Re: [Asrg] Adding a spam button to MUAs

Douglas Otis <dotis@mail-abuse.org> Mon, 01 February 2010 19:04 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C2FC28C1B7 for <asrg@core3.amsl.com>; Mon, 1 Feb 2010 11:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.513
X-Spam-Level:
X-Spam-Status: No, score=-5.513 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, RCVD_IN_DNSWL_MED=-4, SUBJECT_FUZZY_TION=0.156]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8xUr+XzlFm0 for <asrg@core3.amsl.com>; Mon, 1 Feb 2010 11:04:07 -0800 (PST)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id 18CC728C1C6 for <asrg@irtf.org>; Mon, 1 Feb 2010 11:04:01 -0800 (PST)
Received: from sjc-office-nat-223.mail-abuse.org (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 5352FA946B4 for <asrg@irtf.org>; Mon, 1 Feb 2010 19:04:34 +0000 (UTC)
Message-ID: <4B6725C1.2080904@mail-abuse.org>
Date: Mon, 01 Feb 2010 11:04:33 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: asrg@irtf.org
References: <20100128173112.85215.qmail@simone.iecc.com> <4B61CC2F.404@mtcc.com> <20100129134451.GA27203@gsp.org> <4B63B8C1.7000404@nortel.com>
In-Reply-To: <4B63B8C1.7000404@nortel.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Adding a spam button to MUAs
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2010 19:04:08 -0000

On 1/29/10 8:42 PM, Chris Lewis wrote:
> Rich Kulawiec wrote:
>> I don't think this is elitist, I think it's a matter of recognizing that
>> the spam/not-spam classification process requires expertise *vastly* in
>> excess of that possessed by almost all users.  This is not their "fault"
>> per se because it's not a fault: it's simply a lack of area-specific
>> experience and knowledge.
> You seem to be seeing it only as "a single ordinary user making 
> site-wide decisions on what to block" versus "totally ignoring what 
> the users say" choice.
>
> If that binary choice was the only choice, I'd agree with you.  I have 
> enough horror stories of goofs in that regard.  Hell, I have enough 
> horror stories when the alleged expert (me) screws up good.
>
> But that is _not_ the choice.  Acting as if it is is at least 
> mistaken.  TiS buttons aren't implemented that way.
>
> _Nobody_ is talking about individual ordinary users making site-wide 
> decisions of what to block.  That requires very high levels of 
> expertise as you say.  But there is absolutely nothing whatsoever 
> wrong with taking note of what those individual users are saying, and 
> using it in a statistical fashion to guide your filtering.  That is 
> how TiS buttons are used in infrastructures large enough to bother 
> with them.  It is, after all, how Spamcop was originally implemented, 
> and it's still part of their decisioning process albeit less than it 
> used to be.
>
> There are non-user-driven DNSBLs less useful than Spamcop ;-)
>
> If we were to specify/standardize/or even (gasp) implement a common 
> TiS strategy/implementation that actually drives filters, the crucial 
> part is coming up with a "filter decisioning" strategy that the admins 
> can tune, and has reasonable defaults.
One trend making eradication of spam fairly difficult is when large ISPs 
have customer's accounts compromised by the tens of thousands.  This 
problem can elude statistical analysis, as you suggest.  Often less than 
a dozen emails that appear to be fairly real are sent from any 
particular account.   These compromised accounts might be used to commit 
other nefarious acts beyond spamming,  such as deceiving friends in the 
address book that the holder of the account is stuck in a third-world 
airport with their credit-cards and tickets stolen, and is requesting a 
wire-transfer.

Being able to employ end user feedback indicating unwanted input might 
be of greater benefit as a warning for compromised account holders, than 
as a method of eradicating spam or for tuning filters, due to a 
potential for creating false positives.  False positive filtering 
trained by user's feedback can happen when someone forwards email from 
one account to another.  While this type of feedback can help identify 
spam missed by content filters, spammers have become better at creating 
content nearly indistinguishable from normal chatter.

Developing practices better at securing customer accounts are needed, in 
addition to offering account holders warnings that their email account 
appears compromised, which might mean imposing some type of security 
hold on the account.  While this could be costly from the aspect of 
customer support, providers need to accept a fiduciary obligation at 
keeping accounts secure, which is to monitor and report evidence of 
abusive activity.  This monitoring should include tracking end-user 
feedback, as well as finding methods to block break in attempts.

-Doug