Re: Do you obfuscate email headers when reporting spam issues to clients?
On Wed, Nov 6, 2013 at 1:30 PM, Landon <landonstewart@gmail.com> wrote:
How much trouble does your abuse department go to in order to obfuscate headers when providing evidence of spamming activity regardless of if it's intentional/professional spammer activity or some kind of malware infection allowing a third party to spam. Especially for the pro spammers, we don't want them list washing anything or worse yet becoming privy to spamtrap data if the reporting party wasn't smart enough to obfuscate their own data before sending in the report.
Howdy,
It depends on the exact situation, but the general-purpose answer is: none. zero. zip.
The customer usually can't act on your information unless he can line it up with an entry in his own logs. He needs lots of details in the headers to figure out which computer or which of his users the message came from. And he needs that information to determine whether the message really came from his system -- headers get forged, you know.
Because this is an issue inherent primarily with bulk mail, we remove all identifying information *except* the unsub link, which *should* have a unique identifying token embedded within, from which the sender *should* be able to determine the complainant's email address. And, if there is no such link, we use that as an opportunity to educate them as to *why* they need to include such a link (mind you, in order to be accredited with us the sender has to have already demonstrated that they comply with including an unsub link, but because many of our accreditation customers are ESPs, their customers may sometimes not be modelling 100% of best practices). Regardless of unsub link, or anything else, if we get a spam complaint against one of our customers, we hold their feet to the fire, and require them to explain exactly how the particular list was built, how the address was acquired, etc. Failure to do so can (and usually does) result in termination of their accreditation - in the case of an ESP, they have to take corrective measures against their spamming customer or the ESP will lose their accreditation.

Anne

Anne P. Mitchell, Esq.
Author: Section 6 of the CAN-SPAM Act of 2003
CEO/President
Institute for Social Internet Public Policy
http://www.ISIPP.com
Member, Cal. Bar Cyberspace Law Committee

How do you get to the inbox instead of the spam filter? SuretyMail!
Helping businesses keep their email out of the junk folder since 1998
http://www.isipp.com/SuretyMail
On Wed, Nov 6, 2013 at 5:16 PM, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
Because this is an issue inherent primarily with bulk mail, we remove all identifying information *except* the unsub link, which *should* have a unique identifying token embedded within, from which the sender *should* be able to determine the complainant's email address.
Hi Anne,

Judging from Landon's web page a vanishingly small percentage of his customers are in the opt-in mailing list business. He's in the generic hosting business, so aside from the abusers his customers will tend to be heavy on single-recipient administrative emails rather than mailing lists. If you send him a complaint scrubbed in the manner you describe, he won't have enough information to act. You'd basically be wasting both his time and yours.
Failure to do so can (and usually does) result in termination of their accreditation
Accreditation of what?

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
so aside from the abusers his customers will tend to be heavy on single-recipient administrative emails rather than mailing lists.
Then, if they are truly one-to-one administrative emails, that's rather odd if they are generating a disproportionate number of spam complaints, dontcha think? Unless they are inserting too much marketing into them (always dicey).
Failure to do so can (and usually does) result in termination of their accreditation
Accreditation of what?
I'll respond more fully to this offlist, as it's OT, but the short answer is that we accredit email senders who are adhering to best practices (not unlike ReturnPath, only we're the other white meat).

Anne
On Wed, Nov 6, 2013 at 5:46 PM, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
so aside from the abusers his customers will tend to be heavy on single-recipient administrative emails rather than mailing lists.
Then, if they are truly one-to-one administrative emails, that's rather odd if they are generating a disproportionate number of spam complaints, dontcha think? Unless they are inserting too much marketing into them (always dicey).
Hi Anne,

In any given above-board hosting operation there are a whole lot of things going on: There's the small ad-hoc lists where an address is typoed and the mail meant for Uncle George now goes to a random stranger. There's the emails to formerly dead addresses now resurrected by new owners. There's the folks who signed up for something and decided to unsubscribe by reporting it as spam. There are the folks playing pranks on a friend by putting his address in a bunch of "please contact me" web pages, causing the target to be one-on-one solicited by a bunch of individual salesmen. There are the server owners whose security was breached and their happy web app is now being used to relay lots of spam. And there's the spammer owned servers spewing out spam.

In each of these situations save the final one, obfuscating information in the reported spam email only serves to make it difficult or impossible to identify and stop the problem. If you start with the assumption that the origin is a spammer until proven otherwise it becomes a self-fulfilling prophecy -- because when you report the obfuscated message, they can't track it down and fix it!

Regards,
Bill Herrin
If you send him a complaint scrubbed in the manner you describe, he won't have enough information to act. You'd basically be wasting both his time and yours.
As many here know, I spent 4 years on the receiving end of the abuse@savvis box: when I was hired it was for multiple roles, but the abuse@ was a primary. Savvis had a significant spam problem when I arrived, and until just a few months before I left, had literally none.

First of all, *every* abuse email should be seriously investigated, regardless of header obfuscation. Secondly, header obfuscation is NOT a waste of time for abuse@ - in fact, it is only marginally less useful than a "fully loaded" complaint. The reason is that even the smallest (or, conversely, the most expertly organized) spammer will leave a complaint trail. The complaints grow in importance as they grow in number: ten complaints in the morning abuse email tells me that there is a serious problem with the sender, even if every single header and other identifying information is removed from the complaints. Ten complaints may not indicate malice (although it usually does), but it does tell abuse@ to start their resolution clock.

Any abuse department which outright rejects (or claims they are unable to process) an obfuscated ("munged") complaint is not to be trusted - period. The abuse department that won't respond to munging is deliberately closing their eyes to abuse on their network. Any abuse@ that fails to immediately act on reports of third-party beneficiaries (for example, drop boxes or ordering websites) on their network is doing the same thing.

As a complainant, rather than the abuse@ recipient, I will always scrub my reports *thoroughly*, by removing the significant digits of time stamps, any unique identifiers I can find (from message-ID to unsubscribe links), and anything else I think can possibly be used to listwash. The only exception to this is if I am reporting to someone I know and explicitly trust (and there are damn few of those left).

As the abuse@ guy, I would strongly encourage scrubbed reports, even reports which prove nothing other than an email went out that was unwanted (as opposed to unsolicited - it's not uncommon for people to make "spam complaints" rather than unsubscribe from mailings they legitimately subscribed to). There are a multitude of internal [& proprietary] tools at most ISPs that can lead to the appropriate determination as to what is or isn't spamming, but for the tools to be used, there needs to be a starting complaint(s).

//Alif

On Wed, Nov 6, 2013 at 4:40 PM, William Herrin <bill@herrin.us> wrote:
On Wed, Nov 6, 2013 at 5:16 PM, Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
Because this is an issue inherent primarily with bulk mail, we remove all identifying information *except* the unsub link, which *should* have a unique identifying token embedded within, from which the sender *should* be able to determine the complainant's email address.
Hi Anne,
Judging from Landon's web page a vanishingly small percentage of his customers are in the opt-in mailing list business. He's in the generic hosting business, so aside from the abusers his customers will tend to be heavy on single-recipient administrative emails rather than mailing lists.
If you send him a complaint scrubbed in the manner you describe, he won't have enough information to act. You'd basically be wasting both his time and yours.
Failure to do so can (and usually does) result in termination of their accreditation
Accreditation of what?
Regards, Bill Herrin
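The two positions in this thread pull in opposite directions: Alif scrubs timestamp digits, Message-IDs and unsubscribe links so nothing can be list-washed, while Bill points out that the recipient has to line the report up with an entry in his own logs. The script below is an added illustration of one middle ground and is not code from any poster: it replaces the handles that identify the complainant (recipient address, Message-ID, VERP return path, URL tokens, the seconds of each timestamp) and keeps what a hosting abuse desk greps for (Received hosts and IPs, queue ids, sender domain, date to the minute). Every address, host, queue id and token in the sample message is constructed, and `remaining_handles` is a hypothetical self-check, not a standard library function.

```python
"""Scrub a spam sample before forwarding it to abuse@ (added illustration).

Strips the handles a list-washer could use and keeps what an abuse desk
needs to find the message in its own logs. Every address, host and id
below is constructed for the example.
"""
import re
from email import message_from_string

PLACEHOLDER = "x@x.invalid"  # constructed stand-in for the complainant's address
ADDR_HEADERS = ("to", "cc", "delivered-to", "x-original-to")
SECONDS_RE = re.compile(r"(\b\d{1,2}:\d{2}):\d{2}\b")
QUERY_RE = re.compile(r'(https?://[^\s?<>"]+)\?[^\s<>"]*')

# Constructed sample: VERP return path, per-recipient Message-ID, tokenised links.
SAMPLE = """\
Return-Path: <bounce-8827-victim=example.net@mail.bulk-sender.example>
Delivered-To: victim@example.net
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id 7Q2kBt3Z
\tfor <victim@example.net>; Wed, 06 Nov 2013 13:30:42 -0800
Received: from mail.bulk-sender.example (mail.bulk-sender.example [198.51.100.7])
\tby mx1.example.net with ESMTP id 5RfT9c1A
\tfor <victim@example.net>; Wed, 06 Nov 2013 13:30:41 -0800
From: "Deals" <offers@bulk-sender.example>
To: victim@example.net
Subject: Big savings
Date: Wed, 06 Nov 2013 13:30:40 -0800
Message-ID: <8827.victim@mail.bulk-sender.example>
List-Unsubscribe: <http://bulk-sender.example/u?t=a1b2c3d4e5>
Content-Type: text/plain; charset="us-ascii"

Great offers inside!
To unsubscribe visit http://bulk-sender.example/unsub?id=a1b2c3d4e5
"""


def zero_seconds(value):
    """hh:mm:ss -> hh:mm:00: the minute still matches a log line, the second a message."""
    return SECONDS_RE.sub(r"\1:00", value)


def strip_query_strings(text):
    """Drop the ?query part of URLs; that is where per-recipient unsubscribe ids live."""
    return QUERY_RE.sub(r"\1", text)


def scrub_header(name, value):
    """Scrub one top-level header value; headers not listed pass through unchanged."""
    lname = name.lower()
    if lname in ADDR_HEADERS:
        return PLACEHOLDER
    if lname == "message-id":  # unique per recipient in bulk mail
        return "<scrubbed@x.invalid>"
    if lname == "return-path":  # often VERP-encodes the recipient; keep only the domain
        m = re.search(r"@([^>\s]+)", value)
        return "<scrubbed@%s>" % (m.group(1) if m else "x.invalid")
    if lname == "received":  # keep hosts, IPs and queue ids; drop the 'for <recipient>'
        value = re.sub(r"\bfor\s+<[^>]*>", "for <%s>" % PLACEHOLDER, value)
    if lname in ("received", "date"):
        value = zero_seconds(value)
    if lname == "list-unsubscribe":
        value = strip_query_strings(value)
    return value


def scrub_message(raw, recipient):
    """Return the message text with list-washing handles removed."""
    msg = message_from_string(raw)  # compat32 policy: header values stay plain strings
    local, _, domain = recipient.partition("@")
    # Rewrite every header in its original position (duplicates such as Received included).
    headers = msg.items()
    for name in {n for n, _ in headers}:
        del msg[name]
    for name, value in headers:
        msg[name] = scrub_header(name, value)
    # Text bodies: the unsubscribe link there carries the same token as the header.
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "us-ascii"
        text = part.get_payload(decode=True).decode(charset, "replace")
        del part["Content-Transfer-Encoding"]  # body is re-emitted as plain text
        part.set_payload(strip_query_strings(text))
    out = msg.as_string()
    # Belt and braces: the address may appear elsewhere, e.g. as VERP 'local=domain'.
    return out.replace(recipient, PLACEHOLDER).replace("%s=%s" % (local, domain), "scrubbed")


def remaining_handles(text, recipient):
    """Hypothetical self-check: list what a list-washer could still use; empty means clean."""
    found = []
    if recipient in text:
        found.append("recipient address")
    if QUERY_RE.search(text):
        found.append("url query string")
    if re.search(r"\b\d{1,2}:\d{2}:(?!00\b)\d{2}\b", text):
        found.append("timestamp seconds")
    return found


if __name__ == "__main__":
    print(scrub_message(SAMPLE, "victim@example.net"))
```

Run as a script it prints the scrubbed sample; the Received chain, the two queue ids and the sending host's IP survive, while the recipient address, Message-ID and unsubscribe tokens do not. Whether to also blank the queue ids is the reporter's call: they are unique per message, which is exactly why an abuse desk can match them to a log line and why a list-washer with access to the sender's logs could do the same.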
On Wed, Nov 6, 2013 at 6:27 PM, Nonaht Leyte <alif.terranson@gmail.com> wrote:
Any abuse department which outright rejects (or claims they are unable to process) an obfuscated ("munged") complaint is not to be trusted - period.
This is very credible from someone admitting to scrubbing reports, of information required by some abuse teams to appropriately process complaints, *NOT*. You say scrub.... Many would say: munging evidence, so that it is no longer admissible, or usable as supporting documentation to suspend or terminate a subscriber's service. There are abuse departments that would ignore such reports, or reply, requesting information before proceeding, and they have that right; especially, if the scrubbed reports don't offer sufficient evidence, for their particular investigation workflow to function.
As a complainant, rather than the abuse@ recipient, I will always scrub my reports *thoroughly*, by removing the significant digits of time stamps, any unique identifiers I can find (from message-ID to unsubscribe links),
regardless of header obfuscation. Secondly, header obfuscation is NOT a waste of time for abuse@ - in fact, it is only marginally less useful than a "fully loaded" complaint. The reason is that even the smallest (or,
This is an assumption, that is only true in some cases.
conversely, the most expertly organized) spammer will leave a complaint trail. The complaints grow in importance as they grow in number: ten
Often the spammer will not leave a complaint trail; they may very well have sent 1000 messages, that are logged with various different From: addresses. However, non-spammers will also often leave a "complaint trail"; to give an example: very often, non-spammers will even forward their own mail to another mailbox provider, e.g. Yahoo/AOL, and report duly forwarded spam that arrives in their forwarding destination inbox, as spam originating from the forwarding provider. Without the recipient address, the provider doing the mail forwarding has no idea if it is the forwarded mail, or ordinarily sent mail that is being filed as spam.

--
-JH
On Wed, Nov 6, 2013 at 7:27 PM, Nonaht Leyte <alif.terranson@gmail.com> wrote:
As many here know, I spent 4 years on the receiving end of the abuse@savvis box: when I was hired it was for multiple roles, but the abuse@ was a primary. Savvis had a significant spam problem when I arrived, and until just a few months before I left, had literally none.
Howdy,

Out of curiosity, what changed a few months before you left?

Regards,
Bill Herrin