Fwd: [anti-abuse-wg] How to Ask For A Website to Be taken Down, was How Not To Ask For A Website to Be taken Down

On 29/Dec/10 01:30, Mark Foster wrote:
> On Wed, Dec 29, 2010 at 4:31 AM, Alessandro Vesely <vesely at tana.it
> <mailto:vesely at tana.it>> wrote:
>> Automation is supposed to make reporting easier for the victim,
>> not harder.  Many webmail sites already have a "Report as Spam"
>> button. It should be added to regular (POP3/IMAP) mail clients
>> too.
> 
> Yes, and this is a key point.
> Standard formats for abuse reporting via email will in turn allow
> email client developers to embed the tech required to simplify
> reporting of abuse.
> However by making it easier, you also increase the chances that the
> report is inadvertant?  For example Gmail allow you to 'undo'
> reporting as Spam.  This would also need to be an option available to
> a user....

Implementation is lacking.  Policies should be devised so that
complaints are transmitted backward to each responsible relay,
forwarder, or author, along some trusted path.  For single hops, this
is currently carried out with feedback loops.

The possibility to challenge a report should be granted to authors.
That is, it would be fair if authors could prompt careless reporters
for undoing their reports.  In facts, purported authors are probably
the only humans who may want to look at the body of a reported message.

>>> This to me is all an attempt to make abuse-complaint-receivers
>>> better equipped to use automation to deal with complaints.
>> 
>> Yes, for the good and the bad of it.  Among the goodies, it
>> should be feasible to to route spam reports so that a network
>> provider gets a copy and forwards it to the relevant mailbox
>> provider, thereby allowing the former to somehow control the
>> latter.
> 
> Concur, though again the use of automation means that the network 
> provider can turn a blind eye to it and claim that appropriate
> action is being taken... it doesn't inspire folks to manually check
> to ensure action is infact being taken, that reports aren't repeat
> in nature, etc.

This may also be covered by adequate policy dressing.  For example, a
mailbox provider may choose to ban authors from sending for a period
of time proportional to the number of complaints.  Such policy can be
verified by looking at the "auth" property of reported messages
--along with a bunch of methods to validate authentication policies
for the relevant provider.

This kind of treatment hinges on the ever-missing reputation system...

>> Whether a hand-written complaint should be sent to an abuse@
>> address depends on how report formats will take on.
> 
> My main personal frustration is that as a 'power' end-user, I read
> email in various ways; serverside commandline mail program, webmail
> tool, various pop3/imap tools.  At work i'm either using the COE email
> application or a CRM system that manages email.  None of these will
> support a common, standards-driven method of generating abuse@ reports
> for spam, etc, for some time. In the meantime i'm constantly
> frustrated by the time that i'm obliged to waste either a) reporting
> abuse in the method that ISP X demands, or b) trashing large volumes
> of junk because to do anything else would taken even _ longer_.

Mailbox providers should help here.  The entity responsible for
accepting a message may want to provide the means for reporting it as
spam, including any required formatting.  IMAP allows for considerable
optimizations for such kind of actions.  For POP3, it has been
proposed to submit reports to the abuse-mailbox at the server
indicated in the Authentication-Results field (the authserv-id of RFC
5451, Section 2.3, in case it is actually a fully-qualified domain
name).  In any case, reporting through the receiver gives it a chance
to adjust its reputation and Bayesian records.

> I'm not averse to standard (infact i'm a big fan) but i'm also a big
> fan of ensuring a human remains in the loop and able to accept reports
> that're not within the standard format, at least until it's reasonable
> to expect _everyone_ to be using the standard format (which could take
> years)...

The fact remains that reading the body of messages reported as spam is
a frustrating job that no human would want to routinely undertake.
OTOH, there will always be unusual abuse cases that deserve human
intelligence.