Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
Jeffrey Race wrote:
This simple wheel reinvented many times; need only to apply current knowledge. If someone will work with me we can submit the described RFC as is or improved as needed
<http://www.camblab.com/misc/univ_std.txt> based on <http://www.camblab.com/nugget/spam_03.pdf>
Great.

I see two points here:

- the group should define regulations to force RIPE members to detect spam originating from their own IPs
- the group should force members to have a working abuse email address

(it's sad that the once defined abuse-mailbox field in RIPE's whois never made it to be a needed field, this should be changed ASAP)

Our own blacklist under http://www.dnsbl.de sends out thousands of spam reports daily to the email addresses of the network administrators found in RIPE's whois. Most email addresses do not work (user unknown, mailbox full and so on), a lot do send auto-replies with ticket numbers (Telefonica is great with this), but never an email that the case has been solved, most do not react.

Currently there are only 2% answering or fixing the problem.

Why do we not recommend to implement a system at RIPE, where abuse reports could be CCed to (including the netblock and the email address a report was sent to, the system then could check if it was the right address and store a timestamp, any ISP should then be informed how he could send an email to RIPE to inform that he's working on it or that the case was fixed) so that RIPE can measure which ISP is really fixing abuse cases?

And: if any ISP collects more than 100 cases that are open for more than two weeks without any reaction, the problem network blocks are simply revoked by RIPE ;o)

RIPE should be able to implement such a harsh system, because any member already signed to not pollute the internet.

Kind regards, Frank
Jeffrey Race
--
With kind regards,
--
PHADE Software - PowerWeb, http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast, mailto:frank@powerweb.de
Schinkelstrasse 17, 14558 Nuthetal OT Rehbruecke, Germany
fon: +49 33200 52920, fax: +49 33200 52921
Public PGP Key available for frank@powerweb.de
Frank/Jeffrey,

Frank Gadegast wrote the following on 04/03/2009 09:19:
Jeffrey Race wrote:
This simple wheel reinvented many times; need only to apply current knowledge. If someone will work with me we can submit the described RFC as is or improved as needed
<http://www.camblab.com/misc/univ_std.txt> based on <http://www.camblab.com/nugget/spam_03.pdf>
<snip>
(it's sad that the once defined abuse-mailbox field in RIPE's whois never made it to be a needed field, this should be changed ASAP)
<snip>
Why do we not recommend to implement a system at RIPE, where abuse reports could be CCed to (including the netblock and the email address a report was sent to, the system then could check if it was the right address and store a timestamp, any ISP should then be informed how he could send an email to RIPE to inform that he's working on it or that the case was fixed) so that RIPE can measure which ISP is really fixing abuse cases?
And: if any ISP collects more than 100 cases that are open for more than two weeks without any reaction, the problem network blocks are simply revoked by RIPE ;o)
It sounds quite like you have a policy proposal in mind here and the Policy Development Process (PDP) is the way to progress this, should you wish. More information on the PDP can be found here:

http://www.ripe.net/ripe/docs/pdp.html

Obviously the WG chairs are available to help you with this process. Certainly there would be opportunity to discuss such things in the WG session at RIPE 58.

Regards,
Brian.
Hello,

From many previous discussions I have a hard time believing that you will ever reach consensus on the definition of what spam is. Trying to ban it would therefore be an even more difficult task. I think the government is doing a good enough job defining basic rules.

Customers actually pay me to reject your email. Isn't that great! If you stop sending, my income will decrease. That makes me sad. Please don't stop (really)!

With regards to a valid contact email address, not valid abuse email address, I still believe that it should be optional.

Cheers,

Frank Gadegast wrote:
Jeffrey Race wrote:
This simple wheel reinvented many times; need only to apply current knowledge. If someone will work with me we can submit the described RFC as is or improved as needed
<http://www.camblab.com/misc/univ_std.txt> based on <http://www.camblab.com/nugget/spam_03.pdf>
Great.
I see two points here:
- the group should define regulations to force RIPE members to detect spam originating from their own IPs
- the group should force members to have a working abuse email address

(it's sad that the once defined abuse-mailbox field in RIPE's whois never made it to be a needed field, this should be changed ASAP)

Our own blacklist under http://www.dnsbl.de sends out thousands of spam reports daily to the email addresses of the network administrators found in RIPE's whois. Most email addresses do not work (user unknown, mailbox full and so on), a lot do send auto-replies with ticket numbers (Telefonica is great with this), but never an email that the case has been solved, most do not react.

Currently there are only 2% answering or fixing the problem.

Why do we not recommend to implement a system at RIPE, where abuse reports could be CCed to (including the netblock and the email address a report was sent to, the system then could check if it was the right address and store a timestamp, any ISP should then be informed how he could send an email to RIPE to inform that he's working on it or that the case was fixed) so that RIPE can measure which ISP is really fixing abuse cases?

And: if any ISP collects more than 100 cases that are open for more than two weeks without any reaction, the problem network blocks are simply revoked by RIPE ;o)

RIPE should be able to implement such a harsh system, because any member already signed to not pollute the internet.
Kind regards, Frank
Jeffrey Race
On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote:
From many previous discussions I have a hard time believing that you will ever reach consensus on the definition of what spam is. Trying to ban it
Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host.
With regards to a valid contact email address, not valid abuse email address, I still believe that it should be optional.

What should be optional? The abuse address? The contact address? The validity?

I think it's very reasonable to require all netblocks to have a valid contact email address.

(PS- Jørgen: your mail server rejected my direct message to you. You may want to fix that)

--
Jan-Pieter Cornet <johnpc@xs4all.net>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs. !!
Jan Pieter Cornet wrote:
On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote:
From many previous discussions I have a hard time believing that you will ever reach consensus on the definition of what spam is. Trying to ban it
Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host.
With regards to a valid contact email address, not valid abuse email address, I still believe that it should be optional.
What should be optional? The abuse address? The contact address? The validity? I think it's very reasonable to require all netblocks to have a valid contact email address.
Please do not forget that the abuse field should be machine readable; currently the abuse address is hidden somewhere in remark fields, normal email fields or other things. This is pretty much work for a programmer, if he likes to report spam automatically.

Most providers do not like it when it's machine readable, because spammers will flood these addresses and these addresses cannot be used together with content filters, because reports contain snippets from real spam quite often.

So: these addresses will be quite a pain, but: that's an OLD argument and: if any provider will do something against spam originating from his IPs, there will be much less reports coming in ;o)

Kind regards, Frank
(PS- Jørgen: your mail server rejected my direct message to you. You may want to fix that)
Automated spam reports lead to errors.

We get loads of them regarding mailscanner.info, which has never sent a single email in its entire life.

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845
Michele Neylon :: Blacknight wrote:
Automated spam reports lead to errors
We get loads of them regarding mailscanner.info which has never sent a single email in its entire life
Hm, that's bad for you, but it's not an argument for a machine readable abuse field.

It should be up to anybody to report spam, automatically or manually, but at least he should have the possibility. And what's better than a mandatory field.

Many netblock entries contain a lot of different email addresses, so that a normal user cannot even decide which one to take.

And: do you know how many RIPE whois entries have no email address at all? Well I do. I always thought that at least a normal email address field is mandatory, but we have 12504 RIPE netblocks here in our database without ANY email address. And they are not unused, those are netblocks we get spam from! And this is to my knowledge since 2 years and didn't change.

We reported this to RIPE a couple of times. Only answer was: we think about what we can do.

Forming an anti-abuse group is then kind of a laugh, isn't it?

Kind regards, Frank
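The lookup problem described in the two messages above (abuse addresses hidden in remarks, several candidate addresses per entry, entries with no address at all), as an added example that is not part of the thread or any participant's code. The whois responses are constructed, and the fallback order and the `abuse|spam` keyword hint are assumptions of this example.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ABUSE_HINT = re.compile(r"abuse|spam", re.IGNORECASE)  # assumed keyword hint

# Constructed whois responses (documentation prefixes, .example domains).
RESPONSE_DEDICATED = """\
% constructed sample, not real registry data
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET-A
admin-c:        EX1-TEST

role:           Example A Network Operations
e-mail:         noc@isp-a.example
abuse-mailbox:  abuse@isp-a.example
nic-hdl:        EX1-TEST
"""
RESPONSE_REMARKS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-B
remarks:        ***************************
remarks:        * Complaints about spam go to
+               CERT@isp-b.example, not to the
                addresses below *
admin-c:        EX2-TEST

person:         Example Person
e-mail:         sales@isp-b.example
e-mail:         hostmaster@isp-b.example
nic-hdl:        EX2-TEST
"""
RESPONSE_GENERIC = """\
inetnum:        203.0.113.0 - 203.0.113.127
netname:        EXAMPLE-NET-C

person:         Example Contact C
e-mail:         billing@isp-c.example
e-mail:         info@isp-c.example
"""
RESPONSE_NONE = """\
inetnum:        203.0.113.128 - 203.0.113.255
netname:        EXAMPLE-NET-D
descr:          Example dial-in pool

person:         Example Contact D
phone:          +00 0000 0000
"""
SAMPLES = [RESPONSE_DEDICATED, RESPONSE_REMARKS, RESPONSE_GENERIC, RESPONSE_NONE]


def parse_whois(text):
    """Split a whois response into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith("%"):            # server comment line
            continue
        if not raw.strip():                # blank line ends the current object
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+":               # RPSL continuation of previous value
            if current:
                key, val = current[-1]
                extra = raw[1:].split("#", 1)[0].strip()
                current[-1] = (key, (val + " " + extra).strip())
            continue
        key, sep, val = raw.partition(":")
        if sep:                            # drop end-of-line '#' comments
            current.append((key.strip().lower(), val.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def _emails(values):
    """Addresses found in the given strings, lowercased, first-seen order."""
    found = EMAIL_RE.findall(" ".join(values))
    return list(dict.fromkeys(a.lower() for a in found))


def find_abuse_contact(text):
    """Pick a reporting address and say which kind of field it came from."""
    objects = parse_whois(text)
    attrs = [pair for obj in objects for pair in obj]
    # Consecutive remarks lines often form one banner, so judge them per object.
    banners = [" ".join(v for k, v in obj if k == "remarks") for obj in objects]
    mails = [v for k, v in attrs if k == "e-mail"]
    tiers = [                              # assumed priority, most specific first
        ("abuse-mailbox", [v for k, v in attrs if k == "abuse-mailbox"]),
        ("remarks", [b for b in banners if ABUSE_HINT.search(b)]),
        ("e-mail (abuse-like)",
         [v for v in mails if ABUSE_HINT.search(v.split("@")[0])]),
        ("e-mail (generic)", mails),
    ]
    every = _emails(v for _, v in attrs)
    for source, values in tiers:
        found = _emails(values)
        if found:
            return {"address": found[0], "source": source,
                    "ambiguous": len(found) > 1, "all_addresses": every}
    return {"address": None, "source": None,
            "ambiguous": False, "all_addresses": every}


def audit(responses):
    """Count how many responses resolve through each kind of field."""
    return Counter(find_abuse_contact(r)["source"] or "no address at all"
                   for r in responses)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_abuse_contact(sample))
    print(dict(audit(SAMPLES)))
```

Only the first sample resolves through a field meant for abuse reports; the others need guessing from free text, land on a generic mailbox, or leave the reporter with nothing to send to.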
Jørgen Hovland wrote:
Jan Pieter Cornet wrote:
On Wed, Mar 04, 2009 at 05:44:28PM +0100, Jørgen Hovland wrote:
From many previous discussions I have a hard time believing that you will ever reach consensus on the definition of what spam is. Trying to ban it
Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host.
That's where I believe you are not entirely correct. UBE is permitted in my country (not all types of course, greasy ones etc). Yes, it is

Well not in ours.

Our systems are getting misused, overloaded and we have to work against it, this does cost time, resources and yes, money. And other providers are responsible for it, wherever they reside, it does not matter, legal issues can always be taken (ok, not really practical to sue somebody in China, Russia or Turkey, but possible).

But at least: spamming is illegal in Germany, and any German provider or provider in another country with similar regulations should be forced to prevent his users from spamming.
usually what you/I define as spam. However, some customers still want it (I sometimes monitor whitelists in order to correct blacklists). Who are we to override the end-users decisions? Only the government should do that, and sometimes even they shouldn't.
Surely it should be up to the end user if he likes to have a spam filter on his incoming mail, but that's not the point. You can scan any incoming mail, just to see if it originated from your own dial-in IPs, that's all. You do not need to modify any received mail. Scanning must be done automatically and that's even legal in Germany ;o)

With regards to a valid contact email address, not valid abuse email address, I still believe that it should be optional.
What should be optional? The abuse address? The contact address? The validity? I think it's very reasonable to require all netblocks to have a valid contact email address.
Any email address. Yes it is reasonable, but I still think it should be optional. That's also what we decided last time the topic was brought up.

Jesus, no! That is simply wrong because it will raise even more ignorance to abuse. An address or phone number is not enough. What are you doing when somebody abuses your servers? Attacks and hacks them, infiltrates webservers with viruses? Send a letter mail? Get in an airplane? Phone somebody who only speaks a foreign language? No, a real abuse-field is a must and it MUST be read, and it must be possible to prove that somebody reacts.
Perhaps people have changed their opinion now. I was actually amazed that the suggestion to make it mandatory was rejected.
(PS- Jørgen: your mail server rejected my direct message to you. You may want to fix that)
It gets fixed by the system when I send you this email. I get ~8000 spam daily. I have to be a little strict :-)
See? So you are against a mandatory field? I'm getting only 2-5 spams a day that really reach me. 2000 are getting blocked or sorted out straight away. But the time for these filters just ruins us all.

Kind regards, Frank
Cheers,
Frank,

On 04/03/2009 8:43, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote:

[...]

No, a real abuse-field is a must and it MUST be read, and it must be possible to prove that somebody reacts.

If you want to change the requirements for the RIPE database then you need to take it up in the Database WG:

http://www.ripe.net/ripe/wg/db/index.html

Regards,
Leo
--On 4 March 2009 17:43:50 +0100 Frank Gadegast <ripe-anti-spam-wg@powerweb.de> wrote:
That's where I believe you are not entirely correct. UBE is permitted in my country (not all types of course, greasy ones etc). (.cx)
Well not in ours. (.de)
In the UK, unsolicited electronic marketing messages are illegal - bulk or otherwise - when they're sent to personal addresses. There's guidance on "unsolicited", "marketing", and "personal". Unsolicited Business to Business marketing is permitted.

The law applies to all electronic messaging, not just email. The term marketing is broadly defined, and includes messages soliciting votes in elections, and charity appeals.

Furthermore, a "simple means of opting out" must be supplied with EVERY marketing message. For example, even SMS messages usually carry an opt out message like "text STOP to nnnnn".

I think it's sensible to apply the law without regard to quantity, for several reasons:

1. The recipient can't know whether the message is "Bulk" or not, and they should be able to make a complaint based on information that they have access to. A message doesn't annoy a recipient less when they're the only recipient - at least not if they don't know that.

2. It would be hard to define "Bulk", given that senders can send variants of messages, and can send them at staggered intervals. The higher the threshold is set, the harder it is to obtain evidence to convict.

3. Bulk mailers are inherently more likely to attract complaints. They're more likely to have complaints against them upheld, and penalties are likely to be more serious. Therefore there's no necessity to add legislative discrimination. On the other hand, they may have more resources to defend an action against them.

--
Ian Eiloart
IT Services, University of Sussex
x3148
Hi,

On Wed, Mar 04, 2009 at 04:46:37PM +0100, Jan Pieter Cornet wrote:
Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host.
This is actually *way* oversimplifying things.

Some SPAMs are obvious, of course, but there is a wide area of "grey" in between - some people send advertising e-mails that part of their recipients find quite interesting (because the mails meet their interests), while others consider them SPAM.

OTOH, we get SPAM complaints for info mails that people actually and provably subscribed to(!) [commercial service, people subscribe, forget about it, and later just report to spamcop instead of unsubscribing].

Gert Doering -- NetMaster
--
Total number of prefixes smaller than registry allocations: 128645
SpaceNet AG, Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14, Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen, HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444, USt-IdNr.: DE813185279
On Tuesday 10 March 2009 09.49, Gert Doering wrote:
Hi,
On Wed, Mar 04, 2009 at 04:46:37PM +0100, Jan Pieter Cornet wrote:
Definition, yes. UBE is usually easier to define and is practically equivalent to spam. But pretty much everyone recognizes a spam if they see one. It is therefore easy for a human to detect spam and take corrective action against a spammer or spamming host.
This is actually *way* oversimplifying things.
Some SPAMs are obvious, of course, but there is a wide area of "grey" in between - some people send advertising e-mails that part of their recipients find quite interesting (because the mails meet their interests), while others consider them SPAM.

I object to this view. UCE is always spam even if some recipients "think" they like it. Just look at all the suckers that get fooled by scams! UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
OTOH, we get SPAM complaints for info mails that people actually and provably subscribed to(!) [commercial service, people subscribe, forget about it, and later just report to spamcop instead of unsubscribing].
That's a problem with opt-in lists too, but that is something list-owners have to adapt to. The general public should not be carrying the burden just because "it's simpler for list-owners". Any sender of mail has to take its own costs.
Gert Doering -- NetMaster
--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
( It is cheaper to do it right. It is expensive to fix mistakes. )
On 10/03/2009 11:17, "peter h" <peter@hk.ipsec.se> wrote: [...]
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.

I've spoken with a number of police officers involved in tackling e-crime issues and on the whole it seems to be a resource issue rather than a willingness issue. Training a police officer how to handle an investigation into something quite 'virtual' is not an easy or cheap task. This means there aren't very many trained officers and so they tend to be assigned to investigating the most serious offences.

Regards,
Leo
Leo Vegoda wrote:
On 10/03/2009 11:17, "peter h" <peter@hk.ipsec.se> wrote:
Hi,
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
No, they are willing but they are unable in most cases.
I've spoken with a number of police officers involved in tackling e-crime issues and on the whole it seems to be a resource issue rather than a willingness issue. Training a police officer how to handle an investigation into something quite 'virtual' is not an easy or cheap task. This means there aren't very many trained officers and so they tend to be assigned to investigating the most serious offences.
Spam and Abuse is forbidden in Germany.

We had a lot of cases, from normal data crime (like competitors trying to spy some data from our customers) to illegal archiving to hacks, scans and password attacks, where we helped customers to identify problems and tried to bring the attacker to court according to German law.

So we were always involved and cooperated quite closely with the legal entities here.

I can only say that the entities in Germany are well equipped and trained, definitely know what they are doing and are very willing. We had a lot of very positive results if the attack started in Germany or other European countries which have similar laws.

And the entities always have one big problem:

- most attacks are started via abuse dial-in IPs somewhere in the world where they cannot work together with the provider, because provider has no interest

So, it's always the same, it's not that the legal entities are not willing, it's the providers that are not willing to help to trace any abuse back to the real originator.

This is one more reason to stop all spambot networks so that nobody can hide anymore ...

Kind regards, Frank
Regards,
Leo
On Wed, 11 Mar 2009 11:07:14 +0100, Frank Gadegast wrote:
And the entities always have one big problem: - most attacks are started via abuse dial-in IPs somewhere in the world where they cannot work together with the provider, because provider has no interest
So, it's always the same, it's not that the legal entities are not willing, it's the providers that are not willing to help to trace any abuse back to the real originator.

And so the ONLY solution to this behavior is to motivate them to cooperate by adopting a universal rule that if you are such an ISP, your traffic is refused until you come into compliance. Other domains of human activity use the same rule e.g. you don't get a driver's license until you pass the test, and if you are a drunk driver it is withdrawn. (See earlier reference for a simple system to implement this.)

Jeffrey Race
Jeffrey Race wrote:
On Wed, 11 Mar 2009 11:07:14 +0100, Frank Gadegast wrote:
And the entities always have one big problem: - most attacks are started via abuse dial-in IPs somewhere in the world where they cannot work together with the provider, because provider has no interest
So, it's always the same, it's not that the legal entities are not willing, it's the providers that are not willing to help to trace any abuse back to the real originator.
And so the ONLY solution to this behavior is to motivate them to cooperate by adopting a universal rule that if you are such an ISP, your traffic is refused until you come into compliance. Other domains of human activity use the same rule e.g. you don't get a driver's license until you pass the test, and if you are a drunk driver it is withdrawn. (See earlier reference for a simple system to implement this.)
Yes, and that's exactly what this abuse group has to define! A driver license for ISPs, they have to commit and pass a test before they get any more IP services. And RIPE has to watch their behaviour and revoke addresses that are being massively misused.

Problem: no RIPE member wants to get more work (reporting or reacting to abuse) and no RIPE member is willing to have the fees raised so that RIPE can set up such a monitoring system.

And? There we are again. This group is useless if the members are not willing to do anything against abuse (do you remember this little survey I had a week ago? We received exactly ONE answer!)

All together that are two out of what? A hundred? A thousand? How many are on this list?

Kind regards, Frank
Jeffrey Race
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.

Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".

I don't know anywhere that this is properly enforced, though.

--
Ian Eiloart
IT Services, University of Sussex
x3148
Hi,

Ian Eiloart wrote:

Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
The OPTA[1], regulator of electronic communications in The Netherlands, has a website[2] where Dutch private persons can complain about spam received from Dutch sources. Quickly looking back, I see that in the past they have fined an organisation for 510.000 euro [3] and another ruling was confirmed by a court, for a 75.000 euro fine[4]. I can't find an English reference to that though.

So something is definitely happening there :)

[1] http://www.opta.nl/asp/en/
[2] http://www.spamklacht.nl/ (only Dutch)
[3] https://www.spamklacht.nl/asp/nieuws/id/51
[4] https://www.spamklacht.nl/asp/nieuws/id/54

cheers,
Erik Romijn

Erik Romijn wrote:

Hi,

Ian Eiloart wrote:

Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
The OPTA[1], regulator of electronic communications in The Netherlands, has a website[2] where Dutch private persons can complain about spam received from Dutch sources. Quickly looking back, I see that in the past they have fined an organisation for 510.000 euro [3] and another ruling was confirmed by a court, for a 75.000 euro fine[4]. I can't find an English reference to that though.

So something is definitely happening there :)

[1] http://www.opta.nl/asp/en/
[2] http://www.spamklacht.nl/ (only Dutch)
[3] https://www.spamklacht.nl/asp/nieuws/id/51
[4] https://www.spamklacht.nl/asp/nieuws/id/54

cheers,
Erik Romijn

Hello,

For as far as I can see the OPTA is only working on spam if it comes from the Netherlands AND it is received by a person in the Netherlands. This should be changed so the receiver could live outside the Netherlands. Also small companies in the Netherlands (as long as it is for the law the same as a person) can complain at spamklacht.nl. In Dutch terms: sole proprietorships and general partnerships (eenmanszaken/vof) may not receive spam either, and the same applies to legal entities from 1 July.

On the 1st July the law in the Netherlands will be changed so all spam is illegal :).

With kind regards,
Mark Scholten
Stream Service
Ian Eiloart wrote the following on 11/03/2009 11:42:
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
There was a lot of flexibility in how the Member States were allowed to write the directive into law. Some went with opt-in, others with opt-out. And in some cases (probably most) the recipient was defined as the actual subscriber, so your business address was not considered to be a personal address.

However enforcement and implementation still varies widely over the EU. As I mentioned at RIPE 57 we would be interested in hearing from people about their own experiences across the RIPE region regarding legislation and enforcement.

If there was interest time could easily be put aside in the WG session at RIPE 58 for a number of short updates?

Brian.

Hi Ian, hi guys,

we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.

we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).

Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.

We consider this industry standard approach more efficient than any legislative approach.

Rgds
Sascha
eco association

-----Original Message-----
From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart
Sent: Wednesday, 11 March 2009 12:43
To: peter h; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted

--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:

UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.

Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".

I don't know anywhere that this is properly enforced, though.

--
Ian Eiloart
IT Services, University of Sussex
x3148
To add my 2 cents: We enforce limits on outgoing email via our SMTP servers both quantitative and qualitative. Regular users can send only a limited number of messages per minute that do not contain viruses and the SpamAssassin score is below a certain threshold. Still there is the issue of bulk mail servers for businesses, but we do not guarantee service there. I.e. we tell our customers that if they manage to blacklist the server then de-listing it is a low priority issue with my team.
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach. However, the fact that you require your users to publish SPF records is good. Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members. I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
I know that for some it's a hard fact not to be allowed to block CSA whitelisted entries any more. But because senders know exactly this, they know what they have from being CSA whitelisted and what they stand to lose if they get kicked off the list when not complying with the rules. It is this huge leverage we gain.
Currently, we have only significant German ISPs, but at least one major European incumbent is about to join. We hope to extend the reach of our list to other providers, so that we can increase the leverage. I have talked to some British providers, but so far no commitment (though the British marketers are very keen on having something like the CSA in the UK).
As I said, it is really an industry standard we are promoting here, and the more ISPs join, the better we are able to establish the standard on an international level. If you guys have more feedback, you are welcome!
rgds Sascha
-----Original Message----- From: iane@sussex.ac.uk [mailto:iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 16:21 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach. However, the fact that you require your users to publish SPF records is good. Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members. I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
Hello Sascha,
As soon as the requirement that we don't block/blacklist any IP/ISP on your list is removed, we will implement it to reduce the spam score emails get with SpamAssassin in our setup. We use multiple blacklists to tag email with SpamAssassin and some whitelists to lower the spam score on email.
With kind regards, Mark Scholten Stream Service
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Sascha Wilms Sent: Wednesday 11 March 2009 16:57 To: 'iane@sussex.ac.uk'; anti-abuse-wg@ripe.net Subject: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
I know that for some it's a hard fact not to be allowed to block CSA whitelisted entries any more. But because senders know exactly this, they know what they have from being CSA whitelisted and what they stand to lose if they get kicked off the list when not complying with the rules. It is this huge leverage we gain.
Currently, we have only significant German ISPs, but at least one major European incumbent is about to join. We hope to extend the reach of our list to other providers, so that we can increase the leverage. I have talked to some British providers, but so far no commitment (though the British marketers are very keen on having something like the CSA in the UK).
As I said, it is really an industry standard we are promoting here, and the more ISPs join, the better we are able to establish the standard on an international level. If you guys have more feedback, you are welcome!
rgds Sascha
-----Original Message----- From: iane@sussex.ac.uk [mailto:iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 16:21 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities.
So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach. However, the fact that you require your users to publish SPF records is good. Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members. I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
--On 11 March 2009 16:56:53 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
I know that for some it's a hard fact not to be allowed to block CSA whitelisted entries any more. But because senders know exactly this, they know what they have from being CSA whitelisted and what they stand to lose if they get kicked off the list when not complying with the rules. It is this huge leverage we gain.
So, what's the sanction against me if I apply my spam filters to one of your members? Just that you don't send me list updates? I could live with that. I'd not be able to enter any contractual obligation, though.
Currently, we have only significant German ISPs, but at least one major European incumbent is about to join. We hope to extend the reach of our list to other providers, so that we can increase the leverage. I have talked to some British providers, but so far no commitment (though the British marketers are very keen on having something like the CSA in the UK).
I'm slightly confused here. Your members are ISPs or Marketers? Perhaps you're referring to users of the whitelists here? If they're ISPs, does that mean that the rules are applied to all email sent through the ISP's servers? If they're ISPs, then are you requiring that they block outbound port 25 non-whitelisted addresses? And rate limiting domestic clients? That would be something I'd be very keen to encourage.
As I said, it is really an industry standard we are promoting here, and the more ISPs join, the better we are able to establish the standard on an international level. If you guys have more feedback, you are welcome!
rgds Sascha
-----Original Message----- From: iane@sussex.ac.uk [mailto:iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 16:21 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach.
However, the fact that you require your users to publish SPF records is good.
Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members.
I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
So, what's the sanction against me if I apply my spam filters to one of your members? Just that you don't send me list updates? I could live with that. I'd not be able to enter any contractual obligation, though.
I was referring with the sanctions to the senders when they don't stick to the rules. The ISPs sign a license agreement with us that states that they deliver without tagging and update and use the list - taking into account two exceptions: users want to have this blocked; or the use of the whitelist puts the network's stability of the ISP at risk in some way. So far, the situation that we would have to sanction ISPs for not sticking to the license agreement has not occurred.
I'm slightly confused here. Your members are ISPs or Marketers? Perhaps you're referring to users of the whitelists here?
Both, ISPs and senders are our members. ISPs download the information contained in the whitelist, and senders apply for certification to get listed. We are the body in between that organises the central whitelisting for the participating ISPs so that they don't need to do this themselves. Member ISPs are the users of our whitelist.
________________________________________
From: iane@sussex.ac.uk [iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 18:52 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 16:56:53 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
I know that for some it's a hard fact not to be allowed to block CSA whitelisted entries any more. But because senders know exactly this, they know what they have from being CSA whitelisted and what they stand to lose if they get kicked off the list when not complying with the rules. It is this huge leverage we gain.
So, what's the sanction against me if I apply my spam filters to one of your members? Just that you don't send me list updates? I could live with that. I'd not be able to enter any contractual obligation, though.
Currently, we have only significant German ISPs, but at least one major European incumbent is about to join. We hope to extend the reach of our list to other providers, so that we can increase the leverage. I have talked to some British providers, but so far no commitment (though the British marketers are very keen on having something like the CSA in the UK).
I'm slightly confused here. Your members are ISPs or Marketers? Perhaps you're referring to users of the whitelists here? If they're ISPs, does that mean that the rules are applied to all email sent through the ISP's servers? If they're ISPs, then are you requiring that they block outbound port 25 non-whitelisted addresses? And rate limiting domestic clients? That would be something I'd be very keen to encourage.
As I said, it is really an industry standard we are promoting here, and the more ISPs join, the better we are able to establish the standard on an international level. If you guys have more feedback, you are welcome!
rgds Sascha
-----Original Message----- From: iane@sussex.ac.uk [mailto:iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 16:21 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach.
However, the fact that you require your users to publish SPF records is good.
Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members.
I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach.
Just to put this right: we do not certify ANYONE. We only certify those senders who reveal themselves as trustworthy. We take a very thorough look at who applies for certification. We reject applicants when they cannot comply with our requirements, or when we get the impression that they are not trustworthy. And for those who get through the certification procedure anyway: we still have our sanctioning mechanisms.
Sascha
-----Original Message----- From: iane@sussex.ac.uk [mailto:iane@sussex.ac.uk] Sent: Wednesday, 11 March 2009 16:21 To: Sascha Wilms; anti-abuse-wg@ripe.net Subject: Re: AW: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 11 March 2009 15:44:04 +0100 Sascha Wilms <Sascha.Wilms@eco.de> wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
Well, that's all good. I see that in order to discover who's using your service, I have to agree not to blacklist any of your users. That's not so good. I'm not sure that I'd be interested in whitelisting anyone who's signed up to improve their marketing outreach. However, the fact that you require your users to publish SPF records is good. Are most of your members in Germany? This probably would be something I'd be interested in if you had a significant number of UK members. I do think that you need to get your English language documentation looked at by a native English speaking lawyer.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha eco association
-----Original Message----- From: anti-abuse-wg-admin@ripe.net [mailto:anti-abuse-wg-admin@ripe.net] On Behalf Of Ian Eiloart Sent: Wednesday, 11 March 2009 12:43 To: peter h; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] how to detect spambots - SPAMTrusted
--On 10 March 2009 20:17:50 +0100 peter h <peter@hk.ipsec.se> wrote:
UCE or spam is illegal in some countries, however legal authorities do not seem willing to hunt and prosecute.
Under article 13 of EU DIRECTIVE 2002/58/EC, I think that the sending of UCE is illegal in every member state of the EU, with an exemption where the recipient is an existing customer of the organisation sending the email. Even then, the sender has to give an opt out option with every email, and may only market "similar products or services".
I don't know anywhere that this is properly enforced, though.
-- Ian Eiloart IT Services, University of Sussex x3148
On Wednesday 11 March 2009 15.44, Sascha Wilms wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha
If Germany is so good at stopping spam, how come that providers like Schlund are still out-of-jail? (I have more examples of spam originating in Germany) -- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. (It is cheaper to do it right. It is expensive to fix mistakes.)
peter h wrote:
On Wednesday 11 March 2009 15.44, Sascha Wilms wrote:
Hi Ian, hi guys,
we actually enforce rules regarding bulk emails through the Certified Senders Alliance. Enforcement can naturally be applied only to those senders participating in the CSA - however, in Germany our service has become the de facto industry standard for email marketers, and the amount of emails sent by certified senders is huge. Thus, we have gained a very good leverage over this industry.
we at eco maintain a general complaints hotline, and I can't remember having seen any complaint by users or ISPs about a missing opt-out link only. Complaints are about UCEs, and not missing opt-out possibilities. So I guess we are pretty much the only body dealing with the enforcement of those rules like opt-out links, and we have effective sanctions for not sticking to the rules (and opt-out is definitely one of those rules!).
Actually, our set of rules goes beyond the stipulations made by the EU directive. And we keep on tightening the rules: SPF has now become mandatory for senders (ISPs are left with the choice whether to use this info); DKIM and double-opt-in, for example, are now recommended criteria and will be turned into mandatory criteria with the next revision of the admission criteria.
We consider this industry standard approach more efficient than any legislative approach.
Rgds Sascha
If Germany is so good at stopping spam, how come that providers like Schlund are still out-of-jail? (I have more examples of spam originating in Germany)
Hi, this is pretty easy. You will need a person or company willing to go to the police or contact a lawyer, before this can be worked on by legal entities. And: you can only complain about those cases that happened to you and not in general. Users are usually uninformed about their possibilities and only complain a lot. Spam is not being recognized by the masses as being a crime so far. That's why we need a solution to measure the spam pollution of providers in general and need a more international solution that really hurts those providers. RIPE would be great, ECO too ... Kind regards, Frank With kind regards, -- PHADE Software - PowerWeb http://www.powerweb.de Inh. Dipl.-Inform. Frank Gadegast mailto:frank@powerweb.de Schinkelstrasse 17 fon: +49 33200 52920 14558 Nuthetal OT Rehbruecke, Germany fax: +49 33200 52921 ====================================================================== Public PGP Key available for frank@powerweb.de
On 12/03/2009 1:15, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote: [...]
Users are usually uninformed about their possibilities and only complain a lot. Spam is not being recognized by the masses as being a crime so far.
And based on what I see, they tend to send abuse reports to the wrong place because they don't know how to read e-mail headers and the on-line tools they use often don't read them correctly either. I don't think end users should have to know how to read e-mail headers but I know that they often try to in an attempt to reduce the amount of spam they receive and then get very confused and frustrated when they get a note back telling them they sent the complaint to the wrong place. Regards, Leo
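The header-reading problem raised in this message, as an added example that is not part of any post in the thread: a Received chain can only be believed as far as the recipient's own servers wrote it, so the address to report is the first peer outside that set, not the oldest one claimed. The message, host names, addresses and the trusted range 192.0.2.0/24 are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: 192.0.2.0/24 stands in for the recipient's own mail servers.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample message; every host name and address is illustrative.
RAW = (
    "Received: from mx2.example.net (mx2.example.net [192.0.2.20])\n"
    "\tby store.example.net with ESMTP id A1; Thu, 12 Mar 2009 16:40:03 +0000\n"
    "Received: from mail.bulk.example ([198.51.100.77] helo=mail.bulk.example)\n"
    "\tby mx2.example.net with ESMTP id B2; Thu, 12 Mar 2009 16:40:01 +0000\n"
    "Received: from trusted-bank.example ([203.0.113.5])\n"
    "\tby mail.bulk.example with SMTP id C3; Thu, 12 Mar 2009 16:39:58 +0000\n"
    'From: "Offers" <offers@trusted-bank.example>\n'
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def peer_ip(received_value):
    """Return the peer address recorded in one Received header, or None."""
    # Only the "from ..." clause describes the peer; drop the "by ..." part.
    from_clause = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    match = _BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def is_trusted(ip, trusted_nets):
    """True when the peer is one of our own servers (or the local host)."""
    return ip.is_loopback or any(ip in net for net in trusted_nets)


def first_external_hop(raw_message, trusted_nets):
    """Address of the host that handed the message to our servers.

    Received headers are prepended, so the newest comes first. The top one
    was written by our own server; the next one is believable only if the
    peer recorded above it was also ours. The first peer outside our
    network is the last fact we can verify; everything below it was
    supplied by that peer and may be forged.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = peer_ip(value)
        if ip is None:
            continue  # assumed local hand-off without a peer address
        if not is_trusted(ip, trusted_nets):
            return str(ip)
    return None  # the message never left our own servers


def oldest_claimed_ip(raw_message):
    """What a naive tool reports: the peer in the bottom-most header."""
    msg = message_from_string(raw_message)
    for value in reversed(msg.get_all("Received", [])):
        ip = peer_ip(value)
        if ip is not None:
            return str(ip)
    return None


if __name__ == "__main__":
    print("report to the network of:", first_external_hop(RAW, TRUSTED_NETS))
    print("naive tool would blame:  ", oldest_claimed_ip(RAW))
```

On the sample, the two functions disagree, which is exactly the case where a complaint lands at the wrong network.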
On Thursday 12 March 2009 16.37, Leo Vegoda wrote:
On 12/03/2009 1:15, "Frank Gadegast" <ripe-anti-spam-wg@powerweb.de> wrote:
[...]
Users are usually uninformed about their possibilities and only complain a lot. Spam is not being recognized by the masses as being a crime so far.
And based on what I see, they tend to send abuse reports to the wrong place because they don't know how to read e-mail headers and the on-line tools they use often don't read them correctly either. I don't think end users should have to know how to read e-mail headers but I know that they often try to in an attempt to reduce the amount of spam they receive and then get very confused and frustrated when they get a note back telling them they sent the complaint to the wrong place.
Regards,
Leo
A suggestion might be to A/ encourage users to report spam via a tool such as spamcop, where the mail & headers are interpreted correctly, and B/ ask spamcop to send a copy of reports referring to RIPE blocks to European police and let them take action. Something has to be done (or e-mail as we see it is dead). Possession of unsecure computers connected to a public network should be an offense. A broken-into PC sending malware manifests all proof needed of guilt. The ISP also has a role: detect and prevent abuse of all sorts. A simple block-port25 (and forcing outbound mail to be relayed over ISP mailservers) would contribute a lot. Spammers themselves should be targeted; all of them use a channel for money, and it should be fairly easy for police to follow that chain. I want action this day!
-- Peter Håkanson There's never money to do it right, but always money to do it again ... and again ... and again ... and again. (It is cheaper to do it right. It is expensive to fix mistakes.)
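The misdirected reports Leo describes, and the correct header interpretation Peter asks of a reporting tool, both depend on which Received line is trusted. The following is an added example, not part of any poster's message: it reports only the peer address recorded by the recipient's own mail hosts. All hostnames, addresses and the TRUSTED set are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample. The top two Received lines were written by our own hosts;
# the third was supplied by the sending side and must be treated as forgeable.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
    by store.example.net with LMTP; Thu, 12 Mar 2009 16:40:02 +0100
Received: from mail.example.org (unknown [203.0.113.45])
    by mx.example.net with ESMTP; Thu, 12 Mar 2009 16:40:01 +0100
Received: from bank.example.com (bank.example.com [198.51.100.7])
    by mail.example.org with SMTP; Thu, 12 Mar 2009 16:39:58 +0100
From: "Offers" <promo@example.com>
Subject: constructed test message

body
"""

TRUSTED = {"store.example.net", "mx.example.net"}  # hypothetical own hosts
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def handoff_ip(raw, trusted=TRUSTED):
    """Return the external peer IP recorded by our own receiving hosts.

    Received headers are prepended, so they are read top-down. Only lines
    written by hosts we operate count as evidence; reading stops at the first
    line written by anyone else.
    """
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        # Unfold continuation lines, then split "from ..." and "by ..." parts.
        from_part, _, rest = " ".join(hdr.split()).partition(" by ")
        if rest.split(" ", 1)[0].lower() not in trusted:
            return None      # chain of trust broken: nothing reportable
        m = IP_RE.search(from_part)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            return None
        if any(ip in net for net in INTERNAL):
            continue         # hop between our own machines, keep walking
        return str(ip)
    return None
```

The address returned is the one whose network owner should receive the report; the older `bank.example.com` line is never consulted.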
--On 12 March 2009 08:37:51 -0700 Leo Vegoda <leo.vegoda@icann.org> wrote:
I don't think end users should have to know how to read e-mail headers
No, the authors of email clients need to expose the data from mail headers in a way that's meaningful to the user. For example, it would be so nice if they had a button to unsubscribe from a mailing list - using the list-unsubscribe header to do the right thing. -- Ian Eiloart IT Services, University of Sussex x3148
So what about Gmail? -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.com/ http://blog.blacknight.com/ Intl. +353 (0) 59 9183072 Locall: 1850 929 929 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
--On 16 March 2009 12:31:32 +0000 "Michele Neylon :: Blacknight" <michele@blacknight.ie> wrote:
So what about Gmail?
Dunno, what about them? Some context to your question might be useful. I use Gmail, but not their web client.
-- Ian Eiloart IT Services, University of Sussex x3148
participants (14)
- Angelos Karageorgiou
- Brian Nisbet
- Erik Romijn
- Frank Gadegast
- Gert Doering
- Ian Eiloart
- Jan Pieter Cornet
- Jeffrey Race
- Jørgen Hovland
- Leo Vegoda
- Michele Neylon :: Blacknight
- peter h
- Sascha Wilms
- Stream Service