On Wed, 18 Jul 2018 13:36:41 +0000
Michele Neylon - Blacknight <mich...@blacknight.com> wrote:

> If you framed your issues or questions more clearly and succinctly it
> would be helpful.
> 
There are multiple issues and we each project our issues and POV, which
may cause misunderstanding.

> In relation to your specific "ask" I don't think it's the right one.
> You could, potentially, come up with a best practice, e.g. that
> providers should verify that account holders / users have access to
> an email address before letting them add it to a service. But I've no
> idea how you'd decide on rate limiting the verification emails.
> Based on my own experiences with mail servers, spam filters, grey
> listing etc., you can easily end up spamming yourself when those
> emails don't come through quickly enough.
> 
>
As I said, there are multiple issues. Richard had a brilliant addition,
the distributed mail bombing attacks - as I said already, even with
that, there could potentially be two or more instances of abuse. I
would love to discuss that, as far as verification, captcha and all the
other solutions, etc. are concerned.

But I would honestly like to understand (and it seems none of us really
do, we just think we do...) - What do the average person and the
average abuse admin think about the volume and the time?

From the perspective of the non-ESP victim: How many verification emails
per day, from the same ESP and/or the same resource, is fair?

From the perspective of all victims (ISP/Consumer/etc): being on the
receiving end of 20 000 contact requests, would of course also be abuse.

This has actually happened to me before and it is quite hard (but not
impossible) to manage with fetchmail and some scripting :)

From the perspective of the ESP: What is best practice? If someone
subscribes to Facebook, how many "verify your email address" emails, in
a 24-hour period, are reasonable?

I would propose that at present we suspect, but we do not really know?

So, this is what I would like to explore: the actual abuse numbers and
the actual average current considered 'best practice'.

Andre



 
