ietf-asrg

Re: [Asrg] Adding a spam button to MUAs

2009-12-16 17:51:17
On 12/16/09 10:59 AM, Seth wrote:

There's the zombie problem.  There is no way for anyone or anything
external to an end-user's system to know whether the button click
(or equivalent event) was generated by a user or by software working
at the behest of the new owner of the user's former system.  Given
that the zombie problem is epidemic and presently unstoppable,
widescale deployment of any such mechanism will lead to its use by
zombie-resident malware as soon as it's advantageous for abusers to
do so. Thus, anyone proposing such a "report as spam" mechanism on a
large scale must also include in their proposal a workable plan for
solving the zombie problem.

How would it be advantageous for a zombie to report as spam?  Report
as non-spam, sure, to game the filters.  But with the data being noisy
to begin with, zombies adding noise don't have much effect; they might
require tuning of the filters.

Users without 0wned systems might still attempt to unsubscribe from spoofed subscriptions and be asked for passwords they never set, and then attempt to guess them anyway. There are also risks related to browser vulnerabilities that would be avoided by offering a "this is junk" button that invokes an unsubscribe service, even for users who have initially confirmed the subscription.

To avoid complaints, a web page associated with an email account could allow users a means to confirm their desire to unsubscribe, or just have user authentication included in the "this is junk" transaction, which might simply mean placement into the "junk" folder. As such, it would be in the interest of list administrators to unsubscribe "unwanted" email based upon this feedback.

This feedback should not be confused with "spam" email feedback. Recently, new developers within our company confused these two categories and caused a number of complaints. It is important to understand the difference between "unwanted" and "spam-trap" as determined by the source of the feedback.

Spammers will surely abuse any control mechanism in an effort to cause user complaints. User complaints will cause the mechanism to be abandoned as being too expensive. Users that are 0wned will likely be detected with spam-trap feedback, as well as through other mal activity.

Any effort to utilize email feedback MUST understand the difference between a general category of "unwanted" and feedback from "spam-traps" that are able to differentiate between "auto-responses" and DSNs.

-Doug





_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg