Re: [anti-abuse-wg] When email verification behavior is abusive
If you framed your issues or questions more clearly and succinctly it would be helpful.

In relation to your specific "ask" I don't think it's the right one. You could, potentially, come up with a best practice eg. That providers should verify that account holders / users have access to an email address before letting them add it to a service. But I've no idea how you'd decided on rate limiting the verification emails. Based on my own experiences with mail servers, spam filters, grey listing etc., you can easily end up spamming yourself when those emails don't come through quickly enough.

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 18/07/2018, 12:30, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:

Thank you for asking that very valid question!

Whether something is Abuse or not abuse and when Internet behavior is abuse or not has everything to do with this WG.

And, discussing what constitutes abuse (or not), how (or even if) it affects RIR etc is very relevant as it leads to a clearer understanding of many things.

One very basic thing would be resource abuse reporting. How can anyone report abuse if it is not even considered to be abuse?

I can go on and on, but that would be counter productive.

Why do you not help and tell me what arbitrary number of verify your email address, emails would you consider to be abuse - and in/over which period?

That would be super helpful to everyone, as I do not think any of us actually knows what we all consider the arbitrary number to be?

Or are you saying it is not abuse at all?

Actually, sorry I may not understand why you are asking about relevance?

Regards

Andre

On Wed, 18 Jul 2018 11:03:47 +0000 Michele Neylon - Blacknight <michele@blacknight.com> wrote:

> What's any of this got to do with RIPE and this WG?
> Is there a policy proposal or something else forthcoming?
>
> Regards
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
> Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.:
> 370845
>

On Wed, 18 Jul 2018 13:36:41 +0000 Michele Neylon - Blacknight <michele@blacknight.com> wrote:
> If you framed your issues or questions more clearly and succinctly it would be helpful.
There are multiple issues and we each project our issues and pov, which may cause misunderstanding.
> In relation to your specific "ask" I don't think it's the right one. You could, potentially, come up with a best practice eg. That providers should verify that account holders / users have access to an email address before letting them add it to a service. But I've no idea how you'd decided on rate limiting the verification emails. Based on my own experiences with mail servers, spam filters, grey listing etc., you can easily end up spamming yourself when those emails don't come through quickly enough.
As I said, there are multiple issues.

Richard had a brilliant addition, the distributed mail bombing attacks - as I said already, even with that, there could potentially be two or more instances of abuse.

I would love to discuss that, as far as verification, captcha and all the other solution, etc. things are concerned.

But I would honestly like to understand (and it seems none of us really do, we just think we do...) - What does the average person and the average abuse admin think about the volume and the time.

From the perspective of the non ESP victim: How many verification emails per day, from the same ESP and/or the same resource, is fair?

From the perspective of all victims (ISP/Consumer/etc): being on the receiving end of 20 000 contact requests, would of course also be abuse. This has actually happened to me before and it is quite hard (but not impossible) to manage with fetchmail and some scripting :)

From the perspective of the ESP: What is best practise? If someone subscribes to Facebook, how many verify your email address, emails, in a 24 hour period, is reasonable?

I would propose that at present we suspect, but we do not really know?

So, this is what I would like to explore: the actual abuse numbers and the actual average current considered 'best practise'

Andre

participants (2)
- ac
- Michele Neylon - Blacknight