Re: [Asrg] Spam button scenarios

Martijn Grooten <martijn.grooten@virusbtn.com> Mon, 08 February 2010 16:23 UTC


> A) User has multiple incoming accounts, presses the spam button, and the
> outbound MSA doesn't match the incoming account.  Hence the report goes
> via unrelated third parties that might snoop on it.  Do we care?  The user
> has said it's spam, after all.

In theory this may be an issue for a small number of organizations, because if TiS buttons are being used by a large enough number of users, then some of these users will click TiS for legitimate emails, and some of these emails will actually contain confidential information and a still non-zero number of reports will go via unrelated third parties. In practice I would imagine the risk of confidential data leaking through other routes to be significantly bigger. (And of course nothing will stop, say, the CIA from disabling the sending of TiS reports altogether. Or paranoid company X from scanning outbound TiS reports for confidential information.)

> C) I have a Gmail account and a Yahoo account.  The Gmail account is set
> up to fetch my Yahoo mail so I can see it all in one place.  I use Gmail's
> IMAP server to read my mail.  (I really do this, by the way.)  I hit the
> spam button.  Who should get the report?
>
>   1) Gmail since that's who I picked it up from
>   2) Yahoo since that's where the spam was sent
>   3) Gmail but they should also forward the report to Yahoo

3: your MUA doesn't know anything other than that it receives email from Gmail's IMAP server. You can of course tell your MUA that Gmail fetches mail from Yahoo, but not everyone is going to do that, so just sending it to Gmail would be the simplest thing to do. Gmail should know that in this scenario it also acts as an MUA and as such should forward the report to Yahoo. It could, of course, still use the report to improve its own spam filter.

Martijn.


Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.