Re: [Asrg] Adding a spam button to MUAs

"Chris Lewis" <clewis@nortel.com> Sat, 30 January 2010 04:26 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E5223A67DF for <asrg@core3.amsl.com>; Fri, 29 Jan 2010 20:26:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.143
X-Spam-Level:
X-Spam-Status: No, score=-6.143 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNibDPP7hlpx for <asrg@core3.amsl.com>; Fri, 29 Jan 2010 20:26:05 -0800 (PST)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 651E23A683A for <asrg@irtf.org>; Fri, 29 Jan 2010 20:26:04 -0800 (PST)
Received: from zrtphxs1.corp.nortel.com (zrtphxs1.corp.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id o0U4QO116737 for <asrg@irtf.org>; Sat, 30 Jan 2010 04:26:24 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 29 Jan 2010 23:26:23 -0500
Received: from [47.130.64.135] (47.130.64.135) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Fri, 29 Jan 2010 23:26:23 -0500
Message-ID: <4B63B4EF.20706@nortel.com>
Date: Fri, 29 Jan 2010 23:26:23 -0500
From: "Chris Lewis" <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Lightning/0.9 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20100128173112.85215.qmail@simone.iecc.com> <4B61CC2F.404@mtcc.com> <4B61DBF8.60006@mail-abuse.org> <387E2502-61E5-4811-B4EB-36AE47ADC648@blighty.com> <4B61E21B.7010509@mtcc.com> <4B621A26.5090601@nortel.com> <18B53BA2A483AD45962AAD1397BE1325379CFB2D71@UK-EXCHMBX1.green.sophos>
In-Reply-To: <18B53BA2A483AD45962AAD1397BE1325379CFB2D71@UK-EXCHMBX1.green.sophos>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 30 Jan 2010 04:26:23.0939 (UTC) FILETIME=[61944930:01CAA164]
Subject: Re: [Asrg] Adding a spam button to MUAs
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2010 04:26:06 -0000

Martijn Grooten wrote:
> Chris Lewis wrote:
>> Frankly, I think the vast majority of people who think TiS are bad are
>> either people who have an incentive to consider them bad, or are
>> largely
>> unaware of how they're actually used, or are expecting some sort of
>> one-to-one reaction/theoretical purity to every TiS hit.
>>
>> Score 'em statistically.  Whitelist when they goof.  Humans make
>> mistakes.  And sometimes they're right when the filters aren't.  Design
>> for it, including methods to intervene when necessary.  No big deal.
> 
> Out of curiosity, have your users been instructed on how to use the TiS buttons (and to use them in the first place, instead of just clicking delete) or do you just trust them to do the right thing (most of the time)? And do you think it would scale to larger, more anonymous organizations such as ISPs?

The "TiS" button is, in effect, an email forward to a specific robot 
process.  Except for Outlook which mangles things up too much, but 
Outlook is unfortunately the corporate standard for most people.  In 
that case, we supply a plugin that knows how to forward full emails 
without mangulation.

We pretty much only mine it for IP addresses.

Instructed our users?  Well, it started out ad-hoc, and it largely still 
is.  There are various employee communications that have gone out over 
the years that tell people to forward spam to it.  Never formally enough 
to remotely be considered "training".  Never particularly detailed in 
terms of "don't report grandma", etc. The only "fine tuning" we've ever 
done is "if you're getting very large quantities of the same thing, let 
us know <here> instead", and "if it's spammish behaviour from Nortel 
itself, report <there> instead".

The first of those is the role account, and we'll look into an 
individual user's problem to see if we can do something about it.  The 
second hasn't been used in ages.

Oh, and yes, we've told them to discard and ignore blowback unless the 
volume is extreme, and we'll put in a recipient-specific blocking of 
inbound bounces.

But it's still mostly skunk works, and as it wasn't part of the common 
O/S release, it didn't get as widely used as it should have.  We did get 
quite high compliance rates at one point (perhaps nudged the 1 in 10 
spams got reported level), but that's more of a corporate vs. ISP thing.

> Unrelated to that, if most MUAs got a TiS-button, wouldn't this allow spammers/botherders to effectively DDOS the systems that process the feedback, thus making them (temporarily) useless? I could see why spammers would see an advantage in doing that.

Various DOSes are available - eg: flooding and reputation poisoning with 
FPs.  As it exists now, much depends on the per-site implementation 
strategy.  The big guys probably already have it handled, perhaps as a 
native part of their TiS handling, perhaps as active remediation.  We've 
not done much, but it would be really hard to do something that would 
cause me more than a few seconds work to deal with permanently, and all 
damage can be undone.  In terms of outright volume, you're attacking our 
MTAs, and that's fairly hard to break considering the head room we 
operate with.  Full scale whole bot army attack like a Storm Worm 
retaliation?  Well, you have that issue anyway.  And we've already 
demonstrated we can ride out a Storm DDOS without significant impairment.

[If Storm was still around we were all set in terms of approvals and 
technology to "get in its face" and do it serious damage.  But Storm 
chickened out ;-)[*]

With a "common" TiS mechanism, of course some time would have to be 
spent on hardening it.

[*] Provoke it to attack us deliberately.  Use the resulting intel to 
<I'm not going to say>.  Storm died instead.

No, of course that wasn't really why it died.  But it makes a good story ;-)
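Added illustration, not code from the post or from Nortel's system: a toy version of the robot on the receiving end of a forward-to-address TiS button, covering the three things the message describes (mine the forwarded report for the originating IP, score reports statistically, whitelist when users goof) plus the two cheap hardening steps the DoS question asks about (one vote per reporter per IP against reputation poisoning, a per-reporter cap against flooding). The relay address space, the whitelist entry, the thresholds and the sample messages are all constructed for the example (RFC 5737 documentation ranges); the actual per-site policy the post alludes to is not on the page.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string

# Constructed: our own relays.  Hops whose "from" address is inside these
# are trusted; the first Received hop from outside them is the origin.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

# Constructed whitelist: a source we "whitelist when they goof", e.g. a
# newsletter users keep reporting instead of unsubscribing.
WHITELIST = {ipaddress.ip_address("203.0.113.250")}

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(raw_message):
    """First Received 'from' IP that is not one of our relays, or None.

    Received headers are most-recent-first, so the walk goes from our border
    MTA outward.  Everything below the first untrusted hop was written by the
    sender and can be forged, so we stop there and never read further down.
    """
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        from_part = re.split(r"\s+by\s+", hop, maxsplit=1)[0]  # ignore 'by'/'for'
        m = BRACKET_IP.search(from_part)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in TRUSTED_NETS):
            continue
        return ip
    return None


class TisTally:
    """Per-IP tally of TiS reports with two assumed hardening rules:
    each reporter counts once per IP, and each reporter may file at most
    max_per_reporter reports in total (bounds a flood from one mailbox)."""

    def __init__(self, min_reporters=3, max_per_reporter=50):
        self.min_reporters = min_reporters
        self.max_per_reporter = max_per_reporter
        self.reporters_by_ip = defaultdict(set)
        self.reports_by_reporter = defaultdict(int)
        self.rejected = 0

    def submit(self, reporter, raw_message):
        ip = origin_ip(raw_message)
        if ip is None or self.reports_by_reporter[reporter] >= self.max_per_reporter:
            self.rejected += 1
            return ip
        self.reports_by_reporter[reporter] += 1
        self.reporters_by_ip[ip].add(reporter)
        return ip

    def reporter_count(self, ip_str):
        return len(self.reporters_by_ip.get(ipaddress.ip_address(ip_str), ()))

    def blocklist(self):
        """IPs reported by enough distinct people, minus the whitelist."""
        return sorted(str(ip) for ip, who in self.reporters_by_ip.items()
                      if len(who) >= self.min_reporters and ip not in WHITELIST)


def build_report(origin, forged_tail=False):
    """Constructed forwarded-spam sample (no real mail) with headers intact,
    as a non-mangling forward would deliver it to the robot."""
    received = [
        "Received: from localhost (localhost [127.0.0.1])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 1; Sat, 30 Jan 2010 04:26:06 +0000",
        f"Received: from relay.spam.invalid (relay.spam.invalid [{origin}])\n"
        "\tby mx.example.com (mx.example.com [192.0.2.10]) with ESMTP id 2;"
        " Sat, 30 Jan 2010 04:26:05 +0000",
    ]
    if forged_tail:  # a hop the spammer wrote; sits below the real origin
        received.append("Received: from innocent.example.org (innocent.example.org [198.51.100.1])\n"
                        "\tby relay.spam.invalid with SMTP; Sat, 30 Jan 2010 04:00:00 +0000")
    return "\n".join(received) + "\nFrom: x@spam.invalid\nSubject: buy now\n\nbody\n"


def demo():
    tally = TisTally(min_reporters=3, max_per_reporter=20)
    spam_a = build_report("203.0.113.7", forged_tail=True)
    for who in ("alice", "bob", "carol"):          # three independent reports
        tally.submit(who, spam_a)
    spam_b = build_report("203.0.113.8")
    for _ in range(100):                            # one account flooding
        tally.submit("mallory", spam_b)
    newsletter = build_report("203.0.113.250")      # whitelisted source
    for who in ("dave", "erin", "frank"):
        tally.submit(who, newsletter)
    return tally


if __name__ == "__main__":
    t = demo()
    print("blocklist:", t.blocklist(), "rejected:", t.rejected)
```

Run as-is it lists only 203.0.113.7: the forged trailing hop is never consulted, mallory's hundred reports count as one voice for 203.0.113.8 (and eighty of them are dropped by the cap), and the whitelisted newsletter stays off the list however often it is reported. Any damage a poisoning run does is confined to the tally and can be undone by dropping those reporters' votes.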