Re: [mailop] [SUBJECT CHANGE] Feedback loops

[Laura Atkins via mailop]

> On 18 Jan 2022, at 02:32, Scott Mutter via mailop  wrote:
> 
> On Mon, Jan 17, 2022 at 6:06 PM Grant Taylor via mailop  > wrote:
> Why can't automated and manual reports go to the same address?  Isn't
> that what recipient side filtering is for?  E.g. separating RFC standard
> DSNs / MDNs from human generated messages, each handled by different teams.
> 
> My problem with FBLs is that I have to know to sign up for FBLs.
> Conversely, mailbox operators can probably more easily send push
> notifications to published addresses, whatever the industry accepted
> method is.
> 
> 
> I keep going back to the AOL Feedback Loop of yesteryear.  I didn't actually 
> READ every message in that mailbox.  But I could run a script through a 
> procmail recipe to increment counts by IP that AOL was sending back to that 
> FBL.  So that when an IP got 10 or so messages within a certain period it 
> would alert me at another email address that I watched.

The AOL FBL worked the way it did for a number of reasons. The big one is 
because AOL controlled the MUA. They managed the actions behind the “this is 
spam” button, and thus they could send mail when it was pushed.

When the provider doesn’t control the MUA they can’t provide the same FBL that 
AOL did because they do not have the ability to identify when the user clicks 
the TiS button. 

> Gmail and Yahoo all base their feedback loops on DomainKeys or something, 
> it's not IP based.  I know Comcast and some of the other ReturnPath customers 
> have feedback loops, but traffic on those are low too.

Right, because in most cases the provider doesn’t control the MUA. 

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  





___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [SUBJECT CHANGE] Feedback loops

[Jaroslaw Rafa via mailop]

Dnia 17.01.2022 o godz. 16:41:26 Michael Peddemors via mailop pisze:
> 
> So, while there are many companies with terrible or no abuse
> handlers, the problem maybe is now that the other way, where noone
> reports it.

Speaking for myself, I don't get a lot of spam, but when I do, I don't
bother reporting it. Spam is so omnipresent today that I have the impression
that noone actually cares about spam reports. I just update my spam filter
to avoid receiving similar messages in the future. Spamassassin plus a few
RBLs plus a bunch of my custom filtering rules are doing a pretty good job.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [SUBJECT CHANGE] Feedback loops

[Scott Mutter via mailop]

On Mon, Jan 17, 2022 at 6:06 PM Grant Taylor via mailop 
wrote:

> Why can't automated and manual reports go to the same address?  Isn't
> that what recipient side filtering is for?  E.g. separating RFC standard
> DSNs / MDNs from human generated messages, each handled by different teams.
>
> My problem with FBLs is that I have to know to sign up for FBLs.
> Conversely, mailbox operators can probably more easily send push
> notifications to published addresses, whatever the industry accepted
> method is.
>
>
I keep going back to the AOL Feedback Loop of yesteryear.  I didn't
actually READ every message in that mailbox.  But I could run a script
through a procmail recipe to increment counts by IP that AOL was sending
back to that FBL.  So that when an IP got 10 or so messages within a
certain period it would alert me at another email address that I watched.

The abuse email address and feedback loop email address don't have to be
different.  But, for me (which may not be the same thing for everyone
else), the FBL address was just means to tally information.  Sure, I could
go back into that address and manually review the feedback reports I got
and often that was the next step after being alerted to high number of
reports for a certain IP, but it's main purpose was just to automate a
tally.

I actually like feedback loops.  To my knowledge Microsoft is the only one
that has anything any where close to what the AOL Feedback Loop was like.
But it's a hassle to sign up for it, and it either goes through periods
where it's broken or it only sends reports if X number of mailings come
into Microsoft from an IP address.  Or maybe I just have some really nice
users that always send legitimate mail to Microsoft/Hotmail/Outlook
addresses and none of our servers ever get flagged as spam (begs the
question as to why Microsoft blocks our servers from time to time though).

Gmail and Yahoo all base their feedback loops on DomainKeys or something,
it's not IP based.  I know Comcast and some of the other ReturnPath
customers have feedback loops, but traffic on those are low too.

As a responsible server administrator - I don't mind signing up for
feedback loops to help safeguard my servers.  I would think any other
responsible server administrator would feel the same way.  I just want
those feedback loops to work.  If Microsoft is going to block my server IP
claiming that we sent them spam, but I never get anything in their feedback
loop - then that's an ineffective feedback loop.  Same for Yahoo and Gmail
and really any email service provider that's going to block my server IP.

Now if others in this discussion are arguing that Microsoft/Yahoo/Gmail/etc
are sending feedback loop reports to abuse contacts listed in RDAP, RP,
rWhois, any where else - then my bone to pick is with my IP delegation
provider because they're not forwarding these on to me.  Perhaps it's just
a lack of communication and they don't know that I want to receive these -
that's a fair point.  Or perhaps there's so many different ways to define
an abuse contact address (RDAP, RP, rWhois, etc) that different service
providers look for different contact structures and the feedback reports
all end up in a gobbled mess.  If that's the case then there needs to be a
SINGLE defined way to publish a contact address that receives feedback
reports.  BUT... I just really don't think Microsoft/Yahoo/Gmail/etc are
sending feedback reports for EVERY single spam message they get back to
these RDAP, RP, rWhois abuse contacts.  But I'm a big enough man to admit
that I've been wrong before.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] [SUBJECT CHANGE] Feedback loops

[Michael Peddemors via mailop]

Yeah, maybe we should close down this thread, simply because it is a 
high volume thread among only a few list members, and been going on a 
while...


For the record, for our shared mail platform that we operate for smaller 
ISP's and Telco's, we don't get a lot of traffic to our posted abuse 
address(s) at all, in general people have give up. (We don't even get 
much spam there, spammers know it is a quick trip to getting IPs 
blacklisted)


So, while there are many companies with terrible or no abuse handlers, 
the problem maybe is now that the other way, where noone reports it.


Automation might solve that.  But we only get reports from about three 
big email providers.  The Comcast ones are kind of useless, normally not 
spam and very aged.. The Hotmail ones are handy, but in our case it is 
usually only when a person turns off their spam protection AND forwards 
it to their hotmail account.  And I think we had like one Rackspace 
report in 4 or 5 years..


Now, it 'could' be are policies and/or customer base is not conducive to 
spam activity, and a lot less compromised email accounts, than our 
peers, but I doubt that is the whole picture.


We DO get compromised accounts, but our systems and people catch it 
fast, and rate limiters stop the HUGE outbreaks that quickly used to get 
servers blacklisted, but they do happen.  Surprised that we don't get 
ANY reports of those anymore. (To abuse contacts at least)


And look at all of the people reporting abuse on Twitter now.. or using 
back channels.  It is the lack of faith in timely reaction (or any) from 
abuse departments I think that has led us to this.


I think the only way feedback loops and abuse handles will become useful 
again, is for the community to say they MUST be useful, and simply stop 
accepting email from those companies that do not have one. 
Unfortunately, IMHO that means we have to stop accepting email from some 
of the largest providers in the world.. and since I don't see that 
happening any time soon, I think we might be wasting our breathes and 
time on this issue.


Instead, the status quo will continue.. detect spam, block the sender, 
and put the onus on the remote email operator.. Or buy a commercial 
product which makes and handles that decision making decision for you.


Trouble is, that puts us on a path where only the very large survive.

Enough doom and gloom..


My suggestion? Instead of focusing on making the little guys do things 
they probably aren't going to do, and having them loose their customers 
to the 'too big to block', let's start at the top.


Let's see if we can make a system that will stop the spam from leaking 
out of the biggest operators, those that SHOULD be able to afford to do 
it right..


Until we can get Gmail to terminate/change the password on THEIR the 
spammers immediately when reported, we don't have a viable system that 
will work.


-0-

(or even better, stop them before they do, how hard is it for them to 
rate limit? ;) force the use of separate mailing lists servers for bulk 
email, if I get ONE more 'Google Top Ranking' in my spam folder I will 
scream )




On 2022-01-17 3:47 p.m., Scott Mutter via mailop wrote:
We've really taken the original topic off course.  But I feel that we 
may be taking the secondary topic off course as well.


All the talk about abuse contacts in RDAP or RP DNS - I'm not saying 
that these have merits... BUT... Is Microsoft/Yahoo/Gmail/*insert 
whatever big name email service* sending EVERY spam/abuse complaint for 
messages from the IP address to these contact addresses?


That's part of the issue - and we're kind of seeing that within this 
discussion.  There's a lot of different ways to publish an abuse 
address, so many in fact... do the entities reporting the abuse (i.e. 
Microsoft/Yahoo/Gmail) follow all of these?  An abuse contact address is 
only as good as the abuse information that's being funneled into it.  
Another words, if Microsoft is never sending anything to the Abuse 
contact in RDAP... what good does it do to have an abuse contact in RDAP?


Additionally, are all of these big name email service providers going to 
automatically send feedback to these abuse contacts for every single 
message that their users flag as spam or that their systems flags as spam?


That's where a distinction needs to be made.

I feel like the abuse contact that's being suggested in RDAP, RP, 
rWhois, etc - are all intended to be manually sent by a human, i.e. 
someone from one of these big name email service providers 
(Microsoft/Yahoo/Gmail).  And I don't really see them having humans 
tasked with manually sending out these abuse notices for every spam 
message that an IP address sends.


That's where I feel feedback loops are more automated and generally 
better equipped to notify the difference makers that can really take 
action on the spam/abuse.


An example situation would be, if Microsoft/Hotmail/Outlook is getting 
spam from one of my