Re: [mailop] signup form abuse

2016-05-31 Thread Dave Pooser
On 5/31/16, 8:57 AM, "mailop on behalf of Vick Khera" wrote:

>
> On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors wrote:
>
>> Putting your business card in a bowl to win a prize is definitely not
>> giving permission to get on a mailing list ;)
>
> I for one pretty much expect that I'll be put on a list. I'm sure a lot
> of other folk do, too.

Yeah, I always understood that to be the transaction: I exchange
permission to send me an initial marketing mail in exchange for a 0.17%
chance of winning a widget. Once I get that message, from there I can opt
out or not depending on how useful I perceive the content to be.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-31 Thread Vick Khera
On Fri, May 27, 2016 at 1:57 PM, Michael Peddemors wrote:

> Putting your business card in a bowl to win a prize is definitely not
> giving permission to get on a mailing list ;)
>

I for one pretty much expect that I'll be put on a list. I'm sure a lot of
other folk do, too.


Re: [mailop] signup form abuse

2016-05-29 Thread Dave Warren

On 2016-05-29 12:29, Rich Kulawiec wrote:

> On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
>
>> CAPTCHA could potentially fix it, but that is sure to raise
>> objections as being too inconvenient for list operators playing the
>> numbers game.
>
> Captchas are also not a valid anti-abuse mechanism: they have been quite
> thoroughly beaten and are only used today by those who have failed to
> pay attention to adversarial progress over the last 10-15 years.
>
> Resources are either targets for abuse or they're not; adversaries are
> either competent and well-resourced or they're not.  In the case where
> resources *are* targets and adversaries *are* competent/well-resourced,
> they will defeat captcha mechanisms at will using either automated,
> manual, or hybrid techniques.  In the other three cases, captchas aren't
> necessary, either because the resource isn't being targeted, or adversaries
> aren't capable, or both.


This is downright silly; it's akin to saying that one shouldn't bother 
locking their front door because a trained locksmith can pick the lock.


Yes, a captcha can be beaten, as can literally every other security 
mechanism if one imagines a sufficiently competent and well-resourced 
adversary. Most adversaries are not both competent and well-resourced, 
so why not raise the bar against the low-level dull roar of attacks that 
happen all the time?


Security is a system of layers, never a single perfect mechanism, and 
we're talking about mailing list subscriptions here, not missile launch 
codes; unless one's company depends on mailing lists, the overall 
resources available to combat a generally-minor problem will be equally 
minimal and a captcha will defeat the entirety of the types of 
adversaries which one can expect to encounter.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: [mailop] signup form abuse

2016-05-29 Thread Shaun
On Fri, 27 May 2016 11:07:44 -0700
Jay Hennigan  wrote:

> HTML "Click-to-confirm" has been shown in the recent discussion to be 
> subject to false positives by email scanning software that follows links.

I feel like this is the result of poor implementation on the part of the
list operator. RFC2616 states "GET and HEAD methods SHOULD NOT have the
significance of taking an action other than retrieval." RFC7231 is more
strict: "If the purpose of such a resource is to perform an unsafe
action, then the resource owner MUST disable or disallow that action
when it is accessed using a safe request method" ("safe" methods are
enumerated as GET, HEAD, OPTIONS, and TRACE).

Scanning software simply following a link should not confirm a
subscription request. This should require a form post, which can still
be presented to most users in a one-click manner.

Are there scanning solutions out there that are posting forms contained
within HTML messages?

-s



Re: [mailop] signup form abuse

2016-05-29 Thread Jay Hennigan

On 5/29/16 11:29 AM, Rich Kulawiec wrote:

> On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
>
>> CAPTCHA could potentially fix it, but that is sure to raise
>> objections as being too inconvenient for list operators playing the
>> numbers game.
>
> Captchas are also not a valid anti-abuse mechanism: they have been quite
> thoroughly beaten and are only used today by those who have failed to
> pay attention to adversarial progress over the last 10-15 years.


The CAPTCHA in this case would not be a situation where the recipient of 
the CAPTCHA has bad intent. It would be used on subscription 
confirmation messages to differentiate between a benign automated 
process such as a mail scanner following links and a human addressee 
confirming a desired subscription.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-29 Thread Rich Kulawiec
On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
> CAPTCHA could potentially fix it, but that is sure to raise
> objections as being too inconvenient for list operators playing the
> numbers game.

Captchas are also not a valid anti-abuse mechanism: they have been quite
thoroughly beaten and are only used today by those who have failed to
pay attention to adversarial progress over the last 10-15 years.

Resources are either targets for abuse or they're not; adversaries are
either competent and well-resourced or they're not.  In the case where
resources *are* targets and adversaries *are* competent/well-resourced,
they will defeat captcha mechanisms at will using either automated,
manual, or hybrid techniques.  In the other three cases, captchas aren't
necessary, either because the resource isn't being targeted, or adversaries
aren't capable, or both.

Moreover, we have long since passed the point on the curve where "captchas
that can be successfully attacked" became harder than "captchas that can be
solved by most humans".

Having worked on this problem extensively, I've found that other measures
are much more effective, predictable, stable under load, and diagnosable
-- depending on the use case, of course, and one size does not fit all.
The key, as it so often is with any anti-abuse measure, is to carefully
study one's own log files and understand (qualitatively and quantitatively)
what "normal" looks like and what "abnormal" looks like.  Lots of people
skip this analysis in their haste to deploy "solutions" and thus don't
actually understand the nature of their problem(s).  This inevitably
results in poor outcomes.

---rsk



Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell

> I personally think that ESPs should make an effort to carefully separate 
> their confirmed double opt-in mailings, from single opt-in mailers..

We have a lot of ESPs as customers of our email reputation certification 
service, and we *always* urge them to segregate their IPs by opt-in level (and 
also to assign customers their own IPs, whenever possible).  The bigger ESPs 
get this, and many of them do - others do a sort of graduated "new customers 
start in the low end, and then move up over time as they prove themselves" 
thing, but all of them do something to make sure their customers who are 
adhering to best practices are on IPs with good reputations.

(And, thank you for referencing our white paper! :~) )

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation and Inbox Deliverability Certification Program 
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

"Email marketing is the one place where it's better to ask permission than 
forgiveness." - Me

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Asilomar Microcomputer Workshop Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan

On 5/27/16 9:49 AM, Michael Peddemors wrote:


> While it might be more 'attractive' to offer a simple 'click to
> confirm', why are you not using the more standard 'Please Reply To' this
> message if you want to receive these messages?
>
> This would solve the problem being discussed, and ensure that the
> recipient truly wants your message.


Both methods have the potential of triggering false positives due to 
automated processes.


HTML "Click-to-confirm" has been shown in the recent discussion to be 
subject to false positives by email scanning software that follows links.


"Please reply-to" has a similar problem with out-of-office vacation 
autoresponders that copy all or part of the message in the response, as 
well as some NDRs that do the same. Reply-to also potentially breaks if 
the recipient automatically forwards mail from one account to another as 
the reply will come from a different address than the subscription.


CAPTCHA could potentially fix it, but that is sure to raise objections 
as being too inconvenient for list operators playing the numbers game.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan

On 5/27/16 9:49 AM, Michael Peddemors wrote:

> Have been watching this thread for a bit, and do have an opinion.
>
> First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather
> than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it
> out, is that there is a lot of loose definitions of both 'opt-in' and
> 'confirmed'.


The term "Double opt-in" was originated by spammers early-on in an 
attempt to paint the confirmation process as odious and unnecessary. 
It's spammer-speak. Confirmed opt-in is in my opinion the appropriate term.


* When you log in to an account you provide a username.
* When you subscribe to a mailing list you provide an email address.

Then, when logging in to an account, you're also asked for a password to 
*confirm* your identity. Have you EVER heard of the requirement to 
provide a password as "Double log-in"? I didn't think so.


The same principle applies (or should apply) to mailing list subscriptions.


> While it might be more 'attractive' to offer a simple 'click to
> confirm', why are you not using the more standard 'Please Reply To' this
> message if you want to receive these messages?


Both are typically presented as options, with the token included both in 
the embedded URL and subject or body of the email. This allows people to 
use email to confirm email and eliminates potential issues with HTML 
rendering in some MUAs. It also allows a simple "Click here" button for 
those more familiar with web-based applications.



--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors

On 16-05-27 10:08 AM, Michael Wise wrote:


> The problem with the, "Please Reply" method is that it can lead to mailbombing 
> the target.
> We've seen it happen.


Of course, someone could use a forged address when sending the 
'confirmation' email, but how they would get mail bombed I am unsure of.


No-one will reply that they want the email, for a list they didn't 
subscribe to.  And the sending system would normally limit the amount of 
subscription requests to an individual address.



> But I agree with you completely on the, "loose definition" issue, and have a 
> rather nasty story about that.
> Always get the person who asserts they're doing it to tell you exactly what that 
> term means to them.
>
> "I checked with my manager, and we looked it up, that address DOES Exist!"


And we hear a lot of them too :)

Putting your business card in a bowl to win a prize is definitely not 
giving permission to get on a mailing list ;)


But true confirmed double opt-in lists very seldom get complaints, and 
provide a higher ROI..


http://www.isipp.com/documents/The-Case-for-COI.pdf

My personal pet peeve (and yes I mean you ticket master) is when you 
expressly do everything you can (uncheck the box) to declare you don't 
want any marketing, but still get it..


Some ESPs do make a good effort to encourage it, but many still allow 
new customers to bring over their old 'confirmed' lists as an import, 
instead of forcing a new confirmation, which of course is ripe for 
abuse.  The concern is that they will have a large drop in subscribers, 
as people don't re-confirm.. but probably they miss the point, those 
aren't the people you want on your list, as they aren't engaged enough 
to re-confirm.


Most of the world's largest mailing lists, which operate as confirmed 
double opt-in, never get on the complaint radar..


I personally think that ESPs should make an effort to carefully 
separate their confirmed double opt-in mailings, from single opt-in 
mailers..


But, still there are a lot of commercial motivators to maximize delivery 
rates, (including mixing good and bad mailers together, obfuscating the 
sender information etc).. But in the end, whether it is adblocking, 
reputation lists, or even legislative powers, at some point those 
techniques may backfire.. IMHO








--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell

> But I agree with you completely on the, "loose definition" issue, and have a 
> rather nasty story about that.
> Always get the person who asserts they're doing it to tell you exactly what 
> that term means to them.

These are the definitions that we use, and that we use in working with our 
customers - and yes, lots of senders have..interesting..definitions, 
particularly of "opt-in".

http://www.gettingemaildelivered.com/definitions-and-descriptions-of-various-levels-of-email-opt-in

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation and Inbox Deliverability Certification Program 
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

"Email marketing is the one place where it's better to ask permission than 
forgiveness." - Me

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Asilomar Microcomputer Workshop Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop






Re: [mailop] signup form abuse

2016-05-27 Thread Michael Wise via mailop

The problem with the, "Please Reply" method is that it can lead to mailbombing 
the target.
We've seen it happen.

Now if the intended subscriber could send a single message to the mailinglist, 
and it could be easily proved that it either came from them, or someone that 
their mail admin could identify and punish, this would also work as CDOI, so to 
speak.

But I agree with you completely on the, "loose definition" issue, and have a 
rather nasty story about that.
Always get the person who asserts they're doing it to tell you exactly what that 
term means to them.

"I checked with my manager, and we looked it up, that address DOES Exist!"

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Friday, May 27, 2016 9:50 AM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

Have been watching this thread for a bit, and do have an opinion.

First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than 
the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is 
that there is a lot of loose definitions of both 'opt-in' and 'confirmed'.

While it might be more 'attractive' to offer a simple 'click to confirm', why 
are you not using the more standard 'Please Reply To' this message if you want 
to receive these messages?

This would solve the problem being discussed, and ensure that the recipient 
truly wants your message.



On 16-05-26 08:06 AM, Alberto Miscia via mailop wrote:
> This opens up for an interesting discussion.
> We experienced the very same issue in the past for a few customers and
> enabling a captcha was the only viable option.
> The "bots" (don't really know actually) managed to complete a COI
> process with several free accounts.
>
> IP ranges were different some on CBL some not but blocking a listed IP
> in a COI process can be dangerous.
> For the very same reason I'd rule out e-hawk and alike.
> The vast majority of the addresses were listed on cleantalk.org
>
> The hidden link in the confirmation email (an HTML comment would work
> better than a "white-on-white tiny font" from a
> deliverability perspective) in my opinion is the way to go.
> Even if it can be very tricky to implement, we are seriously
> considering it to prevent bot clicks across the board.
>
> HTH
>
> Alberto Miscia | MailUp | Head of Deliverability & Compliance
>
>
> 2016-05-26 15:05 GMT+02:00 Vick Khera <vi...@khera.org>:
>>
>> On Wed, May 25, 2016 at 6:04 PM, Al Iverson <aiver...@spamresource.com>
>> wrote:
>>>
>>> I've heard John Levine propose the "hidden link to catch scanning
>>> robots" solution but I've never heard of an email system implementing
>>
>>
>> I'm running through my head how that would work, and makes for some very
>> complicated state transition diagrams to go from "signup requested" to
>> "confirmed". What if they scan in parallel and the timing works out they
>> poked them in the opposite order, etc. I see a few new states and many
>> transitions, and some timeout based events. Not pretty.
>>
>>>
>>> it. Similarly, senders have often suggested that spamtrap systems
>>> shouldn't follow links. (Security systems, sure, but don't do that
>>> with spamtrap addresses.) And today I heard it suggested that it would
>>> be wiser to have COI have a second click (probably an HTTP POST-based
>>
>>
>> What if the confirmation email button itself was a POST form rather than
>> just a GET to a page? Are scanning systems following POSTs too?
>>
>>>
>>>
>>> button) on the landing web page, to prevent security systems from
>>> erroneously completing COI confirm steps. All good stuff, but it
>>
>>
>> I don't think you're going to get much buy-in for requiring so many clicks
>> to get activated. I know we already lose customer just for requiring COI.
>> Making the COI be more work for the subscriber will just make people go
>> elsewhere faster.
>>
>>>
>>> doesn't sound as though any of it has been widely broadcasted as a
>>> best practice or requirement.
>>
>>
>>
>>

Re: [mailop] signup form abuse

2016-05-27 Thread Al Iverson
On Fri, May 27, 2016 at 11:49 AM, Michael Peddemors wrote:
> Have been watching this thread for a bit, and do have an opinion.
>
> First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather
> than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it
> out, is that there is a lot of loose definitions of both 'opt-in' and
> 'confirmed'.
>
> While it might be more 'attractive' to offer a simple 'click to confirm',
> why are you not using the more standard 'Please Reply To' this message if
> you want to receive these messages?

Because a signup process that falls victim to various types of
auto-responses would be bad. Anything you'd have to add to that to try
to prevent that issue would make it more confusing for some folks and
would result in a drop off in confirmation rate.

Regarding this new "CDOI" acronym: Michael, bless you for trying, but
you're the guy who runs the blacklist that calls all commercial email
"third party mail" no matter how confirmed or clearly opt-in it is, so
you personally wouldn't be the guy I'd look to for help throwing more
definitions at the problem.

Regards,
Al Iverson



Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors

Have been watching this thread for a bit, and do have an opinion.

First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather 
than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it 
out, is that there is a lot of loose definitions of both 'opt-in' and 
'confirmed'.


While it might be more 'attractive' to offer a simple 'click to 
confirm', why are you not using the more standard 'Please Reply To' this 
message if you want to receive these messages?


This would solve the problem being discussed, and ensure that the 
recipient truly wants your message.




On 16-05-26 08:06 AM, Alberto Miscia via mailop wrote:

> This opens up for an interesting discussion.
> We experienced the very same issue in the past for a few customers and
> enabling a captcha was the only viable option.
> The "bots" (don't really know actually) managed to complete a COI
> process with several free accounts.
>
> IP ranges were different some on CBL some not but blocking a listed IP
> in a COI process can be dangerous.
> For the very same reason I'd rule out e-hawk and alike.
> The vast majority of the addresses were listed on cleantalk.org
>
> The hidden link in the confirmation email (an HTML comment would work
> better than a "white-on-white tiny font" from a
> deliverability perspective) in my opinion is the way to go.
> Even if it can be very tricky to implement, we are seriously
> considering it to prevent bot clicks across the board.
>
> HTH
>
> Alberto Miscia | MailUp | Head of Deliverability & Compliance
>
>
> 2016-05-26 15:05 GMT+02:00 Vick Khera:
>>
>> On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote:
>>>
>>> I've heard John Levine propose the "hidden link to catch scanning
>>> robots" solution but I've never heard of an email system implementing
>>
>> I'm running through my head how that would work, and makes for some very
>> complicated state transition diagrams to go from "signup requested" to
>> "confirmed". What if they scan in parallel and the timing works out they
>> poked them in the opposite order, etc. I see a few new states and many
>> transitions, and some timeout based events. Not pretty.
>>
>>> it. Similarly, senders have often suggested that spamtrap systems
>>> shouldn't follow links. (Security systems, sure, but don't do that
>>> with spamtrap addresses.) And today I heard it suggested that it would
>>> be wiser to have COI have a second click (probably an HTTP POST-based
>>
>> What if the confirmation email button itself was a POST form rather than
>> just a GET to a page? Are scanning systems following POSTs too?
>>
>>> button) on the landing web page, to prevent security systems from
>>> erroneously completing COI confirm steps. All good stuff, but it
>>
>> I don't think you're going to get much buy-in for requiring so many clicks
>> to get activated. I know we already lose customers just for requiring COI.
>> Making the COI be more work for the subscriber will just make people go
>> elsewhere faster.
>>
>>> doesn't sound as though any of it has been widely broadcasted as a
>>> best practice or requirement.





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] signup form abuse

2016-05-26 Thread Alberto Miscia via mailop
This opens up for an interesting discussion.
We experienced the very same issue in the past for a few customers and
enabling a captcha was the only viable option.
The "bots" (don't really know actually) managed to complete a COI
process with several free accounts.

IP ranges were different some on CBL some not but blocking a listed IP
in a COI process can be dangerous.
For the very same reason I'd rule out e-hawk and alike.
The vast majority of the addresses were listed on cleantalk.org

The hidden link in the confirmation email (an HTML comment would work
better than a "white-on-white tiny font" from a
deliverability perspective) in my opinion is the way to go.
Even if it can be very tricky to implement, we are seriously
considering it to prevent bot clicks across the board.

HTH

Alberto Miscia | MailUp | Head of Deliverability & Compliance


2016-05-26 15:05 GMT+02:00 Vick Khera:
>
> On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote:
>>
>>
>> I've heard John Levine propose the "hidden link to catch scanning
>> robots" solution but I've never heard of an email system implementing
>
>
> I'm running through my head how that would work, and makes for some very
> complicated state transition diagrams to go from "signup requested" to
> "confirmed". What if they scan in parallel and the timing works out they
> poked them in the opposite order, etc. I see a few new states and many
> transitions, and some timeout based events. Not pretty.
>
>>
>> it. Similarly, senders have often suggested that spamtrap systems
>> shouldn't follow links. (Security systems, sure, but don't do that
>> with spamtrap addresses.) And today I heard it suggested that it would
>> be wiser to have COI have a second click (probably an HTTP POST-based
>
>
> What if the confirmation email button itself was a POST form rather than
> just a GET to a page? Are scanning systems following POSTs too?
>
>>
>>
>> button) on the landing web page, to prevent security systems from
>> erroneously completing COI confirm steps. All good stuff, but it
>
>
> I don't think you're going to get much buy-in for requiring so many clicks
> to get activated. I know we already lose customers just for requiring COI.
> Making the COI be more work for the subscriber will just make people go
> elsewhere faster.
>
>>
>> doesn't sound as though any of it has been widely broadcasted as a
>> best practice or requirement.
>
>
>
>


Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote:

> I've heard John Levine propose the "hidden link to catch scanning
> robots" solution but I've never heard of an email system implementing
>

I'm running through my head how that would work, and makes for some very
complicated state transition diagrams to go from "signup requested" to
"confirmed". What if they scan in parallel and the timing works out they
poked them in the opposite order, etc. I see a few new states and many
transitions, and some timeout based events. Not pretty.


> it. Similarly, senders have often suggested that spamtrap systems
> shouldn't follow links. (Security systems, sure, but don't do that
> with spamtrap addresses.) And today I heard it suggested that it would
> be wiser to have COI have a second click (probably an HTTP POST-based
>

What if the confirmation email button itself was a POST form rather than
just a GET to a page? Are scanning systems following POSTs too?


>
> button) on the landing web page, to prevent security systems from
> erroneously completing COI confirm steps. All good stuff, but it
>

I don't think you're going to get much buy-in for requiring so many clicks
to get activated. I know we already lose customers just for requiring COI.
Making the COI be more work for the subscriber will just make people go
elsewhere faster.


> doesn't sound as though any of it has been widely broadcasted as a
> best practice or requirement.
>


Re: [mailop] signup form abuse

2016-05-26 Thread Vick Khera
In the confirmation message, there is a link (which looks like a button) to
click to confirm you want to be on the list. That link is being followed
and the addresses activated. My working theory is that some mail filtering
software is fetching the URLs it sees.

On Wed, May 25, 2016 at 5:47 PM, Michael Wise <michael.w...@microsoft.com> wrote:

> When you say, “Confirmation Clicks”, do you mean on a link provided via
> email, or a confirmation button of a web form?
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise* | Microsoft | Spam Analysis | "Your Spam Specimen Has
> Been Processed." | Got the Junk Mail Reporting Tool
> <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
>
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick
> Khera
> *Sent:* Wednesday, May 25, 2016 2:14 PM
> *To:* Erwin Harte <eha...@barracuda.com>
> *Cc:* mailop@mailop.org
> *Subject:* Re: [mailop] signup form abuse
>
>
>
>
>
> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com> wrote:
>
> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May
> 17 and 18. Amazingly, whoever is on the other end of that address clicked
> to confirm every one of those confirmation messages. All confirmation
> clicks appear to come from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>
>
> 64.235.144.0/20
>
>
>
> Specifically: 64.235.154.109,
> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109
>


Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
Yeah, pretty much. :)

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:25 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 4:11 PM, Michael Wise wrote:
> That may or may not be a good metric, since if I just signed up for a legit 
> mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
> robot, I might be backlogged a few tens of seconds.

So, "Click here to subscribe", "Click here if you're a robot" 
white-on-white tiny font. Only count if 1 > 2.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

[ lightbulb / ]

I've been thinking about this for a while, and just had a flash of brilliance 
(or madness, hard to tell at times...)

You know what might be a good solution?
Just occurred to me.

The mailing list software displays a clickable link that will send an email 
address with a cookie in the Subject to a special address hosted by the mailing 
list server.

But the trick is, the email *MUST* pass a sufficiently strict DMARC check.

So if the mailing list receives a piece of email *FROM* the sending domain, and 
it's DKIM signed, and it validates, and DMARC passes...
That would be a remarkably strong authentication that the recipient really did 
want the traffic.
It could even be stored for reference later.

And if it was not actually from the recipient, but someone on the same service, 
the true recipient has a piece of evidence of either a compromise, or malicious 
act by another user that would be grounds to TOS them.

Thoughts?

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: Michael Wise 
Sent: Wednesday, May 25, 2016 4:11 PM
To: 'Jay Hennigan' <mailop-l...@keycodes.com>; mailop@mailop.org
Subject: RE: [mailop] signup form abuse

That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com <mailto:jabradb...@kanawhascales.com>
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
That may or may not be a good metric, since if I just signed up for a legit 
mailing-list, I may be anxiously awaiting the confirmation mail, or if I'm a 
robot, I might be backlogged a few tens of seconds.

So the Venn Diagram circles just might overlap more than you would wish.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 4:03 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 8:36 AM, Vick Khera wrote:

> I did a spot check of a recent attack. The email address was 
> jabradb...@kanawhascales.com <mailto:jabradb...@kanawhascales.com>
> and it got signed up to 12 lists during May 17 and 18. Amazingly, 
> whoever is on the other end of that address clicked to confirm every 
> one of those confirmation messages. All confirmation clicks appear to 
> come from a netblock owned by Barracuda Networks... Hmm...

Maybe Barracuda spam filtering is doing something like opening remote content 
to inspect it before forwarding it to the inbox.

What was the latency between when the confirmations were sent and when they 
were "clicked"?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Laura Atkins

> On May 25, 2016, at 4:03 PM, Jay Hennigan  wrote:
> 
> On 5/25/16 8:36 AM, Vick Khera wrote:
> 
>> I did a spot check of a recent attack. The email address
>> was jabradb...@kanawhascales.com 
>> and it got signed up to 12 lists during May 17 and 18. Amazingly,
>> whoever is on the other end of that address clicked to confirm every one
>> of those confirmation messages. All confirmation clicks appear to come
>> from a netblock owned by Barracuda Networks... Hmm...
> 
> Maybe Barracuda spam filtering is doing something like opening remote content 
> to inspect it before forwarding it to the inbox.
> 
> What was the latency between when the confirmations were sent and when they 
> were "clicked"?

Barracuda is well known for following every link in an email, including 
confirmation links

laura

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  








Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop

Oh heck yeah.
And if nothing else, it's Rule Fodder.

Subject =~ /confirm [\da-f]{32}/
Body =~ /\bxx.yy.zz.\d+\b/
... you know the drill.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Wednesday, May 25, 2016 3:49 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/25/16 7:59 AM, Vick Khera wrote:
>
> On Wed, May 25, 2016 at 10:45 AM, Matthew Black 
> <matthew.bl...@csulb.edu <mailto:matthew.bl...@csulb.edu>> wrote:
>
> Are your customers using confirmed opt-in mailing lists? If not,
> they should not be running mailing lists.
>
>
> Yes, the only effect is to send a confirmation message, which is quite 
> generic and at most contains the customer's logo and name of the list, 
> to the victim.

Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if people 
complain about fraudulent confirmation messages themselves, and might act as a 
mild deterrent if the bad guys know you're doing it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 8:36 AM, Vick Khera wrote:


I did a spot check of a recent attack. The email address
was jabradb...@kanawhascales.com 
and it got signed up to 12 lists during May 17 and 18. Amazingly,
whoever is on the other end of that address clicked to confirm every one
of those confirmation messages. All confirmation clicks appear to come
from a netblock owned by Barracuda Networks... Hmm...


Maybe Barracuda spam filtering is doing something like opening remote 
content to inspect it before forwarding it to the inbox.


What was the latency between when the confirmations were sent and when 
they were "clicked"?


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:45 AM, Matthew Black wrote:

Are your customers using confirmed opt-in mailing lists? If not, they
should not be running mailing lists.


The monetary compensation of ESPs is directly proportional to the volume 
of promotional messages that they send. Let that sink in.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Jay Hennigan

On 5/25/16 7:59 AM, Vick Khera wrote:


On Wed, May 25, 2016 at 10:45 AM, Matthew Black wrote:

Are your customers using confirmed opt-in mailing lists? If not,
they should not be running mailing lists.


Yes, the only effect is to send a confirmation message, which is quite
generic and at most contains the customer's logo and name of the list,
to the victim.


Consider adding the origin IP and timestamp/timezone to the confirmation 
message. It can be useful to savvy folks and to your abuse department if 
people complain about fraudulent confirmation messages themselves, and 
might act as a mild deterrent if the bad guys know you're doing it.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
I've heard John Levine propose the "hidden link to catch scanning
robots" solution but I've never heard of an email system implementing
it. Similarly, senders have often suggested that spamtrap systems
shouldn't follow links. (Security systems, sure, but don't do that
with spamtrap addresses.) And today I heard it suggested that it would
be wiser to have COI have a second click (probably an HTTP POST-based
button) on the landing web page, to prevent security systems from
erroneously completing COI confirm steps. All good stuff, but it
doesn't sound as though any of it has been widely broadcasted as a
best practice or requirement.

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 4:55 PM, Michael Wise via mailop
<mailop@mailop.org> wrote:
> The classical response to that is a "Hidden" URL that, if "clicked" by the 
> scanning software, gives "Insight" into the fact that the recipient is doing 
> that, yes?
>
> Aloha,
> Michael.
> --
> Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
> Processed." | Got the Junk Mail Reporting Tool ?
>
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Erwin Harte
> Sent: Wednesday, May 25, 2016 2:48 PM
> To: Michelle Sullivan <miche...@sorbs.net>; Vick Khera <vi...@khera.org>
> Cc: mailop@mailop.org
> Subject: Re: [mailop] signup form abuse
>
> On 5/25/16 4:40 PM, Michelle Sullivan wrote:
>> Vick Khera wrote:
>>> On Wed, May 25, 2016 at 3:02 PM, Erwin Harte <eha...@barracuda.com
>>> <mailto:eha...@barracuda.com>> wrote:
>>>
>>>>  I did a spot check of a recent attack. The email address was
>>>>  jabradb...@kanawhascales.com
>>>>  <mailto:jabradb...@kanawhascales.com> and it got signed up to 12
>>>>  lists during May 17 and 18. Amazingly, whoever is on the other
>>>>  end of that address clicked to confirm every one of those
>>>>  confirmation messages. All confirmation clicks appear to come
>>>>  from a netblock owned by Barracuda Networks... Hmm...
>>>  Which netblock was that?
>>>
>>>
>>> 64.235.144.0/20
>>>
>>> Specifically: 64.235.154.109,
>>> 64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105,
>>> 64.235.154.109
>>>
>>>
>> Single click through?  (as in everything in the URL?) - if so probably
>> automated mail scanning.
>>
> That's what I expect as well. Those addresses are all from ESS
> (https://www.barracuda.com/products/emailsecurityservice) which does
> 'intent' checking.
>
> --Erwin
>
> ===
>
>
> Considering Office 365?  Barracuda security and storage solutions can help.
> Learn more about Barracuda solutions for Office 365 at
> http://barracuda.com/office365.
>
> DISCLAIMER:
> This e-mail and any attachments to it contain confidential and proprietary 
> material of Barracuda, its affiliates or agents, and is solely for the use of 
> the intended recipient. Any review, use, disclosure, distribution or copying 
> of this transmittal is prohibited except by or on behalf of the intended 
> recipient. If you have received this transmittal in error, please notify the 
> sender and destroy this e-mail and any attachments and all copies, whether 
> electronic or printed.
>
>
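The mechanics this part of the thread converges on, put together in one place: the link in the confirmation mail only lands on a page, a second HTTP POST from that page is what activates the address, a hidden link (Jay's "white-on-white tiny font" idea, Michael's "hidden URL") is touched only by something that fetches every URL in the message, and the origin IP and timestamp of the signup are quoted in the mail as Jay suggested. This is an added example written for this page, not code from any post here and not the code of Mailman or of any ESP; the key, host name and addresses are constructed for the demo.

```python
"""Two-step confirmed opt-in (COI) that a link-following mail scanner cannot
complete.  Added example, not code from any list package named in the thread.
The secret, host name and addresses are constructed for the demo."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: per-site key
BASE = "https://lists.example.net"                       # assumption: confirm host


def make_token(list_id, email, nonce):
    """Bind the confirmation token to list, address and a fresh nonce."""
    msg = f"{list_id}|{email.lower()}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def extract_links(html):
    """Every href in the message, i.e. what an 'intent' scanner would fetch."""
    return re.findall(r'href="([^"]+)"', html)


@dataclass
class Pending:
    list_id: str
    email: str
    origin_ip: str                 # signup-form client IP, quoted in the mail
    requested_at: datetime
    landing_fetched: bool = False  # GET on the visible link: scanner or human
    decoy_fetched: bool = False    # GET on the hidden link: scanners only
    activated: bool = False        # set only by the POST, never by a GET


class CoiFlow:
    def __init__(self):
        self.pending = {}   # confirm token -> Pending
        self.decoys = {}    # decoy token -> confirm token

    def request(self, list_id, email, origin_ip, now=None):
        """Signup-form handler: record the request, return (token, mail body)."""
        now = now or datetime.now(timezone.utc)
        token = make_token(list_id, email, secrets.token_hex(8))
        decoy = secrets.token_hex(16)
        self.pending[token] = Pending(list_id, email, origin_ip, now)
        self.decoys[decoy] = token
        return token, self.confirmation_mail(token, decoy)

    def confirmation_mail(self, token, decoy):
        p = self.pending[token]
        # Origin IP and timestamp go into the message: a recipient who never
        # signed up can hand them to an abuse desk.
        return (
            f"<p>A request from {p.origin_ip} at {p.requested_at.isoformat()} "
            f"asked to subscribe {p.email} to {p.list_id}.</p>\n"
            f'<p><a href="{BASE}/confirm/{token}">Yes, take me to the confirmation page</a></p>\n'
            # Hidden decoy: no person sees it; anything fetching every URL does.
            f'<a href="{BASE}/d/{decoy}" style="font-size:1px;color:#fff">.</a>\n'
        )

    def handle_get(self, url):
        """A GET only records state; it never activates the subscription."""
        parts = urlparse(url).path.strip("/").split("/")
        if len(parts) != 2:
            return "404"
        kind, value = parts
        if kind == "d" and value in self.decoys:
            self.pending[self.decoys[value]].decoy_fetched = True
            return "204"
        if kind == "confirm" and value in self.pending:
            self.pending[value].landing_fetched = True
            # Landing page: the real confirmation is a form POST from here.
            return (f'<form method="post" action="{BASE}/activate">'
                    f'<input type="hidden" name="t" value="{value}">'
                    f'<button>Subscribe me</button></form>')
        return "404"

    def handle_post(self, form):
        """Second step: the form submission is what activates the address."""
        p = self.pending.get(form.get("t", ""))
        if p is None or p.activated or not p.landing_fetched:
            return "rejected"   # unknown token, replay, or POST without the page
        p.activated = True
        # A fetched decoy means a scanner handled this mail; keep the
        # activation but flag it so the POST can be reviewed if needed.
        return "activated-flagged" if p.decoy_fetched else "activated"
```

The decoy token is minted per request so that a fetch on it can be tied to one pending signup rather than to the list as a whole; that is what turns Michael's "insight into the fact that the recipient is doing that" into a per-address flag, and it also answers Vick's question about POSTs: a scanner that does submit the form still trips the decoy first.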


Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 4:40 PM, Michelle Sullivan wrote:

Vick Khera wrote:

On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:


 I did a spot check of a recent attack. The email address was
 jabradb...@kanawhascales.com
  and it got signed up to 12
 lists during May 17 and 18. Amazingly, whoever is on the other
 end of that address clicked to confirm every one of those
 confirmation messages. All confirmation clicks appear to come
 from a netblock owned by Barracuda Networks... Hmm...

 Which netblock was that?


64.235.144.0/20 

Specifically: 64.235.154.109,
64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109



Single click through?  (as in everything in the URL?) - if so probably
automated mail scanning.

That's what I expect as well. Those addresses are all from ESS 
(https://www.barracuda.com/products/emailsecurityservice) which does 
'intent' checking.


--Erwin



Re: [mailop] signup form abuse

2016-05-25 Thread Michael Wise via mailop
When you say, “Confirmation Clicks”, do you mean on a link provided via email, 
or a confirmation button of a web form?

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Wednesday, May 25, 2016 2:14 PM
To: Erwin Harte <eha...@barracuda.com>
Cc: mailop@mailop.org
Subject: Re: [mailop] signup form abuse


On Wed, May 25, 2016 at 3:02 PM, Erwin Harte 
<eha...@barracuda.com<mailto:eha...@barracuda.com>> wrote:
I did a spot check of a recent attack. The email address was 
jabradb...@kanawhascales.com<mailto:jabradb...@kanawhascales.com> and it got 
signed up to 12 lists during May 17 and 18. Amazingly, whoever is on the other 
end of that address clicked to confirm every one of those confirmation 
messages. All confirmation clicks appear to come from a netblock owned by 
Barracuda Networks... Hmm...
Which netblock was that?

64.235.144.0/20

Specifically: 64.235.154.109, 64.235.153.2, 64.235.150.252, 64.235.153.10, 
64.235.154.105, 64.235.154.109


Re: [mailop] signup form abuse

2016-05-25 Thread Michelle Sullivan

Vick Khera wrote:


On Wed, May 25, 2016 at 3:02 PM, Erwin Harte wrote:



I did a spot check of a recent attack. The email address was
jabradb...@kanawhascales.com
 and it got signed up to 12
lists during May 17 and 18. Amazingly, whoever is on the other
end of that address clicked to confirm every one of those
confirmation messages. All confirmation clicks appear to come
from a netblock owned by Barracuda Networks... Hmm...

Which netblock was that?


64.235.144.0/20 

Specifically: 64.235.154.109, 
64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109





Single click through?  (as in everything in the URL?) - if so probably 
automated mail scanning.


--
Michelle Sullivan
http://www.mhix.org/




Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 3:02 PM, Erwin Harte  wrote:

> I did a spot check of a recent attack. The email address was
> jabradb...@kanawhascales.com and it got signed up to 12 lists during May
> 17 and 18. Amazingly, whoever is on the other end of that address clicked
> to confirm every one of those confirmation messages. All confirmation
> clicks appear to come from a netblock owned by Barracuda Networks... Hmm...
>
> Which netblock was that?
>

64.235.144.0/20

Specifically: 64.235.154.109,
64.235.153.2, 64.235.150.252, 64.235.153.10, 64.235.154.105, 64.235.154.109


Re: [mailop] signup form abuse

2016-05-25 Thread Erwin Harte

On 5/25/16 10:36 AM, Vick Khera wrote:
On Tue, May 24, 2016 at 2:18 PM, Michael Wise wrote:


Are these IP addresses on CBL?

I did a spot check of a recent attack. The email address was 
jabradb...@kanawhascales.com  and 
it got signed up to 12 lists during May 17 and 18. Amazingly, whoever 
is on the other end of that address clicked to confirm every one of 
those confirmation messages. All confirmation clicks appear to come 
from a netblock owned by Barracuda Networks... Hmm...

Which netblock was that?

--Erwin



Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Tue, May 24, 2016 at 2:18 PM, Michael Wise 
wrote:

> Are these IP addresses on CBL?
>

I did a spot check of a recent attack. The email address was
jabradb...@kanawhascales.com and it got signed up to 12 lists during May 17
and 18. Amazingly, whoever is on the other end of that address clicked to
confirm every one of those confirmation messages. All confirmation clicks
appear to come from a netblock owned by Barracuda Networks... Hmm...

Each signup request came from a different IP address. 5 were on CBL (as of
right now) and 7 were not. In case anyone is interested, I also checked
them against MinFraud from Maxmind. Of the 7 CBL did not detect, it said 5
of them were high risk of being fraudulent source. Between the two, only 2
would get through.

If anyone is interested, these are the IPs used for the signup form
submission:

 107.184.168.161 - CBL, MF
 67.208.149.17 - CBL, MF "low"
 116.212.155.5 -
 73.4.8.181 - MF
 76.74.237.61 - CBL, MF
 96.245.176.53 - MF
 50.196.42.201 - MF
 32.213.237.56 -
 50.192.254.21 - MF
 76.74.237.61 - CBL, MF
 74.196.162.37 - MF
 76.74.237.61 - CBL, MF

I am definitely going to start checking CBL and MinFraud for these forms.
Thanks for the tip.

Are these addresses in a larger pool, like a Nigerian coffee shop?
>

Doesn't seem like it. I spot checked a couple and they look like ISPs in
the states.


> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>
>
>

We do have CAPTCHA available. I think it is time to start pushing it on the
customers a little harder...
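Vick's plan to check CBL on form submissions, as an added example that is not his ESP's code: a DNS blocklist lookup on the submitting IP plus a check for the same IP reappearing across a batch (one address occurs three times in his own list above), with risky submissions routed to the CAPTCHA he mentions rather than imposing it on every subscriber. The zone name, answer table and IP addresses are constructed placeholders; the real CBL data is not queried here, and MinFraud, a paid API, is not shown.

```python
"""Screen signup-form submissions before any confirmation mail goes out.
Added example, not the ESP's code; zone, answer table and addresses are
constructed.  The resolver is injectable so the demo runs offline."""
import ipaddress
import socket
from collections import Counter

DNSBL_ZONE = "dnsbl.example"   # placeholder: the blocklist zone you licence
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBL listings answer here


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Query name for an IPv4 address: octets reversed under the zone."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this demo")
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name):
    """Real lookup: A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answer table standing in for DNS so the demo runs offline.
DEMO_TABLE = {
    dnsbl_name("192.0.2.10"): "127.0.0.2",    # listed
    dnsbl_name("198.51.100.7"): "127.0.0.4",  # listed, another return code
    dnsbl_name("203.0.113.9"): "10.0.0.1",    # bogus answer (wildcarding resolver)
}


def demo_resolver(name):
    return DEMO_TABLE.get(name)


def is_listed(ip, resolver=live_resolver, zone=DNSBL_ZONE):
    """True only for an answer inside 127.0.0.0/8.  NXDOMAIN, or an answer
    outside that range (a resolver that wildcards unknown names), counts as
    not listed so a DNS problem never blocks real subscribers."""
    answer = resolver(dnsbl_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET


def screen_signups(signups, resolver=live_resolver):
    """signups: [(ip, email), ...] -> [(ip, email, decision, reasons), ...]
    where decision is 'accept' or 'challenge' (show the CAPTCHA)."""
    seen = Counter(ip for ip, _ in signups)
    out = []
    for ip, email in signups:
        reasons = []
        if is_listed(ip, resolver):
            reasons.append("dnsbl")
        if seen[ip] > 1:
            reasons.append(f"repeat x{seen[ip]}")
        out.append((ip, email, "challenge" if reasons else "accept", reasons))
    return out
```

The repeat check is deliberately weak on its own, for the reason Vick gives: the submissions arrive slowly and from many addresses, so it only catches the few IPs that do recur. The blocklist lookup is what does most of the work, and treating anything outside 127.0.0.0/8 as "not listed" keeps a broken or hijacked resolver from silently challenging everyone.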


Re: [mailop] signup form abuse

2016-05-25 Thread Al Iverson
Matthew,

Which ESPs operate that way? (Hint: none. Most ESPs offer COI, few or
none require it.)

So since that's not happening...

--
Al Iverson
www.aliverson.com
(312)725-0130


On Wed, May 25, 2016 at 9:45 AM, Matthew Black  wrote:
> Are your customers using confirmed opt-in mailing lists? If not, they should
> not be running mailing lists.
>
>
>
> matthew
>
>
>
>
>
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
> Sent: Tuesday, May 24, 2016 10:18 AM
> To: mailop@mailop.org
> Subject: [mailop] signup form abuse
>
>
>
> As an ESP, we host mailing list signup forms for many customers. Of late, it
> appears they have been getting pounded on with fraudulent signups for real
> addresses. Sometimes the people confirm by clicking the confirmation link in
> the message and we are left scratching our heads as to why they would do
> that. Mostly they get ignored and sometimes they come back as spam
> complaints.
>
>
>
> One opinion I got regarding this was that people were using bots to sign up
> to newsletter lists other bot-driven email addresses at gmail, yahoo, etc.,
> to make those mailboxes look more real before they became "weaponized" for
> use in sending junk. That does not seem to be entirely what is happening
> here...
>
>
>
> Today we got a set of complaints for what appears to be a personal email
> address at a reasonably sized ISP. The complaint clearly identified the
> messages as a signup confirmation message and chastised us for not having
> the form protected by a CAPTCHA. Of course, they blocked some of our IPs for
> good measure :( They characterized it as a DDoS.
>
>
>
> What are the folks on this fine list doing about this kind of abuse? We do
> have the ability to turn on CAPTCHA for our customers, but often they have
> nicely integrated the signup forms into their own web sites and making it
> work for those is pretty complicated. If I enabled CAPTCHA naively, the
> subscribers would have to click the submit form twice and then click the
> confirm on the email. The UX for that sucks, but such is the cost of
> allowing jerks on the internet...
>
>
>
> Rate limiting doesn't seem to be useful since the forms are being submitted
> at low rates and from a wide number of IP addresses.
>
>
>
> I look forward to hearing what others here are doing.
>
>


Re: [mailop] signup form abuse

2016-05-25 Thread Vick Khera
On Wed, May 25, 2016 at 10:45 AM, Matthew Black 
wrote:

> Are your customers using confirmed opt-in mailing lists? If not, they
> should not be running mailing lists.
>
>
Yes, the only effect is to send a confirmation message, which is quite
generic and at most contains the customer's logo and name of the list, to
the victim.


Re: [mailop] signup form abuse

2016-05-25 Thread Matthew Black
Are your customers using confirmed opt-in mailing lists? If not, they should 
not be running mailing lists.

matthew


From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Vick Khera
Sent: Tuesday, May 24, 2016 10:18 AM
To: mailop@mailop.org
Subject: [mailop] signup form abuse

As an ESP, we host mailing list signup forms for many customers. Of late, it 
appears they have been getting pounded on with fraudulent signups for real 
addresses. Sometimes the people confirm by clicking the confirmation link in 
the message and we are left scratching our heads as to why they would do that. 
Mostly they get ignored and sometimes they come back as spam complaints.

One opinion I got regarding this was that people were using bots to sign up to 
newsletter lists other bot-driven email addresses at gmail, yahoo, etc., to 
make those mailboxes look more real before they became "weaponized" for use in 
sending junk. That does not seem to be entirely what is happening here...

Today we got a set of complaints for what appears to be a personal email 
address at a reasonably sized ISP. The complaint clearly identified the 
messages as a signup confirmation message and chastised us for not having the 
form protected by a CAPTCHA. Of course, they blocked some of our IPs for good 
measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do have 
the ability to turn on CAPTCHA for our customers, but often they have nicely 
integrated the signup forms into their own web sites and making it work for 
those is pretty complicated. If I enabled CAPTCHA naively, the subscribers 
would have to click the submit form twice and then click the confirm on the 
email. The UX for that sucks, but such is the cost of allowing jerks on the 
internet...

Rate limiting doesn't seem to be useful since the forms are being submitted at 
low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.


Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren

On 2016-05-24 15:30, Michael Wise via mailop wrote:

If someone has a better idea how to keep mailinglist software like MailMan from 
being co-opted into such an attack, I would LOVE to hear it.


I think the obvious approach would be to move back to 
listname-subscr...@example.com requests, but require subscription 
requests to either have valid SPF, DKIM, or some matching of 
MX/rDNS/something to indicate it might be legitimate.


But of course this would require users to actually want to join lists 
enough to take action, and we can't have friction.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
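The subscribe-by-mail variant described above needs the list server to decide whether an incoming -subscribe request is authenticated before it honours it. The block below is an added example, not part of this thread and not Mailman's code: it parses the Authentication-Results header that a trusted front-end MTA stamps on delivery and accepts the request only when an SPF or DKIM pass is aligned with the From domain. It assumes a hypothetical authserv-id `mx.example.com`, that headers arrive as a dict, relaxed alignment without a public suffix list, and constructed sample headers. The authserv-id check matters: a remote sender can put its own Authentication-Results header on a message, so anything not written by your own MTA must be ignored.

```python
import re

# Assumed: the identifier our own MTA writes into Authentication-Results.
# A header carrying any other authserv-id could have been forged by the sender.
TRUSTED_AUTHSERV_ID = "mx.example.com"


def parse_authentication_results(value):
    """Parse an Authentication-Results header (RFC 7601 shape) into
    (authserv_id, [(method, result, {ptype.prop: value}), ...]).
    Folded headers are unfolded; comments in parentheses are skipped."""
    value = " ".join(value.split())
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = []
    for stanza in parts[1:]:
        m = re.match(r"(\w+)=(\w+)\s*(.*)", stanza)
        if not m:                      # e.g. the bare "none" stanza
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = {pm.group(1).lower(): pm.group(2).lower()
                 for pm in re.finditer(r"([\w.]+)=([^\s()]+)", rest)}
        results.append((method, result, props))
    return authserv_id, results


def _domain_of(addr):
    # Works for "Name <user@dom>", "user@dom" and a bare "dom".
    return addr.rsplit("@", 1)[-1].lower().strip("<>")


def _aligned(d1, d2):
    """Relaxed alignment: equal, or one is a subdomain of the other.
    Assumption: no public-suffix list, so shared hosting domains would
    align too loosely; use an organizational-domain lookup in production."""
    return bool(d1) and bool(d2) and (
        d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1))


def subscription_request_allowed(headers):
    """Decide whether a listname-subscribe@ request should be honoured.
    headers: dict with at least 'From' and 'Authentication-Results'.
    Returns (allowed, reason)."""
    authserv_id, results = parse_authentication_results(
        headers.get("Authentication-Results", ""))
    if authserv_id != TRUSTED_AUTHSERV_ID:
        return False, "untrusted-authserv-id"
    from_domain = _domain_of(headers.get("From", ""))
    if not from_domain:
        return False, "no-from-domain"
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim" and _aligned(props.get("header.d", ""), from_domain):
            return True, "dkim-aligned"
        if method == "spf" and _aligned(_domain_of(props.get("smtp.mailfrom", "")), from_domain):
            return True, "spf-aligned"
    return False, "no-aligned-pass"
```

This only decides whether to send the confirmation at all; the confirmation step itself stays in place, so an attacker who controls a domain with valid SPF/DKIM still cannot subscribe someone else.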


Re: [mailop] signup form abuse

2016-05-25 Thread Dave Warren

On 2016-05-24 15:17, Jay Hennigan wrote:

On 5/24/16 12:26 PM, Michael Wise wrote:


We're still seeing cases where a malicious actor, typically in 
Eastern Europe, will try and sign up a target email address for 
thousands of lists all at once, flooding their mailbox with 
confirmation traffic, perhaps to hide some other nefarious issues.


I wonder what the point is. How does the bad guy monetize it, or is it 
a coordinated attack against a specific victim? What other nefarious 
issues? Making the address useless or burying some other mail in the 
midst of the junk would seem to be a possibility.


If an attack against a specific victim, it would seem that unconfirmed 
marketing lists would be a more effective weapon than a bunch of 
random confirmation messages. 


I could see this type of attack being useful when the bad actor desires 
to suppress a legitimate message. For example, if I were to spoof a 
message from the finance director to a subordinate to send corporate 
financial information out to a third party, I might want to disrupt the 
finance director's email temporarily to ensure that the subordinate's 
attempt to confirm the request is not seen.


I might do so again after compromising the corporate bank account so 
that wire transfer confirmations are not seen and acted upon in a timely 
fashion.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread TR Shaw
You might want to check out e-hawk.net as Franck suggested. Or check out others 
in the area. 

> On May 24, 2016, at 9:53 PM, Robert Mueller  wrote:
> 
> 
>> I wonder what the point is. How does the bad guy monetize it, or is it a 
>> coordinated attack against a specific victim? What other nefarious 
>> issues? Making the address useless or burying some other mail in the 
>> midst of the junk would seem to be a possibility.
>> 
>> If an attack against a specific victim, it would seem that unconfirmed 
>> marketing lists would be a more effective weapon than a bunch of random 
>> confirmation messages.
> 
> We saw this happen a while back:
> 
> https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/
> 
> About a month ago, our hostmas...@fastmail.fm account suddenly wound up
> subscribed to hundreds of mailing lists. All these mailing lists failed
> to use double or confirmed opt-in, so someone was simply able to enter
> the email address into a form and sign us up, no confirmation required.
> This really is poor practice, but it's still pretty common out there. A
> special shout-out goes to government and emergency response agencies in
> the USA for their non-confirmation signup on mailing lists. Thanks guys.
> 
> The upshot was that the hostmaster address was receiving significant
> noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch
> of his time removing us from those lists one by one, being very careful
> to check that none of the 'opt-out' links were actually phishing
> attempts. This turns out to have been time very well spent.
> 
> -- 
> Rob Mueller
> r...@fastmail.fm
> 


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread Robert Mueller

> I wonder what the point is. How does the bad guy monetize it, or is it a 
> coordinated attack against a specific victim? What other nefarious 
> issues? Making the address useless or burying some other mail in the 
> midst of the junk would seem to be a possibility.
> 
> If an attack against a specific victim, it would seem that unconfirmed 
> marketing lists would be a more effective weapon than a bunch of random 
> confirmation messages.

We saw this happen a while back:

https://blog.fastmail.com/2014/04/10/when-two-factor-authentication-is-not-enough/

About a month ago, our hostmas...@fastmail.fm account suddenly wound up
subscribed to hundreds of mailing lists. All these mailing lists failed
to use double or confirmed opt-in, so someone was simply able to enter
the email address into a form and sign us up, no confirmation required.
This really is poor practice, but it's still pretty common out there. A
special shout-out goes to government and emergency response agencies in
the USA for their non-confirmation signup on mailing lists. Thanks guys.

The upshot was that the hostmaster address was receiving significant
noise. Rob Mueller (one of our directors) wasted (so we thought) a bunch
of his time removing us from those lists one by one, being very careful
to check that none of the 'opt-out' links were actually phishing
attempts. This turns out to have been time very well spent.

-- 
Rob Mueller
r...@fastmail.fm

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop
I suspect it's the hiding angle, but it's hard to tell.
It does seem to be someone offering a "Service" out of Eastern Europe.
If the lists were unconfirmed, we'd block them; so the attack needs to use 
confirmed lists, and just bombard the target with what is, at least in theory, 
unblockable traffic.

I know it gave me serious pause when I first saw it, and I didn't have a solid 
answer for it, except to junk the confirmation emails.
If someone has a better idea how to keep mailinglist software like MailMan from 
being co-opted into such an attack, I would LOVE to hear it.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Tuesday, May 24, 2016 2:17 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/24/16 12:26 PM, Michael Wise wrote:
>
> We're still seeing cases where a malicious actor, typically in Eastern 
> Europe, will try and sign up a target email address for thousands of lists 
> all at once, flooding their mailbox with confirmation traffic, perhaps to 
> hide some other nefarious issues.

I wonder what the point is. How does the bad guy monetize it, or is it a 
coordinated attack against a specific victim? What other nefarious issues? 
Making the address useless or burying some other mail in the midst of the junk 
would seem to be a possibility.

If an attack against a specific victim, it would seem that unconfirmed 
marketing lists would be a more effective weapon than a bunch of random 
confirmation messages.

It kind of sounds like back in the college frat days of pranking someone by 
signing them up to Columbia Record Club and tons of bill-me-later magazine 
subscriptions, but that was usually aimed at a specific individual and watching 
the fallout was the fun part.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan

On 5/24/16 12:26 PM, Michael Wise wrote:


We're still seeing cases where a malicious actor, typically in Eastern Europe, 
will try and sign up a target email address for thousands of lists all at once, 
flooding their mailbox with confirmation traffic, perhaps to hide some other 
nefarious issues.


I wonder what the point is. How does the bad guy monetize it, or is it a 
coordinated attack against a specific victim? What other nefarious 
issues? Making the address useless or burying some other mail in the 
midst of the junk would seem to be a possibility.


If an attack against a specific victim, it would seem that unconfirmed 
marketing lists would be a more effective weapon than a bunch of random 
confirmation messages.


It kind of sounds like back in the college frat days of pranking someone 
by signing them up to Columbia Record Club and tons of bill-me-later 
magazine subscriptions, but that was usually aimed at a specific 
individual and watching the fallout was the fun part.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-24 Thread Vladimir Dubrovin via mailop

You definitely need anti-bot protection because currently you produce
bounce SPAM and may be used for targeted SPAM / DDoS, especially if you
reflect some user input (e.g. First name / last name). Currently, bots
of this kind do not bother to emulate user behavior, and checking that
the user has visited the form page before submitting the form, in the
same session and with a reasonable interval between the two requests, is
enough in most cases to distinguish a real user from a bot without
requiring a CAPTCHA. In future you may be required to implement a CAPTCHA
or some other form of stronger protection.

Most requests of this kind come from hosting networks. Because you
usually do not expect real users' requests from this kind of network, you
can blacklist hosting networks entirely. There is a risk of losing the
small fraction of users who use a VPS for proxy/VPN connections.

Vick Khera пишет:
> As an ESP, we host mailing list signup forms for many customers. Of
> late, it appears they have been getting pounded on with fraudulent
> signups for real addresses. Sometimes the people confirm by clicking
> the confirmation link in the message and we are left scratching our
> heads as to why they would do that. Mostly they get ignored and
> sometimes they come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to
> sign up to newsletter lists other bot-driven email addresses at gmail,
> yahoo, etc., to make those mailboxes look more real before they became
> "weaponized" for use in sending junk. That does not seem to be
> entirely what is happening here...
>
> Today we got a set of complaints for what appears to be a personal
> email address at a reasonably sized ISP. The complaint clearly
> identified the messages as a signup confirmation message and chastised
> us for not having the form protected by a CAPTCHA. Of course, they
> blocked some of our IPs for good measure :( They characterized it as a
> DDoS.
>
> What are the folks on this fine list doing about this kind of abuse?
> We do have ability to turn on CAPTCHA for our customers, but often
> they have nicely integrated the signup forms into their own web sites
> and making it work for those is pretty complicated. If I enabled
> CAPTCHA naively, the subscribers would have to click the submit form
> twice and then click the confirm on the email. The UX for that sucks,
> but such is the cost of allowing jerks on the internet...
>
> Rate limiting doesn't seem to be useful since the forms are being
> submitted at low rates and from a wide number of IP addresses.
>
> I look forward to hearing what others here are doing.
>
>


-- 
Vladimir Dubrovin
@Mail.Ru
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
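The two checks suggested above (the form page must have been fetched in the same session a plausible interval before the submit, and submissions from hosting networks deserve extra scrutiny) can be implemented without a CAPTCHA on the common path. The block below is an added example, not code from this thread or from any ESP: the GET that renders the form issues an HMAC-signed token carrying its issue time and bound to the visitor's session; the POST verifies the signature and rejects submissions that arrive implausibly fast or with a stale token; hosting-network sources are escalated to a CAPTCHA rather than hard-blocked, so the VPS/VPN users mentioned above are not lost. The secret, the timing bounds and the hosting prefixes (documentation address space) are assumed values, not anything from the thread.

```python
import base64
import hashlib
import hmac
import ipaddress
import os
import struct
import time

# Assumed, not from the thread: a server-side secret (rotate it; keep it out of
# the code base) and the timing bounds a human visitor stays within.
SECRET = os.environ.get("SIGNUP_FORM_SECRET", "dev-only-secret").encode()
MIN_FILL_SECONDS = 3          # page load to submit faster than this is a bot
MAX_TOKEN_AGE_SECONDS = 3600  # a stale token must be re-fetched with the page

# Constructed placeholder prefixes standing in for the hosting/VPS network list
# you would maintain yourself (RFC 5737 / RFC 3849 documentation space).
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]


def _tag(body, session_id):
    # The session id is mixed into the MAC input, so a token captured from one
    # session fails verification when replayed from another.
    return hmac.new(SECRET, body + session_id.encode(), hashlib.sha256).digest()


def issue_form_token(session_id, now=None):
    """Render-time (GET) side: embed the issue time and a nonce, sign both,
    and bind the token to the visitor's session."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(">Q", ts) + os.urandom(8)
    return base64.urlsafe_b64encode(body + _tag(body, session_id)).decode()


def verify_form_token(token, session_id, now=None):
    """Submit-time (POST) side. Returns 'ok' or a short rejection reason."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed"
    if len(raw) != 16 + 32:
        return "malformed"
    body, tag = raw[:16], raw[16:]
    if not hmac.compare_digest(tag, _tag(body, session_id)):
        return "bad-signature"  # forged, or lifted from another session
    (ts,) = struct.unpack(">Q", body[:8])
    age = now - ts
    if age < MIN_FILL_SECONDS:
        return "too-fast"       # page fetched and form posted within seconds
    if age > MAX_TOKEN_AGE_SECONDS:
        return "expired"
    return "ok"


def is_hosting_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


def assess_signup(token, session_id, client_ip, now=None):
    """Combine both signals into one decision: 'accept', 'challenge' (show a
    CAPTCHA instead of blocking outright) or 'reject'."""
    verdict = verify_form_token(token, session_id, now)
    if verdict in ("malformed", "bad-signature"):
        return "reject"
    if verdict != "ok" or is_hosting_ip(client_ip):
        return "challenge"
    return "accept"
```

Because the token is self-describing and signed, nothing has to be stored server-side between the GET and the POST, which keeps this workable for forms embedded in customers' own sites as long as the form markup includes the token as a hidden field and the session cookie is sent with both requests.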


Re: [mailop] signup form abuse

2016-05-24 Thread Michael Wise via mailop

We're still seeing cases where a malicious actor, typically in Eastern Europe, 
will try and sign up a target email address for thousands of lists all at once, 
flooding their mailbox with confirmation traffic, perhaps to hide some other 
nefarious issues.

If we could standardize the confirmation messages, at some point, it might be 
possible to install some sort of circuit-breaker for this kind of abuse, but 
until then ... we're tending to relegate all confirmations to Junk (not Spam) 
status, simply out of preservation of the customer's INBOX usefulness.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Jay Hennigan
Sent: Tuesday, May 24, 2016 12:07 PM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On 5/24/16 10:17 AM, Vick Khera wrote:
> As an ESP, we host mailing list signup forms for many customers. Of 
> late, it appears they have been getting pounded on with fraudulent 
> signups for real addresses. Sometimes the people confirm by clicking 
> the confirmation link in the message and we are left scratching our 
> heads as to why they would do that. Mostly they get ignored and 
> sometimes they come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to 
> sign up to newsletter lists other bot-driven email addresses at gmail, 
> yahoo, etc., to make those mailboxes look more real before they became 
> "weaponized" for use in sending junk. That does not seem to be 
> entirely what is happening here...

The appearance of the confirmation email makes a big difference. If it looks 
like an advertisement with lots of graphics, hidden tracking bugs, etc. it's 
likely to be viewed as abuse and used by bad guys to harass innocents.

I'm very pleasantly (and rarely) surprised with list confirmations that look 
like this:

* A single small logo for branding or no graphics at all
* No advertising
* A statement like "On [date] at [time] [timezone] you or someone claiming to 
be you requested to subscribe to [list] from IP address [IP]. To confirm your 
request, click [link]. If you didn't make this request, do nothing and you will 
not hear from us again. To report abuse, [do whatever].

Of course that's assuming that the ESP bothers to confirm subscriptions at all.

One extremely annoying new trend is websites that grey out after a few seconds 
and present a popup demanding an email address. This irritation is likely to 
result in the masses supplying an email address, any email address, just to 
stop the annoyance. I've resisted the temptation to complete them all with 
"abuse@". So far, I'm using "nob...@example.com".

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
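The circuit-breaker idea in the message above can be approximated on the receiving side even without standardized confirmation messages, by keying on the recipient rather than the sender: a mailbox that receives confirmations from dozens of unrelated list domains inside a few minutes is being bombed, and only the confirmation traffic needs to be diverted, not the rest of the inbox. The block below is an added example, not Microsoft's or any provider's code: a per-recipient sliding window counts distinct sender domains of confirmation-looking messages and routes further confirmations to Junk once a threshold is crossed. The subject heuristic, window and threshold are assumed values, and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Subject shapes typical of double opt-in confirmations. Heuristic and assumed;
# tune it against your own traffic (headers such as Auto-Submitted help too).
CONFIRM_SUBJECT = re.compile(
    r"\b(confirm(?:ation)?|verify|activate)\b.*\b(subscri\w*|sign[- ]?up|newsletter|list)\b",
    re.IGNORECASE,
)
WINDOW_SECONDS = 600            # assumed sliding window
DISTINCT_SENDER_THRESHOLD = 20  # assumed: this many lists in ten minutes is not a human


class ConfirmationFloodBreaker:
    """Per-recipient circuit breaker: once confirmations from too many distinct
    sender domains land inside the window, further confirmations go to Junk.
    Mail that does not look like a confirmation is never touched, so the
    message the attacker wants buried still reaches the inbox."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_SENDER_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # recipient -> deque of (ts, sender domain)

    def classify(self, ts, rcpt, sender, subject):
        """Return 'inbox' or 'junk' for one delivery."""
        if not CONFIRM_SUBJECT.search(subject):
            return "inbox"
        q = self._recent[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1].lower()))
        while q and ts - q[0][0] > self.window:
            q.popleft()                     # drop events outside the window
        distinct = len({domain for _, domain in q})
        return "junk" if distinct >= self.threshold else "inbox"


def sample_log():
    """Constructed sample, not real traffic. Fields: ts|rcpt|sender|subject.
    One target gets 25 confirmations from 25 different list hosts in four
    minutes, plus a real message; an unrelated user gets one confirmation;
    much later the target gets a single, legitimate-looking confirmation."""
    base = 1_700_000_000
    lines = [
        f"{base + i * 10}|victim@example.net|list{i}-request@site{i}.example|Please confirm your subscription"
        for i in range(25)
    ]
    lines.append(f"{base + 250}|victim@example.net|boss@example.net|Re: wire transfer approval")
    lines.append(f"{base + 260}|other@example.net|news-request@site1.example|Confirm your newsletter signup")
    lines.append(f"{base + 5000}|victim@example.net|list99-request@site99.example|Please confirm your subscription")
    return lines


def classify_log(lines, breaker=None):
    """Run the breaker over log lines in order; returns one verdict per line."""
    breaker = breaker or ConfirmationFloodBreaker()
    verdicts = []
    for line in lines:
        ts, rcpt, sender, subject = line.split("|", 3)
        verdicts.append(breaker.classify(int(ts), rcpt, sender, subject))
    return verdicts
```

Counting distinct sender domains rather than raw message volume is what separates a bombing run from a single misbehaving list that resends its confirmation a few times.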


Re: [mailop] signup form abuse

2016-05-24 Thread Jay Hennigan

On 5/24/16 10:17 AM, Vick Khera wrote:

As an ESP, we host mailing list signup forms for many customers. Of
late, it appears they have been getting pounded on with fraudulent
signups for real addresses. Sometimes the people confirm by clicking the
confirmation link in the message and we are left scratching our heads as
to why they would do that. Mostly they get ignored and sometimes they
come back as spam complaints.

One opinion I got regarding this was that people were using bots to sign
up to newsletter lists other bot-driven email addresses at gmail, yahoo,
etc., to make those mailboxes look more real before they became
"weaponized" for use in sending junk. That does not seem to be entirely
what is happening here...


The appearance of the confirmation email makes a big difference. If it 
looks like an advertisement with lots of graphics, hidden tracking bugs, 
etc. it's likely to be viewed as abuse and used by bad guys to harass 
innocents.


I'm very pleasantly (and rarely) surprised with list confirmations that 
look like this:


* A single small logo for branding or no graphics at all
* No advertising
* A statement like "On [date] at [time] [timezone] you or someone 
claiming to be you requested to subscribe to [list] from IP address 
[IP]. To confirm your request, click [link]. If you didn't make this 
request, do nothing and you will not hear from us again. To report 
abuse, [do whatever].


Of course that's assuming that the ESP bothers to confirm subscriptions 
at all.


One extremely annoying new trend is websites that grey out after a few 
seconds and present a popup demanding an email address. This irritation 
is likely to result in the masses supplying an email address, any email 
address, just to stop the annoyance. I've resisted the temptation to 
complete them all with "abuse@". So far, I'm using 
"nob...@example.com".


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
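The confirmation shape described above (date, time, list, requesting IP, one link, and an explicit "do nothing" path) is straightforward to generate, and the server side that goes with it is what makes the confirmation worth anything: the address must not be added to the list until a random, single-use, expiring token comes back. The block below is an added example, not code from this thread or from any ESP. The expiry, the confirmation endpoint and the abuse contact are hypothetical values chosen for the demonstration.

```python
import secrets
import time
from datetime import datetime, timezone
from email.message import EmailMessage

# Assumed values, not from the thread: how long a request may sit unconfirmed,
# and a hypothetical endpoint / abuse contact for the list host.
CONFIRM_TTL_SECONDS = 48 * 3600
CONFIRM_URL = "https://lists.example.com/confirm"
ABUSE_CONTACT = "abuse@lists.example.com"


class PendingSubscriptions:
    """Server-side store of unconfirmed requests keyed by a random token.
    An address joins a list only when its token is presented, once, in time."""

    def __init__(self):
        self._pending = {}

    def request(self, list_name, address, client_ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # unguessable, single use
        self._pending[token] = {"list": list_name, "address": address,
                                "ip": client_ip, "requested": now}
        return token

    def peek(self, token):
        return self._pending.get(token)

    def confirm(self, token, now=None):
        """Returns (entry, 'ok') or (None, reason). The token is popped before
        the expiry check, so it can never be presented a second time."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return None, "unknown-or-used"
        if now - entry["requested"] > CONFIRM_TTL_SECONDS:
            return None, "expired"
        return entry, "ok"

    def pending_count(self):
        return len(self._pending)


def build_confirmation(entry, token, sender):
    """Plain-text confirmation: who, when, from which IP, one link, and an
    explicit do-nothing path. No HTML, no images, no tracking, so the message
    carries nothing an attacker could reuse to harass the recipient."""
    when = datetime.fromtimestamp(entry["requested"], tz=timezone.utc)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = entry["address"]
    msg["Subject"] = f"Confirm your subscription to {entry['list']}"
    msg["Auto-Submitted"] = "auto-generated"   # RFC 3834 marker for automatic mail
    msg.set_content(
        f"On {when.strftime('%Y-%m-%d at %H:%M UTC')} you or someone claiming to be you\n"
        f"requested to subscribe to {entry['list']} from IP address {entry['ip']}.\n"
        "\n"
        f"To confirm your request, open:\n  {CONFIRM_URL}?t={token}\n"
        "\n"
        "If you didn't make this request, do nothing and you will not hear\n"
        f"from us again. To report abuse, write to {ABUSE_CONTACT}.\n"
    )
    return msg
```

Keeping the pending store separate from the list membership is the point: an unconfirmed request can be dropped, rate-limited or purged without ever touching the list, and a confirmation link that has already been used (or has aged out) does nothing.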


Re: [mailop] signup form abuse

2016-05-24 Thread Franck Martin via mailop
Not new story, people have devised systems to avoid the creation of such
accounts:
http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/?_r=0

You could for instance use data from http://www.e-hawk.net/ (I'm not
endorsing them, just a company that tries to fill that need, there are
others, do due diligence) to trust (or not) that the signing up is from a
legit person and if not increase the challenge level (CAPCHA and others).

On Tue, May 24, 2016 at 11:18 AM, Michael Wise via mailop  wrote:

> Are these IP addresses on CBL?
>
> Are these addresses in a larger pool, like a Nigerian coffee shop?
>
> At some point, you should have a CAPTCHA, and also possibly a list of
> ranges of known bad actors.
>
>
>
> We’ve been so concerned about issues from bad IPs on port 25, that many of
> us have neglected noticing bad connections on port 443.
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise* | Microsoft | Spam Analysis | "Your Spam Specimen Has
> Been Processed." | Got the Junk Mail Reporting Tool ?
>
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Vick
> Khera
> *Sent:* Tuesday, May 24, 2016 10:18 AM
> *To:* mailop@mailop.org
> *Subject:* [mailop] signup form abuse
>
>
>
> As an ESP, we host mailing list signup forms for many customers. Of late,
> it appears they have been getting pounded on with fraudulent signups for
> real addresses. Sometimes the people confirm by clicking the confirmation
> link in the message and we are left scratching our heads as to why they
> would do that. Mostly they get ignored and sometimes they come back as spam
> complaints.
>
>
>
> One opinion I got regarding this was that people were using bots to sign
> up to newsletter lists other bot-driven email addresses at gmail, yahoo,
> etc., to make those mailboxes look more real before they became
> "weaponized" for use in sending junk. That does not seem to be entirely
> what is happening here...
>
>
>
> Today we got a set of complaints for what appears to be a personal email
> address at a reasonably sized ISP. The complaint clearly identified the
> messages as a signup confirmation message and chastised us for not having
> the form protected by a CAPTCHA. Of course, they blocked some of our IPs
> for good measure :( They characterized it as a DDoS.
>
>
>
> What are the folks on this fine list doing about this kind of abuse? We do
> have ability to turn on CAPTCHA for our customers, but often they have
> nicely integrated the signup forms into their own web sites and making it
> work for those is pretty complicated. If I enabled CAPTCHA naively, the
> subscribers would have to click the submit form twice and then click the
> confirm on the email. The UX for that sucks, but such is the cost of
> allowing jerks on the internet...
>
>
>
> Rate limiting doesn't seem to be useful since the forms are being
> submitted at low rates and from a wide number of IP addresses.
>
>
>
> I look forward to hearing what others here are doing.
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop