Re: [mailop] signup form abuse

2016-05-31 Thread Dave Pooser
On 5/31/16, 8:57 AM, "mailop on behalf of Vick Khera" wrote: > >On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors > wrote: > >> Putting your business card in a bowl to win a prize is definitely not >>giving

Re: [mailop] signup form abuse

2016-05-31 Thread Vick Khera
On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors wrote: > Putting your business card in a bowl to win a prize is definitely not > giving permission to get on a mailing list ;) > I for one pretty much expect that I'll be put on a list. I'm sure a lot of other folk do,

Re: [mailop] signup form abuse

2016-05-29 Thread Dave Warren
On 2016-05-29 12:29, Rich Kulawiec wrote: On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: >CAPTCHA could potentially fix it, but that is sure to raise >objections as being too inconvenient for list operators playing the >numbers game. Captchas are also not a valid anti-abuse

Re: [mailop] signup form abuse

2016-05-29 Thread Shaun
On Fri, 27 May 2016 11:07:44 -0700 Jay Hennigan wrote: > HTML "Click-to-confirm" has been shown in the recent discussion to be > subject to false positives by email scanning software that follows links. I feel like this is the result of poor implementation on the part

Re: [mailop] signup form abuse

2016-05-29 Thread Jay Hennigan
On 5/29/16 11:29 AM, Rich Kulawiec wrote: On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: CAPTCHA could potentially fix it, but that is sure to raise objections as being too inconvenient for list operators playing the numbers game. Captchas are also not a valid anti-abuse

Re: [mailop] signup form abuse

2016-05-29 Thread Rich Kulawiec
On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote: > CAPTCHA could potentially fix it, but that is sure to raise > objections as being too inconvenient for list operators playing the > numbers game. Captchas are also not a valid anti-abuse mechanism: they have been quite thoroughly

Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell
> I personally think that ESP's should make an effort to carefully separate > their confirmed double opt-in mailings, from single opt-in mailers.. We have a lot of ESPs as customers of our email reputation certification service, and we *always* urge them to segregate their IPs by opt-in level

Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan
On 5/27/16 9:49 AM, Michael Peddemors wrote: While it might be more 'attractive' to offer a simple 'click to confirm', why are you not using the more standard 'Please Reply To' this message if you want to receive these messages? This would solve the problem being discussed, and ensure that the

Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan
On 5/27/16 9:49 AM, Michael Peddemors wrote: Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is that there is a lot of loose

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors
On 16-05-27 10:08 AM, Michael Wise wrote: The problem with the, "Please Reply" method is that it can lead to mailbombing the target. We've seen it happen. Of course, someone could use a forged address when sending the 'confirmation' email, but how they would get mail bombed I am unsure of.

Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell
> But I agree with you completely on the, "loose definition" issue, and have a > rather nasty story about that. > Always get the person who asserts they're doing it to tell you exactly what > that term means to them. These are the definitions that we use, and that we use in working with our

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Wise via mailop
..@mailop.org] On Behalf Of Michael Peddemors Sent: Friday, May 27, 2016 9:50 AM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than th

Re: [mailop] signup form abuse

2016-05-27 Thread Al Iverson
On Fri, May 27, 2016 at 11:49 AM, Michael Peddemors wrote: > Have been watching this thread for a bit, and do have an opinion. > > First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather > than the term 'CDOI' (Confirmed Double Opt-in) and the reason I

Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors
Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is that there is a lot of loose definitions of both 'opt-in' and

Re: [mailop] signup form abuse

2016-05-26 Thread Alberto Miscia via mailop
This opens up for an interesting discussion. We experienced the very same issue in the past for a few customers and enabling a captcha was the only viable option. The "bots" (don't really know actually) managed to complete a COI process with several free accounts. IP ranges were different some on

Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote: > I've heard John Levine propose the "hidden link to catch scanning > robots" solution but I've never heard of an email system implementing > I'm running through my head how that would work, and makes for some very

Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
2016 2:14 PM > *To:* Erwin Harte <eha...@barracuda.com> > *Cc:* mailop@mailop.org > *Subject:* Re: [mailop] signup form abuse > > > > > > On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com> wrote: > > I did a spot check of a recent

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
y 25, 2016 4:25 PM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse On 5/25/16 4:11 PM, Michael Wise wrote: > That may or may not be a good metric, since if I just signed up for a legit > mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
16 4:11 PM To: 'Jay Hennigan' <mailop-l...@keycodes.com>; mailop@mailop.org Subject: RE: [mailop] signup form abuse That may or may not be a good metric, since if I just signed up for a legit mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a robot, I might be backl

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
rg Subject: Re: [mailop] signup form abuse On 5/25/16 8:36 AM, Vick Khera wrote: > I did a spot check of a recent attack. The email address was > jabradb...@kanawhascales.com <mailto:jabradb...@kanawhascales.com> > and it got signed up to 12 lists during May 17 and 18. Amazingly,

Re: [mailop] signup form abuse

2016-05-25 Thread Laura Atkins
> On May 25, 2016, at 4:03 PM, Jay Hennigan wrote: > > On 5/25/16 8:36 AM, Vick Khera wrote: > >> I did a spot check of a recent attack. The email address >> was jabradb...@kanawhascales.com >> and it got signed up to 12 lists

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
--Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan Sent: Wednesday, May 25, 2016 3:49 PM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse On 5/25/16 7:59 AM, Vick Khera wrote: > > On Wed, May 25, 2016 at 10:45 AM, Matthew Blac

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 8:36 AM, Vick Khera wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other end of that address clicked to confirm

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 7:45 AM, Matthew Black wrote: Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. The monetary compensation of ESPs is directly proportional to the volume of promotional messages that they send. Let that sink in. -- -- Jay

Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan
On 5/25/16 7:59 AM, Vick Khera wrote: On Wed, May 25, 2016 at 10:45 AM, Matthew Black > wrote: Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. Yes, the only effect

Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
riginal Message- > From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte > Sent: Wednesday, May 25, 2016 2:48 PM > To: Michelle Sullivan <miche...@sorbs.net>; Vick Khera <vi...@khera.org> > Cc: mailop@mailop.org > Subject: Re: [mailop] signup form ab

Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte
On 5/25/16 4:40 PM, Michelle Sullivan wrote: Vick Khera wrote: On Wed, May 25, 2016 at 3:02 PM, Erwin Harte > wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com

Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
oft.com/en-us/download/details.aspx?id=18275> ? From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera Sent: Wednesday, May 25, 2016 2:14 PM To: Erwin Harte <eha...@barracuda.com> Cc: mailop@mailop.org Subject: Re: [mailop] signup form abuse On Wed, May 25, 2016 at 3:02

Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan
Vick Khera wrote: On Wed, May 25, 2016 at 3:02 PM, Erwin Harte > wrote: I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote: > I did a spot check of a recent attack. The email address was > jabradb...@kanawhascales.com and it got signed up to 12 lists during May > 17 and 18. Amazingly, whoever is on the other end of that address clicked > to

Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte
On 5/25/16 10:36 AM, Vick Khera wrote: On Tue, May 24, 2016 at 2:18 PM, Michael Wise > wrote: Are these IP addresses on CBL? I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 2:18 PM, Michael Wise wrote: > Are these IP addresses on CBL? > I did a spot check of a recent attack. The email address was jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other

Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
Matthew, Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or none require it.) So since that's not happening... -- Al Iverson www.aliverson.com (312)725-0130 On Wed, May 25, 2016 at 9:45 AM, Matthew Black wrote: > Are your customers using

Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote: > Are your customers using confirmed opt-in mailing lists? If not, they > should not be running mailing lists. > > Yes, the only effect is to send a confirmation message, which is quite generic and at most contains

Re: [mailop] signup form abuse

2016-05-25 Thread Matthew Black
Are your customers using confirmed opt-in mailing lists? If not, they should not be running mailing lists. matthew From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera Sent: Tuesday, May 24, 2016 10:18 AM To: mailop@mailop.org Subject: [mailop] signup form abuse As an ESP,

Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren
On 2016-05-24 15:30, Michael Wise via mailop wrote: If someone has a better idea how to keep mailinglist software like MailMan from being co-opted into such an attack, I would LOVE to hear it. I think the obvious approach would be to move back to listname-subscr...@example.com requests, but

Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren
On 2016-05-24 15:17, Jay Hennigan wrote: On 5/24/16 12:26 PM, Michael Wise wrote: We're still seeing cases where a malicious actor, typically in Eastern Europe, will try and sign up a target email address for thousands of lists all at once, flooding their mailbox with confirmation traffic,

Re: [mailop] signup form abuse

2016-05-24 Thread TR Shaw
You might want to check out e-hawk.net as Franck suggested. Or check out others in area. > On May 24, 2016, at 9:53 PM, Robert Mueller wrote: > > >> I wonder what the point is. How does the bad guy monetize it, or is it a >> coordinated attack against a specific victim? What

Re: [mailop] signup form abuse

2016-05-24 Thread Robert Mueller
> I wonder what the point is. How does the bad guy monetize it, or is it a > coordinated attack against a specific victim? What other nefarious > issues? Making the address useless or burying some other mail in the > midst of the junk would seem to be a possibility. > > If an attack against a

Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
p@mailop.org Subject: Re: [mailop] signup form abuse On 5/24/16 12:26 PM, Michael Wise wrote: > > We're still seeing cases where a malicious actor, typically in Eastern > Europe, will try and sign up a target email address for thousands of lists > all at once, flooding their mailbox wit

Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan
On 5/24/16 12:26 PM, Michael Wise wrote: We're still seeing cases where a malicious actor, typically in Eastern Europe, will try and sign up a target email address for thousands of lists all at once, flooding their mailbox with confirmation traffic, perhaps to hide some other nefarious

Re: [mailop] signup form abuse

2016-05-24 Thread Vladimir Dubrovin via mailop
You definitely need anti-bot protection because currently you produce bounce SPAM and may be used for targeted SPAM / DDoS, especially if you reflect some user input (e.g. First name / last name). Currently, bots of this kind do not bother to emulate user behavior and checking user have visited

Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
e: [mailop] signup form abuse On 5/24/16 10:17 AM, Vick Khera wrote: > As an ESP, we host mailing list signup forms for many customers. Of > late, it appears they have been getting pounded on with fraudulent > signups for real addresses. Sometimes the people confirm by clicking >

Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan
On 5/24/16 10:17 AM, Vick Khera wrote: As an ESP, we host mailing list signup forms for many customers. Of late, it appears they have been getting pounded on with fraudulent signups for real addresses. Sometimes the people confirm by clicking the confirmation link in the message and we are left

Re: [mailop] signup form abuse

2016-05-24 Thread Franck Martin via mailop
Not new story, people have devised systems to avoid the creation of such accounts: http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/?_r=0 You could for instance use data from http://www.e-hawk.net/ (I'm not endorsing them, just a company that