[anti-abuse-wg] When email verification behavior is abusive
ac
ac at main.me
Wed Jul 18 16:37:13 CEST 2018
On Wed, 18 Jul 2018 13:36:41 +0000
Michele Neylon - Blacknight <michele at blacknight.com> wrote:

> If you framed your issues or questions more clearly and succinctly it
> would be helpful.
>

There are multiple issues and we each project our issues and pov, which may cause misunderstanding.

> In relation to your specific "ask" I don't think it's the right one.
> You could, potentially, come up with a best practice eg. That
> providers should verify that account holders / users have access to
> an email address before letting them add it to a service. But I've no
> idea how you'd decided on rate limiting the verification emails.
> Based on my own experiences with mail servers, spam filters, grey
> listing etc., you can easily end up spamming yourself when those
> emails don't come through quickly enough.
>
>

As I said, there are multiple issues.

Richard had a brilliant addition, the distributed mail bombing attacks - as I said already, even with that, there could potentially be two or more instances of abuse.

I would love to discuss that, as far as verification, captcha and all the other solution, etc. things are concerned.

But I would honestly like to understand (and it seems none of us really do, we just think we do...) - What do the average person and the average abuse admin think about the volume and the time?

From the perspective of the non ESP victim: How many verification emails per day, from the same ESP and/or the same resource, is fair?

From the perspective of all victims (ISP/Consumer/etc): being on the receiving end of 20 000 contact requests would of course also be abuse. This has actually happened to me before and it is quite hard (but not impossible) to manage with fetchmail and some scripting :)

From the perspective of the ESP: What is best practice? If someone subscribes to Facebook, how many "verify your email address" emails, in a 24 hour period, is reasonable?

I would propose that at present we suspect, but we do not really know?

So, this is what I would like to explore: the actual abuse numbers and the actual average current considered 'best practice'

Andre