At 04:41 PM 4/13/2008, Geo. wrote:
of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it,
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them?
I'm not sure I know what you mean. Are you talking about the optional feedback loop? When I was signed up for that I did get a bunch of bogus reports, but other than that I've never received a spam report from AOL at all.
The reason abuse@ addresses are useless is because what is being sent to them is useless.
I'm sure that a lot of useless reports come in--my servers never originate spam, but we still get the occasional bogus report due to forged headers. At the same time, I certainly send dozens of real spam reports every day and they all contain actionable information (that would be supplemented further if an actual human were to ask). What I've found is that "too big to fail" ISPs respond (if they accept the email at all!) with either an automated response or a canned response from a help desk monkey who is actually wrong close to half the time, while many boutique providers and most US-based .edu sites respond personally and cluefully. (Don't get me started about the US government, especially the military...) My conclusion is that the problem is not crappy reports but rather under-investment in clue at big ISP help desks. All the fancy standards and tools in the world are not going to help this basic problem: stemming the tide of abuse from their networks is simply not a high enough priority for companies like Yahoo, Hotmail, AT&T, et al. Until they start losing money every time spam leaves their network, I don't see their behavior changing.