[anti-abuse-wg] Question about spam to abuse inbox

In message <20210218200036.066496E3600F at ary.qy>, 
"John Levine" <johnl at taugh.com> wrote:

>Report web forms are out of the question because they do not scale. I
>send about a hundred abuse reports a day about spam received from all
>over the Internet, and I have no interest in using your form or anyone
>else's to make a manual special case for under 1% of my reports.

I'm real glad that John posted the above comment, as he has saved me
from having to do so myself.  (But I will take this opportunity to
elaborate on what John said anyway.)

I am in 1000% agreement with John on this.  Abuse reporting forms do
not scale... at least not for the *victims* of the abuse.

I report email spams... by far the most common form of network abuse...
to dozens of different providers every week.  At the moment in time
when I send each of these reports, I have already been abused by each
of these providers.  (I hold them responsible because they obviously
fail to have in place contractual clauses that would persuasively
deter this behavior on the part of their customers.)

To make me "jump through the hoops" of first even just *finding* each
provider's unique abuse reporting web form, and then navigating it
sufficiently well to insure that I have dotted all of the i's and
crossed all of the t's, as required, uniquely, for each different
provider, just *adds* injury to the insult that I have already suffered
at the hands of these same providers, and these same networks.

The demand to use a web-based reporting form is itself a form of cost
shifting.  It shifts more of the costs of dealing with network abuse
onto the victims of abuse and away from the providfers that are actually
originating the abuse in the first place.   In that sense it is arguably
the same as spam itself.  Email spam only exists because it is a way
of shifting the costs of advertising onto the recipient and away from
the senders.  Likewise, demanding that I must find my way to, and then
properly complete *your* unique web reporting form is yet another way
of shifting the costs of dealing with *your* abuse of *my* inbox away
from yourself and onto me.  Sure, it is maximally convenient FOR YOU,
but how about a little more consideration for the victim?

As John and others have noted, if I take up *my* time and effort to
report to you abuse that is coming from *your* network, then I am NOT
doing that for *my* benefit.  Rather all of the benefits of abuse
reports flow to the network operator of the network where the abuse
originated.

I am not an imbecile, and I can easily enough block any arbitrary sender
in my own local configuration, either by full email address, or by
domain name, or by IP address range.  Thus, nothing obligates me to
report any spam, and I can easily enough prevent myself from gettting
spammed twice or more from the same source.  So how does it benefit
*me* as a spam recipient, or send in a spam report?

The answer is that it doesn't.  Period, full stop. I only do it out of
a sense of community responsibility, i.e. to do my part to help pick
up trash that other people leave lying around on the Internet.  In an
ideal world the networks/providers who are the recipients of my spam
reports would be greatful for my help in truing to keep their networks
clean, EVEN TO THE POINT WHERE THEY SHOULD PAY ME OUT OF GRATITUDE upon
receiving any professionally prepared report from me.  But they don't.
(Sigh.)  At the very least they should have the minimal courtesy and
respect to not make the task of sending them a report more cumbersome
and more tedious than it needs to be.   Web reporting forms do the
exact opposite, and they are thus every bit as anti-social as spam
itself.


Regards,
rfg


P.S.  Some providers try to justify or excuse their clearly anti-social 
demand that everyone reporting abuse to them must use a web form by
claiming that they get too abuse many reports, on a regular basis, to
allow them to do anything sane or useful with such reports UNLESS they
come to them via a web form.

This is 1000% bullshit, and it indicates two things:

   1)  The provider in question is a perfectly lousy coder and is thus
       unable and/or unwilling to write code to parse emailed abuse
       reports.

       And anyway, don't actual human beings need to look at these things,
       in the end, in order to be able to react to each of them properly
       and in a professional fashion?  If so, then how does the additional
       automation of a web form even provide any real or useful service to
       *either* the originator of an abuse report *or* to the sender of
       such a report?  It doesn't, clearly.  It is just a way of maximally
       inconveniencing the originators of abuse reports, and thus to
       quite apparently deter them from reporting AT ALL.

       In fact, for me, any time a provider says to me "Oh, you need to
       use our web form to report that" I take any such statement as a
       nearly 100% reliable indicator that the provider/network in
       question is going to be routing whatever I submit directly to
       /dev/null.  Any provider that is making *any* attempt to 
       "automate" abuse handling is, by definition, trying to *avoid*
       having any human ever look at abuse reports.  And it logically
       follows that any provider that is trying its best to AVOID looking
       at abuse reports will NEVER have a human look at any such, which
       in turn clearly implies that no abuse report will ever be actioned
       by that provider in any way.  (Example:  Digital Ocean.  But I can
       easily cite many many more.)
      
   2)  More importantly, it speaks volumes about the provider in question
       when and if he/she/it claims that they are receiving "too many
       reports" on a regular basis to allow them to be handled via email,
       rather than via a web form.

       To any and all such providers, I have a stock reply:  Oh really?

       A provider that is routinely receiving so many abuse reports that
       it can barely keep up with them all has bigger problems that just
       the manner in which abuse reports are received.