[anti-abuse-wg] Anti-Abuse Training: Questions for the WG

On Sat 23/Oct/2021 01:38:56 +0200 Ronald F. Guilmette wrote:
> In message <26f1df33-b958-bed4-f748-f82324d0bea8 at tana.it>, Alessandro Vesely <vesely at tana.it> wrote:
> 
>>Shouldn't there be a standard for automatically forwarding messages destined
>>to abuse-c following a path similar to that of RFC 2317 delegations?  I'd love 
>>if AA training encouraged such behavior.
> 
> Although delegation of abuse report handling may sound like a good idea
> in theory, in practice it is a tragically bad idea.
> 
> What happens when the customer is a spammer and abuse handling is delegated
> to that customer?  Google for the term "list washing".
> 
> This isn't merely a theoretical possibility.  Digital Ocean has previously
> sent me multiple response emails saying quite explicitly that they had
> forwarded my spam reports to their spammer customer(s).  Those customers
> will then surely cease to spam *me* but will continue to spam everyone
> else on the planet.


That'd be an incentive to send spam reports, wouldn't it?


> This does not create any meaningful reduction in the global spam load.  It
> simply rewards those "responsible" spammers who remove from their target
> lists the email addresses of the few "complainers" who nowadays take the time
> to report spam.

On the other hand, there are honest mailbox providers who have not realized 
that their system has been hacked, or that their clients' credentials have been 
stolen.  And if you send a complaint to my abuse-c address, I won't get it.

For an easy guess, LIRs who offer services at regular prices —not thousand 
domain discounts— have more of the latter cases.  Still, their budget might not 
be enough for an abuse team capable of looking at each complaint.


Best
Ale