Re: [anti-abuse-wg] Email Spam & Spam Abuse Definitions
The twitter example is not advertising a product or service. It is conveying information about a product/service that the person has already hired. If twitter sends unsolicited emails to someone when they have not requested that service, or have indicated they no longer want the service, then it is spam.

--------- Original Message ---------
Subject: [anti-abuse-wg] Email Spam & Spam Abuse Definitions
From: "ac" <ac@main.me>
Date: 4/27/19 4:22 am
To: anti-abuse-wg@ripe.net

Hi,

From a recent rant in the WG, something of interest was posted;

opinions on the proper definition of spam. Mr. Andre's preferred definition appears to allow for "one time" invitations to be blasted to everyone in the universe. Nonetheless, in Mr. Andre's considered opinion, "Email Spam is not the same as Spam Abuse" and a "... one

In my opinion, the sending of a confirmation email, from say Twitter, to confirm that the actual email address does indeed exist and that their further communications will be solicited - as well as including links to remove/stop further communications:

Would be spam (it is still an unsolicited email) - but that single confirmation email is not abuse in itself.

Even though Twitter may send 1000's of these to 1000's of different email addresses...

I do not think that there is anyone, that works with actual spam abuse, in this WG that disagrees completely with my opinion above.

Also, I wanted to add another useful resource link for anyone that is still learning about email abuse:

https://www.ripe.net/publications/docs/ripe-409

What is frequently missed is that BULK EMAIL itself is not the issue, but that the keyword is "unsolicited" - For example, if you were to relay 1000 invoices or 1000 status notifications or 1000 opted-in mailing list recipients, this would/should not be considered spam or abuse.

Then, of course, imnsho UBE itself is outdated as the spammers use 'drip' systems by spinning out 10000's of emails from 10000's of IPs, which various RBLs cater for by speedily listing and de-listing resources. And then there are all the shiny new tech things, which probably need a new thread:

Automated comment spam or AI based web form spam is a growing issue and is something that merits discussion and a watchful eye...

Andre
On Sat, 27 Apr 2019 20:54:40 -0700 "Fi Shing" <phishing@storey.xxx> wrote:
The twitter example is not advertising a product or service. It is conveying information about a product/service that the person has already hired. If twitter sends unsolicited emails to someone when they have not requested that service, or have indicated they no longer want the service, then it is spam.
Does not matter if a spammer is advertising a product or a service or stalking/harassing or sending 5000 emails in error.

So, what I am saying is the 'intent' of the sender is not relevant at all.

What is relevant is that the recipient is receiving emails that they did not ask for, do not want and that are causing them costs - as recipients generally pay for the bandwidth to receive email.

The point of the Twitter example is: Cyber criminal creates fake Twitter account using random victim email address. Random victim now starts receiving copious amounts of spam from Twitter.

Do you agree? - and if not can you please explain with your own example?

Practically, at the moment and afaik, for the past few months, Twitter is actually sending an initial email verification email... but they never used to before.

And, in the rest of my post below, everything else is fine?

Thanks :)

Andre
Okay, so I am assuming then that my definitions of spam are accurate.

In what phishing@storey.xxx said, the keyword was: "person has already hired"

My point is that even "verify your email address" could be Spam Abuse.

Recently I received around 14 "verify your email address" emails in the same 15 minutes...

I would say that sending so many "verify" emails, in such a short time, is Spam Abuse

And; my point is that even the first "verify your email" is Spam (it is or could be unsolicited), but that the first "verify" email in itself is not Spam Abuse per se...

This is a much under-discussed issue, as there is no clear standard or acceptable "industry practice" with regards to how many spam emails in what amount of time is considered "reasonable".

In an attack against myself, personally (yes, go figure, everyone does not love me :) ) I received a few "verify" emails from hundreds of legit services, websites and mailing lists...

So, this is an attack vector, when looking to attack a victim...

(Of course, I have, by now, figured out a method to deal with this type of attack and mitigate it, against myself, but for many people on this list, such a type of attack could prove to be challenging...)

Is anyone willing to venture a number and time period for what would be considered 'fair' in terms of sending verification emails?

Andre

On Sun, 28 Apr 2019 07:09:04 +0200 ac <ac@main.me> wrote:
In message , ac <ac@main.me> writes
Okay, so I am assuming then that my definitions of spam are accurate.
They are out of date ... on the big platforms (where perhaps 90% of the world's mailboxes are now to be found) spam detection is entirely an automated process ("machine learning" systems, with some guidance from skilled humans as to what they should definitely reject).

These machine learning systems do the learning part by observing how the users (the people whose mailboxes the systems are protecting) deal with their incoming email. If the email is rapidly deleted or "marked as spam" then the systems learn that the email was in fact spam. If the email is automatically placed into a "spam folder" but the user interacts with it and marks it "not spam" or moves it into their inbox so that they can reply, then the system learns that it has made an error and that more email of a similar type should not be treated as spam.

As a result of this the working definition of spam for 90% of all mailboxes is "email that is not wanted in the inbox just at the moment". This definition is not directly based on "permission" or "bulk" or any statutory definition -- though emails that are sent with permission or that are not sent in bulk are less likely in practice to be classified as spam.
My point is that even "verify your email address" could be Spam Abuse.
Yes I agree (and if enough of the people who receive such messages agree as well then such email will end up in the spam folder or will be rejected). Now of course the skilled humans may seek to override what the machine learning system decides (typically for example, emails from airlines containing boarding passes are deemed never to be spam) but this overriding depends entirely on the senders cooperating (an airline that sends marketing email from the same machines and with the same crypto identifiers as their boarding passes is going to rapidly find that their "deliverability" quickly declines).
Recently I received around 14 "verify your email address" emails in the same 15 minutes...
There are systems, used by criminals, which will deliver hundreds or even thousands of these within a short time period. They are used to flood mailboxes so as to hide account takeover and other wickedness. A short time spent with a search engine will find these :(
I would say that sending so many "verify" emails, in such a short time, is Spam Abuse
I would say that it was a pretty small attack ... but I could not say why it happened to you. If it happened to me I would look very carefully at the rest of my email that day.
Is anyone willing to venture a number and time period for what would be considered 'fair' in terms of sending verification emails?
Systems that fail to ensure that such emails cannot be automatically generated (by adding CAPTCHAs for example) need to be updated. This will benefit the system owner by ensuring that all signups are genuine.

You might also usefully read ... https://www.m3aawg.org/rel-WebFormHeader ... though in practice take-up of the proposed header has been limited, and if you are going to update your systems to generate it you might as well update the relevant web pages to add CAPTCHAs, randomise field names or whatever else you think will prevent automated list bombing.

--
richard

Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
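The thread asks for a number and time period but leaves it open, so here is an added example (not code from any participant in this thread) of the sender-side control Richard describes: a sliding-window limiter that caps how many verification mails one recipient address, and one requesting client IP, can trigger. The threshold values, the constructed 14-in-15-minutes scenario and the `simulate_list_bomb` helper are assumptions for illustration, not figures from the discussion.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class VerificationMailLimiter:
    """Sliding-window limiter for 'verify your email address' messages.

    Two independent windows are kept: one per recipient address (so a victim
    cannot be list-bombed through this signup form) and one per requesting
    client IP (so one automated client cannot trigger thousands of signups).
    The default thresholds are illustrative assumptions; the thread does not
    settle on a number.
    """

    def __init__(self, max_per_recipient: int = 3, max_per_source: int = 20,
                 window_seconds: int = 3600) -> None:
        self.max_per_recipient = max_per_recipient
        self.max_per_source = max_per_source
        self.window_seconds = window_seconds
        self._by_recipient: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_source: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop send timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allow(self, recipient: str, source_ip: str, now: float) -> bool:
        """Return True (and record the send) if a verification mail may go out now.

        `now` is a timestamp in seconds. The recipient is normalised to lower
        case so that case variants of one mailbox share a single budget.
        """
        rcpt_q = self._by_recipient[recipient.strip().lower()]
        src_q = self._by_source[source_ip]
        self._prune(rcpt_q, now)
        self._prune(src_q, now)
        if len(rcpt_q) >= self.max_per_recipient or len(src_q) >= self.max_per_source:
            return False  # over budget: do not send; log the refused attempt instead
        rcpt_q.append(now)
        src_q.append(now)
        return True


def simulate_list_bomb(limiter: VerificationMailLimiter, victim: str,
                       attempts: int, spacing_seconds: float) -> List[bool]:
    """Constructed scenario: `attempts` signups for one victim address, each from
    a different client IP in the documentation range 198.51.100.0/24, evenly spaced.
    Returns, per attempt, whether the limiter let the verification mail out."""
    return [limiter.allow(victim, f"198.51.100.{i % 254 + 1}", i * spacing_seconds)
            for i in range(attempts)]


if __name__ == "__main__":
    # The thread's case: about 14 verification mails to one address in 15 minutes.
    lim = VerificationMailLimiter(max_per_recipient=3, window_seconds=900)
    sent = simulate_list_bomb(lim, "victim@example.net", 14, 60.0)
    print(f"sent {sent.count(True)} of {len(sent)}, refused {sent.count(False)}")
```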
On Mon, 29 Apr 2019 11:32:23 +0100 Richard Clayton <richard@highwayman.com> wrote: <snip>
As a result of this the working definition of spam for 90% of all mailboxes is "email that is not wanted in the inbox just at the moment". This definition is not directly based on "permission" or "bulk" or any statutory definition -- though emails that are sent with permission or that are not sent in bulk are less likely in practice to be classified as spam.

agreed, but bulk is still relevant, maybe just not as relevant as before
My point is that even "verify your email address" could be Spam Abuse.

Yes I agree (and if enough of the people who receive such messages agree as well then such email will end up in the spam folder or will be rejected). Now of course the skilled humans may seek to override what the machine learning system decides (typically for example, emails from airlines containing boarding passes are deemed never to be spam) but this overriding depends entirely on the senders cooperating (an airline that sends marketing email from the same machines and with the same crypto identifiers as their boarding passes is going to rapidly find that their "deliverability" quickly declines).
Also the problem comes in when abuse is created in order to interfere with machine learning and/or when abuse exploits the process.
Recently I received around 14 "verify your email address" emails in the same 15 minutes...

There are systems, used by criminals, which will deliver hundreds or even thousands of these within a short time period. They are used to flood mailboxes so as to hide account takeover and other wickedness. A short time spent with a search engine will find these :(

I would say that sending so many "verify" emails, in such a short time, is Spam Abuse

I would say that it was a pretty small attack ... but I could not say why it happened to you. If it happened to me I would look very carefully at the rest of my email that day.

Is anyone willing to venture a number and time period for what would be considered 'fair' in terms of sending verification emails?

Systems that fail to ensure that such emails cannot be automatically generated (by adding CAPTCHAs for example) need to be updated. This will benefit the system owner by ensuring that all signups are genuine.

yes, this is very accurate and imho should be best practice :)
You might also usefully read ... https://www.m3aawg.org/rel-WebFormHeader ... though in practice take-up of the proposed header has been limited and if you are going to update your systems to generate it you might as well update the relevant web pages to add CAPTCHAs, randomise field names or whatever else you think will prevent automated list bombing.
Yes, but the process can be defined without specifying CAPTCHAs or randomised field names, as the abusers also have AI and also have machine learning tech, so instead of so much focus on the actual tech I am of the opinion that the process must be more clearly defined, as anyone can use any tech they like.

imho, WebFormHeader does/could help with counts on contact form spam and comment spam from an ops perspective, but already the same abuse in drip bypasses the value of the header data.

your doc https://www.ripe.net/publications/docs/ripe-409 is still very valid today... Currently I have started editing the doc, but, as a lot of what you said 12 years ago still applies today, there are still UBE providers, db sales, web tools, etc. and although old and mostly toothless, for independents (the 10% in your above) these kites still fly.

Would it be okay if I email you what I have early next week?

Kind Regards

Andre
On Mon, Apr 29, 2019, 2:05 PM Richard Clayton <richard@highwayman.com> wrote:
Systems that fail to ensure that such emails cannot be automatically generated (by adding CAPTCHAs for example) need to be updated.
This is not possible. CAPTCHA is not a silver bullet. What it can do for sure is prevent simple automated actions on the order of millions, maybe, but orders of hundreds of thousands are still achievable for a skilled criminal. I know some are lucky to have it working for now, but there's no guarantee. Therefore it cannot be a requirement.

--
Töma
Comments on two points raised in this discussion:

First, the canonical definition of [email] spam is "unsolicited bulk email", UBE for short. (This effectively replaced terms that were extant earlier in ARPAnet days, e.g., "mass mail abuse".) This is not open for question or debate: the matter has been settled a long time ago.

Since then, of course, other (slang) terms describing other forms of abuse/attack have been coined: for example, "phish". It seems reasonable to presume that still other terms will eventually come into common use as new kinds of threats arise and we find ourselves requiring a way to refer to them -- for example, "spear-phishing" is even more recent. But the emergence of new terminology is not in any way a valid reason to change the longstanding use of existing terminology.

Over the many years since the canonical definition of spam was determined, a lot of people have attempted to change it. All of them fall into one of two categories:

(a) people who do not understand the definition
(b) people who understand it quite well but wish to modify it in order to cause what they're doing to not be classified as spam.

The people in (a) are often well-intentioned, which is good, but their lack of understanding and their resulting wish to change a definition that has served us extremely well for a very long time is counterproductive. They may not realize it, but they are serving the cause of spammers by trying to tinker with something they don't really understand. I strongly encourage anyone contemplating doing this to consider the consequences of doing so at length -- because in dozens and dozens of instances I've observed over the past couple of decades, even a brief examination suffices to reveal massive and quite clearly fatal flaws in all such proposals.

The people in (b) are, of course, spammers (or their shills, apologists, lobbyists, etc.), and as Vernon Schryver has pointed out, they seek a customized redefinition of spam as "that which we do not do". They, and their arguments, must be immediately dismissed with prejudice, for the same reason that we do not allow murderers to advance a line of reasoning which would conveniently redefine murder as "that which we do not do".

Second, captchas are a worst practice. They can be and are defeated at will by any adversary who can trouble themselves to do so. [1] They're security theater: think Wile E. Coyote holding an umbrella over his head while a boulder drops toward him. [2]

Worth noting as well are (a) the continued and accelerating convergence of the trend lines denoting "captcha hard enough to defeat automation" and "captcha easy enough to be solvable by humans" and (b) the onerous additional burden that these often place on people who have diminished eyesight and hearing, who are part of different cultures, etc.

There are far better ways to defend resources, and -- judiciously deployed -- these methods are not nearly as susceptible to adversarial manipulation, nor do they make life more difficult for people whose lives are arguably difficult enough already.

---rsk

[1] Here's an example of what I mean by "defeated at will":

Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com
http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/

[2] A partial list of references follows. Do note that the contemporary state of the art in captcha-defeating techniques is much more advanced than any of these suggest. Of course it is: attacks always get better - they never get worse. (h/t to Bruce Schneier) Also, there's plenty of funding -- see footnote [1] above -- available to support research and development in this area that will NOT be helpfully published in blogs or journals.

So consider what is enumerated below as the lower bound of what *was* possible and extrapolate markedly upwards to estimate what *is* currently available.

Stanford researchers outsmart captcha codes
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html

CIntruder: pentesting tool to bypass captchas
http://cintruder.sourceforge.net/

How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knee...

Snapchat Account Registration CAPTCHA Defeated - Slashdot
http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-...

Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cra...

Troy Hunt: Breaking CAPTCHA with automated humans
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html

Slashdot | Now Even Photo CAPTCHAs Have Been Cracked
http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Cheap CAPTCHA Solving Changes the Security Game
https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-secu...

unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds
https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recapt...