A) User has multiple incoming accounts, presses the spam button, and the
outbound MSA doesn't match the incoming account. Hence the report goes
via unrelated third parties that might snoop on it. Do we care? The user
has said it's spam, after all.
In theory this may be an issue for a small number of organizations, because if
TiS buttons are being used by a large enough number of users, then some of
these users will click TiS for legitimate emails, and some of these emails will
actually contain confidential information and a still non-zero number of
reports will go via unrelated third parties. In practice I would imagine the
risk of confidential data leaking through other routes to be significantly
bigger. (And of course nothing will stop, say, the CIA from disabling the
sending of TiS reports altogether. Or paranoid company X from scanning outbound
TiS reports for confidential information.)
C) I have a Gmail account and a Yahoo account. The Gmail account is set
up to fetch my Yahoo mail so I can see it all in one place. I use Gmail's
IMAP server to read my mail. (I really do this, by the way.) I hit the
spam button. Who should get the report?
1) Gmail since that's who I picked it up from
2) Yahoo since that's where the spam was sent
3) Gmail but they should also forward the report to Yahoo
3: your MUA doesn't know anything other than that it receives email from
Gmail's IMAP server. You can of course tell your MUA that Gmail fetches mail
from Yahoo, but not everyone is going to do that, so just sending it to Gmail
would be the simplest thing to do. Gmail should know that in this scenario it
also acts as an MUA and as such should forward the report to Yahoo. It could,
of course, still use the report to improve its own spam filter.
Martijn.
Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.