Re: [anti-abuse-wg] When email verification behavior is abusive
What's any of this got to do with RIPE and this WG? Is there a policy proposal or something else forthcoming?

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
Thank you for asking that very valid question!

Whether something is Abuse or not abuse and when Internet behavior is abuse or not has everything to do with this WG.

And, discussing what constitutes abuse (or not), how (or even if) it affects RIR etc is very relevant as it leads to a clearer understanding of many things.

One very basic thing would be resource abuse reporting. How can anyone report abuse if it is not even considered to be abuse?

I can go on and on, but that would be counter productive.

Why do you not help and tell me what arbitrary number of verify your email address, emails would you consider to be abuse - and in/over which period?

That would be super helpful to everyone, as I do not think any of us actually knows what we all consider the arbitrary number to be?

Or are you saying it is not abuse at all?

Actually, sorry I may not understand why you are asking about relevance?

Regards

Andre

On Wed, 18 Jul 2018 11:03:47 +0000 Michele Neylon - Blacknight <michele@blacknight.com> wrote:
> What's any of this got to do with RIPE and this WG? Is there a policy proposal or something else forthcoming?
>
> Regards
>
> Michele
In message <3C775DA1-20AE-441E-B30E-38243F420D24@blacknight.com>, Michele Neylon - Blacknight <michele@blacknight.com> writes

> What's any of this got to do with RIPE and this WG?

the issue of mail bombing ... people getting 20K+ emails in their mailbox, each of which is individually quite acceptable is something which the industry has been struggling with for well over a year

> Is there a policy proposal or something else forthcoming?

an obvious mitigation is CAPTCHAs on sign-up forms ... so it would be an appropriate Best Practice to document -- but whether RIPE is a suitable forum for such a document (or whether there is somewhere which is far more focused on hosting providers) I could not say.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Wed, 18 Jul 2018 12:45:35 +0100 Richard Clayton <richard@highwayman.com> wrote:

> In message <3C775DA1-20AE-441E-B30E-38243F420D24@blacknight.com>, Michele Neylon - Blacknight <michele@blacknight.com> writes
>
>> What's any of this got to do with RIPE and this WG?
>
> the issue of mail bombing ... people getting 20K+ emails in their mailbox, each of which is individually quite acceptable is something which the industry has been struggling with for well over a year

and so this still begs the question - what is the arbitrary number? 20k? or 20k+ and over what time?

The first thing to understand is if it is abuse at all.

It seems as if both Richard and Michele agree and do not think that the arbitrary number of 5 verification emails in ten minutes to a victim email address, is abuse or abusive behavior.

If in fact this is the case and the general consensus is that sending 500 verify your email address emails to a victim mailbox in ten minutes is not abuse, and the average person would only think it is abuse if they receive over 20 000 emails per day, then I guess I am wrong and I need to think about that, as in my opinion anything past 3 verify emails in 24 hours is abusive...

Still it would be interesting to know if this is actually the case. If nothing under 20 000 "verify your email address" emails per day from the same IP number / resource is not abuse - Then it would be good to know that the members of this abuse WG think that I am silly with my daily limit of three.

My clients do consider more than three 'verify your email address' emails from the same service, as spam and abuse... So if I am wrong, then there is also a big disconnect between what this list thinks and what the real world thinks...

Andre
In message , ac <ac@main.me> writes

> On Wed, 18 Jul 2018 12:45:35 +0100 Richard Clayton <richard@highwayman.com> wrote:
>
>> In message <3C775DA1-20AE-441E-B30E-38243F420D24@blacknight.com>, Michele Neylon - Blacknight <michele@blacknight.com> writes
>>
>>> What's any of this got to do with RIPE and this WG?
>>
>> the issue of mail bombing ... people getting 20K+ emails in their mailbox, each of which is individually quite acceptable is something which the industry has been struggling with for well over a year
>
> and so this still begs the question - what is the arbitrary number?

in my experience the canonical arbitrary number is 42

> It seems as if both Richard and Michele agree and do not think that the arbitrary number of 5 verification emails in ten minutes to a victim email address, is abuse or abusive behavior.

Michele did not express such an opinion and neither did I.

> Still it would be interesting to know if this is actually the case. If nothing under 20 000 "verify your email address" emails per day from the same IP number / resource is not abuse - Then it would be good to know that the members of this abuse WG think that I am silly with my daily limit of three.

You appear to have misunderstood the mail bombing attack which is widely distributed. The 20000 emails I suggested (as an indicative figure, your attack may vary) come from up to 20000 different sources -- so very small numbers from each source, thereby avoiding any rate limitation systems.

There is usually just one originating server that automates the filling in of forms on the various websites that send the verification emails -- though there appear to be multiple criminals offering the mail bombing service.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Wed, 18 Jul 2018 14:32:26 +0100 Richard Clayton <richard@highwayman.com> wrote:

<snip>

>> and so this still begs the question - what is the arbitrary number?
>
> in my experience the canonical arbitrary number is 42

so if you receive 41 emails for you to verify your email address from the same ESP and the same resource, in ten minutes, you would not consider this abuse or abusive behavior. good to know, thank you.

>> It seems as if both Richard and Michele agree and do not think that the arbitrary number of 5 verification emails in ten minutes to a victim email address, is abuse or abusive behavior.
>
> Michele did not express such an opinion and neither did I.

Of course you did. simply read the paragraph above. You would not consider 5 emails in ten minutes abuse or are you simply joking about the "canonical arbitrary number" ?

in that case: It is not very funny as you already seem confused about the TWO abusers.

The criminal going to Google and adding the verification email = Abuse
Google going and sending 5 verification emails in ten minutes = Also Abuse.

>> Still it would be interesting to know if this is actually the case. If nothing under 20 000 "verify your email address" emails per day from the same IP number / resource is not abuse - Then it would be good to know that the members of this abuse WG think that I am silly with my daily limit of three.
>
> You appear to have misunderstood the mail bombing attack which is widely distributed. The 20000 emails I suggested (as an indicative figure, your attack may vary) come from up to 20000 different sources -- so very small numbers from each source, thereby avoiding any rate limitation systems.
>
> There is usually just one originating server that automates the filling in of forms on the various websites that send the verification emails -- though there appear to be multiple criminals offering the mail bombing service.

This is a core issue that affects the entire abuse community and the very definition of what is abuse.

please also do spend the time to look at my thread about the definition of abuse. You will note that there are hundreds of posts and even a kind of, sort of, general consensus of what abuse actually is.

Yes, of course the action of the mail bomber is abuse. But, the further action of the ESP is also abuse!

So, it does not matter what criminal, syndicate, person or group initiates any action... It is up to the provider of the service, the ESP, to ensure that what that ESP is doing is not abuse.

Otherwise a criminal can do one action / post - and this results in a tenfold amplification

Which brings me back to my Google example: If Google, an ESP, sends five verify your email address emails in 10 minutes to a victim that is not known to Google, it will be my contention that this is abusive behavior.

You do not agree with that? As you have said that this behavior is not abuse, you have not yet told me why though?

Andre
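Added example, not part of any message in this thread: a sketch of the two controls the thread contrasts, a sender-side cap on verification mails per recipient (three per 24 hours, the figure proposed above) and a mailbox-side check that counts verification mails across distinct senders, which is where the distributed mail bombing described above becomes visible. All names, the sample addresses and the detector thresholds (50 mails from 25 senders within 10 minutes) are assumptions.

```python
from collections import defaultdict, deque

DAY = 24 * 3600  # seconds


class PerRecipientCap:
    """Sender side: at most `limit` verification mails per recipient per window.
    limit=3 per 24 hours is the figure argued for in the thread."""

    def __init__(self, limit=3, window=DAY):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)  # recipient -> timestamps of mails sent

    def allow(self, recipient, now):
        q = self.sent[recipient.lower()]
        while q and now - q[0] >= self.window:  # forget sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def looks_like_mail_bomb(events, now, window=600, min_msgs=50, min_sources=25):
    """Recipient side: many verification mails from many distinct senders
    inside one short window. Thresholds are assumed, not from the thread.
    events: iterable of (timestamp, sending_domain) for a single mailbox."""
    recent = [(t, src) for t, src in events if 0 <= now - t < window]
    return len(recent) >= min_msgs and len({src for _, src in recent}) >= min_sources


def simulate_distributed(n_sites, recipient="victim@example.org"):
    """Constructed scenario: one form submission per site, one per second,
    with every site enforcing its own PerRecipientCap."""
    caps = defaultdict(PerRecipientCap)
    delivered = []
    for i in range(n_sites):
        site, now = f"site{i}.example", i
        if caps[site].allow(recipient, now):
            delivered.append((now, site))
    return delivered


if __name__ == "__main__":
    mails = simulate_distributed(200)
    print(len(mails), "mails delivered, none blocked by a sender-side cap")
    print("mailbox-level detector fires:", looks_like_mail_bomb(mails, now=200))
```

The cap stops a single service from sending a fourth mail to the same address within a day, but every one of the 200 constructed sites stays under its own cap, so only the aggregate view at the receiving mailbox flags the burst.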
participants (3)
- ac
- Michele Neylon - Blacknight
- Richard Clayton