Re: [anti-abuse-wg] When email verification behavior is abusive
In message , ac <ac@main.me> writes
> ESP and email relay services should verify recipient email addresses prior to sending bulk emails to any random email address.
> ESPs that simply start dumping bulk emails on victims often end up listed on RBLs for abusive behavior.
> But, when are verification emails themselves spamvertising or email abuse?

when people don't want them in their mailbox

in a world of machine learning and email flows measured in the tens of billions, the only practical way of identifying abuse is to examine user feedback ...

... if you're not in the billions regime then you can try and write down complex rules to guide your users and your abuse teams, but even then flexibility is key because otherwise you end up arguing with an abuser who is skating just on the right side of some arbitrary value

> Our own email policy defines verification abuse as "more than 3 verify your email account" emails in the same 24 hour period and verify your email account emails lasting longer than five 24 hour periods.
> Do you think this is reasonable? Too reasonable? More? Less?

it depends on the size of the company/mailing list ... 3 new signups in a day may be a red letter day, or it may merely indicate that something broke at thirteen minutes past midnight

> If you receive say 4 "verify your email account" emails in 5 minutes, is this abuse?

this question suggests that you might be seeing an outer ripple of an incident which is the modern form of mail bombing

this is where users receive tens of thousands of verification emails in an hour or so ... sometimes this is just because the user is disliked, but it can be an attempt to hide other transactional email (associated with fraud or domain name theft) amongst all the noise

few mail systems provide suitable tools to end users to deal with this

regrettably few sign-up systems have (even weak) CAPTCHA systems to prevent automated attacks.... (something which an ISP providing hosting might usefully start requiring of its customers : rather more practical than trying to set some arbitrary number on emails sent)

there is a proposal for assisting with automated filtering https://tools.ietf.org/html/draft-levine-mailbomb-header-01 but it's not currently getting all that much traction.

--
richard

Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
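The threshold policy quoted in this message (more than 3 verification emails to one recipient in a 24-hour period, or verification emails continuing for longer than five 24-hour periods) expressed as a check run over a receiving mail server's delivery log. This is an added example, not code from the thread or from any list participant; the log format, host names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a receiving MTA's log: "<iso-timestamp> <sending host> <recipient> <subject>"
SAMPLE_LOG = """\
2018-07-18T10:00:00 signup.example-esp.test trap@victim.test Verify your email account
2018-07-18T10:02:00 signup.example-esp.test trap@victim.test Verify your email account
2018-07-18T10:03:00 signup.example-esp.test trap@victim.test Weekly newsletter
2018-07-18T10:05:00 signup.example-esp.test trap@victim.test Verify your email account
2018-07-18T10:09:00 signup.example-esp.test trap@victim.test Verify your email account
2018-07-01T08:00:00 accounts.other-esp.test bob@victim.test Please verify your email address
2018-07-03T08:00:00 accounts.other-esp.test bob@victim.test Please verify your email address
2018-07-05T08:00:00 accounts.other-esp.test bob@victim.test Please verify your email address
2018-07-07T08:00:00 accounts.other-esp.test bob@victim.test Please verify your email address
2018-07-10T09:00:00 mail.shop.test carol@victim.test Verify your email account
2018-07-10T21:00:00 mail.shop.test carol@victim.test Verify your email account
""".splitlines()

def parse(line):
    ts, host, rcpt, subject = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, rcpt, subject

def is_verification(subject):
    # crude subject match; a real deployment would key on the sending system's template
    return "verify your email" in subject.lower()

def find_abuse(log_lines, max_per_24h=3, max_days=5):
    """Return {(host, recipient): [reasons]} for sender/recipient pairs breaching the policy."""
    by_pair = defaultdict(list)
    for line in log_lines:
        ts, host, rcpt, subject = parse(line)
        if is_verification(subject):
            by_pair[(host, rcpt)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        times.sort()
        reasons = []
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(hours=24):  # keep window within 24h
                start += 1
            if end - start + 1 > max_per_24h:
                reasons.append("rate")
                break
        if times[-1] - times[0] > timedelta(days=max_days):
            reasons.append("duration")
        if reasons:
            findings[pair] = reasons
    return findings
```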
On Wed, 18 Jul 2018 11:27:15 +0100 Richard Clayton <richard@highwayman.com> wrote:
> In message , ac <ac@main.me> writes
> > ESP and email relay services should verify recipient email addresses prior to sending bulk emails to any random email address.
> > ESPs that simply start dumping bulk emails on victims often end up listed on RBLs for abusive behavior.
> > But, when are verification emails themselves spamvertising or email abuse?
>
> when people don't want them in their mailbox
>
> in a world of machine learning and email flows measured in the tens of billions, the only practical way of identifying abuse is to examine user feedback ...
>
> ... if you're not in the billions regime then you can try and write down complex rules to guide your users and your abuse teams, but even then flexibility is key because otherwise you end up arguing with an abuser who is skating just on the right side of some arbitrary value

Let's use a real world and existing example:

Me/I (Andre) goes and adds richard@highwayman.com as my 'recovery' email on Google.

Google then goes and dumps 5 verification emails on richard@highwayman.com in say 10 minutes (as they indeed sometimes do...)

Would you, Richard, consider Google's behavior as abuse?

If you just received one email (or maybe two?) - where is the arbitrary number where you personally would consider a verification email as abusive behavior? Or is five okay? Is ten okay?

So, basically the question is, for the average person, or abuse admin, etc. - what is that arbitrary number? On average?

> > Our own email policy defines verification abuse as "more than 3 verify your email account" emails in the same 24 hour period and verify your email account emails lasting longer than five 24 hour periods.
> > Do you think this is reasonable? Too reasonable? More? Less?
>
> it depends on the size of the company/mailing list ... 3 new signups in a day may be a red letter day, or it may merely indicate that something broke at thirteen minutes past midnight
>
> > If you receive say 4 "verify your email account" emails in 5 minutes, is this abuse?
>
> this question suggests that you might be seeing an outer ripple of an incident which is the modern form of mail bombing
>
> this is where users receive tens of thousands of verification emails in an hour or so ... sometimes this is just because the user is disliked, but it can be an attempt to hide other transactional email (associated with fraud or domain name theft) amongst all the noise
>
> few mail systems provide suitable tools to end users to deal with this
>
> regrettably few sign-up systems have (even weak) CAPTCHA systems to prevent automated attacks.... (something which an ISP providing hosting might usefully start requiring of its customers : rather more practical than trying to set some arbitrary number on emails sent)
>
> there is a proposal for assisting with automated filtering https://tools.ietf.org/html/draft-levine-mailbomb-header-01 but it's not currently getting all that much traction.

Thanks for this, will have a look :)

Andre
In message , ac <ac@main.me> writes
> Let's use a real world and existing example:
> Me/I (Andre) goes and adds richard@highwayman.com as my 'recovery' email on Google.
> Google then goes and dumps 5 verification emails on richard@highwayman.com in say 10 minutes (as they indeed sometimes do...)

I expect they actually send 1 email to each of 5 different accounts which you collect into a single mailbox... in similar circumstances I have never seen more than one email.

> Would you, Richard, consider Google's behavior as abuse?

no, it's clearly your fault for adding my email -- if you did it deliberately then that's abuse, if you typo-ed my email address then that's just one of those accidents that happen in the real world

note that in such circumstances you could well have allowed me to take over your account ... which naturally I would not take advantage of

> If you just received one email (or maybe two?) - where is the arbitrary number where you personally would consider a verification email as abusive behavior? Or is five okay? Is ten okay?

if you receive more than one email per recovery account then something is broken at Google -- making a fault report is far more useful than deeming Google to be abusive (which will not make anything change)

--
Dr Richard Clayton <richard.clayton@cl.cam.ac.uk>
Director, Cambridge Cybercrime Centre
Computer Laboratory, University of Cambridge, CB3 0FD
mobile: +44 (0)7887 794090
tel: +44 (0)1223 763570
On Wed, 18 Jul 2018 12:06:29 +0100 Richard Clayton <richard@highwayman.com> wrote:
> In message , ac <ac@main.me> writes
> > Let's use a real world and existing example:
> > Me/I (Andre) goes and adds richard@highwayman.com as my 'recovery' email on Google.
> > Google then goes and dumps 5 verification emails on richard@highwayman.com in say 10 minutes (as they indeed sometimes do...)
>
> I expect they actually send 1 email to each of 5 different accounts which you collect into a single mailbox... in similar circumstances I have never seen more than one email.

Hmm, no. Google, in fact, does send 5 verification emails in the same ten minutes (bearing in mind that I have the email headers, etc.). Either way, this is not about Google (although maybe it is...).

So, victim-with-no-google-account@victim-own-domain receives 5 "verify your email account" emails from the same IP number/email server in ten minutes. Is this abuse or not?

> > Would you, Richard, consider Google's behavior as abuse?
>
> no, it's clearly your fault for adding my email -- if you did it deliberately then that's abuse, if you typo-ed my email address then that's just one of those accidents that happen in the real world

So, the sender of the 5 verification emails in ten minutes has no onus to check that they do not behave or allow abuse through their services?

Anyway, what I really wanted to know is: what is that arbitrary number? (For me it is actually 3... some other people I have spoken to consider two in the same day abuse... yet some other people say only one...)

So, the goal with this thread is to gauge what the abuse list thinks. What is the arbitrary number?

> note that in such circumstances you could well have allowed me to take over your account ... which naturally I would not take advantage of

In my example, the email address is actually a spamtrap and was added to stolen data (in a stolen/for sale database). The fact that Google is choosing to send 5 verification emails to this very specific spam trap is of more interest than the actual verification emails.

But it does beg the obvious question: how many verification emails can a service send before that service is considered to be acting abusively?

> > If you just received one email (or maybe two?) - where is the arbitrary number where you personally would consider a verification email as abusive behavior? Or is five okay? Is ten okay?
>
> if you receive more than one email per recovery account then something is broken at Google -- making a fault report is far more useful than deeming Google to be abusive (which will not make anything change)

Of late Google is less responsive to abuse complaints. Maybe they just dislike me, which is fine - but some of their current behavior skates past ethics and IMNSHO borders on the illegal/anti-social.

Anyway, as I said, this is not about Google but more about that magical number?

Andre
participants (4)
- ac
- Alan Walker
- Richard Clayton
- Ximikeig Lambert