[Top] [All Lists]

Re: [Asrg] Adding a spam button to MUAs

2010-01-29 22:26:42
Martijn Grooten wrote:
Chris Lewis wrote:
Frankly, I think the vast majority of people who thing TiS are bad are
either people who have an incentive to consider them bad, or are
unaware of how they're actually used, or are expecting some sort of
one-to-one reaction/theoretical purity to every TiS hit.

Score 'em statistically.  Whitelist when they goof.  Humans make
mistakes.  And sometimes they're right when the filters aren't.  Design
for it, including methods to intervene when necessary.  No big deal.

Out of curiosity, have your users been instructed on how to use the TiS buttons 
(and to use them in the first place, instead of just clicking delete) or do you 
just trust them to do the right thing (most of the time)? And do you think it 
would scale to larger, more anonymous organizations such as ISPs?

The "TiS" button is, in effect, an email forward to a specific robot process. Except for Outlook which mangles things up too much, but Outlook is unfortunately the corporate standard for most people. In that case, we supply a plugin that knows how to forward full emails without mangulation.

We pretty much only mine it for IP addresses.

Instructed our users? Well, it started out ad-hoc, and it largely still is. There are various employee communications that have gone out over the years that tell people to forward spam to it. Never formally enough to remotely be considered "training" Never particularly detailed in terms of "don't report grandma", etc. The only "fine tuning" we've ever done is "if you're getting very large quantities of the same thing, let us know <here> instead", and "if it's spammish behaviour from Nortel itself, report <there> instead".

The first of those is the role account, and we'll look into an individual users problem to see if we can do something about it. The second hasn't been used in ages.

Oh, and yes, we've told them to discard and ignore blowback unless the volume is extreme, and we'll put in a recipient-specific blocking of inbound bounces.

But it's still mostly skunk works, and as it wasn't part of the common O/S release, it didn't get as widely used as it should have. We did get quite high compliance rates at one point (perhaps nudged the 1 in 10 spams got reported level), but that's more of a corporate vs. ISP thing.

Unrelated to that, if most MUAs got a TiS-button, wouldn't this allow 
spammers/botherders to effectively DDOS the systems that process the feedback, 
thus making them (temporarily) useless? I could see why spammers would see an 
advantage in doing that.

Various DOSes are available - eg: flooding and reputation poisoning with FPs. As it exists now, much depends on the per-site implementation strategy. The big guys probably already have it handled, perhaps as a native part of their TiS handling, perhaps as active remediation. We've not done much, but it would be really hard to do something that would cause me more than a few seconds work to deal with permanently, and all damage can be undone. In terms of outright volume, you're attacking our MTAs, and that's fairly hard to break considering the head room we operate with. Full scale whole bot army attack like a Storm Worm retaliation? Well, you have that issue anyway. And we've already demonstrated we can ride out a Storm DDOS without significant impairment.

[If Storm was still around we were all set in terms of approvals nnd technology to "get in its face" and do it serious damage. But Storm chickened out ;-)[*]

With a "common" TiS mechanism, of course some time would have to be spent on hardening it.

[*] Provoke it to attack us deliberately. Use the resulting intel to <I'm not going to say>. Storm died instead.

No, of course that wasn't really why it died.  But it makes a good story ;-)
Asrg mailing list