ietf-asrg

Re: [Asrg] FeedBack loops

2008-11-13 18:11:30

On Nov 13, 2008, at 2:52 PM, Barry Shein wrote:


On November 13, 2008 at 14:31 steve(_at_)blighty(_dot_)com (Steve Atkins) wrote:

On Nov 13, 2008, at 2:02 PM, Franck Martin wrote:

No this was not what I was talking about.

We were talking about: "when the user clicks spam, the system does
not send a spam report but an unsubscribe if the mail contains the
right headers and the unsubscribe is successful"

It's been discussed. The critical flaw with the idea is blindingly obvious if
you think about it for a second, though.

All I can come up with is it could be easily defrauded, tho some care
in verifying the source would seem to mostly avoid that problem. It's
not like we're dealing with the family jewels.

There are several problems with it, but one is
that the feedback loop is set up to return data to the entity signing
up for the feedback loop - which is someone who has demonstrated
that they have some ownership of (usually) the sending IP address.

The unsubscription link is set up to notify whoever the sender of
the email wants it to notify.

If I sign up for a feedback loop such that I want to be notified of any
reports of unwanted email for my /16 I absolutely want to be notified
if the unwanted email has a List-Unsubscribe header. I definitely
don't want spammers who are my customers or who are abusing
my resources to be able to suppress FBL reports that I've asked for.

Conversely, in the case of legitimate ESPs and other senders there's
pretty much no difference between an FBL notification and a
List-Unsubscribe notification. They both go to the same place, and
they both carry the same message.

So, if you have an email that someone has complained about
which has a List-Unsubscribe header then, sure, you might
want to tickle that unsubscription mechanism in addition to
sending an FBL report. But you wouldn't want to do so *instead*
of sending the FBL report - the only time where that would be
"safe" to do would be when you can confirm (via DKIM would
be one obvious route) that the recipient of the List-Unsubscribe
action and the FBL action are one and the same - and even in
those cases there is no negative result to sending the FBL
report instead of or as well as the unsub.

(Whether an MUA should have an unsubscribe button, in the
case where it's a trusted sender with a List-Unsubscribe header
in some standard form, instead of or in addition to a TiS button
is a whole other issue. I believe some ISPs have done so, but I've
not seen any reports as to how well it's worked.)

I suppose that might not be the spam button clicker's intent.

One gray area that occurs (in practice!) is someone sends a spam-ish,
or even really spam, message to a mailing list and people hit the spam
button sending the complaint to AOL et al.

By "spam-ish" I mean a msg that one can understand on quick skim
may've looked like spam ("ONLY FOUR DAYS LEFT TO BUY YOUR IRTG
T-SHIRTS!") but really isn't spam in the usual sense.

And they're complaining to their own ISP (e.g., AOL) rather than
perhaps the list manager or list ISP in some cases, say where they
know it's about IRTG T-Shirts and what IRTG is but don't want that in
their list discussion so they hit SPAM, but that's not really germane
to the original comment.

Cheers,
  Steve

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
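
The handling argued for in the message above, as an added example that is not part of the original post or any provider's real code: the FBL report always goes to whoever signed up for the sending network, the List-Unsubscribe action is only ever additional, and the two are treated as reaching the same party only when one DKIM domain covers both. The registry, addresses and sample messages are constructed, and DKIM signatures are assumed to have been verified upstream.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed FBL registry (assumption): sending network -> address that signed up for reports.
FBL_SUBSCRIBERS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@hosting.example",
    ipaddress.ip_network("198.51.100.0/24"): "fbl@esp.example",
}
# Constructed samples: a spammer on the hosting network, and an ESP mailing from its own network.
SPAMMER_MSG = ("DKIM-Signature: v=1; a=rsa-sha256; d=spammer.example; s=k1\n"
               "List-Unsubscribe: <mailto:remove@spammer.example>\n\nBuy now\n")
ESP_MSG = ("DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1\n"
           "List-Unsubscribe: <mailto:unsub@lists.esp.example>, <https://esp.example/u/abc>\n\nNews\n")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def dkim_domains(msg):
    """d= values of DKIM-Signature headers (assumed already verified upstream)."""
    sigs = msg.get_all("DKIM-Signature", [])
    found = (re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", s) for s in sigs)
    return {m.group(1).lower() for m in found if m}

def unsubscribe_hosts(msg):
    """Hosts that the List-Unsubscribe URIs would notify (chosen by the sender)."""
    hosts = set()
    for uri in re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", "")):
        parts = urlsplit(uri.strip())
        host = parts.path.rsplit("@", 1)[-1] if parts.scheme == "mailto" else parts.hostname
        if host:
            hosts.add(host.lower())
    return hosts

def handle_spam_click(raw_message, sending_ip):
    """Return the notifications to send when a user clicks 'this is spam'."""
    msg = message_from_string(raw_message)
    ip = ipaddress.ip_address(sending_ip)
    fbl_to = next((addr for net, addr in FBL_SUBSCRIBERS.items() if ip in net), None)
    hosts = unsubscribe_hosts(msg)
    # Same party only if one DKIM domain covers the FBL address and every unsubscribe target.
    same_party = bool(fbl_to and hosts) and any(
        in_domain(fbl_to.rsplit("@", 1)[-1], d) and all(in_domain(h, d) for h in hosts)
        for d in dkim_domains(msg))
    return {"fbl_report_to": fbl_to,             # never suppressed by a List-Unsubscribe header
            "also_unsubscribe": sorted(hosts),   # in addition to the report, not instead of it
            "same_party": same_party}
```
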
