This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] When email verification behavior is abusive
- Previous message (by thread): [anti-abuse-wg] When email verification behavior is abusive
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
ac
ac at main.me
Wed Jul 18 13:22:47 CEST 2018
On Wed, 18 Jul 2018 12:06:29 +0100 Richard Clayton <richard at highwayman.com> wrote: > In message , ac <ac at main.me> writes > >lets use a real world and existing example: > >Me/I (Andre) goes and adds richard at highwayman.com as my 'recovery' > >email on Google. > >Google then goes and dumps 5 verification emails on > >richard at highwayman.com in say 10 minutes > >(as they indeed sometimes do...) > > I expect they actually send 1 email to each of 5 different accounts > which you collect into a single mailbox... in similar circumstances I > have never seen more than one email. > Hmm, no. Google in fact, does send 5 verification emails in the same ten minutes. (bearing in mind that I have email headers, etc) Either way, this is not about google, (although maybe it is...) So to victim-with-no-google-account at victim-own-domain receives 5 verify your email account from the same IP number/email server, in ten minutes. Is this abuse or not? > >Would you, Richard, consider Google's behavior as Abuse? > > no, it's clearly your fault for adding my email -- if you did it > deliberately then that's abuse, if you typo-ed my email address then > that's just one of those accidents that happened in the real world > So, the sender of the 5 verification emails in ten minutes has no onus to check that they do not behave or allow abuse through their services? Anyway, what I really wanted to know is what is that arbitrary number? (for me it is actually 3... - some other people I have spoken to, consider two in the same day abuse... yet some other people say only one...) So, the goal with this thread is to gauge what the abuse list thinks? What is the arbitrary number? > note that in such circumstances you could well have allowed me to take > over your account ... which naturally I would not take advantage of > In my example, the email address is actually a spamtrap and was added to stolen data (in a stolen/for sale database) The fact that Google is choosing to send 5 verification emails to this very specific spam trap, is of more interest than the actual verification emails. But it does beg the obvious question: How many verification emails can a service send before that service is considered acting abusively? > >If you just received one email (or maybe two?) - Where is the > >arbitrary number where you personally would consider a verification > >email, as abusive behavior? Or is five okay? is ten okay? > if you receive more than one email per recovery account then something > is broken at Google -- making a fault report is far more useful than > deeming Google to be abusive (which will not make anything change) > Of late google is less responsive to abuse complaints. Maybe they just dislike me, which is fine - But some of their current behavior skates past ethics and imnsho borders the illegal/anti-social Anyway, as I said, this is not about Google but more about that magical number? Andre
- Previous message (by thread): [anti-abuse-wg] When email verification behavior is abusive
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]