[anti-abuse-wg] Email Spam & Spam Abuse Definitions

Okay, so I am assuming then that my definitions of spam are accurate.

In what phishing at storey.xxx said, the keyword was: "person has
already hired" 

My point is that even "verify your email address" could be Spam Abuse.

Recently I received around 14 "verify your email address" emails in the
same 15 minutes...

I would say that sending so many "verify" emails, in such a short time,
is Spam Abuse

And; my point is that even the first "verify your email" is Spam (it
is or could be unsolicited), but that the first "verify" email in
itself, is not Spam Abuse per se...

This is a much under discussed issue, as there is no clear standard or
acceptable "industry practise" with regards to how many spam emails in
what amount of time, is considered "reasonable"

In an attack against myself, personally (es, go figure, everyone does
not love me :) ) I received a few "verify" emails from hundreds of
legit services, websites and mailing lists...

So, this is an attack vector, when looking to attack a victim... (Of
course, I have, by now, figured out a method to deal with this type of
attack and mitigate it, against myself, but for many people on this
list, such a type of attack could prove to be challenging...)

Is anyone willing to venture a number and time period for what would be
considered 'fair' in terms of sending verification emails?

Andre



On Sun, 28 Apr 2019 07:09:04 +0200
ac <ac at main.me> wrote:

> On Sat, 27 Apr 2019 20:54:40 -0700
> "Fi Shing" <phishing at storey.xxx> wrote:
> >  
> > The twitter example is not advertising a product or service. It is
> > conveying information about a product/service that the person has
> > already hired. If twitter sends unsolicited emails to someone when
> > they have not requested that service, or have indicated they no
> > longer want the service, then it is spam. 
> >    
> 
> Does not matter if a spammer is advertising a product or a service or
> stalking/harassing or sending 5000 emails in error.
> 
> So, what I am saying is the 'intent' of the sender is not relevant at
> all.
> 
> What is relevant is that the recipient is receiving emails that they
> did not as for, does not want and is causing them costs - as
> recipients generally pay for the bandwidth to receive email.
> 
> The point of the Twitter example is : Cyber criminal creates fake
> Twitter account using random victim email address.
> 
> Random victim now starts receiving copious amounts of spam from
> Twitter.
> 
> Do you agree? - and if not can you please explain with your own
> example?
> 
> Practically, at the moment and afaik, for the past few months, Twitter
> is actually sending an initial email verification email...but, they
> never used to before.
> 
> And, in the rest of my post below, everything else is fine?
> 
> Thanks :)
> 
> Andre   
> 
> 
> > Spam & Spam Abuse Definitions From: "ac" <ac at main.me>
> > Date: 4/27/19 4:22 am
> > To: anti-abuse-wg at ripe.net
> > 
> > Hi,
> >  
> >  From a recent rant in the WG, something of interest was posted;
> >    
> >  > opinions on the proper definition of spam. Mr. Andre's preferred
> >  > definition appears to allow for "one time" invitations to be
> >  > blasted to everyone in the universe. Nonetheless, in Mr. Andre's
> >  > considered opinion, "Email Spam is not the same as Spam Abuse"
> >  > and a "... one    
> >  
> >  In my opinion, the sending of a confirmation email, from say
> > Twitter, to confirm that the actual email address does indeed exist
> > and that their further communications will be solicited - as well
> > as including links to remove/stop further communications:
> >  
> >  Would be spam (it is still an unsolicited email) - but that single
> >  confirmation email is not abuse in itself.
> >  
> >  Even though Twitter may send 1000's of these to 1000's of different
> >  email addresses...
> >  
> >  I do not think that there is anyone, that works with actual spam
> > abuse, in this WG that disagrees completely with my opinion above. 
> >  
> >  Also, I wanted to add another useful resource link for anyone that
> > is still learning about email abuse:
> >  
> >  https://www.ripe.net/publications/docs/ripe-409
> >  
> >  What is frequently missed is that BULK EMAIL itself, is not the
> > issue, but that the keyword is "unsolicited" - For example if you
> > were to relay 1000 Invoices or 1000 status notifications or 1000
> > opted in mailing list recipients, this would/should not be
> > considered spam or abuse.
> >  
> >  Then, of course, imnsho UBE itself is outdated as the spammers use
> >  'drip' systems by spinning out 10000's of emails from 10000's of
> > ip's Which various RBL cater for by speedily listing and de-listing
> > resources and then there are all the shiny new tech things, which
> > probably needs a new thread:
> >  
> >  Automated comment spam or AI based web form spam is a growing issue
> >  and is something that merits discussion and a watchful eye...
> >  
> >  Andre  
> 
>