Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Tue, 05 Aug 2003 09:56:52 BST, [EMAIL PROTECTED] said: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). You can replace complex and buggy spam filtering software with simple rules on your NIMTP servers. Erm. No. That's an *eventual* benefit. If you're among the first 10 sites to deploy, you get to haul the complex and buggy spam filtering software along until enough other sites start running the new protocol that you can get away with saying screw you and dropping SMTP support entirely. Or you can drop SMTP support immediately, or you can drop the spam filtering immediately - I think both of those are covered by Randy Bush's I invite my competitors to design their networks this way ;)
Re: Complaint of the week: Ebay abuse mail (slightly OT)
of course not. but the first thing to do is ignore naysayers. anybody who tells you something can't be done should be suspected of extreme and pervasive laziness until either they or you prove otherwise. thanks for the great technical analysis
Re: Complaint of the week: Ebay abuse mail (slightly OT)
[EMAIL PROTECTED] wrote: And so we should do nothing? No, but neither should we plan on engineering a solution. As Neil says - and many know Neil and I generally disagree on principle about everything - a technical solution will never get rid of spam. It may reduce it for a time, but not for very long. The correct solution is to make spam uneconomic by some means, then it will slow down to a trickle, maybe. Peter
Re: Complaint of the week: Ebay abuse mail (slightly OT)
And so we should do nothing? No, but neither should we plan on engineering a solution. not necessarily. as i have been trying to point out for some years, look at bellovin's presentation at a nanog a few years ago on pushback (sorry, i am on dialup and searches are a major pain). that isps have not been beating up the vendors to work on this boggles the mind. randy
Re: Complaint of the week: Ebay abuse mail (slightly OT)
The web of trusted email servers would use a new and improved mail transfer protocol (NIMTP) that would only be used to exchange email between trusted servers. Users could continue to use authenticated SMTP to initiate the sending of email, but nobody would accept any unauthenticated SMTP servers any more. And this would deploy how? In particular, consider the following questions: A few of the larger user sites such as AOL and MSN would deploy it between themselves. Once it is proven, they would analyse their logs and invite the large email sender sites to begin using the protocol. Once it is clear that NIMTP can be deployed easily and cheaply, they begin to impose rate limiting on email senders using SMTP which will cause queues to build at the email sender sites. Eventually running NIMTP will be recognized as the right thing to do and everyone will use it. 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). You can replace complex and buggy spam filtering software with simple rules on your NIMTP servers. Since the spammer cannot spoof their identity, you simply rate limit them based on the volume of attempts. I.e. if a sender attempted to send 10 messages in one hour, you might limit him to 2 per hour but if he attempted to send 100 per hour you would limit him to 1 per hour. And if he attempted to send 1000 per hour you would limit him to 1 every 4 hours. 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?) The site owners pay all the costs and reap all the benefits. Just like today with spam filtering. 3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that?
(For any given scheme that doesn't fly unless 90% or more of sites do it, explain how you bootstrap it). The incremental benefit is there if NIMTP deployment starts with large email sites. 4) Does the protocol still keep providing benefit if everybody deploys it? (This is a common problem with SpamAssassin-like content filters - if most sites filter phrase xyz, spammers will learn to not use that phrase). Of course it keeps providing benefits. The two key elements of NIMTP (New Improved Mail Transfer Protocol) are that the receiver will only receive email messages from a known sender site and the sender site will certify the identity of the message sender. In order to know the sender site, there needs to be an authentication handshake for a session and it needs to be based on some kind of prearranged agreement and key exchange. In order to certify the message sender, all messages will need to be relayed through an NIMTP relay site and the message sender will need to authenticate themself, i.e. using something like AuthSMTP. But AuthSMTP will only be used between mail clients and their email service provider. NIMTP is intended to be used between email service providers. Some of these NIMTP sites will be relaying email for smaller NIMTP sites that cannot afford the complexity of prearranging keys with all other NIMTP sites. To summarize, the NIMTP core will have NIMTP peering arrangements with every other member of the NIMTP core, but many NIMTP sites will only have NIMTP peering with one or two other sites. In order for anyone to send email within the NIMTP world they will need to hand the email to any NIMTP site who will relay it to its destination. But the NIMTP site will only accept email if it can certify the sender's identity. If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'. 
I've just joined the ASRG list and if I can find the time I will try to write this up as a draft architecture and post it. But feel free to copy these emails to ASRG if you feel it would be worth discussing there. --Michael Dillon
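The volume-based throttle proposed in the message above, as an added example that is not part of the original post or of any NIMTP implementation. The class and function names are hypothetical; the assumptions are that the sender identity has already been certified by the relay, that the three figures in the post are tier thresholds (senders under 10 attempts per hour are not limited), and that "N per hour" is enforced as a minimum spacing between accepted messages.

```python
from collections import defaultdict, deque

HOUR = 3600  # seconds

# (attempts seen in the last hour, minimum seconds between accepted messages)
# Figures from the post: 10/h -> 2 per hour, 100/h -> 1 per hour,
# 1000/h -> 1 every 4 hours. Checked highest tier first.
TIERS = [(1000, 4 * HOUR), (100, HOUR), (10, HOUR // 2)]


class SenderRateLimiter:
    """Throttle keyed on a certified sender identity (hypothetical helper).

    The scheme only works if the identity cannot be spoofed, so the caller
    must pass the identity established by authentication, not a header value.
    """

    def __init__(self):
        self.attempts = defaultdict(deque)  # sender -> attempt times, last hour
        self.last_accept = {}               # sender -> time of last accepted msg

    def min_interval(self, sender, now):
        """Spacing currently required for this sender, from recent attempt volume."""
        window = self.attempts[sender]
        while window and window[0] <= now - HOUR:
            window.popleft()                # forget attempts older than one hour
        for threshold, interval in TIERS:
            if len(window) >= threshold:
                return interval
        return 0                            # low-volume sender: no limit (assumption)

    def offer(self, sender, now):
        """Record one delivery attempt; True = accept, False = defer (retry later)."""
        self.attempts[sender].append(now)   # deferred attempts still count as volume
        interval = self.min_interval(sender, now)
        last = self.last_accept.get(sender)
        if interval and last is not None and now - last < interval:
            return False
        self.last_accept[sender] = now
        return True


def simulate(per_hour, hours, sender="user@example.net"):
    """Constructed traffic: evenly spaced attempts; returns accepted timestamps."""
    limiter = SenderRateLimiter()
    accepted = []
    for i in range(per_hour * hours):
        now = i * HOUR // per_hour
        if limiter.offer(sender, now):
            accepted.append(now)
    return accepted


def accepted_between(accepted, start, end):
    """Number of accepted messages with start <= t < end."""
    return sum(1 for t in accepted if start <= t < end)


if __name__ == "__main__":
    for rate, hours, span in [(5, 4, 1), (10, 4, 1), (100, 6, 1), (1000, 12, 4)]:
        got = accepted_between(simulate(rate, hours), (hours - span) * HOUR, hours * HOUR)
        print(f"{rate:>4} attempts/h -> {got} accepted in the final {span} h")
```

The first few messages of a burst are accepted before the hourly counter reaches the lowest tier, which is why the run compares steady-state windows rather than totals; deferred attempts keep counting, so a sender who keeps retrying at high volume stays in the strict tier.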
Re: Complaint of the week: Ebay abuse mail (slightly OT)
we all knew that profitable large network owners would change the landscape compared to merely ebitda-positive large network owners, and here's an example of how big company cost management practices can go up against reasonable and customary internet behaviour and pretty much ignore it. Having an abuse@ email address may be customary Internet behavior but it is no longer reasonable. The fact is that SMTP email has outlived its usefulness and needs to be replaced with something that provides a chain of authentication that certifies the sender's identity. Once email senders are no longer able to falsify their identity, then it will again be economically feasible for companies to accept abuse@ email from anyone. Instead of working to prevent email relaying, we should be working to encourage it along with certification of the sender's identity. If we had a web of ISP mail servers that trust each other to certify the sender's identity, then people would be happy to accept any and all email relayed through that web. The web of trusted email servers would use a new and improved mail transfer protocol (NIMTP) that would only be used to exchange email between trusted servers. Users could continue to use authenticated SMTP to initiate the sending of email, but nobody would accept any unauthenticated SMTP servers any more. --Michael Dillon
Re: Complaint of the week: Ebay abuse mail (slightly OT)
Speaking on Deep Background, the Press Secretary whispered: Having an abuse@ email address may be customary Internet behavior but it is no longer reasonable. The fact is that SMTP email has outlived its usefulness and needs to be replaced with something that provides a chain of authentication that certifies the sender's identity. Will eBay do business with me if THEY have to type in a 1 square on MY webform? -- A host is a host from coast to [EMAIL PROTECTED] no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Mon, 04 Aug 2003 13:38:37 BST, [EMAIL PROTECTED] said: The web of trusted email servers would use a new and improved mail transfer protocol (NIMTP) that would only be used to exchange email between trusted servers. Users could continue to use authenticated SMTP to initiate the sending of email, but nobody would accept any unauthenticated SMTP servers any more. And this would deploy how? In particular, consider the following questions: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?) 3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that? (For any given scheme that doesn't fly unless 90% or more of sites do it, explain how you bootstrap it). 4) Does the protocol still keep providing benefit if everybody deploys it? (This is a common problem with SpamAssassin-like content filters - if most sites filter phrase xyz, spammers will learn to not use that phrase). If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
Also the fact that the transition time would require many companies to run 2 or more protocols. And simply put the majority of SMTP isn't bad, if fully implemented as a single standard and implemented by vendors and developers. But the idea isn't bad, but may have massive cost additions, if you are going to authenticate servers, we would basically be better off to run a FIDONET netmail configuration, where you must register to a controlling party, but then that may mean a monthly charge. Though I do have my own proposal sitting on top of SMTP, and used initially as something to determine the level of filtering to do, it would reduce requirements on dns queries to various rbl's. It will also validate headers and each host along the way. Another thing that I am putting in the ID.. is standard error message formats, it would make life easier for maillist owners, there is one mail server that sends back only the account name of an invalid mailbox, without a domain or email address to help even figure which message failed. Jason On 4 Aug 2003 at 12:16, [EMAIL PROTECTED] wrote: On Mon, 04 Aug 2003 13:38:37 BST, [EMAIL PROTECTED] said: The web of trusted email servers would use a new and improved mail transfer protocol (NIMTP) that would only be used to exchange email between trusted servers. Users could continue to use authenticated SMTP to initiate the sending of email, but nobody would accept any unauthenticated SMTP servers any more. And this would deploy how? In particular, consider the following questions: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?)
3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that? (For any given scheme that doesn't fly unless 90% or more of sites do it, explain how you bootstrap it). 4) Does the protocol still keep providing benefit if everybody deploys it? (This is a common problem with SpamAssassin-like content filters - if most sites filter phrase xyz, spammers will learn to not use that phrase). If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
Valdis Kletnieks [EMAIL PROTECTED] wrote: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). The immediate benefit (as sender) is that you reduce the (now ever-increasing) risk of your mail being rejected by filtration processes and will be trusted on arrival; the benefit for the recipient is of course less junk! However you CAN stop accepting plain old SMTP right away, because you can delegate that to a filtration service that hosts your old-style MX, applies ever-increasingly stringent filtration rules, and then forwards to you using the new protocol. Several such filtration services may well appear when the time is right. 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?) Both parties get benefits which seriously outweigh the costs! 3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that? To some extent the concept is already here, and deployed, whether using in-house filters or remote-MX, to subject the unauthenticated mail - which of course is currently ALL the mail - to appropriate filtering. (For any given scheme that doesn't fly unless 90% or more of sites do it, explain how you bootstrap it). That is a very valid point that most people don't address. I define any new scheme as unworkable unless someone can describe the present, albeit unsatisfactory, arrangements that it offers to replace as a special case of the new scheme for which there is clearly-defined correct handling. 4) Does the protocol still keep providing benefit if everybody deploys it? That depends entirely on the contractual relationships that may exist between mail-exchanging sites. Just implementing an authenticating protocol on its own will NOT help.
There will be a prima-facie need for a selection of trust-authorities who specify what is acceptable for their trusted-senders to send. Recipients then get to choose which criteria are closest to their requirements (including whitelisting if needed on a per-site basis). (This is a common problem with SpamAssassin-like content filters - if most sites filter phrase xyz, spammers will learn to not use that phrase). That goes for any precautions taken - not just content filters. That is WHY the contractual relationships are absolutely essential for any new scheme. And there, too, lies the bulk of the work needed - the technical issues do not place any great demands on the networking community. If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'. Heh. The noise-to-signal level *there* is far worse than in NANOG - by at least 12dB last time I looked ;-) -- Richard Cox RC1500-RIPE
Re: Complaint of the week: Ebay abuse mail (slightly OT)
I would have thought people would have learned by now that there is no technical solution to spam. You can go ahead with all these wonderfully expensive authentication/filtration/insertantispambuzzword systems until the cows come home and you will +_still_+ receive spam. Regards, Neil.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Mon, 04 Aug 2003 19:41:35 BST, Richard D G Cox [EMAIL PROTECTED] said: The immediate benefit (as sender) is that you reduce the (now ever-increasing) risk of your mail being rejected by filtration processes and will be trusted on arrival; the benefit for the recipient is of course less junk! Erm. No. You only get benefit as *other* sites deploy. If they haven't bought in, they won't contact your new service. Or to use a totally different example - if you've deployed IPv6, you won't actually get connections from other sites until THEY put up IPv6 too. Your users receive less junk only once a significant number of other sites deploy. However you CAN stop accepting plain old SMTP right away, because you can delegate that to a filtration service that hosts your old-style MX, applies ever-increasingly stringent filtration rules, and then forwards to you using the new protocol. Several such filtrations services may well appear when the time is right. And this is an improvement over just applying the filtration rules *how*? ;) Since SpamAssassin isn't good enough to solve the problem, I'll run it over THERE instead, and then forward 99.9% of my mail to here over new protocol XYZ. 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?) Both parties get benefits which seriously outweigh the costs! Enumerate. Remember *not* to count benefits that aren't a result of your protocol change... 3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that? To some extent the concept is already here, and deployed, whether using in-house filters or remote-MX, to subject the unauthenticated mail - which of course is currently ALL the mail - to appropriate filtering. Right.. so you can't count filtering as a benefit (see above).
So what benefit do you get for doing it *before* it reaches critical mass? That goes for any precautions taken - not just content filters. That is WHY the contractual relationships are absolutely essential for any new scheme. And there, too, lies the bulk of the work needed - the technical issues do not place any great demands on the networking community. Gaak. There was a *reason* the X.400 concept of ADMD and PRMD died an ugly death - it doesn't scale well at all. Contractual relationships is just a buzzword meaning whitelisting after the lawyers got hold of it. :) ObNANOG: If this goes through, it will be considered a revenue source by many providers. See peering versus buying transit for details. ;) If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'. Heh. The noise-to-signal level *there* is far worse than in NANOG - by at least 12dB last time I looked ;-) Would improve vastly if asrg wasn't spending so much time thrashing yet another non-bootstrappable proposal to death :) And to the other responder whose name I've lost- yes, there's no good technical solution to spam. That's why I advocate collecting $500 from each ISP to hire some muscle from a suitable ethnic organized crime organization (I'm told competition is driving the costs down ;) to explain our position and make some examples. This would quickly change the perceived economics of spamming - that $4K/week suddenly looks a *lot* less inviting when you know the last guy who tried it got a visit from 3 guys with baseball bats... ;)
Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Mon, Aug 04, 2003 at 12:16:12PM -0400, [EMAIL PROTECTED] wrote: On Mon, 04 Aug 2003 13:38:37 BST, [EMAIL PROTECTED] said: The web of trusted email servers would use a new and improved mail transfer protocol (NIMTP) that would only be used to exchange email between trusted servers. Users could continue to use authenticated SMTP to initiate the sending of email, but nobody would accept any unauthenticated SMTP servers any more. Hmmm. I fail, personally, to see why ESMTP couldn't handle it. Sure, it would require a new extension, but that's what the E is for, isn't it? Specifically, view it as a form of public-key certificate exchange, whether you trust a central authority or a web of trust to establish that identity (and, really, nothing says you couldn't do both). A signature from each hop along the way (though normally this wouldn't be more than 2-3, since most mailservers these days directly connect). And this would deploy how? In particular, consider the following questions: 1) What *immediate* benefits do you get if you are among the first to deploy? (For instance, note that you can't stop accepting plain old SMTP till everybody else deploys). The very, very first to deploy? Very little, but also very little, if any, cost - since nobody will invoke that extension, there's no crypto verification overhead inbound or outbound. It costs a few bytes in your EHLO block, I guess, and some code that will stay paged out once the process has run for any length of time. Almost the first to deploy, before wide adoption? Tie it into your other spam filtering systems. Stuff from trusted sources (however that is defined) can get tailored rules for each verified site (for most, that probably means higher trust; for a few, lower). 2) Who bears the implementation cost when a site deploys, and who gets the benefit? (If it costs *me* to deploy, but *you* get the benefit, why do I want to do this?)
Like many game situations, all deployers benefit, in a curve related to the number of deployers, and the cost hits each deployer. Making the overhead cost very low (an extra config line the next time you upgrade sendmail, to turn it on, and adding certificates for sites you actually care about, if and when you care about them) would remove most of the pain. A marginal cost to deploy, weighed against a benefit based on the risk of others deploying, can still be an acceptable business risk. 3) What percentage of sites have to deploy before it makes a real difference, and what incremental benefit is there to deploying before that? (For any given scheme that doesn't fly unless 90% or more of sites do it, explain how you bootstrap it). Two sites that speak to each other will potentially make a difference to those two sites. Value as deployment increases is probably better than linear, for most calculations of value return (I'm sure there are some where it might not be; they don't have to deploy, if the cost is higher than the value return, but that seems likely to be rare *if* it's done properly). 4) Does the protocol still keep providing benefit if everybody deploys it? (This is a common problem with SpamAssassin-like content filters - if most sites filter phrase xyz, spammers will learn to not use that phrase). Yes. It provides more benefit the more sites deploy it, by building a cohesive web of trusted servers within which one can believe, with some reasonable expectation of being correct, that you know who is actually talking to you - and make secondary decisions based on that, much as many folks now do with RBLs. If you have a *serious* proposal that actually passes all 4 questions (in other words, it provides immediate benefit to early adopters, and still works when everybody does it), bring it on over to '[EMAIL PROTECTED]'. The devil is, of course, in the details. 
The most crucial of them being that it *must* be extremely easy to implement, likely to be implementable in widespread software releases, and that the incremental overhead of use must be small enough that the value provided is greater, in most cases. In my opinion, at least, the value derived isn't from stopping spam; spammers will still use throwaway accounts, folks will still try to scam others, none of this will magically stop existing. The value is in establishing a single, verifiable, consistent identity for any system with which you might wish to talk, so that you can make decisions based on that identity (or the lack thereof). Much of this is based on my observations of the use and adopting of PGP and SSL certificates. I don't sign all of my messages - most of them, yes, but I occasionally don't do so if I expect the recipient might have problems reading it, and if the recipient is valuable enough to make that choice. Even though 90% of the mail coming to my inbox isn't PGP signed, it also doesn't incur any extra cost; my client supports it automagically, and only invokes it when I *do* get signed mail. I
Re: Complaint of the week: Ebay abuse mail (slightly OT)
Date: Mon, 4 Aug 2003 18:50:36 -0400 (EDT) From: [EMAIL PROTECTED] And so we should do nothing? If a _few_ networks null-route abusers, said networks isolate themselves. If _all_ networks cut off abusers, who becomes the island? Fixing the Internet is difficult. What can't be tackled overnight isn't worth the effort. Let's leave it to future generations. (At least we all feel a bit better each time after we gripe on nanog.) Eddy -- Brotsman Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
[EMAIL PROTECTED] writes: And so we should do nothing? of course not. but the first thing to do is ignore naysayers. anybody who tells you something can't be done should be suspected of extreme and pervasive laziness until either they or you prove otherwise. -- Paul Vixie
Re: Complaint of the week: Ebay abuse mail (slightly OT)
Here is a company who thinks they have a solution for spam http://www.nwtechusa.com/ironmail-zd-srit-enterprise-security.html -Henry [EMAIL PROTECTED] wrote: I would have thought people would have learned by now that there is no technical solution to spam. You can go ahead with all these wonderfully expensive authentication/filtration/insertantispambuzzword systems until the cows come home and you will +_still_+ receive spam. Regards, Neil. And so we should do nothing?
Complaint of the week: Ebay abuse mail (slightly OT)
To add to the eternally annoying list of companies that ignore abuse@ mail... ebay now requires that you fill in their lovely little web form to send them a note. Even if, say, you're trying to let them know about another scam going around that tries to use the machine www.hnstech.co.kr to extract people's credit card information. Has anyone had success in convincing companies that this is just A Bad Idea (ignoring abuse mail), and if so, how did you manage to do it? Sorry for the slightly non-operational content, but I've had it with ebay on this one. -Dave - Forwarded message from eBay Safe Harbor [EMAIL PROTECTED] - Date: Sat, 02 Aug 2003 22:58:01 -0700 From: eBay Safe Harbor [EMAIL PROTECTED] Subject: Your message to [EMAIL PROTECTED] was not received (KMM86277800V90276L0KM) To: David G. Andersen [EMAIL PROTECTED] Auto-Submitted: auto-replied Reply-To: eBay Safe Harbor [EMAIL PROTECTED] X-MIME-Autoconverted: from quoted-printable to 8bit by eep.lcs.mit.edu id h735w5sU087612 Thank you for writing to the eBay SafeHarbor Team. The address you wrote to ([EMAIL PROTECTED]) is no longer in service. Please resend your email to us through one of the online webforms listed below. Using these forms will help us direct your email to the right department where we can quickly answer your question correctly and get it right back to you. For Trust and Safety issues (reports of policy violations, problems with transactions, suspensions, etc.) please use the following webform: http://pages.ebay.com/help/basics/select-RS.html For General Support questions (billing, bidding, or selling concerns and technical issues, etc.) please use the following webform: http://pages.ebay.com/help/basics/select-support.html Once on the webform, what will really help us assist you further is if you choose the best topic for your question. This will allow you to view our Instant Help pages, where you may find your answer immediately. 
Should you not find your answer there, choosing the best topics will still help us answer your question faster, correctly, and completely. We truly appreciate your assistance in this matter and apologize for any inconvenience this may have caused. Sincerely, eBay SafeHarbor Team - End forwarded message - -- work: [EMAIL PROTECTED] me: [EMAIL PROTECTED] MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
... ebay now requires that you fill in their lovely little web form to send them a note. Even if, say, you're trying to let them know about another scam going around that tries to use the machine www.hnstech.co.kr to extract people's credit card information. one can easily imagine that their abuse@ alias was receiving so much spam that it was too costly to read it all and fish out the valid complaints. (this is a ~recent spammer tactic, clogging the metadata paths to make it harder for network owners to discuss spammer activities.) however, the real reason is likely to be lack of uniformity in complaints. among the population who complains to abuse@, there isn't a single definition of spam or abuse or hack or scam or what have you. a complaint that is about a credit card scam is only differentiable from a complaint that is about a spamvertised web site after a fairly expensive human has seen both and made a determination. at ebay's transaction volume i'm sure that the aggregate costs of those humans was looking pretty large. so it was for all the other companies who have tried to manage their abuse costs by making people go to web sites. most of these companies were not as financially successful as ebay, though, and the unwillingness of the public to fire up a web browser in order to give the valuable gift of feedback about customer activity turned into a larger cost than the one they were avoiding. ebay is a different animal, and i'll take bets that the potential complainants who send enough abuse complaints overall that they have to prefer e-mail and say no to web forms, is not even part of their target audience. that means they don't care if you stop using their service, or blackhole all mail from them, or whatever you have to do to protect yourself from their other customers... because they will still have tens of millions of other customers who don't send abuse complaints or who are willing to deal with web forms. this sounds like i'm defending them. i'm not. 
but while reprehensible and irresponsible and socially radical, the web form approach's only real cause for failure is when the lack of a useful feedback channel curtails complaints which the network owner would find valuable. that's just not provably true in the case of ebay. we all knew that profitable large network owners would change the landscape compared to merely ebitda-positive large network owners, and here's an example of how big company cost management practices can go up against reasonable and customary internet behaviour and pretty much ignore it. this won't be a case where taking your complaint to the peering/backbone folks can result in a policy change, either. to get the attention of the people who make this kind of decision in a company like ebay, you'd have to go to the better business bureau, or congress. good luck storming the castle, boys. -- Paul Vixie
Re: Complaint of the week: Ebay abuse mail (slightly OT)
At 09:41 AM 8/3/2003, Paul Vixie wrote: ... ebay now requires that you fill in their lovely little web form to send them a note. Even if, say, you're trying to let them know about another scam going around that tries to use the machine www.hnstech.co.kr to extract people's credit card information. one can easily imagine that their abuse@ alias was receiving so much spam that it was too costly to read it all and fish out the valid complaints. (this is a ~recent spammer tactic, clogging the metadata paths to make it harder for network owners to discuss spammer activities.) On spam-l it was reported that there presently is a valid address of spoof (for the purpose of sending abuse complaints about spoof paypal websites[1]) at paypal.com. Since ebay now owns paypal, I suspect you can use that address to report spoof sites and emails for either service and that the human at the other end has enough clue to realize that they should act on all such spoofs reported to that address. jc [1] yes, I realize this makes the sentence look really weird. I worded it this way to help keep the spoof address from being machine readable if/when spammers start scarfing username (at) domain (dot) com munging and concatenating that back into the unmunged email address. It's hard enough to get a real email address for inside ebay or paypal that we need to protect what addresses we discover.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
* [EMAIL PROTECTED] (Paul Vixie) [Sun 03 Aug 2003, 18:42 CEST]:

[..] this sounds like i'm defending them. i'm not. but while reprehensible and irresponsible and socially radical, the web form approach's only real cause for failure is when the lack of a useful feedback channel curtails complaints which the network owner would find valuable. that's just not provably true in the case of ebay.

Some time ago I received a mail attempting to redirect me to a scam site asking for my eBay login details. I tried getting eBay's attention, but it turned out that in order to contact them you need to have an account. There was no way to be seen to contact eBay without being a customer. (Now where have we heard _that_ particular line before??)

I haven't bothered since. If eBay likes to make it hard for me to point them at serious risks for their business, more power to them.

... This is the point where somebody points at an obvious URL and says You doofus, wasn't it *obvious* that you could contact them via this here?

-- Niels.
Re: Complaint of the week: Ebay abuse mail (slightly OT)
My bitch about no mail, use this stooopid webform is I then get no file copy in my Out box. You get silence back from them...

--
A host is a host from coast to [EMAIL PROTECTED]
no one will talk to a host that's close[v].(301) 56-LINUX
Unless the host (that isn't close).pob 1433
is busy, hung or dead 20915-1433
Re: Complaint of the week: Ebay abuse mail (slightly OT)
On Sun, 3 Aug 2003, David G. Andersen wrote:

To add to the eternally annoying list of companies that ignore abuse@ mail... ebay now requires that you fill in their lovely little web form to send them a note. Even if, say, you're trying to let them know about another scam going around that tries to use the machine www.hnstech.co.kr to extract people's credit card information.

It's funny you should bring that up. I got that e-mail a few days ago, and figured I would do the nice thing for ebay and let them chase down someone blatantly abusing their name and ran into the same brick wall. I finally decided their hoops to get this information to them cost more generosity than I felt like giving.

I even went to the web page they suggested to try and give them a copy of the msg with full headers and none of their categories at the time matched: Good willed person trying to give you ammunition for a company abusing your name. I gave up, and left it as their problem if they don't want to take free help to make their case easier. If they even had an Other option I could have sent it to them. *shrug* Their loss.

G
Re: Complaint of the week: Ebay abuse mail (slightly OT)
At 12:53 PM 8/3/2003, Gerald wrote:

I even went to the web page they suggested to try and give them a copy of the msg with full headers and none of their categories at the time matched: Good willed person trying to give you ammunition for a company abusing your name. I gave up, and left it as their problem if they don't want to take free help to make their case easier. If they even had an Other option I could have sent it to them. *shrug* Their loss.

This is eBay. Decisions like that are nothing new:

http://www.cctec.com/maillists/nanog/historical/0208/msg00275.html

jc
Re: Complaint of the week: Ebay abuse mail (slightly OT)
I submitted ebay.com to rfc-ignorant.org for this RFC violation almost a year ago (which they of course accepted):

http://www.rfc-ignorant.org/tools/detail.php?domain=ebay.com&submitted=1029353643&table=abuse

Companies like this could simply care less. If you don't run a mail system with customers expecting to receive mail from ebay then I'd recommend blocking ebay.com. That would include their subsidiary, paypal.com, which BTW is also listed on RFCi. At the least I'd score their mail against the RFCi RHSBLs and add a score of 1.

Justin

On Sun, 3 Aug 2003, David G. Andersen wrote:

To add to the eternally annoying list of companies that ignore abuse@ mail... ebay now requires that you fill in their lovely little web form to send them a note. Even if, say, you're trying to let them know about another scam going around that tries to use the machine www.hnstech.co.kr to extract people's credit card information.

Has anyone had success in convincing companies that this is just A Bad Idea (ignoring abuse mail), and if so, how did you manage to do it?

Sorry for the slightly non-operational content, but I've had it with ebay on this one.

-Dave