Re: [mailop] signup form abuse

2016-05-31 Thread Dave Pooser
On 5/31/16, 8:57 AM, "mailop on behalf of Vick Khera" wrote: > >On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors > wrote: > >> Putting your business card in a bowl to win a prize is definitely not >>giving permission to get on a mailing list ;) > >I for one pretty much expect that I'll be put o

Re: [mailop] signup form abuse

2016-05-31 Thread Vick Khera
On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors wrote: > Putting your business card in a bowl to win a prize is definitely not > giving permission to get on a mailing list ;) > I for one pretty much expect that I'll be put on a list. I'm sure a lot of other folk do, too.

Re: [mailop] signup form abuse

2016-05-29 Thread Michael Wise via mailop
e: [mailop] signup form abuse On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: > CAPTCHA could potentially fix it, but that is sure to raise objections > as being too inconvenient for list operators playing the numbers game. Captchas are also not a valid anti-abuse mechanism: they

Re: [mailop] signup form abuse

2016-05-29 Thread Dave Warren
On 2016-05-29 12:29, Rich Kulawiec wrote: On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: >CAPTCHA could potentially fix it, but that is sure to raise >objections as being too inconvenient for list operators playing the >numbers game. Captchas are also not a valid anti-abuse mecha

Re: [mailop] signup form abuse

2016-05-29 Thread Shaun
On Fri, 27 May 2016 11:07:44 -0700 Jay Hennigan wrote: > HTML "Click-to-confirm" has been shown in the recent discussion to be > subject to false positives by email scanning software that follows links. I feel like this is the result of poor implementation on the part of the list operator. RFC2

Re: [mailop] signup form abuse

2016-05-29 Thread Jay Hennigan
On 5/29/16 11:29 AM, Rich Kulawiec wrote: On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: CAPTCHA could potentially fix it, but that is sure to raise objections as being too inconvenient for list operators playing the numbers game. Captchas are also not a valid anti-abuse mechani

Re: [mailop] signup form abuse

2016-05-29 Thread Rich Kulawiec
On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: > CAPTCHA could potentially fix it, but that is sure to raise > objections as being too inconvenient for list operators playing the > numbers game. Captchas are also not a valid anti-abuse mechanism: they have been quite thoroughly beat

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors
On 16-05-27 10:02 AM, Al Iverson wrote: On Fri, May 27, 2016 at 11:49 AM, Michael Peddemors wrote: Because a signup process that falls victim to various types of auto-responses would be bad. Anything you'd have to add to that to try to prevent that issue would make it more confusing for some fo

Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell
> I personally think that ESP's should make an effort to carefully separate > their confirmed double opt-in mailings, from single opt-in mailers.. We have a lot of ESPs as customers of our email reputation certification service, and we *always* urge them to segregate their IPs by opt-in level (

Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan
On 5/27/16 9:49 AM, Michael Peddemors wrote: While it might be more 'attractive' to offer a simple 'click to confirm', why are you not using the more standard 'Please Reply To' this message if you want to receive these messages? This would solve the problem being discussed, and ensure that the

Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan
On 5/27/16 9:49 AM, Michael Peddemors wrote: Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is that there is a lot of loose de

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors
On 16-05-27 10:08 AM, Michael Wise wrote: The problem with the, "Please Reply" method is that it can lead to mailbombing the target. We've seen it happen. Of course, someone could use a forged address when sending the 'confirmation' email, but how they would get mail bombed I am unsure of.

Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell
> But I agree with you completely on the, "loose definition" issue, and have a > rather nasty story about that. > Always get the person who asserts they're doing it to tell you exactly what > that term means to them. These are the definitions that we use, and that we use in working with our cust

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Wise via mailop
boun...@mailop.org] On Behalf Of Michael Peddemors Sent: Friday, May 27, 2016 9:50 AM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than

Re: [mailop] signup form abuse

2016-05-27 Thread Al Iverson
On Fri, May 27, 2016 at 11:49 AM, Michael Peddemors wrote: > Have been watching this thread for a bit, and do have an opinion. > > First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather > than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it > out, is that ther

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors
Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is that there is a lot of loose definitions of both 'opt-in' and 'confirmed'.

Re: [mailop] signup form abuse

2016-05-26 Thread Alberto Miscia via mailop
This opens up for an interesting discussion. We experienced the very same issue in the past for a few customers and enabling a captcha was the only viable option. The "bots" (don't really know actually) managed to complete a COI process with several free accounts. IP ranges were different some on CB

Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote: > I've heard John Levine propose the "hidden link to catch scanning > robots" solution but I've never heard of an email system implementing > I'm running through my head how that would work, and makes for some very complicated state transition d

Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
as > Been Processed." | Got the Junk Mail Reporting Tool > <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ? > > > > *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick > Khera > *Sent:* Wednesday, May 25, 2016 2:14 PM > *To:* Erw

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
y 25, 2016 4:25 PM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse On 5/25/16 4:11 PM, Michael Wise wrote: > That may or may not be a good metric, since if I just signed up for a legit > mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 4:11 PM, Michael Wise wrote: That may or may not be a good metric, since if I just signed up for a legit mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a robot, I might be backlogged a few tens of seconds. So, "Click here to subscribe", "Click here if yo

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
25, 2016 4:11 PM To: 'Jay Hennigan' ; mailop@mailop.org Subject: RE: [mailop] signup form abuse That may or may not be a good metric, since if I just signed up for a legit mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a robot, I might be backlogged

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
lop.org Subject: Re: [mailop] signup form abuse On 5/25/16 8:36 AM, Vick Khera wrote: > I did a spot check of a recent attack. The email address was > jabradb...@kanawhascales.com > and it got signed up to 12 lists during May 17 and 18. Amazing

Re: [mailop] signup form abuse

2016-05-25 Thread Laura Atkins
> On May 25, 2016, at 4:03 PM, Jay Hennigan wrote: > > On 5/25/16 8:36 AM, Vick Khera wrote: > >> I did a spot check of a recent attack. The email address >> was jabradb...@kanawhascales.com >> and it got signed up to 12 lists during May 17 and 18. Amazingl

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
-Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan Sent: Wednesday, May 25, 2016 3:49 PM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse On 5/25/16 7:59 AM, Vick Khera wrote: > > On Wed, May 25, 2016 at 10:45 AM, Matthew Black

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 8:36 AM, Vick Khera wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other end of that address clicked to confirm e

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 7:45 AM, Matthew Black wrote: Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. The monetary compensation of ESPs is directly proportional to the volume of promotional messages that they send. Let that sink in. -- -- Jay Hen

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 7:59 AM, Vick Khera wrote: On Wed, May 25, 2016 at 10:45 AM, Matthew Black <matthew.bl...@csulb.edu> wrote: Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. Yes, the only effect is to send a confirmation m

Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan
Michael Wise wrote: The classical response to that is a "Hidden" URL that, if "clicked" by the scanning software, gives "Insight" into the fact that the recipient is doing that, yes? Aloha, Michael. That is the best solution - I'd hate for people to stop single click unsubscribes because they

Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
-Original Message- > From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte > Sent: Wednesday, May 25, 2016 2:48 PM > To: Michelle Sullivan ; Vick Khera > Cc: mailop@mailop.org > Subject: Re: [mailop] signup form abuse > > On 5/25/16 4:40 PM, Miche

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
en Processed." | Got the Junk Mail Reporting Tool ? -Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte Sent: Wednesday, May 25, 2016 2:48 PM To: Michelle Sullivan ; Vick Khera Cc: mailop@mailop.org Subject: Re: [mailop] signup form abuse On

Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte
On 5/25/16 4:40 PM, Michelle Sullivan wrote: Vick Khera wrote: On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com> wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
oft.com/en-us/download/details.aspx?id=18275> ? From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera Sent: Wednesday, May 25, 2016 2:14 PM To: Erwin Harte Cc: mailop@mailop.org Subject: Re: [mailop] signup form abuse On Wed, May 25, 2016 at 3:02 PM, Erwin Harte mailto:eha.

Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan
Vick Khera wrote: On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 a

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote: > I did a spot check of a recent attack. The email address was > jabradb...@kanawhascales.com and it got signed up to 12 lists during May > 17 and 18. Amazingly, whoever is on the other end of that address clicked > to confirm every one of those

Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte
On 5/25/16 10:36 AM, Vick Khera wrote: On Tue, May 24, 2016 at 2:18 PM, Michael Wise <michael.w...@microsoft.com> wrote: Are these IP addresses on CBL? I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com an

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 2:18 PM, Michael Wise wrote: > Are these IP addresses on CBL? > I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other end of that address clicked

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 11:02 AM, Al Iverson wrote: > Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or > none require it.) > All our direct signup forms are only COI. We do permit customers to import existing lists, which may or may not have been COI previously, though we su

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 3:07 PM, Jay Hennigan wrote: > The appearance of the confirmation email makes a big difference. If it > looks like an advertisement with lots of graphics, hidden tracking bugs, > etc. it's likely to be viewed as abuse and used by bad guys to harass > innocents. > > I'm ver

Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
ng lists? If not, they should > not be running mailing lists. > > > > matthew > > > > > > From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera > Sent: Tuesday, May 24, 2016 10:18 AM > To: mailop@mailop.org > Subject: [mailop] signup form ab

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote: > Are your customers using confirmed opt-in mailing lists? If not, they > should not be running mailing lists. > > Yes, the only effect is to send a confirmation message, which is quite generic and at most contains the customer's logo and nam

Re: [mailop] signup form abuse

2016-05-25 Thread Matthew Black
Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. matthew From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera Sent: Tuesday, May 24, 2016 10:18 AM To: mailop@mailop.org Subject: [mailop] signup form abuse As an ESP

Re: [mailop] signup form abuse

2016-05-24 Thread Dave Warren
On 2016-05-24 15:30, Michael Wise via mailop wrote: If someone has a better idea how to keep mailinglist software like MailMan from being co-opted into such an attack, I would LOVE to hear it. I think the obvious approach would be to move back to listname-subscr...@example.com requests, but r

Re: [mailop] signup form abuse

2016-05-24 Thread Dave Warren
On 2016-05-24 15:17, Jay Hennigan wrote: On 5/24/16 12:26 PM, Michael Wise wrote: We're still seeing cases where a malicious actor, typically in Eastern Europe, will try and sign up a target email address for thousands of lists all at once, flooding their mailbox with confirmation traffic,

Re: [mailop] signup form abuse

2016-05-24 Thread TR Shaw
You might want to checkout e-hawk.net as Franck suggested. Or checkout others in area. > On May 24, 2016, at 9:53 PM, Robert Mueller wrote: > > >> I wonder what the point is. How does the bad guy monetize it, or is it a >> coordinated attack against a specific victim? What other nefarious >

Re: [mailop] signup form abuse

2016-05-24 Thread Robert Mueller
> I wonder what the point is. How does the bad guy monetize it, or is it a > coordinated attack against a specific victim? What other nefarious > issues? Making the address useless or burying some other mail in the > midst of the junk would seem to be a possibility. > > If an attack against a

Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
16 2:17 PM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse On 5/24/16 12:26 PM, Michael Wise wrote: > > We're still seeing cases where a malicious actor, typically in Eastern > Europe, will try and sign up a target email address for thousands of lists > all at once, f

Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan
On 5/24/16 12:26 PM, Michael Wise wrote: We're still seeing cases where a malicious actor, typically in Eastern Europe, will try and sign up a target email address for thousands of lists all at once, flooding their mailbox with confirmation traffic, perhaps to hide some other nefarious issue

Re: [mailop] signup form abuse

2016-05-24 Thread Vladimir Dubrovin via mailop
You definitely need anti-bot protection because currently you produce bounce SPAM and may be used for targeted SPAM / DDoS, especially if you reflect some user input (e.g. First name / last name). Currently, bots of this kind do not bother to emulate user behavior and checking user have visited fo

Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
.org Subject: Re: [mailop] signup form abuse On 5/24/16 10:17 AM, Vick Khera wrote: > As an ESP, we host mailing list signup forms for many customers. Of > late, it appears they have been getting pounded on with fraudulent > signups for real addresses. Sometimes the people confirm by clicki

Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan
On 5/24/16 10:17 AM, Vick Khera wrote: As an ESP, we host mailing list signup forms for many customers. Of late, it appears they have been getting pounded on with fraudulent signups for real addresses. Sometimes the people confirm by clicking the confirmation link in the message and we are left s

Re: [mailop] signup form abuse

2016-05-24 Thread Franck Martin via mailop
s.aspx?id=18275> ? > > > > *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick > Khera > *Sent:* Tuesday, May 24, 2016 10:18 AM > *To:* mailop@mailop.org > *Subject:* [mailop] signup form abuse > > > > As an ESP, we host mailing list signup

Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
p.org] On Behalf Of Vick Khera Sent: Tuesday, May 24, 2016 10:18 AM To: mailop@mailop.org Subject: [mailop] signup form abuse As an ESP, we host mailing list signup forms for many customers. Of late, it appears they have been getting pounded on with fraudulent signups for real addresses. Some

[mailop] signup form abuse

2016-05-24 Thread Vick Khera
As an ESP, we host mailing list signup forms for many customers. Of late, it appears they have been getting pounded on with fraudulent signups for real addresses. Sometimes the people confirm by clicking the confirmation link in the message and we are left scratching our heads as to why they would