This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] When email verification behavior is abusive
ac
ac at main.me
Wed Jul 18 12:40:41 CEST 2018
On Wed, 18 Jul 2018 11:27:15 +0100
Richard Clayton <richard at highwayman.com> wrote:

> In message , ac <ac at main.me> writes
> >ESP and email relay services should verify recipient email addresses
> >prior to sending bulk emails to any random email address.
> >ESPs that simply start dumping bulk emails on victims often end up
> >listed on RBLs for abusive behavior.
> >But, when is verification emails themselves, spamvertising or email
> >abuse?
> when people don't want them in their mailbox
> in a world of machine learning and email flows measured in the tens of
> billions, the only practical way of identifying abuse is to examine
> user feedback ...
> ... if you're not in the billions regime then you can try and write
> down complex rules to guide your users and your abuse teams, but even
> then flexibility is key because otherwise you end up arguing with an
> abuser who is skating just on the right side of some arbitrary value
>

let's use a real world and existing example:

Me/I (Andre) goes and adds richard at highwayman.com as my 'recovery'
email on Google.

Google then goes and dumps 5 verification emails on
richard at highwayman.com in say 10 minutes (as they indeed sometimes
do...)

Would you, Richard, consider Google's behavior as Abuse?

If you just received one email (or maybe two?) - Where is the arbitrary
number where you personally would consider a verification email, as
abusive behavior?

Or is five okay? is ten okay?

So, basically the question is, for the average person, or abuse admin,
etc. - what is that arbitrary number? on average?

> >Our own email policy defines verification abuse as "more than 3
> >verify your email account" emails in the same 24 hour period and
> >verify your email account emails lasting longer than five 24 hour
> >periods.
> >Do you think this is reasonable? Too reasonable? More? Less?
> it depends on the size of the company/mailing list ... 3 new signups
> in a day may be a red letter day, or it may merely indicate that
> something broke at thirteen minutes past midnight
> >If you receive say 4 "verify your email account" emails in 5 minutes,
> >is this abuse?
> this question suggests that you might be seeing an outer ripple of an
> incident which is the modern form of mail bombing
> this is where users receive tens of thousands of verification emails
> in an hour or so ... sometimes this is just because the user is
> disliked, but it can be an attempt to hide other transactional email
> (associated with fraud or domain name theft) amongst all the noise
> few mail systems provide suitable tools to end users to deal with this
> regrettably few sign-up systems have (even weak) CAPTCHA systems to
> prevent automated attacks.... (something which an ISP providing
> hosting might usefully start requiring of its customers : rather more
> practical than trying to set some arbitrary number on emails sent)
> there is a proposal for assisting with automated filtering
> https://tools.ietf.org/html/draft-levine-mailbomb-header-01
> but it's not currently getting all that much traction.
>

thanks for this, will have a look :)

Andre
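
The policy thresholds quoted in the message above (more than 3 verification emails in the same 24 hour period, or verification emails lasting longer than five 24 hour periods), written as a log check. This is an added example, not part of the original message or of any list member's tooling. It assumes the two conditions are independent, are counted per sender/recipient pair, and use a rolling 24-hour window; the log format and the `.example` names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_PER_DAY = 3                      # policy: "more than 3" in one 24 hour period
DAY = timedelta(hours=24)
MAX_SPAN = 5 * DAY                   # policy: "longer than five 24 hour periods"

# Constructed sample log of verification emails: (timestamp, sender, recipient)
SAMPLE_LOG = [
    ("2018-07-18T10:00:00", "signup.example", "alice@example.net"),
    ("2018-07-18T10:01:00", "signup.example", "alice@example.net"),
    ("2018-07-18T10:03:00", "signup.example", "alice@example.net"),
    ("2018-07-18T10:05:00", "signup.example", "alice@example.net"),  # 4 in 5 minutes
    ("2018-07-18T08:00:00", "signup.example", "bob@example.net"),
    ("2018-07-18T12:00:00", "signup.example", "bob@example.net"),
    ("2018-07-18T20:00:00", "signup.example", "bob@example.net"),    # exactly 3: allowed
    ("2018-07-10T09:00:00", "reminder.example", "carol@example.net"),
    ("2018-07-12T09:00:00", "reminder.example", "carol@example.net"),
    ("2018-07-14T09:00:00", "reminder.example", "carol@example.net"),
    ("2018-07-16T09:00:00", "reminder.example", "carol@example.net"),  # 6-day span
]

def find_verification_abuse(events):
    """Return {(sender, recipient): [reasons]} for pairs that break the policy."""
    by_pair = defaultdict(list)
    for ts, sender, rcpt in events:
        by_pair[(sender, rcpt.lower())].append(datetime.fromisoformat(ts))
    findings = {}
    for pair, times in by_pair.items():
        times.sort()
        reasons = []
        # Sliding window: largest count of emails inside any rolling 24 hours.
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] >= DAY:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > MAX_PER_DAY:
            reasons.append(f"{worst} in 24h")
        # Repeated verification mail that keeps coming for more than five days.
        if times[-1] - times[0] > MAX_SPAN:
            reasons.append("span > 5 days")
        if reasons:
            findings[pair] = reasons
    return findings

if __name__ == "__main__":
    for pair, reasons in find_verification_abuse(SAMPLE_LOG).items():
        print(pair, reasons)
```

A fixed per-pair threshold like this catches the "4 in 5 minutes" case raised in the thread, but not the mail-bombing pattern Richard describes, where each of many senders stays under the limit for a single recipient.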