ietf-asrg
[Top] [All Lists]

Re: [Asrg] Adding a spam button to MUAs

2010-02-03 07:10:17


--On 2 February 2010 18:29:45 -0600 Al Iverson <aiverson(_at_)spamresource(_dot_)com> wrote:

On Tue, Feb 2, 2010 at 12:01 AM, ram <ram(_at_)netcore(_dot_)co(_dot_)in> wrote:

The MUA must also have proper time outs so as to cut-off malicious fbl
urls

And any sort of FBL-via-MUA process should be opt-in, as well.
Checking only for a signature means bad guys signing mail can direct
where the feedback goes when you hit "this is spam." That data could
be misused to confirm email addresses, telling a spammer "we got a
live one" and making the email address worth selling.

Come to think of it, I don't think this should be core MUA
functionality. Even though I work for an ESP and would want the
feedback, I see too much opportunity for abuse. I'd rather see
third-party "report spam" plugins wherein that third party can make
the determination on where and whether or not to route a report. If
that third party doesn't trust or know about the sender, a report
would hopefully not be sent.


This is one reason to support an IMAP extension. If the communication is between the authenticated user and the IMAP server, then there doesn't seem to be room for abuse of the abuse reporting mechanism.

Granted, if the client machine is compromised then all bets are off.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg