comments inline...
NoOp wrote:
On 10/04/2008 04:35 PM, Barbara Duprey wrote:
In a related post, I asked what people thought about just eliminating
the "goodbye" confirmation. I don't think malicious unsubscribes are
either likely or particularly harmful, and it would be much easier to
deal with malicious subscribes. The unsubscribe process could send a
message, but not require response, and that would mean that once the
subscription account was known, anybody could do the unsubscribe. So
when we got one of these "please unsubscribe me" posts, we could just do
it, or tell an apparently unsubscribed OP to look at a full message
header to identify the subscriber, then use the
[EMAIL PROTECTED] to unsubscribe. Haven't
heard any response to that idea yet.
I think that is not a good idea. Without the "goodbye" confirmation
anyone could possibly unsubscribe you, or anyone else on the list.
Understood, and it would be annoying, but not really harmful. An
unwanted subscription (or a bunch of them), however, can cause real
difficulty. Maybe the technique mentioned earlier here (defining a mimic
account to the offender's on the victim's email client, sending an
unsubscribe, and confirming it as if from the offending subscribed
account) will work, and maybe not. If not, it appears to be very
difficult to unsubscribe because the victim does not have access to the
subscribed account to confirm the unsubscribe.
Malicious subscribes can only occur if someone has control of an account
and can respond to the "you have subscribed" confirmation email. If
someone has control of the email account and is using it to subscribe it
to mailing lists it is already too late; the email account has been
already compromised, and should be discarded or the user should have the
email account password reset & monitored by the email account provider.
The situation we're dealing with here is that someone created an actual
gmail account and used it to subscribe to a number of lists, providing
any required confirmations, and then redirected all incoming traffic to
the chosen target, whose mail is now filling up and interfering with his
business. The target email account was not itself compromised, and the
problem account is still out there with the guilty party apparently
frequently changing the password. No special knowledge of the target
account was needed, just its mailto name.
The Chuck case is a little confusing, but not altogether unusual. He
claims that his sbcglobal account was compromised, then a gmail account
that does not belong to him is forwarding list emails to his sbcglobal
account:
Please delete/unsubscribe the email address [EMAIL PROTECTED]
from all Google lists. This is NOT my email address and is an
address used to harass my business. I would like to know where this
email originates so that I can pursue legal action.
My email address [EMAIL PROTECTED] has been hijacked by
this emailer where I have been forwarded hundreds of lists to my
business clogging up my mailbox for the past several weeks.
Chuck Evans
1. First off he should take the issue to the provider of the
[EMAIL PROTECTED] account (Google) and file an abuse request that
all email from that account stop forwarding to his sbcglobal account.
Yes, and he's been advised of this. Don't know if he's done it, or how
responsive Google is to this kind of request.
2. He should simply log into his AT&T (sbcglobal.net) account and
blacklist [EMAIL PROTECTED] and tag [EMAIL PROTECTED]
as spam. Note my posting address; I have an sbcglobal.net account so I
know how easy it is to block emails from any particular email address.
His initial description of the problem didn't mention the gmail account;
I'm not sure if this is a true forwarding, with the sender clearly
identified, or if the sender appears to be the list because of the way
Google handles list traffic. Maybe somebody who uses gmail can respond
with more info here. In any case, though, what about people who have to
pay by the message? Doesn't the message still get transmitted and have
to be paid for, even if it is immediately discarded? (I know that's not
the case with sbcglobal.net, but it could happen to somebody else.)
3. He should realize that his email address [EMAIL PROTECTED]
hasn't been hijacked by anybody and that the issue seems to be the
forwarded emails from [EMAIL PROTECTED] to
[EMAIL PROTECTED]
So now Chuck is trying to unsubscribe [EMAIL PROTECTED], and that
email address does not belong to him, at least according to his
postings. He apparently hadn't figured out how to simply unsubscribe
[EMAIL PROTECTED] (he was still posting via that email
address in all of his unsubscribe spam). Had he done that (and he
obviously knows the password to that account) and then
blocked/trashed/dev-nulled any and all emails from
[EMAIL PROTECTED] we wouldn't be having this discussion.
His sbcglobal.net account was not subscribed. All his messages went
through "moderator for [email protected]" -- attempting to
unsubscribe that just got a message that it wasn't subscribed and
therefore couldn't be unsubscribed. I do kind of wonder why the
moderator let so many through, though.
What if Chuck thought that Barbara Duprey or NoOp were the culprit and
tried to unsubscribe us instead? Without a "goodbye" email we'd be
dropped from the list and have to spend our time trying to get things
sorted out to get subscribed again. What if as soon as we subscribed
again the same culprit unsub'ed us again, and again, and again? I know
that I'd be pretty pissed off if that happened & figure that you would
as well.
Yes, that's why I think there should still be a message -- at least then
it would be obvious what's happening. It could maybe even have something
on the lines of "If you did not intend to unsubscribe, send a message to
... to reinstate the subscription." (That could be the usual
users-subscribe account, or a special one that was flagged for attention
by the list owner.) Somebody trying to pester me with repeated
unsubscribes would not really be getting much for his effort, though. I
think I'd pretty soon start using the newsgroup approach!
In the end Chuck's hot sauce products look pretty good... but the issue
with the list is entirely his own problem. Too bad that we probably
can't get him back as a valid OOo user - looks like he could actually
use & probably appreciate OOo for his business were circumstances different.
But I shudder at the thought of trying to help him! He sure doesn't seem
to listen well.