Re: [anti-abuse-wg] When email verification behavior is abusive
On Wed, 18 Jul 2018 13:36:41 + Michele Neylon - Blacknight wrote:
> If you framed your issues or questions more clearly and succinctly it
> would be helpful.
>
There are multiple issues and we each project our issues and POV, which may cause misunderstanding.

> In relation to your specific "ask" I don't think it's the right one.
> You could, potentially, come up with a best practice, e.g. that
> providers should verify that account holders / users have access to
> an email address before letting them add it to a service. But I've no
> idea how you'd decide on rate limiting the verification emails.
> Based on my own experiences with mail servers, spam filters, grey
> listing etc., you can easily end up spamming yourself when those
> emails don't come through quickly enough.
>
As I said, there are multiple issues. Richard had a brilliant addition, the distributed mail bombing attacks - as I said already, even with that, there could potentially be two or more instances of abuse. I would love to discuss that, as far as verification, CAPTCHA and all the other solutions, etc. are concerned.

But I would honestly like to understand (and it seems none of us really do, we just think we do...) - what does the average person and the average abuse admin think about the volume and the time?

From the perspective of the non-ESP victim: how many verification emails per day, from the same ESP and/or the same resource, is fair?

From the perspective of all victims (ISP/consumer/etc.): being on the receiving end of 20 000 contact requests would of course also be abuse. This has actually happened to me before and it is quite hard (but not impossible) to manage with fetchmail and some scripting :)

From the perspective of the ESP: what is best practice? If someone subscribes to Facebook, how many "verify your email address" emails in a 24 hour period is reasonable?

I would propose that at present we suspect, but we do not really know?

So, this is what I would like to explore: the actual abuse numbers and the actual average current considered 'best practice'.

Andre
Re: [anti-abuse-wg] When email verification behavior is abusive
On Wed, 18 Jul 2018 14:32:26 +0100 Richard Clayton wrote:
>
> >and so this still begs the question - what is the arbitrary number?
>
> in my experience the canonical arbitrary number is 42
>
So if you receive 41 emails for you to verify your email address from the same ESP and the same resource, in ten minutes, you would not consider this abuse or abusive behavior. Good to know, thank you.

> >It seems as if both Richard and Michele agree and do not think that
> >the arbitrary number of 5 verification emails in ten minutes to a
> >victim email address, is abuse or abusive behavior.
>
> Michele did not express such an opinion and neither did I.
>
Of course you did. Simply read the paragraph above. You would not consider 5 emails in ten minutes abuse, or are you simply joking about the "canonical arbitrary number"? In that case: it is not very funny, as you already seem confused about the TWO abusers.

The criminal going to Google and adding the verification email = Abuse
Google going and sending 5 verification emails in ten minutes = Also Abuse.

> >Still it would be interesting to know if this is actually the case.
> >If nothing under 20 000 "verify your email address" emails per day
> >from the same IP number / resource is not abuse - Then it would be
> >good to know that the members of this abuse WG think that I am silly
> >with my daily limit of three.
>
> You appear to have misunderstood the mail bombing attack which is
> widely distributed. The 2 emails I suggested (as an indicative
> figure, your attack may vary) come from up to 2 different sources
> -- so very small numbers from each source, thereby avoiding any rate
> limitation systems.
>
> There is usually just one originating server that automates the
> filling in of forms on the various websites that send the
> verification emails -- though there appear to be multiple criminals
> offering the mail bombing service.
>
This is a core issue that affects the entire abuse community and the very definition of what is abuse. Please also do spend the time to look at my thread about the definition of abuse. You will note that there are hundreds of posts and even a kind of, sort of, general consensus of what abuse actually is.

Yes, of course the action of the mail bomber is abuse. But, the further action of the ESP is also abuse! So, it does not matter what criminal, syndicate, person or group initiates any action... It is up to the provider of the service, the ESP, to ensure that what that ESP is doing is not abuse. Otherwise a criminal can do one action / post - and this results in a tenfold amplification.

Which brings me back to my Google example: if Google, an ESP, sends five "verify your email address" emails in 10 minutes to a victim that is not known to Google, it will be my contention that this is abusive behavior. You do not agree with that? As you have said that this behavior is not abuse, you have not yet told me why though?

Andre
Re: [anti-abuse-wg] When email verification behavior is abusive
If you framed your issues or questions more clearly and succinctly it would be helpful.

In relation to your specific "ask" I don't think it's the right one.

You could, potentially, come up with a best practice, e.g. that providers should verify that account holders / users have access to an email address before letting them add it to a service. But I've no idea how you'd decide on rate limiting the verification emails. Based on my own experiences with mail servers, spam filters, grey listing etc., you can easily end up spamming yourself when those emails don't come through quickly enough.

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

On 18/07/2018, 12:30, "anti-abuse-wg on behalf of ac" wrote:

> Thank you for asking that very valid question!
>
> Whether something is abuse or not abuse and when Internet behavior is abuse or not has everything to do with this WG. And, discussing what constitutes abuse (or not), how (or even if) it affects RIR etc. is very relevant as it leads to a clearer understanding of many things.
>
> One very basic thing would be resource abuse reporting. How can anyone report abuse if it is not even considered to be abuse?
>
> I can go on and on, but that would be counterproductive.
>
> Why do you not help and tell me what arbitrary number of "verify your email address" emails you would consider to be abuse - and in/over which period? That would be super helpful to everyone, as I do not think any of us actually knows what we all consider the arbitrary number to be? Or are you saying it is not abuse at all?
>
> Actually, sorry, I may not understand why you are asking about relevance?
>
> Regards
> Andre
>
> On Wed, 18 Jul 2018 11:03:47 + Michele Neylon - Blacknight wrote:
> > What's any of this got to do with RIPE and this WG?
> > Is there a policy proposal or something else forthcoming?
> >
> > Regards
> >
> > Michele
> >
> > --
> > Mr Michele Neylon
> > Blacknight Solutions
> > Hosting, Colocation & Domains
> > https://www.blacknight.com/
> > https://blacknight.blog/
> > Intl. +353 (0) 59 9183072
> > Personal blog: https://michele.blog/
> > Some thoughts: https://ceo.hosting/
> > ---
> > Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business
> > Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.:
> > 370845
> >
Re: [anti-abuse-wg] When email verification behavior is abusive
In message , ac writes

>On Wed, 18 Jul 2018 12:45:35 +0100
>Richard Clayton wrote:
>> In message <3c775da1-20ae-441e-b30e-38243f420...@blacknight.com>,
>> Michele Neylon - Blacknight writes
>>
>> >What's any of this got to do with RIPE and this WG?
>>
>> the issue of mail bombing ... people getting 20K+ emails in their
>> mailbox, each of which is individually quite acceptable is something
>> which the industry has been struggling with for well over a year
>>
>
>and so this still begs the question - what is the arbitrary number?

in my experience the canonical arbitrary number is 42

>It seems as if both Richard and Michele agree and do not think that the
>arbitrary number of 5 verification emails in ten minutes to a victim email
>address, is abuse or abusive behavior.

Michele did not express such an opinion and neither did I.

>Still it would be interesting to know if this is actually the case. If
>nothing under 20 000 "verify your email address" emails per day from
>the same IP number / resource is not abuse - Then it would be good to
>know that the members of this abuse WG think that I am silly with my
>daily limit of three.

You appear to have misunderstood the mail bombing attack which is widely
distributed. The 2 emails I suggested (as an indicative figure, your
attack may vary) come from up to 2 different sources -- so very small
numbers from each source, thereby avoiding any rate limitation systems.

There is usually just one originating server that automates the filling
in of forms on the various websites that send the verification emails --
though there appear to be multiple criminals offering the mail bombing
service.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Re: [anti-abuse-wg] When email verification behavior is abusive
On Wed, 18 Jul 2018 12:45:35 +0100 Richard Clayton wrote:
> In message <3c775da1-20ae-441e-b30e-38243f420...@blacknight.com>,
> Michele Neylon - Blacknight writes
>
> >What's any of this got to do with RIPE and this WG?
>
> the issue of mail bombing ... people getting 20K+ emails in their
> mailbox, each of which is individually quite acceptable is something
> which the industry has been struggling with for well over a year
>
and so this still begs the question - what is the arbitrary number? 20k? or 20k+ and over what time?

The first thing to understand is if it is abuse at all.

It seems as if both Richard and Michele agree and do not think that the arbitrary number of 5 verification emails in ten minutes to a victim email address is abuse or abusive behavior.

If in fact this is the case and the general consensus is that sending 500 "verify your email address" emails to a victim mailbox in ten minutes is not abuse, and the average person would only think it is abuse if they receive over 20 000 emails per day, then I guess I am wrong and I need to think about that, as in my opinion anything past 3 verify emails in 24 hours is abusive...

Still it would be interesting to know if this is actually the case. If nothing under 20 000 "verify your email address" emails per day from the same IP number / resource is not abuse - then it would be good to know that the members of this abuse WG think that I am silly with my daily limit of three.

My clients do consider more than three 'verify your email address' emails from the same service as spam and abuse... So if I am wrong, then there is also a big disconnect between what this list thinks and what the real world thinks...

Andre
Re: [anti-abuse-wg] When email verification behavior is abusive
In message <3c775da1-20ae-441e-b30e-38243f420...@blacknight.com>, Michele Neylon - Blacknight writes

>What's any of this got to do with RIPE and this WG?

the issue of mail bombing ... people getting 20K+ emails in their mailbox, each of which is individually quite acceptable is something which the industry has been struggling with for well over a year

>Is there a policy proposal or something else forthcoming?

an obvious mitigation is CAPTCHAs on sign-up forms ... so it would be an appropriate Best Practice to document -- but whether RIPE is a suitable forum for such a document (or whether there is somewhere which is far more focused on hosting providers) I could not say.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Re: [anti-abuse-wg] When email verification behavior is abusive
Thank you for asking that very valid question!

Whether something is abuse or not abuse and when Internet behavior is abuse or not has everything to do with this WG. And, discussing what constitutes abuse (or not), how (or even if) it affects RIR etc. is very relevant as it leads to a clearer understanding of many things.

One very basic thing would be resource abuse reporting. How can anyone report abuse if it is not even considered to be abuse?

I can go on and on, but that would be counterproductive.

Why do you not help and tell me what arbitrary number of "verify your email address" emails you would consider to be abuse - and in/over which period? That would be super helpful to everyone, as I do not think any of us actually knows what we all consider the arbitrary number to be? Or are you saying it is not abuse at all?

Actually, sorry, I may not understand why you are asking about relevance?

Regards
Andre

On Wed, 18 Jul 2018 11:03:47 + Michele Neylon - Blacknight wrote:
> What's any of this got to do with RIPE and this WG?
> Is there a policy proposal or something else forthcoming?
>
> Regards
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> ---
> Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business
> Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland Company No.:
> 370845
>
Re: [anti-abuse-wg] When email verification behavior is abusive
On Wed, 18 Jul 2018 12:06:29 +0100 Richard Clayton wrote:
> In message , ac writes
> >let's use a real world and existing example:
> >Me/I (Andre) goes and adds rich...@highwayman.com as my 'recovery'
> >email on Google.
> >Google then goes and dumps 5 verification emails on
> >rich...@highwayman.com in say 10 minutes
> >(as they indeed sometimes do...)
>
> I expect they actually send 1 email to each of 5 different accounts
> which you collect into a single mailbox... in similar circumstances I
> have never seen more than one email.
>
Hmm, no. Google, in fact, does send 5 verification emails in the same ten minutes. (Bearing in mind that I have email headers, etc.)

Either way, this is not about Google (although maybe it is...). So, victim-with-no-google-account@victim-own-domain receives 5 "verify your email account" emails from the same IP number/email server, in ten minutes. Is this abuse or not?

> >Would you, Richard, consider Google's behavior as Abuse?
>
> no, it's clearly your fault for adding my email -- if you did it
> deliberately then that's abuse, if you typo-ed my email address then
> that's just one of those accidents that happened in the real world
>
So, the sender of the 5 verification emails in ten minutes has no onus to check that they do not behave or allow abuse through their services?

Anyway, what I really wanted to know is what is that arbitrary number? (For me it is actually 3... - some other people I have spoken to consider two in the same day abuse... yet some other people say only one...)

So, the goal with this thread is to gauge what the abuse list thinks? What is the arbitrary number?

> note that in such circumstances you could well have allowed me to take
> over your account ... which naturally I would not take advantage of
>
In my example, the email address is actually a spamtrap and was added to stolen data (in a stolen/for sale database). The fact that Google is choosing to send 5 verification emails to this very specific spam trap is of more interest than the actual verification emails. But it does beg the obvious question: how many verification emails can a service send before that service is considered acting abusively?

> >If you just received one email (or maybe two?) - Where is the
> >arbitrary number where you personally would consider a verification
> >email, as abusive behavior? Or is five okay? is ten okay?
>
> if you receive more than one email per recovery account then something
> is broken at Google -- making a fault report is far more useful than
> deeming Google to be abusive (which will not make anything change)
>
Of late Google is less responsive to abuse complaints. Maybe they just dislike me, which is fine - but some of their current behavior skates past ethics and IMNSHO borders on the illegal/anti-social.

Anyway, as I said, this is not about Google but more about that magical number?

Andre
Re: [anti-abuse-wg] When email verification behavior is abusive
What's any of this got to do with RIPE and this WG?

Is there a policy proposal or something else forthcoming?

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
Re: [anti-abuse-wg] When email verification behavior is abusive
In message , ac writes

>let's use a real world and existing example:
>
>Me/I (Andre) goes and adds rich...@highwayman.com as my 'recovery' email on
>Google.
>
>Google then goes and dumps 5 verification emails on rich...@highwayman.com in
>say 10 minutes
>(as they indeed sometimes do...)

I expect they actually send 1 email to each of 5 different accounts which you collect into a single mailbox... in similar circumstances I have never seen more than one email.

>Would you, Richard, consider Google's behavior as Abuse?

no, it's clearly your fault for adding my email -- if you did it deliberately then that's abuse, if you typo-ed my email address then that's just one of those accidents that happened in the real world

note that in such circumstances you could well have allowed me to take over your account ... which naturally I would not take advantage of

>If you just received one email (or maybe two?) - Where is the arbitrary
>number where you personally would consider a verification email, as
>abusive behavior? Or is five okay? is ten okay?

if you receive more than one email per recovery account then something is broken at Google -- making a fault report is far more useful than deeming Google to be abusive (which will not make anything change)

-- 
Dr Richard Clayton
Director, Cambridge Cybercrime Centre                  mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD     tel: +44 (0)1223 763570
Re: [anti-abuse-wg] When email verification behavior is abusive
On Wed, 18 Jul 2018 11:27:15 +0100 Richard Clayton wrote:
> In message , ac writes
> >ESP and email relay services should verify recipient email addresses
> >prior to sending bulk emails to any random email address.
> >ESPs that simply start dumping bulk emails on victims often end up
> >listed on RBLs for abusive behavior.
> >But, when are verification emails themselves spamvertising or email
> >abuse?
>
> when people don't want them in their mailbox
>
> in a world of machine learning and email flows measured in the tens of
> billions, the only practical way of identifying abuse is to examine
> user feedback ...
>
> ... if you're not in the billions regime then you can try and write
> down complex rules to guide your users and your abuse teams, but even
> then flexibility is key because otherwise you end up arguing with an
> abuser who is skating just on the right side of some arbitrary value
>
Let's use a real world and existing example:

Me/I (Andre) goes and adds rich...@highwayman.com as my 'recovery' email on Google.

Google then goes and dumps 5 verification emails on rich...@highwayman.com in say 10 minutes (as they indeed sometimes do...)

Would you, Richard, consider Google's behavior as Abuse?

If you just received one email (or maybe two?) - where is the arbitrary number where you personally would consider a verification email as abusive behavior? Or is five okay? Is ten okay?

So, basically the question is, for the average person, or abuse admin, etc. - what is that arbitrary number? On average?

> >Our own email policy defines verification abuse as "more than 3
> >verify your email account" emails in the same 24 hour period and
> >verify your email account emails lasting longer than five 24 hour
> >periods.
> >Do you think this is reasonable? Too reasonable? More? Less?
>
> it depends on the size of the company/mailing list ... 3 new signups
> in a day may be a red letter day, or it may merely indicate that
> something broke at thirteen minutes past midnight
>
> >If you receive say 4 "verify your email account" emails in 5 minutes,
> >is this abuse?
>
> this question suggests that you might be seeing an outer ripple of an
> incident which is the modern form of mail bombing
>
> this is where users receive tens of thousands of verification emails
> in an hour or so ... sometimes this is just because the user is
> disliked, but it can be an attempt to hide other transactional email
> (associated with fraud or domain name theft) amongst all the noise
>
> few mail systems provide suitable tools to end users to deal with this
>
> regrettably few sign-up systems have (even weak) CAPTCHA systems to
> prevent automated attacks (something which an ISP providing
> hosting might usefully start requiring of its customers : rather more
> practical than trying to set some arbitrary number on emails sent)
>
> there is a proposal for assisting with automated filtering
> https://tools.ietf.org/html/draft-levine-mailbomb-header-01
> but it's not currently getting all that much traction.
>
Thanks for this, will have a look :)

Andre
Re: [anti-abuse-wg] When email verification behavior is abusive
In message , ac writes

>ESP and email relay services should verify recipient email addresses
>prior to sending bulk emails to any random email address.
>
>ESPs that simply start dumping bulk emails on victims often end up
>listed on RBLs for abusive behavior.
>
>But, when are verification emails themselves spamvertising or email abuse?

when people don't want them in their mailbox

in a world of machine learning and email flows measured in the tens of billions, the only practical way of identifying abuse is to examine user feedback ...

... if you're not in the billions regime then you can try and write down complex rules to guide your users and your abuse teams, but even then flexibility is key because otherwise you end up arguing with an abuser who is skating just on the right side of some arbitrary value

>Our own email policy defines verification abuse as "more than 3 verify
>your email account" emails in the same 24 hour period and verify your
>email account emails lasting longer than five 24 hour periods.
>
>Do you think this is reasonable? Too reasonable? More? Less?

it depends on the size of the company/mailing list ... 3 new signups in a day may be a red letter day, or it may merely indicate that something broke at thirteen minutes past midnight

>If you receive say 4 "verify your email account" emails in 5 minutes,
>is this abuse?

this question suggests that you might be seeing an outer ripple of an incident which is the modern form of mail bombing

this is where users receive tens of thousands of verification emails in an hour or so ... sometimes this is just because the user is disliked, but it can be an attempt to hide other transactional email (associated with fraud or domain name theft) amongst all the noise

few mail systems provide suitable tools to end users to deal with this

regrettably few sign-up systems have (even weak) CAPTCHA systems to prevent automated attacks (something which an ISP providing hosting might usefully start requiring of its customers : rather more practical than trying to set some arbitrary number on emails sent)

there is a proposal for assisting with automated filtering
https://tools.ietf.org/html/draft-levine-mailbomb-header-01
but it's not currently getting all that much traction.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
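The mail bombing Richard describes here, and again in his later reply further up the page (one originating server filling in sign-up forms on thousands of sites, each site sending one or two perfectly ordinary verification emails, so that any per-source rate limit never fires while the victim's mailbox fills up and the transactional message the attacker wants buried gets lost in the noise), is easiest to see with a receiver-side check that aggregates per recipient rather than per source. The following is an added example and is not code from this thread, from any mail system, or from the cited draft: it parses constructed log lines in a simplified format of this example's own design, counts verification-style messages per recipient inside a sliding window together with the number of distinct sending domains, and then lists the non-verification mail that arrived inside the flood. The log format, the subject heuristic, the thresholds and the sample traffic are all assumptions; the sample lines are constructed, not real logs.

```python
"""Receiver-side detector for distributed verification-email mail bombing.

Added example, not code from this thread or from any mail system. The
attack is one form-filling server signing a victim up at thousands of
sites; each site sends one or two normal verification emails, so a
per-source rate limit never fires. This detector therefore aggregates
per recipient. Log format, subject heuristic, thresholds and the sample
traffic are this example's own assumptions (the sample is constructed).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)
# crude "this is a sign-up verification" heuristic on the subject line
VERIFY_RE = re.compile(r"\b(verify|confirm|activate)\b.*\b(e-?mail|account|address)\b", re.I)


class Event(NamedTuple):
    ts: datetime
    sender: str
    rcpt: str
    subject: str


def parse(line: str) -> Optional[Event]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["subject"])


def build_sample_log() -> List[str]:
    """Constructed sample: 30 sites x 2 verification emails to the victim within ~7 minutes,
    one genuine transactional message buried in the middle, and unrelated traffic."""
    lines, t = [], datetime(2018, 7, 18, 10, 0, 0)
    for i in range(30):
        for _ in range(2):
            t += timedelta(seconds=7)
            lines.append(f'{t.isoformat()} from=<noreply@site{i:02d}.example> '
                         f'to=<victim@example.net> subject="Please verify your email address"')
        if i == 15:
            t += timedelta(seconds=3)
            lines.append(f'{t.isoformat()} from=<registrar@nic.example> '
                         f'to=<victim@example.net> subject="Domain transfer authorisation code"')
    lines.append('2018-07-18T10:02:00 from=<noreply@site03.example> '
                 'to=<someone@example.net> subject="Please verify your email address"')
    return lines


def detect_mailbomb(lines: List[str], window: timedelta = timedelta(hours=1),
                    min_messages: int = 20, min_sources: int = 10) -> Dict[str, dict]:
    """Flag recipients who got >= min_messages verification emails from >= min_sources
    distinct sender domains inside any sliding window. Returns {recipient: details}."""
    per_rcpt: Dict[str, List[Event]] = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if VERIFY_RE.search(ev.subject):
            per_rcpt[ev.rcpt].append(ev)
    report: Dict[str, dict] = {}
    for rcpt, evs in per_rcpt.items():
        evs.sort(key=lambda e: e.ts)
        best, j = (0, 0, 0), 0
        for i in range(len(evs)):              # two-pointer sliding window over sorted events
            while evs[i].ts - evs[j].ts > window:
                j += 1
            if i - j + 1 > best[0]:
                best = (i - j + 1, j, i)
        count, j, i = best
        domains = Counter(e.sender.rsplit("@", 1)[-1] for e in evs[j:i + 1])
        if count >= min_messages and len(domains) >= min_sources:
            report[rcpt] = {
                "count": count,                        # what the victim sees
                "sources": len(domains),               # why per-source limits never fired
                "max_per_source": max(domains.values()),
                "start": evs[j].ts, "end": evs[i].ts,
            }
    return report


def buried_messages(lines: List[str], report: Dict[str, dict]) -> Dict[str, List[Event]]:
    """For each flagged recipient, the non-verification mail that arrived inside the flood:
    the messages worth surfacing to the user, and the ones an attacker may be hiding."""
    out: Dict[str, List[Event]] = {}
    for rcpt, d in report.items():
        out[rcpt] = [ev for ev in filter(None, map(parse, lines))
                     if ev.rcpt == rcpt and d["start"] <= ev.ts <= d["end"]
                     and not VERIFY_RE.search(ev.subject)]
    return out


if __name__ == "__main__":
    sample = build_sample_log()
    rep = detect_mailbomb(sample)
    for rcpt, d in rep.items():
        print(f"{rcpt}: {d['count']} verification mails from {d['sources']} sources "
              f"(max {d['max_per_source']} per source) between {d['start']} and {d['end']}")
    for rcpt, evs in buried_messages(sample, rep).items():
        for ev in evs:
            print(f"  buried in the flood: {ev.sender} -> {rcpt}: {ev.subject}")
```

On the constructed sample the victim is flagged with 60 verification messages from 30 domains at no more than 2 per domain, which is exactly the profile a per-source limiter is blind to, and the registrar's transfer-code message is the one non-verification mail inside the window. A subject regex is a weak signal; a dedicated header of the kind the cited draft proposes would be a cleaner one, and a real deployment would also want to keep the flood rather than drop it, since the point is to surface what was hidden.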
[anti-abuse-wg] When email verification behavior is abusive
Hi All,

ESP and email relay services should verify recipient email addresses prior to sending bulk emails to any random email address.

ESPs that simply start dumping bulk emails on victims often end up listed on RBLs for abusive behavior.

But, when are verification emails themselves spamvertising or email abuse?

Our own email policy defines verification abuse as "more than 3 verify your email account" emails in the same 24 hour period and verify your email account emails lasting longer than five 24 hour periods.

Do you think this is reasonable? Too reasonable? More? Less?

If you receive say 4 "verify your email account" emails in 5 minutes, is this abuse?

Andre
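The policy in this opening post (and the "daily limit of three" defended later in the thread) is stated from the receiving side, but the same two numbers are enforceable on the sending side, where the ESP decides whether one more "verify your email address" message goes out at all. The following is an added example, not code from this thread or from any ESP: a sliding-window limiter keyed on (service, recipient) that allows at most three verification emails per 24 hours and refuses further attempts once five 24-hour periods have passed since the first one. The class, the key, the reason strings and the simulated timeline (the "five emails in ten minutes" case from the thread) are this example's own assumptions.

```python
"""Sender-side limiter for "verify your email address" messages.

Added example, not code from this thread or from any ESP. It encodes the
policy stated in the post: at most three verification emails to one
recipient in any 24-hour period, and none at all once verification
attempts for that recipient have gone on for more than five 24-hour
periods. Class and function names, the (service, recipient) key and the
simulated timeline are this example's own assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

DAY = 24 * 3600  # seconds


class VerificationLimiter:
    def __init__(self, max_per_window: int = 3, window: int = DAY, max_age: int = 5 * DAY):
        self.max_per_window = max_per_window
        self.window = window
        self.max_age = max_age
        # timestamps of sends still inside the sliding window, per (service, recipient)
        self._sent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        # when the first verification email for that pair was requested
        self._first: Dict[Tuple[str, str], float] = {}

    def allow(self, service: str, recipient: str, now: float) -> Tuple[bool, str]:
        """Decide whether one more verification email may go out right now.

        Returns (allowed, reason). The caller sends only when allowed is True;
        a refusal is the signal that the sign-up flow, not the mailbox, needs
        attention (a typo'd or stolen address, or a bug re-sending the mail).
        """
        key = (service, recipient.strip().lower())
        first = self._first.setdefault(key, now)
        if now - first > self.max_age:
            return False, "expired: still unverified after five 24-hour periods"
        sent = self._sent[key]
        while sent and now - sent[0] >= self.window:   # drop sends older than the window
            sent.popleft()
        if len(sent) >= self.max_per_window:
            return False, f"rate: {len(sent)} already sent in the last 24 hours"
        sent.append(now)
        return True, "ok"

    def mark_verified(self, service: str, recipient: str) -> None:
        """Forget the pair once the address is confirmed; a later re-verification starts afresh."""
        key = (service, recipient.strip().lower())
        self._sent.pop(key, None)
        self._first.pop(key, None)


def simulate() -> List[bool]:
    """Constructed timeline (not observed traffic): the 'five emails in ten minutes' case."""
    lim = VerificationLimiter()
    t0 = 1_531_900_000.0  # arbitrary epoch seconds
    events = [("google", "victim@example.net", t0 + 60 * i) for i in range(5)]  # five requests in four minutes
    events += [
        ("google", "other@example.net", t0 + 300),        # a different recipient is unaffected
        ("google", "victim@example.net", t0 + DAY + 1),    # the window has rolled on: one more is allowed
        ("google", "victim@example.net", t0 + 6 * DAY),    # beyond five days: refused regardless of rate
    ]
    return [lim.allow(service, rcpt, t)[0] for service, rcpt, t in events]


if __name__ == "__main__":
    print(simulate())  # [True, True, True, False, False, True, True, False]
```

Keying on (service, recipient) rather than on the requester's IP addresses the case argued in the thread, one service re-sending the same message to one address, and only that case: it does nothing against the distributed flood across many unrelated services, where each service legitimately sends its one or two messages. The five-day cut-off is the second half of the stated policy and is what stops a stale sign-up from trickling mail to a stolen or mistyped address indefinitely.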