal purposes (permission doesn’t figure into SMTP
nor reputational decisions for message disposition).
Permission data collected by a sender on its own can be easily forged.
I'm always surprised when I hear it bears some legal value. A
confirmation signed by a recipient-side curator would allow a sender
to accomplish that need in a well-defined way.
Post by Neil Schwartzman
Under Canada’s Anti-spam Legislation, there is a follow-the-money
régime. Were a receiver to be the holder of permission data, and
somewhere along the line screwed it up, implementation of this
scheme may leave them exposed to investigations and administrative
monetary penalties.
Yes. The holder of permission data has to be the operator of the MX
pointed to by the tagged address, for this scheme to work. Part of
that role could be outsourced.

I'm unable to think of any computer-aided tagged-address scheme where
the data is maintained on recipient's storage. I suspect that those
who use tagged addresses consistently --whom I envy-- use just their
brains.
Post by Neil Schwartzman
I see zero motivating factors to help Senders deal with any problems
at their end, and many potential negatives.
It takes two to SMTP.

Ale
-
This is the asrg mailing list. To change your subscription settings, see
http://lists.services.net/cgi-bin/mj_wwwusr/domain=lists.gurus.org
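The arrangement Ale describes above, with the operator of the MX for the
tagged address's domain holding the permission record and issuing the
confirmation a sender can keep, as an added Python example (not code from
the thread or from any poster). The class and field names, the receipt
format and the use of an HMAC for the curator's confirmation are
assumptions made for illustration; a deployment would use a public-key
signature so that a sender's auditor can verify a receipt without the
curator's secret.

```python
"""Recipient-side permission registry for tagged addresses.

Added example (not from the thread).  The MX operator for `our_domain`
holds one Permission per (local, tag), bound to the sender domain the
user handed that tag to.  Names and receipt format are assumptions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timezone

TAGGED_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>[^@]+)$")


@dataclass
class Permission:
    sender_domain: str   # the domain the user handed this tag to
    note: str            # the user's own note, e.g. "given to example shop"
    revoked: bool = False


class PermissionRegistry:
    """Permission data held by the operator of the MX for `our_domain`."""

    def __init__(self, our_domain, receipt_key):
        self.our_domain = our_domain.lower()
        self._key = receipt_key      # curator's secret for signing receipts (assumed HMAC)
        self._perms = {}             # (local, tag) -> Permission

    def issue(self, local, tag, sender_domain, note=""):
        """User registers a fresh tag for one sender; returns the tagged address."""
        key = (local.lower(), tag.lower())
        if key in self._perms:
            raise ValueError("tag already issued")
        self._perms[key] = Permission(sender_domain.lower(), note)
        return f"{local}+{tag}@{self.our_domain}"

    def revoke(self, local, tag):
        """User withdraws consent: the tag stays known but stops accepting mail."""
        self._perms[(local.lower(), tag.lower())].revoked = True

    def _lookup(self, rcpt_to):
        m = TAGGED_RE.match(rcpt_to.lower())
        if not m or m.group("domain") != self.our_domain:
            return None
        return self._perms.get((m.group("local"), m.group("tag")))

    def decide(self, rcpt_to, mail_from):
        """SMTP-time decision for one envelope: ('accept'|'reject', reason)."""
        perm = self._lookup(rcpt_to)
        if perm is None:
            return "reject", "unknown tagged address"
        if perm.revoked:
            return "reject", "permission revoked"
        if "@" not in mail_from:
            # Null-sender DSNs need their own policy (e.g. BATV); out of scope here.
            return "reject", "null sender not accepted for tagged addresses"
        sender_domain = mail_from.rsplit("@", 1)[1].lower()
        # Accept the bound domain and its subdomains (bounce.example-shop.com etc.).
        if sender_domain == perm.sender_domain or sender_domain.endswith("." + perm.sender_domain):
            return "accept", "sender matches permission record"
        return "reject", f"tag bound to {perm.sender_domain}, not {sender_domain}"

    def confirmation(self, rcpt_to, when=None):
        """Receipt the sender keeps as evidence of recipient-side consent."""
        perm = self._lookup(rcpt_to)
        if perm is None or perm.revoked:
            raise ValueError("no active permission for that address")
        when = when or datetime.now(timezone.utc)
        body = f"{rcpt_to.lower()}|{perm.sender_domain}|{when.isoformat()}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def verify_confirmation(self, receipt):
        """Curator re-checks a receipt presented by a sender (or an investigator)."""
        body, _, mac = receipt.rpartition("|")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    reg = PermissionRegistry("example.net", b"curator-secret")  # constructed
    addr = reg.issue("alice", "shop2014", "example-shop.com", "given to example shop")
    print(addr, reg.decide(addr, "news@example-shop.com"))
    print(addr, reg.decide(addr, "news@other-marketer.example"))
    receipt = reg.confirmation(addr)
    print(receipt, reg.verify_confirmation(receipt))
```

decide() is the per-envelope policy the MX applies at RCPT TO time;
confirmation() is the receipt a sender would retain as the curator-signed
evidence of consent discussed above, and verify_confirmation() is what the
curator answers with when that receipt is later challenged.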
John Levine
2014-01-11 18:15:16 UTC
Permalink
Post by Alessandro Vesely
Well, that's not really an infrastructural change, it is just a minor
software modification.
Um, in the world I work in, "minor software modification" and
"infrastructural change" are synonyms.

R's,
John
Neil Schwartzman
2014-01-11 22:08:28 UTC
Permalink
Post by Alessandro Vesely
Whatever is the solution we have, it must leave something to be
desired, given that many people use tagged addresses by hand.
That almost sounds like the Pauline Kael protestation about Nixon (no-one I know voted for him). Honestly, there may be a lot of people who use them in your circles, which probably are constituted by a lot of email professionals, but tagged addresses are pretty much a fringe activity.

Apple iCloud offers five aliases to go along with each account, I’m sure at least some people use those to hand out to people they deem dodgy, then ditch them if they turn out to be correct, but for the most part people use freemail accounts like that. I’m sure Richard could comment in vague terms about the great Yahoo! clawback of 2013, which probably had some amount of account abandonment due to spam, not sure if that is the same thing as setting up an address to receive mail of a circumspect nature, but a subset must have been that too.
Post by Alessandro Vesely
Permission data collected by a sender on its own can be easily forged.
I'm always surprised to hear it bears some legal value. A
confirmation signed by a recipient-side curator would allow a sender
to accomplish that need in a well-defined way.
These people have a partial solution; they aren’t the trusted third party one might hope for (some Costa Rican guy who does web design) but it is a start at something I’ve been formulating for a while in light of a need for a trusted permission repository.

http://www.optguard.com/?vsmaid=12

forged subscription information doesn’t scale and wouldn’t deflect an investigation by sa, the CRTC who will be relying upon ISP complaint data as well as a purpose-built spamtrap network, and data from a variety of major sources.

IOW - a sender under investigation could fake one, or even a hundred subscriptions, but for them to do spamming that is worth anything they need to do it at scale and that makes catching them easy.

Also, an innocent sender will be able to pull out IP-based information on opens and clicks that should for the most part concur with the signup data.
John Levine
2014-01-12 02:05:17 UTC
Permalink
Chris Lewis
2014-01-12 02:47:20 UTC
Permalink
forged subscription information doesn’t scale and wouldn’t deflect an investigation by sa, the CRTC
who will be relying upon ISP complaint data as well as a purpose-built spamtrap network, and data
from a variety of major sources.
I dunno. I recall Laura reporting on a bunch of forged subscriptions
done so well that the only reason she was sure it was dirty is that
one of the subscription addresses they forged was hers.
The reality is that it's trivially forgeable. So are signatures, credit
cards and driver's licenses.

But we muddle along anyway.

In other words, it doesn't have to be/shouldn't be the only evidence
you're relying on. On a case-by-case basis, there will usually be other
information that will help you prove that a batch of subscriptions are
good or bad.

I caught Richter touting subscription addresses of 192.168.0.0/16.
Others touting IP addresses in the wrong continent. Others touting COI
registrations from 15 years after the domain went defunct. Or just the
one time where the person involved said "no I didn't".

Throw doubt on a handful and they all become suspect.

Large scale spammers will garner a lot of complaints. Some of them will
almost certainly destroy the credibility of supposed registration data
for the rest.

I'm with Neil, I don't think forged subscriptions scale very well.

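The tells Chris lists above, run as a batch screen over claimed COI
records, as an added Python example (not code from the thread or from any
poster): signup IPs in private or otherwise never-public space, signup IPs
that geolocate to a continent the recipient domain does not serve, and COI
timestamps later than the date the recipient domain went defunct, with the
batch as a whole marked suspect once a handful of records fail. The sample
records, the prefix-to-continent table, the expected-continent and
defunct-domain tables and the 5% threshold are all constructed for
illustration; a real screen would consult a GeoIP database and a record of
which recipient domains have died.

```python
"""Screen claimed subscription (COI) records for forgery tells.

Added example (not from the thread).  All tables and records below are
constructed for illustration; TEST-NET prefixes stand in for real ones.
"""
import ipaddress
from datetime import datetime, timezone

# Address space that can never be a real visitor's source address on the
# public internet.  Listed explicitly rather than via is_private so the
# TEST-NET prefixes used as sample "public" data are not caught by it.
NEVER_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",   # 100.64/10 is CGN shared space
    "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed toy geolocation table (prefix -> continent).
CONTINENT_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "NA",
    ipaddress.ip_network("198.51.100.0/24"): "EU",
}

# Constructed: where a recipient domain's users are expected to be, and
# when a defunct recipient domain stopped accepting mail (UTC).
EXPECTED_CONTINENT = {"nafreemail.example": "NA", "eufreemail.example": "EU"}
DEFUNCT_SINCE = {"oldisp.example": datetime(1999, 6, 30, tzinfo=timezone.utc)}


def continent_of(addr):
    for net, continent in CONTINENT_BY_PREFIX.items():
        if addr in net:
            return continent
    return None


def check_record(rec):
    """Return the list of tells for one claimed COI record (empty = none)."""
    tells = []
    try:
        addr = ipaddress.ip_address(rec["signup_ip"])
    except ValueError:
        return ["unparseable signup IP"]
    domain = rec["address"].rsplit("@", 1)[-1].lower()
    if any(addr in net for net in NEVER_PUBLIC):
        tells.append("signup IP in private/reserved space")
    else:
        seen, expected = continent_of(addr), EXPECTED_CONTINENT.get(domain)
        if seen and expected and seen != expected:
            tells.append(f"signup IP in {seen}, recipient domain serves {expected}")
    defunct = DEFUNCT_SINCE.get(domain)
    if defunct and datetime.fromisoformat(rec["coi_time"]) > defunct:
        tells.append("COI timestamp after recipient domain went defunct")
    return tells


def screen_batch(records, suspect_fraction=0.05):
    """Tells per address plus a batch verdict: doubt on a handful of
    records makes the whole batch suspect."""
    tells = {rec["address"]: check_record(rec) for rec in records}
    bad = sum(1 for t in tells.values() if t)
    suspect = bad > 0 and bad / len(records) >= suspect_fraction
    return tells, ("batch suspect" if suspect else "no tells")


SAMPLE_RECORDS = [  # constructed, not real subscription data
    {"address": "alice@nafreemail.example", "signup_ip": "203.0.113.7", "coi_time": "2013-11-02T09:14:00+00:00"},
    {"address": "bob@nafreemail.example", "signup_ip": "192.168.0.44", "coi_time": "2013-11-02T09:15:00+00:00"},
    {"address": "carol@oldisp.example", "signup_ip": "203.0.113.8", "coi_time": "2013-11-02T09:16:00+00:00"},
    {"address": "dave@eufreemail.example", "signup_ip": "203.0.113.9", "coi_time": "2013-11-02T09:17:00+00:00"},
    {"address": "erin@eufreemail.example", "signup_ip": "198.51.100.20", "coi_time": "2013-11-02T09:18:00+00:00"},
    {"address": "frank@nafreemail.example", "signup_ip": "100.64.3.3", "coi_time": "2013-11-02T09:19:00+00:00"},
]

if __name__ == "__main__":
    per_address, verdict = screen_batch(SAMPLE_RECORDS)
    for address, t in per_address.items():
        print(f"{address}: {'; '.join(t) or 'ok'}")
    print(verdict)
```

The per-record tells are the case-by-case evidence; the batch verdict is
the "throw doubt on a handful and they all become suspect" step, which is
why the threshold is deliberately low.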
Alessandro Vesely
2014-01-13 15:06:27 UTC
Permalink
Post by Chris Lewis
I recall Laura reporting on a bunch of forged subscriptions done
so well that the only reason she was sure it was dirty is that
one of the subscription addresses they forged was hers.
The reality is that it's trivially forgeable. So are signatures, credit
cards and driver's licenses.
But we muddle along anyway.
Yes, that is necessary. /Requiring/ unforgeable proofs of consent
would hamper well-established practices. That doesn't mean
unforgeable proofs should be rejected.
Post by Chris Lewis
In other words, it doesn't have to be/shouldn't be the only evidence
you're relying on. On a case-by-case basis, there will usually be other
information that will help you prove that a batch of subscriptions are
good or bad.
I caught Richter touting subscription addresses of 192.168.0.0/16.
Others touting IP addresses in the wrong continent. Others touting COI
registrations from 15 years after the domain went defunct. Or just the
one time where the person involved said "no I didn't".
Throw doubt on a handful and they all become suspect.
Not sure. As long as unscrupulous marketers are able to append an
email address to a web visit (possibly deploying some questionable
software), they can simulate a plausible subscription. They can use
complaint rates to keep beneath the radar. It seems OptGuard would
certify such registrations without turning a hair.

I agree credit cards are similarly flawed. However, client-side banks
do register history so that users can check the details of recent
transactions. Because people are picky about their money.

Signatures (both digital and hand made) and digital driver's licenses
work better.
Post by Chris Lewis
Large scale spammers will garner a lot of complaints. Some of them will
almost certainly destroy the credibility of supposed registration data
for the rest.
I'm with Neil, I don't think forged subscriptions scale very well.
Right. The point is just that that design is one-sided. A better
method can be introduced gradually, alongside of the existing one.

Ale
Dave Warren
2014-01-24 19:02:40 UTC
Permalink
Post by Neil Schwartzman
it is laughed off as a "Well I don't see a problem when I don't look
very hard" by one of the professionals who makes money from the same
industry that makes their money sending unwanted spamvertising in the
first place.
Since I work for a major receiver would my laughing this off be more
credible (not that I accept for a moment that Laura’s comments lack
credibility, or yours being mean-spirited and insulting)?
Fair enough: I wasn't intending to write a mean or insulting message,
but I did. And worse, it was directed at someone who I respect, but in
this instance disagreed with.

I am genuinely sorry and I do apologize; I didn't mean to go on the
attack against the person, just the position. I was rude and offensive,
and I am sorry.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Neil Schwartzman
2014-01-25 15:23:12 UTC
Permalink
thanks Dave. Apologies such as yours are all too rare these days.


Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Barry Shein
2014-01-11 19:14:23 UTC
Permalink
If I may summarize, yes, there's a lot of gray area to the simple
"unsolicited commercial bulk email".

I don't even know if there'd be general agreement that signing up for
(e.g., doing business with seems to be signing up) ads from a
generally-agreed-to-be-legitimate-company, opting out later, but still
receiving ads is "spam" or is it just "welcome to life buddy there can
be some disappointments along the way".

There's also the quantity becomes quality issue.

Some company you did biz with then passing your name to some related
company might just be a nuisance.

The combinatorics of the Fortune 5,000 (and every used car dealership)
doing it could become something more than a nuisance.

I claim that in a few years more of you will agree with me.

Companies are still only beginning to discover email as a potential,
almost zero cost, marketing tool, and it's an N factorial problem.

We'll wish we hadn't set the thresholds before understanding how bad
it would become.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Chris Lewis
2014-01-11 19:49:59 UTC
Permalink
Post by Barry Shein
I don't even know if there'd be general agreement that signing up for
(e.g., doing business with seems to be signing up) ads from a
generally-agreed-to-be-legitimate-company, opting out later, but still
receiving ads is "spam" or is it just "welcome to life buddy there can
be some disappointments along the way".
Even CANSPAM considers that to be spam.
Post by Barry Shein
Some company you did biz with then passing your name to some related
company might just be a nuisance.
The combinatorics of the Fortune 5,000 (and every used car dealership)
doing it could become something more than a nuisance.
I claim that in a few years more of you will agree with me.
I would have agreed with you several years back, but, it's been my
experience since that it doesn't happen as often as you seem to be
implying.

Perhaps my threshold of what's "legitimate" is higher than others.

If you sign up for cheezburgertemple or "you have won a laptop", I think
you get what you deserve.

But I'm not seeing it.

Of course, I always look in the fine print for "we don't share your
address with anybody". And so far, none of them have.

The IETF does tho ;-)

[Most of my spam comes from email addresses leaked from mailing lists or
scraped from web sites.]

Richard Clayton
2014-01-11 20:13:38 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Barry Shein
I don't even know if there'd be general agreement that signing up for
(e.g., doing business with seems to be signing up) ads from a
generally-agreed-to-be-legitimate-company, opting out later, but still
receiving ads is "spam"
it's not permitted to keep on sending under the EU directive

it's not permitted to keep on sending under CAN-SPAM

it's not permitted to keep on sending under the Canadian statute

how much "general agreement" do you want ?
Post by Barry Shein
There's also the quantity becomes quality issue.
Some company you did biz with then passing your name to some related
company might just be a nuisance.
that's not permitted under the EU Data Protection directive -- your
jurisdiction may vary on how personal data may be processed (you may
wish to lobby your representatives)

BTW if it's not a related company but another part of the same company
then the EU Directive (on direct marketing) covers that as well -- the
email must be for a "similar product or service", and of course
unsubscribe must be honoured

[I expect John will be along shortly with a wiki link for this; it's all
pretty ancient stuff -- apart from the Canadian rules which are new]

- --
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBUtGl8uINNVchEYfiEQKojACfTRETclstDJMP6x+lkrQvdBguFWcAnjlA
cw2byTwdLOMp9SevGxuAvsNE
=8vMM
-----END PGP SIGNATURE-----
Neil Schwartzman
2014-01-11 21:38:04 UTC
Permalink
Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Post by Richard Clayton
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Barry Shein
I don't even know if there'd be general agreement that signing up for
(e.g., doing business with seems to be signing up) ads from a
generally-agreed-to-be-legitimate-company, opting out later, but still
receiving ads is "spam"
it's not permitted to keep on sending under the EU directive
it's not permitted to keep on sending under CAN-SPAM
it's not permitted to keep on sending under the Canadian statute
how much "general agreement" do you want ?
Companies are still only beginning to discover email as a potential,
almost zero cost, marketing tool,
Barry, that statement might have been true 15 years ago. I don’t mean this as a personal slight, but many of the suppositions I’ve seen on this thread and others of late do not reflect the current email ecosystem so much as that of the late 1990s.

I’ll make some statements here, debate, disagree as you wish

HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved, or at least remediated to the point that it is pretty much a non-issue.

CURRENT
Affiliate spam is a problem. The follow-the-money régime of Canada’s Anti-Spam Legislation will have a very chilling effect on such programs. DirecTV will be held accountable for spam sent in their name; at $10,000,000 per email. Problem solved.

Account-take over (tickling tiny amounts of spam out over illicit accounts and accounts with compromised credentials)
Still a problem

Spam from legitimate companies
As noted before CANSPAM, the EU Privacy Directive and CASL cover this well, CASL gives enforcement agencies the tools, and the threat to use them. FYI, I am conducting a statistical study to see the effect of the law for the Canadian Government.

Phishing/Spear Phishing
Big problem

Mobile Spam
Huge in Asia/Africa, we’ve only seen the leading edge of it in North America. The spam is about to hit the fan bigtime.

FUTURE
Social media spam
Big problem now, will become a huge problem over the next three years

IPv6 mail
John says it is a thing, Richard says it isn’t.

I think it is a thing and will become a huge thing as developing nations decide they don’t want to grovel for IPv4 IP space.

I personally believe we will go to an all-whitelist world, wherein most IPv6 space will be in deny ACL tables.

Bottom line for me? If you want to be talking about anything at all forward thinking - social, mobile, and IPv6. Everything else has the benefit of almost 20 years work on it, and is well fixed, or at least fixed to as best a point as we can hope to do (yes, of course both spammers and spam filter makers will innovate).
Paul Ferguson
2014-01-12 15:59:40 UTC
Permalink
Post by Neil Schwartzman
HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved,
or at least remediated to the point that it is pretty much a non-issue.
I'm not sure that is true at all -- there are still successful spambots
which are *HIGHLY* successful in getting millions of malicious messages
into recipient mailboxes around the world daily.

Perhaps I misunderstood your point here?

- ferg
--
Paul Ferguson
'Get off my lawn!'
PGP Public Key ID: 0x54DC85B2

Barry Shein
2014-01-13 04:29:42 UTC
Permalink
Post by Neil Schwartzman
HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved,
or at least remediated to the point that it is pretty much a non-issue.
Hitting the wire continues to be a problem.

We still see headlines about "huge botnet shut down", why do they
operate?

Although botnets are a particularly pernicious vector they seem to
move on to other methods also such as exploiting holes in web site
software in large numbers.
Post by Neil Schwartzman
CURRENT
Affiliate spam is a problem. The follow-the-money régime of Canada’s
Anti-Spam Legislation will have a very chilling effect on such programs.
DirecTV will be held accountable for spam sent in their name; at
$10,000,000 per email. Problem solved.
Well, potentially solved, but good news.
Post by Neil Schwartzman
Account-take over (tickling tiny amounts of spam out over illicit
accounts and accounts with compromised credentials)
Still a problem
I guess a form of snowshoe-ing and probably related to my earlier
comment about exploiting those zillions of web sites at hosting
companies whenever they find a hole in some popular web site package.
Post by Neil Schwartzman
Spam from legitimate companies
As noted before CANSPAM, the EU Privacy Directive and CASL cover this
well, CASL gives enforcement agencies the tools, and the threat to use
them. FYI, I am conducting a statistical study to see the effect of the
law for the Canadian Government.
One of my interests is more in the realm of what happens when you're
just overwhelmed by email which is reasonably legitimate under current
definitions.

But I can't argue the future if others don't see it that way.

I suppose we'll have to wait and see and perhaps I'll get to say "I
told you so!" in a few years.

But "free" has always had a certain appeal, even among those with
honorable intentions.
Post by Neil Schwartzman
Phishing/Spear Phishing
Big problem
Indeed.

We can throw in email with embedded viruses which very lately seems to
have gained a burst in popularity, some gang I assume.

Anyone see the incessant "Your Court Date" and similar in the past few
weeks with embedded zip files with viruses?

I believe popular anti-virus programs warned/blocked, they weren't
particularly sophisticated.

But of course they're fishing (not phishing) for vulnerable sites.

I assume for botnets.

But botnets is solved? Confusing.
Post by Neil Schwartzman
Mobile Spam
Huge in Asia/Africa, we’ve only seen the leading edge of it in North
America. The spam is about to hit the fan bigtime.
I agree.
Post by Neil Schwartzman
FUTURE
Social media spam
Big problem now, will become a huge problem over the next three years
I agree, it's a greenfield.
Post by Neil Schwartzman
IPv6 mail
John says it is a thing, Richard says it isn’t.
I think it is a thing and will become a huge thing as developing nations
decide they don’t want to grovel for IPv4 IP space.
I think it's a thing.

It's likely to provide more address mobility and that's the
stock-in-trade of a lot of the worst spammers.

Related is CGN, commercial grade NAT, which covers a lot of the mobile
world.

I suspect it helps as much as it hurts, it forces gazillions of
devices through an ISP's NAT architecture where it can be inspected
and filtered.

Merely unusually high traffic patterns might in a perfect world
attract attention -- a phone no matter how smart sending out many
emails per minute for many minutes ought to raise a flag.

OTOH it provides amplification opportunities. Those CGNs are attached
to big honking pipes at places like Verizon or NTT et al.

Although not spam per se we just saw NTP amplification DDoS attacks in
the past few weeks:

http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/

or

http://tinyurl.com/ojmfbts
Post by Neil Schwartzman
I personally believe we will go to an all-whitelist world, wherein most
IPv6 space will be in deny ACL tables.
It's a big space and will probably get very complicated.

As an aside, that's why simple address expansions like IPv6 are
doomed, they become segmented, this many bits devoted to this and that
many bits devoted to that de facto or de (um, standardo?)

So any white list might have to understand an ever growing
efflorescence of, for example, service providers and sub-service
providers carving up of address space as roles get farmed out
globally.
Post by Neil Schwartzman
Bottom line for me? If you want to be talking about anything at all
forward thinking - social, mobile, and IPv6. Everything else has the
benefit of almost 20 years work on it, and is well fixed, or at least
fixed to as best a point as we can hope to do (yes, of course both
spammers and spam filter makers will innovate).
Really only if you limit the discussion to what's hitting the mailbox
and technical or sledgehammer legal approaches which no doubt work for
some things (if spam is outlawed only outlaws will spam.)

What ties them all together, potentially, is any economic ecology
which shifts the game. But that's a hard row to hoe.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Chris Lewis
2014-01-13 05:02:07 UTC
Permalink
Post by Barry Shein
Anyone see the incessant "Your Court Date" and similar in the past few
weeks with embedded zip files with viruses?
AA/Delta/USAir, Court date and several others. The malware was Asprox.
Malware spewed by compromised web sites for the most part, Asprox botnet
did ordinary spam.

We generally do not distinguish contents between malware, ordinary spam,
and other things on the spam blocking side.

For example Cutwail spams a bit of every kind of abuse imaginable.
Post by Barry Shein
I believe popular anti-virus programs warned/blocked, they weren't
particularly sophisticated.
Popular DNSBLs blocked too.
Post by Barry Shein
But of course they're fishing (not phishing) for vulnerable sites.
No, vulnerable people who click on things. Asprox doesn't do website
takeovers.
Post by Barry Shein
I assume for botnets.
But botnets is solved? Confusing.
Not solved: significantly on the decline.

Alessandro Vesely
2014-01-13 14:30:46 UTC
Permalink
Post by Neil Schwartzman
Everything else has the benefit of almost 20 years work on it, and
is well fixed, or at least fixed to as best a point as we can hope
to do (yes, of course both spammers and spam filter makers will
innovate).
20 years is also the time it takes for a patent to expire. The
relevant methods can enjoy a revival as they get unencumbered.

Ale
John Levine
2014-01-12 02:01:37 UTC
Permalink
Post by Richard Clayton
[I expect John will be along shortly with a wiki link for this; it's all
pretty ancient stuff -- apart from the Canadian rules which are new]
It should be at http://www.inboxproject.org/. If not, suggestions for
material that the law students who do the research and updates to look
at so they can improve what's there are always welcome.

The Inbox Project is unrelated to ASRG other than that my fingerprints
are all over both of them. Inbox is a joint project of CAUCE and the
Cornell law school, with enough commercial sponsors to pay people to
maintain it.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Barry Shein
2014-01-13 03:55:19 UTC
Permalink
Post by Richard Clayton
Post by Barry Shein
I don't even know if there'd be general agreement that signing up for
(e.g., doing business with seems to be signing up) ads from a
generally-agreed-to-be-legitimate-company, opting out later, but still
receiving ads is "spam"
it's not permitted to keep on sending under the EU directive
it's not permitted to keep on sending under CAN-SPAM
it's not permitted to keep on sending under the Canadian statute
how much "general agreement" do you want ?
Not being argumentative but I think we're talking past each other.

How likely is it to be prosecuted? ``Ooops, we were sloppy with our
database, sorry, we're working on it...''

Is there any record kept of CAN-SPAM and other prosecutions? Other
than just searching raw data (e.g., court records) oneself?
Post by Richard Clayton
Post by Barry Shein
There's also the quantity becomes quality issue.
Some company you did biz with then passing your name to some related
company might just be a nuisance.
that's not permitted under the EU Data Protection directive -- your
jurisdiction may vary on how personal data may be processed (you may
wish to lobby your representatives)
The key word there is "related", I could have used a better word.
Post by Richard Clayton
BTW if it's not a related company but another part of the same company
then the EU Directive (on direct marketing) covers that as well -- the
email must be for a "similar product or service", and of course
unsubscribe must be honoured
Ok, you got what I meant.

Perhaps we're splitting hairs.

Except these are billion dollar companies and I have no idea if Pepsi
and Doritos are "similar products" (both owned by Pepsico.)

But if they're not then let's also not underestimate the extent to
which many brands are owned by few companies such as Diageo, dozens of
some of the most well-known alcoholic beverage brands, Guiness,
Smirnoff, Johnnie Walker, Grand Marnier (distributor), etc etc etc.

I know, "what was the question again?"

I agree.

I suspect what saves us from total disaster is some mixture of email
not actually being very effective for mass marketing (perhaps), and
companies not yet exploiting it fully (my worry.)
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2014-01-13 05:21:24 UTC
Permalink
Post by Barry Shein
How likely is it to be prosecuted? ``Ooops, we were sloppy with our
database, sorry, we're working on it...''
In practice, not very. Lawsuits are expensive, and judges are not
inclined to levy huge penalties against defendants who were just
sloppy as opposed to actively crooked.
Post by Barry Shein
Is there any record kept of CAN-SPAM and other prosecutions? Other
than just searching raw data (e.g., court records) oneself?
There are a few blogs, and the Inbox Project web site I mentioned.
Post by Barry Shein
I suspect what saves us from total disaster is some mixture of email
not actually being very effective for mass marketing (perhaps), and
companies not yet exploiting it fully (my worry.)
Given the amount of money that big companies spend on ESPs, I don't
think you have to worry that they haven't noticed that email is a
possible marketing channel. A lot of email marketing from familiar
companies is pretty cruddy, but that should come as no surprise, since
a lot of marketing of any form is pretty cruddy.

R's,
John
Chris Lewis
2014-01-13 15:19:13 UTC
Permalink
Post by John Levine
Post by Barry Shein
How likely is it to be prosecuted? ``Ooops, we were sloppy with our
database, sorry, we're working on it...''
In practice, not very. Lawsuits are expensive, and judges are not
inclined to levy huge penalties against defendants who were just
sloppy as opposed to actively crooked.
True, but when you manage to get the monolith moving, things tend to get
crunched.

Ours at least seems to be very lazy most of the time, but when the rules
say that once they hit a certain threshold number of complaints they
_must_ fully investigate, and they see a pattern of BS...

CRTC has handed down a number of rather stiff fines recently in related
areas for similar things. Of course this hasn't happened with CASL/spam
per-se, since CASL isn't in force yet. But everything seems to indicate
that they want to start with a bang. And it comes with PROA.

There is a "oops, I goofed" clause in CASL. We grilled them on it, and
they were quite clear that it couldn't be used forever.
Post by John Levine
Post by Barry Shein
I suspect what saves us from total disaster is some mixture of email
not actually being very effective for mass marketing (perhaps), and
companies not yet exploiting it fully (my worry.)
Given the amount of money that big companies spend on ESPs, I don't
think you have to worry that they haven't noticed that email is a
possible marketing channel. A lot of email marketing from familiar
companies is pretty cruddy, but that should come as no surprise, since
a lot of marketing of any form is pretty cruddy.
I think that most of the more mature marketing communities are also
aware of the pitfalls of doing it wrong, and have a disinclination to
outright spam. I remember the attitude of our more senior marketers
being horrified by the notion of spamming - "why on earth would we want
to piss off our customers?". Mind you, that was B2B, and the
sensibilities are a bit different.

Now of course the problems are far more well known, and the marketers
get spammed too.

In environments such as ours, there was a small amount of outright
spamming, but those were junior marketing wannabes in out of the way
places who weren't being supervised by their elders nor following the rules.

That changed <evil grin>

Barry Shein
2014-01-13 18:56:55 UTC
Permalink
Without going tit-for-tat which seems to sometimes elicit defensive
reactions...

I think some of you live in a more rational world than I do.

For example, I get 2-3 phone calls a day maybe 5 days/week, sometimes
it stops for a few days here and there, from something called "Credit
Card Services" pitching some service to lower rates.

This has been going on for at least 2 years. If you google "credit
card services phone calls" you'll see this is true for millions of
people and if not for any of you in the US I'd be surprised.

I am on the FTC don't-call list but as far as I can tell they use some
credit card acct I do have to skirt that, we have a "prior business
relationship".

They have an unsub button (push 2!), pushed it many times, no luck.

Now by the reasoning presented here that makes no sense: Legitimate
companies don't want to ANNOY you, right?

Wrong.

Near as I can tell it must work or they wouldn't go on for years doing
this.

Similar happens for the several week run-up to election day, I can get
10 or more calls a day, political campaign calls are immune from FTC
Don't Call of course -- the laws were written by political
campaigners!

I think it works.

Annoying the *** out of people seems to work, i.e., it gets them what
they want (paying customers, votes) or they deeply believe it does.

So forgive me if I get a bit skeptical when someone tells me how big
email marketers et al will be careful to not actually ANNOY people and
that's only the purview of criminal or near-criminal types.

It's wishful thinking IMHO.

And if we wait for it to be measurable it'll be too late.

It will be standard industry practice like with telemarketing and any
attempt to curtail it will be trying to shut down a, by then, already
very profitable industry.

Good luck with that as they send lawyers, guns (ok, lobbyists), and
money to protect a business activity that's making them billions.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2014-01-13 21:30:15 UTC
Post by Barry Shein
For example, I get 2-3 phone calls a day maybe 5 days/week, sometimes
it stops for a few days here and there, from something called "Credit
Card Services" pitching some service to lower rates.
That sounds like "Rachel from Card Services", a well known complete
100% scam. The FTC has whacked Rachel repeatedly, but the problem is
that there are a lot of different people doing the same scam, often
with the same recording.
Post by Barry Shein
So forgive me if I get a bit skeptical when someone tells me how big
email marketers et al will be careful to not actually ANNOY people and
that's only the purview of criminal or near-criminal types.
Well, currently we're 1 for 1 with the annoying marketers being
criminals. Got any other examples?

R's,
John

Barry Shein
2014-01-14 18:38:34 UTC
Post by John Levine
Post by Barry Shein
For example, I get 2-3 phone calls a day maybe 5 days/week, sometimes
it stops for a few days here and there, from something called "Credit
Card Services" pitching some service to lower rates.
That sounds like "Rachel from Card Services", a well known complete
100% scam. The FTC has whacked Rachel repeatedly, but the problem is
that there are a lot of different people doing the same scam, often
with the same recording.
Fair enough but we're not stopping a lot of this, apparently this
whacking isn't helping. But it's not email spam per se so just an
analogy.
Post by John Levine
Post by Barry Shein
So forgive me if I get a bit skeptical when someone tells me how big
email marketers et al will be careful to not actually ANNOY people and
that's only the purview of criminal or near-criminal types.
Well, currently we're 1 for 1 with the annoying marketers being
criminals. Got any other examples?
I did just mention Angie's List sending to unverified addresses,
Inside Apple did it for years and assured me (indirectly through
someone high up at Apple) that they had no interest in cleaning it up
tho I think the list has ceased operating in the past year or so?

Those are particularly vexing because although an end user can block
them of course there's no end user involved in that complaint. And a
site like mine is loath to block them because no doubt a lot of
customers would like to hear from Apple or Angie's List.

I think you're missing my deeper point which is the lack of any
"organic" push back, any economy.

The main reason you don't get big dump trucks showing up at your door
with junk mail is because it'd cost the senders too much.

There's no real need to block them or make laws against sending you
unsolicited paper mail, or not the typical case anyhow.

<GRATUITOUS ANECDOTE>

In the early 90s I had a mailing list company take my shell acct
"password" file and attach our mailing address to every name.

The post office showed up with a truck with dozens and dozens of those
mail trays, each the size of a large washtub, filled with around 2,000
catalogs from someone, maybe it was more I didn't count them.

The PO refused to stop delivering them, basically, they had to unload
the truck, sorry!

I called the actual company whose catalog it was, obviously they'd
been scammed by the mailing list company, and they arranged to come
get them. They were very nice about it and probably figured they could
re-use the catalogs.

It was amusing with my office hallway stacked with catalogs for a few
days and my landlord frantically demanding to know what the plan was.

</GRATUITOUS ANECDOTE>

But I wouldn't call that a common case.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John R. Levine
2014-01-14 18:42:10 UTC
Post by Barry Shein
I think you're missing my deeper point which is the lack of any
"organic" push back, any economy.
Well, there's everyone's bad idea of e-postage. I wrote a white paper
about it a decade ago, and nothing of importance has changed. I realize
that it would be nice to have some way to deal with the Angie's lists and
LinkedIns, but that's one of the few places where laws can help, since
they're big enough to be worth taking to court.

And you may just be lucky. I have a bunch of catchall domains and Angie
never bothers me.
Post by Barry Shein
The PO refused to stop delivering them, basically, they had to unload
the truck, sorry!
Yeah, there are specific laws about that. Fortunately, they don't apply
to e-mail regardless of what some spammers might wish.

R's,
John
Barry Shein
2014-01-14 20:28:04 UTC
Post by John R. Levine
Post by Barry Shein
I think you're missing my deeper point which is the lack of any
"organic" push back, any economy.
Well, there's everyone's bad idea of e-postage. I wrote a white paper
about it a decade ago, and nothing of importance has changed.
Well, DKIM is more or less isomorphic to e-postage.

What it lacks is any sort of economy other than some vague hand-wave
to self-interest.

Sometimes I think the e-mail spam problem is a lot closer to the
intellectual property counterfeiting problem.

It's so easy to print music CDs or T-shirts with logos etc.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Steve Atkins
2014-01-14 20:56:34 UTC
Post by Barry Shein
Post by John R. Levine
Post by Barry Shein
I think you're missing my deeper point which is the lack of any
"organic" push back, any economy.
Well, there's everyone's bad idea of e-postage. I wrote a white paper
about it a decade ago, and nothing of importance has changed.
Well, DKIM is more or less isomorphic to e-postage.
No, it’s pretty much entirely unrelated.

e-postage is about imposing a monetary cost - directly or indirectly - of
some sort on the sender for each email sent, in order to provide a
financial disincentive to the sender for sending each email. (Most
implementations of it are worthless, for a variety of reasons. Those
based on real currency have been tried, but with little real world
enthusiasm.)

DKIM does not impose any particular cost on the sender (over a trivial
amount of CPU for signing the message) - that’s the point, it’s supposed
to be fairly cheap to implement. It identifies the responsible
party or parties for the message.
Post by Barry Shein
What it lacks is any sort of economy other than some vague hand-wave
to self-interest.
Sometimes I think the e-mail spam problem is a lot closer to the
intellectual property counterfeiting problem.
It's so easy to print music CDs or T-shirts with logos etc.
(For anyone who needs a refresher on authentication concepts, this
white paper from five years ago covers most of them:
http://www.maawg.org/sites/maawg/files/news/MAAWG_Email_Authentication_Paper_2008-07.pdf
I’m not sure if there’s anything more recent other than blog posts. Anyone?)

Cheers,
Steve
Seth
2014-01-14 20:02:57 UTC
Post by Barry Shein
Fair enough but we're not stopping a lot of this, apparently this
whacking isn't helping.
If the government or the banks actually wanted it stopped, it would take
maybe a couple of months. But they don't care enough. (The NSA could
stop it even faster, if it wanted to make itself popular.)

Seth
Martijn Grooten
2014-01-13 21:37:15 UTC
Post by Barry Shein
So forgive me if I get a bit skeptical when someone tells me how big
email marketers et al will be careful to not actually ANNOY people and
that's only the purview of criminal or near-criminal types.
It's wishful thinking IMHO.
And if we wait for it to be measurable it'll be too late.
What if we build a system that makes sure annoying people doesn't
scale? So that if you annoy a lot of people, or are otherwise sloppy
in your sending practices, your email will be blocked.

What if we have already built such a system?

Martijn.

Barry Shein
2014-01-14 18:42:27 UTC
Post by Martijn Grooten
Post by Barry Shein
So forgive me if I get a bit skeptical when someone tells me how big
email marketers et al will be careful to not actually ANNOY people and
that's only the purview of criminal or near-criminal types.
It's wishful thinking IMHO.
And if we wait for it to be measurable it'll be too late.
What if we build a system that makes sure annoying people doesn't
scale? So that if you annoy a lot of people, or are otherwise sloppy
in your sending practices, your email will be blocked.
What if we have already built such a system?
Blocked at what level? The mailbox? Many, myself included, don't
consider that a sufficient solution.

But it is true that the stock-in-trade of the most annoying bulk
spammers is address mobility.

But blocking the address mobile is easier said than done which of
course is why they rely on it as a technique.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Martijn Grooten
2014-01-14 20:24:43 UTC
Post by Barry Shein
Blocked at what level?
Blocked at any level: the outbound MTA, the inbound MTA's perimeter, the
inbound MTA itself or the mailbox. And sometimes at the court. Blocking
spam tends to take a multi-layered approach.
Post by Barry Shein
The mailbox? Many, myself included, don't consider that a sufficient
solution.
I feel we're repeating ourselves in this discussion, but perhaps you
could explain why you don't consider this sufficient. Preferably backed
up by some actual data relevant to how email is being used today and why
you have a reason to believe this will change.

Martijn.


Seth
2014-01-13 22:14:14 UTC
Post by Barry Shein
For example, I get 2-3 phone calls a day maybe 5 days/week, sometimes
it stops for a few days here and there, from something called "Credit
Card Services" pitching some service to lower rates.
They are pure criminal scam organizations. (Yes, not one; the whole
system is sold as a turnkey operation.) The FTC shuts them down and
assesses million-dollar fines against the corporation which just
disappears and the same people start up under a new name.
Post by Barry Shein
Now by the reasoning presented here that makes no sense: Legitimate
companies don't want to ANNOY you, right?
They aren't legitimate. Just which legitimate company are you annoyed
at because of them? See?
Post by Barry Shein
Near as I can tell it must work or they wouldn't go on for years doing
this.
So does bank robbery.

Seth
Alessandro Vesely
2014-01-04 12:18:46 UTC
Hi Neil,
Post by Neil Schwartzman
Post by Alessandro Vesely
I’d like to ask you a fundamental question - what problem are you trying
to solve?
I'm not sure how to call it, "legitimate spam"? I mean bulk mail, sent
using true names, possibly authenticated, sometimes wanted. For
example, most web sites require some kind of subscription in order to
post any content (because of web-spam) they may use OpenID, COI, or
whatever, and collect posters' addresses. Those addresses are treated
with varying degrees of conscientiousness by different operators.
their systems, their rules. having a verifiable permission token
will not make a jot of difference to any of the big receivers, and
I doubt any of the smaller ones either.
Yes. No, receivers don't use verifiable permission tokens, they issue
them. Receivers get list identifiers in return. Recipients say how
much a list is "wanted" at subscription time. A list identifier
paired with email authentication can help set a message score.

At that point, users have three options with unwanted list mail
destined to a disposable address:

1. They can unsubscribe or adjust their preferences at the list's
site.

2. They can signal list messages as spam. This may result in a spam
report that the list manager can use to tune the list's volume.

3. They can alter the list's "wantedness". This includes disposing
of the address for good.
Post by Neil Schwartzman
I can have confirmed opt-in and still spam a recipient. those ‘gift
cards do it all the time. 'Click here to obtain a $25 Best Buy
Card’ is usually followed by ‘confirm your email address and mobile
phone number, so we can provide offers from our partners’. which is
usually followed with a metric ton of spam (and I use that word
advisedly).
That illustrates the problem well. And COI is relatively uncommon
among those bands.
Post by Neil Schwartzman
I can have confirmed opt-in and diverge from the stated intent of
my list, say, cars, now carrying content about every type of car
accessory, because I thought recipients might find that
interesting. I can have confirmed opt-in, and never mention the
frequency with which mailings will take place, then begin sending,
on the hour. That’s spam, too.
It is common practice to segment a list into various sublists. It may
be acceptable if all of the sublists are declared at subscription
time. Otherwise it is poor list management, which forces users to go
for option 3 above.
Post by Neil Schwartzman
Post by Alessandro Vesely
The problem is to allow people to keep control of their mailboxes
without limiting their ability to subscribe at will.
Does that answer your question?
not really, no. what is the problem with subscribing at will? I do it all the time.
Functional unsubscribe is a provision of numerous laws. I may have
confirmed opt-in, but when a recipient says ‘stop’ I am legally
bound to do so; COI doesn’t trump ‘unsubscribe’
So, unless I’m missing something here, I don’t see the problem, let
alone clearly understand the solution.
I think Dave depicted the problem well. For the solution, perhaps I
could put it this way: Now that address harvesting is somewhat
démodé, we may consider instructing users to never type their true
email address into a web form. (If average users were able to paste,
there wouldn't be so many web forms asking to type the address twice.)

Legitimate spammers tend to consider disposable addresses as a kind of
fraud. Let me quote this:

TowerData has done extensive research and data collection on spam
traps, frequent complainers, honeypots, bots, and disposable
emails to help you maintain a worry free and clean email list.
http://www.towerdata.com/email-validation/email-list-cleaning/

The rough idea is to offer some functionality (verifiable permission
tokens, spam reports, and the like) such that honest spammers can
accept, or even prefer to cooperate with mailbox providers, rather
than oppose them. Of course, if a mailbox provider offers too
much, its clients will quickly migrate elsewhere; but if it offers too
little, spammers won't take it. So the question is what the right
balance is, and how it can be implemented in a tunable, yet simple way.

Thank you for your patience
Ale
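The subscription model Ale describes above (a disposable tagged address registered against one list identifier and one authenticating party, a user-set "wantedness", and the three options of unsubscribing, flagging as spam, or re-rating the list) as an added example; this is not code from the fixforwarding.org wiki or from anyone in this thread. The `user+TAG@domain` address layout, the 0..10 wantedness scale, the verdict names, the `Registry` class and the sample messages are all assumptions made for the example.

```python
"""Tagged-address subscription registry with per-list "wantedness".

Added example for the ASRG thread; not code from fixforwarding.org or
from any participant.  Everything here is constructed for illustration:
the user+TAG@domain layout, the 0..10 wantedness scale, the verdict
names and the sample messages in the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed verdict names; a real MTA would map these onto its own
# actions or onto a numeric contribution to the spam score.
ACCEPT = "accept"
QUARANTINE = "quarantine"
REJECT = "reject"


@dataclass
class Subscription:
    """What the user-side server recorded when the subscription was confirmed."""
    tag: str             # tag part of the disposable address
    list_id: str         # List-Id the sender declared at subscription time
    auth_domain: str     # domain expected to pass email authentication (e.g. DKIM d=)
    wantedness: int      # 0..10, set by the user; 0 means the address is disposed of
    complaints: int = 0  # "this is spam" signals received for this list


@dataclass
class Message:
    """The fields the scorer needs; authentication is assumed done upstream."""
    rcpt: str                   # envelope recipient (the tagged address)
    list_id: Optional[str]      # List-Id header, if present
    auth_domain: Optional[str]  # authenticated domain, None if authentication failed


class Registry:
    """Per-user registry mapping a tag to the subscription it was issued for."""

    def __init__(self, local_part: str, domain: str) -> None:
        self.local_part = local_part.lower()
        self.domain = domain.lower()
        self.subs: Dict[str, Subscription] = {}

    def subscribe(self, tag: str, list_id: str, auth_domain: str,
                  wantedness: int = 5) -> str:
        """Record a confirmed subscription and return the tagged address to hand out."""
        if not 1 <= wantedness <= 10:
            raise ValueError("wantedness must be 1..10 at subscription time")
        tag = tag.lower()
        self.subs[tag] = Subscription(tag, list_id.lower(), auth_domain.lower(), wantedness)
        return f"{self.local_part}+{tag}@{self.domain}"

    def parse_tag(self, address: str) -> Optional[str]:
        """Return the tag of one of this user's tagged addresses, else None."""
        local, sep, domain = address.rpartition("@")
        if not sep or domain.lower() != self.domain:
            return None
        base, sep, tag = local.partition("+")
        if not sep or base.lower() != self.local_part or not tag:
            return None
        return tag.lower()

    def score(self, msg: Message) -> Tuple[str, str]:
        """Decide what to do with a message addressed to a tagged address."""
        tag = self.parse_tag(msg.rcpt)
        if tag is None or tag not in self.subs:
            return REJECT, "no subscription for this tagged address"
        sub = self.subs[tag]
        if sub.wantedness == 0:
            return REJECT, "address disposed of by the user"
        # The address was given to exactly one party: mail that does not
        # authenticate as that party means the address leaked or was forged.
        if msg.auth_domain is None or msg.auth_domain.lower() != sub.auth_domain:
            return REJECT, "sender does not authenticate as the subscribed party"
        # Right sender, but a list that was not declared at subscription time
        # (the undeclared-sublist case raised earlier in the thread).
        if msg.list_id is None or msg.list_id.lower() != sub.list_id:
            return QUARANTINE, "undeclared list from the subscribed party"
        if sub.wantedness < 5:
            return QUARANTINE, "list is wanted, but only weakly"
        return ACCEPT, "authenticated mail from a wanted list"

    def adjust(self, tag: str, wantedness: int) -> None:
        """Option 3: change how wanted a list is; 0 disposes of the address."""
        if not 0 <= wantedness <= 10:
            raise ValueError("wantedness must be 0..10")
        self.subs[tag.lower()].wantedness = wantedness

    def report_spam(self, tag: str) -> Dict[str, object]:
        """Option 2: the user flagged a list message; lower wantedness and build a report."""
        sub = self.subs[tag.lower()]
        sub.complaints += 1
        sub.wantedness = max(0, sub.wantedness - 1)
        return {"list_id": sub.list_id, "auth_domain": sub.auth_domain,
                "complaints": sub.complaints, "wantedness": sub.wantedness}


if __name__ == "__main__":
    # Constructed sample: one subscription, then three kinds of incoming mail.
    reg = Registry("alice", "example.net")
    addr = reg.subscribe("cars2014", "cars.lists.example.com", "example.com")
    for m in (Message(addr, "cars.lists.example.com", "example.com"),
              Message(addr, "accessories.lists.example.com", "example.com"),
              Message(addr, "cars.lists.example.com", "other.example")):
        print(m.rcpt, m.list_id, m.auth_domain, "->", reg.score(m))
```

The scorer only consumes the result of upstream authentication (the `auth_domain` field); which mechanism produced it, and how the score is combined with a content filter, is left to the receiving system.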
Paul Ferguson
2014-01-12 16:01:02 UTC
Post by Neil Schwartzman
HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved,
or at least remediated to the point that it is pretty much a non-issue.
I'm not sure that is true at all -- there are still successful spambots
which are *HIGHLY* successful in getting millions of malicious messages
into recipient mailboxes around the world daily.

Perhaps I misunderstood your point here?

- ferg
--
Paul Ferguson
PGP Public Key ID: 0x54DC85B2

Chris Lewis
2014-01-12 16:37:46 UTC
Post by Paul Ferguson
Post by Neil Schwartzman
HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved,
or at least remediated to the point that it is pretty much a non-issue.
I'm not sure that is true at all -- there are still successful spambots
which are *HIGHLY* successful in getting millions of malicious messages
into recipient mailboxes around the world daily.
Perhaps I misunderstood your point here?
At its peak, Srizbi was pushing 60 billion spams/day by itself.
Rustock similar. "Millions per day" is still well under 1%.

A study performed several years ago demonstrated that ~1% of botnet spew
was getting thru to end users.

Attached is spambot flow over the past 5 years.

Instead of 10+ botnets spewing massive volumes, there's only one or two
significant botnets left (Kelihos & Cutwail).

What spambots are you talking about?

Have we won the war against windoze botnets yet? No. But botnet spam
getting thru to the end-user is a minor issue these days. Compromised
web servers and user accounts are the thing nowadays.

If botnet spew is still a big factor in your inbox, you need a better
spam filter.
Paul Ferguson
2014-01-12 16:44:17 UTC
Post by Chris Lewis
Post by Paul Ferguson
Post by Neil Schwartzman
HISTORICAL
The problem of botnet spam hitting recipient mailboxes has been solved,
or at least remediated to the point that it is pretty much a non-issue.
I'm not sure that is true at all -- there are still successful spambots
which are *HIGHLY* successful in getting millions of malicious messages
into recipient mailboxes around the world daily.
Perhaps I misunderstood your point here?
At its peak, Srizbi was pushing 60 billion spams/day by itself.
Rustock similar. "Millions per day" is still well under 1%.
A study performed several years ago demonstrated that ~1% of botnet spew
was getting thru to end users.
Attached is spambot flow over the past 5 years.
Instead of 10+ botnets spewing massive volumes, there's only one or two
significant botnets left (Kelihos & Cutwail).
What spambots are you talking about?
Well, Kelihos & Cutwail, of course. :-)

So, taken in that context, I see Neil's point. I am not familiar with
the trending data over time regarding delivery... messaging abuse is not
really my area of expertise here, just commenting on what I do see, and
that is still a lot of daily malicious spam delivery via Cutwail and
Kelihos.

- ferg
Post by Chris Lewis
Have we won the war against windoze botnets yet? No. But botnet spam
getting thru to the end-user is a minor issue these days. Compromised
web servers and user accounts are the thing nowadays.
If botnet spew is still a big factor in your inbox, you need a better
spam filter.
--
Paul Ferguson
PGP Public Key ID: 0x54DC85B2

Chris Lewis
2014-01-12 16:58:50 UTC
Post by Paul Ferguson
Post by Chris Lewis
What spambots are you talking about?
Well, Kelihos & Cutwail, of course. :-)
So, taken in that context, I see Neil's point. I am not familiar with
the trending data over time regarding delivery... messaging abuse is not
really my area of expertise here, just commenting on what I do see, and
that is still a lot of daily malicious spam delivery via Cutwail and
Kelihos.
Deliveries or attempts to deliver?

I appreciate that if you're looking on the wire, at times it can look
pretty bad. But most of Cutwail and Kelihos are pretty tightly
dialed-in and/or relatively static, and the amount getting through even
modestly competent spam filters is extremely low.

The volumes on the wire are still stupidly ridiculous, but little of it
is getting anywhere.

The battle lines have shifted dramatically since, say, 2-3 years ago.

If you're still getting a lot of bot spam delivery in your inbox, you
need a better spam filter. It just so happens I have one in my back
pocket ;-)