Posted to users@spamassassin.apache.org by Greg Troxel <gd...@ir.bbn.com> on 2010/01/05 18:10:28 UTC

semi-legit senders in DNSWL and habeas - a hard problem

I've recently gotten multiple spams from linkedin.  (I don't consider
invitations from people I dimly have heard of spam.)  These are
typically invitations that are sent to mailinglists, and occasionally
invitations from people that I have never ever heard of.

I believe what is going on is that there is some way for people to
upload an entire addressbook and then bulk-spam all those addresses with
invitations.

The problem is that linkedin is getting adjusted scores due to

  RCVD_IN_DNSWL_MED
  HABEAS_ACCREDITED_SOI
  RCVD_IN_BSP_TRUSTED

Here is an example (I have the postgis mailinglist in trusted_networks):

  http://www.lexort.com/spam/spam-linkedin.out.txt

At least for my scores, the +2 points for HABEAS and BSP counterbalance
the dnswl.

I have sent mail to abuse@linkedin.com, but have never gotten any response.

I complained to dnswl, and that got linkedin.com moved to MED from HI
(thanks!), but I think MED is still excessive.

Once again I went to returnpath and senderscorecertified's web pages,
and found no link to an email address to report being spammed by one of
their customers.  Can anyone from returnpath explain why this glaring
problem hasn't been fixed, or better yet fix it?  And also remove
linkedin as a certified address, because they are spamming?

This is a general problem, more than linkedin - this has happened with
twitter and facebook as well.

The problem seems to have multiple related components:

  linkedin is a spam source because they offer bulk inviting

  whitelists list them because some of their mail is legitimate

  SA gives negative points to whitelists where most of the hosts on the
  whitelist don't send spam, and those that do send some ham

Clearly some things that should happen are:

  dnswl should drop linkedin, because it doesn't meet "Extremely rare
  spam occurrences, corrected promptly." because 1) this keeps happening
  because the structural problem has not been addressed and 2) there is
  no functioning abuse@.  I don't think linkedin belongs even in LOW,
  but it's fair to be in NONE (legit server, also sends spam).

  returnpath should drop linkedin, because they send spam and the mails
  I referenced above clearly do not meet any definition of opt in

But it's hard for SA to cause these changes.  dnswl clearly has value,
and perhaps part of the difficulty is that it gets used for two reasons:
not blocking connections or greylisting at the MTA level, and spam
filtering.  It's certainly reasonable for linkedin to be in a "don't
outright block" list, but not for it to get a pass from filtering given
the spam that comes out of it.

Does anyone have any ideas of what else might help?

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Benny Pedersen <me...@junc.org>.
On Tue 05 Jan 2010 09:59:15 PM CET, Michael Scheidell wrote
> and if someone wants to get linkedin email, they should get a  
> hotmail or gmail account.

talk about business now ?

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Michael Scheidell <sc...@secnap.net>.
On 1/5/10 12:10 PM, Greg Troxel wrote:
> Does anyone have any ideas of what else might help?
>    
we blacklisted linkedin because, despite my personally hitting the web 
page that says 'I never want invitations', I still get them.

they are also violating federal can-spam laws since their email is 
commercial in nature, does not include full physical address of sender, 
and they do not remove you from the list in 10 business days, as 
evidenced by their continued spamming.

they should NOT be in dnswl, since even if you block, delay or 
quarantine that email, who cares.  it's not business critical email, and 
if someone wants to get linkedin email, they should get a hotmail or 
gmail account.


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 5 Jan 2010, Michael Scheidell wrote:
: > My suggestion: Setup a link/page that provides for rapid reporting by
: > pasting an offending e-mail without a bunch of form-filling. Just use a
: > captcha to avoid poisoning.... :)
: > - C
: or an industry standard, RFC REQUIRED abuse@ address.

Well, I'm trying to be flexible here, and you have to realize that an 
'abuse@' address can be badly abused at large companies. I can actually 
see the logic where if it is made too *easy* to forward a complaint to 
abuse@ then people adopt the attitude of forwarding *all* the mail 
that they don't like, even if it is not really spam, and with no effort to
determine the actual originating system.

I am lucky enough to get very few complaints here, so I can read them all 
personally. But even so, the majority of them are people complaining 
about spam that merely has *spoofed* our domain name in the From header.
Forcing people to use a web form may be 'non-compliant' to RFC, but it 
puts some thought into the process, and makes people think twice about 
reporting the one 'invite' out of many that they "didn't want". 

But the forms at returnpath are uber unfriendly. They need a quicker 
simpler form. Otherwise, as they sit, it honestly looks like they are 
trying to discourage reports by making them *too* difficult.

- C

Re: [sa] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by "J.D. Falk" <jd...@cybernothing.org>.
On Jan 5, 2010, at 3:52 PM, Michael Scheidell wrote:

> or an industry standard, RFC REQUIRED abuse@ address.
> 
> Section 1 of RFC2142

abuse@ works, but it isn't the fastest method for reaching the correct team.

What I think a lot of y'all are missing is that we have more than one product, and (unfortunately) a lot of legacy domain names, so anything sent to abuse@ goes into a general queue which gets sorted later.  Neil and I have been trying to give you the fastest method for resolving issues, but if you'd rather take it slow... *shrug*

One of the things I've noticed about the anti-spam community over the years is that we'll always heap way more abuse on anyone who is willing to listen than we do on the spammers who aren't listening at all.  That's never a good idea, because it chases away people who might otherwise be listening -- or even helping.

(Oh BTW, take a look at the acknowledgements section of RFC 2142.)

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc





Re: [sa] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Michael Scheidell <sc...@secnap.net>.
O
> My suggestion: Setup a link/page that provides for rapid reporting by
> pasting an offending e-mail without a bunch of form-filling. Just use a
> captcha to avoid poisoning.... :)
>
> - C
>    
or an industry standard, RFC REQUIRED abuse@ address.

  Section 1 of RFC2142

     However, if a given service is offered, then the associated mailbox 
name(es) *must* be supported, resulting in delivery to a recipient 
appropriate for the referenced service or role.

-- 
Michael Scheidell, CTO

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 6 Jan 2010 14:06:23 -0800
"jdow" <jd...@earthlink.net> wrote:

> From: "Kai Schaetzl" <ma...@conactive.com>
> Sent: Wednesday, 2010/January/06 13:03
> 
> 
> > Jdow wrote on Wed, 6 Jan 2010 10:40:14 -0800:
> >
> >> Actually, Charles, this is a VERY good reason I'd use to justify
> >> changing my quote character to something goofy like % or # or
> >> even ; just to annoy the anal retentive types.
> >
> > First, to clarify, it was Charles who sent this to the list, not me.
> > Second, I see, RFC-compliance is "anal-retentive".
> >
> > Kai
> 
> It's a Request For Comment, not a rule or law. Using something
> different would be my comment.
> 
> {^_^} 
> 


Oh dear. *plonk*

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by jdow <jd...@earthlink.net>.
From: "Kai Schaetzl" <ma...@conactive.com>
Sent: Wednesday, 2010/January/06 13:03


> Jdow wrote on Wed, 6 Jan 2010 10:40:14 -0800:
>
>> Actually, Charles, this is a VERY good reason I'd use to justify changing
>> my quote character to something goofy like % or # or even ; just to annoy
>> the anal retentive types.
>
> First, to clarify, it was Charles who sent this to the list, not me.
> Second, I see, RFC-compliance is "anal-retentive".
>
> Kai

It's a Request For Comment, not a rule or law. Using something different
would be my comment.

{^_^} 


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Kai Schaetzl <ma...@conactive.com>.
Jdow wrote on Wed, 6 Jan 2010 10:40:14 -0800:

> Actually, Charles, this is a VERY good reason I'd use to justify changing
> my quote character to something goofy like % or # or even ; just to annoy
> the anal retentive types.

First, to clarify, it was Charles who sent this to the list, not me.
Second, I see, RFC-compliance is "anal-retentive".

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by jdow <jd...@earthlink.net>.
From: "Charles Gregory" <cg...@hwcn.org>
Sent: Wednesday, 2010/January/06 09:20


> On Wed, 6 Jan 2010, Kai Schaetzl wrote:
> : just wanted to inform you that ">" is the only official quote marker.
>
> Deep sigh..... Do you know why I changed it?
>
> Because I was getting several M$ Outhouse correspondents complaining that
> my messages (using the 'standard' '>') were 'difficult to read'.
> I could never get them to explain exactly how/why they were difficult to
> read. It was like they were seeing something completely different with
> bits of text missing. Not just word-wrapped..... They were very insistent
> that I top post rather than use (to me) standard quote-reply method...
>
> I haven't confirmed it yet, but after reading a few notes on the web, I
> was testing the possibility that Outhouse was incorrectly attempting to
> parse the '>' as an HTML marker and mangling my messages.....
>
> But if this is really messing up people (or software) on this list, I'll
> put it back to '>'...

Actually, Charles, this is a VERY good reason I'd use to justify changing
my quote character to something goofy like % or # or even ; just to annoy
the anal retentive types.

{^_-} 


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Kai Schaetzl <ma...@conactive.com>.
Charles Gregory wrote on Wed, 6 Jan 2010 12:20:33 -0500 (EST):

> Because I was getting several M$ Outhouse correspondents complaining that 
> my messages (using the 'standard' '>') were 'difficult to read'.
> I could never get them to explain exactly how/why they were difficult to 
> read. It was like they were seeing something completely different with 
> bits of text missing. Not just word-wrapped..... They were very insistent 
> that I top post rather than use (to me) standard quote-reply method...

The reason is not the ">", but the fact that these morons are only used to 
the crappy way that Outlook quotes. It makes no difference for them what 
character you use, it's the basic way of quoting.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 6 Jan 2010, Kai Schaetzl wrote:
: just wanted to inform you that ">" is the only official quote marker. 

Deep sigh..... Do you know why I changed it?

Because I was getting several M$ Outhouse correspondents complaining that 
my messages (using the 'standard' '>') were 'difficult to read'.
I could never get them to explain exactly how/why they were difficult to 
read. It was like they were seeing something completely different with 
bits of text missing. Not just word-wrapped..... They were very insistent 
that I top post rather than use (to me) standard quote-reply method...

I haven't confirmed it yet, but after reading a few notes on the web, I 
was testing the possibility that Outhouse was incorrectly attempting to 
parse the '>' as an HTML marker and mangling my messages.....

But if this is really messing up people (or software) on this list, I'll 
put it back to '>'...

- C



Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 5 Jan 2010, Gene Heskett wrote:
: The bottom line is that they are still spammers.  Filter 'em.

About that..... 

A principle needs to be discussed here: Prohibition does not work.

The way to gain cooperation from 'big business' that *does* want to 'spam' 
is to find ways to keep them happy and thinking that they are gaining 
sufficient 'benefit' from this amazing marketing tool called the internet.
And let's be honest with ourselves. Big business is what has *paid* for 
this internet, so that you and I can send e-mails around the globe for a 
ridiculously small price. 

If we 'prohibit' all e-mail advertising, we drive the 'needs' of ALL big 
business into an 'underground' that will *struggle* with all its corporate 
power to get its spew into every mailbox, and most likely in clever 'off 
shore' methods that are even *worse* than what we endure now.

The 'trick' of spam filtering is that there are thousands of people who 
are too stupid or gullible to think spam is 'bad' and *welcome* the 
advertising of 'legitimate' big business. They WANT this crap. They 
willingly and knowingly subscribe to it! And naturally, these are the 
people that big business MOST wants to reach with their spew. 

So the principle is, if they both want it, we need to find mechanisms that 
HELP that happen, so that they don't fight to get around 'general' 
anti-spam filtering, but are content to be given 'special exception' to 
get their mail to the people who WANT it. Emphasize, absolutely WANT it.

By cooperating, and doing the job well, we can hope to then gain *their* 
cooperation, so that they follow the 'easy path' we give them, and only 
'spam' the people who want it.

Now to be fair, there is always the business that wants to see how far 
they can 'push' the rules. Every business WANTS to spam, and some of them 
try to see if they can do it 'sneakily'. Others try to take advantage of a 
'reputation' service to sneak some stuff out. No system is perfect.

But lamely saying that we should ban every last piece of mail through 
hotmail or returnpath or any other e-mail service is self-defeating. It 
will not result in 'less spam'. It will result in the same spam being 
delivered *more* indiscriminately, to YOU and to ME. 

No thank you. Let the morons who subscribe to this crap have it. Thanks.

- C


Re: [sa] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Gene Heskett <ge...@verizon.net>.
On Tuesday 05 January 2010, Charles Gregory wrote:
>On Tue, 5 Jan 2010, J.D. Falk wrote:
>: On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
>: > Once again I went to returnpath and senderscorecertified's web pages,
>: > and found no link to an email address to report being spammed by one of
>: > their customers.
>:
>: Is the font size for "Contact Us" and "Support" too small?
>
>I keep seeing the complaint, and this response, so I thought I would take
>a look, and indeed, the one form under 'Contact Us' appears to be for
>general inquiries, and not for spam complaints, and includes the
>significant deterrent of requiring large amounts of personal/corporate
>information.
>
>My suggestion: Setup a link/page that provides for rapid reporting by
>pasting an offending e-mail without a bunch of form-filling. Just use a
>captcha to avoid poisoning.... :)
>
>- C

That isn't part of their business model.  These folks only think they are 
doing it right.  Some sort of brainwashed & warped thinking they learned at 
the Master Bastards Association school I guess.

The bottom line is that they are still spammers.  Filter 'em.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)

enhance, v.:
	To tamper with an image, usually to its detriment.

Re: [sa] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 5 Jan 2010, J.D. Falk wrote:
: On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
: > Once again I went to returnpath and senderscorecertified's web pages,
: > and found no link to an email address to report being spammed by one of
: > their customers.
: Is the font size for "Contact Us" and "Support" too small?

I keep seeing the complaint, and this response, so I thought I would take 
a look, and indeed, the one form under 'Contact Us' appears to be for 
general inquiries, and not for spam complaints, and includes the 
significant deterrent of requiring large amounts of personal/corporate 
information. 

My suggestion: Setup a link/page that provides for rapid reporting by 
pasting an offending e-mail without a bunch of form-filling. Just use a 
captcha to avoid poisoning.... :)

- C

RE: [SPAM:9.6] Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by R-Elists <li...@abbacomm.net>.
 

> From: Christian Brel 
> Sensible folk know people like Return Path will never grow 
> the balls to stand up to eBay, they will just take the money 
> and smile.
> 

Christian Brel,

are you suggesting that orgs like Return Path buy some body part growth
pharma ?

;->

 - rh


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 06 Jan 2010 14:27:25 +0530
ram <ra...@netcore.co.in> wrote:

> On Wed, 2010-01-06 at 07:51 +0000, Christian Brel wrote:
> > On Tue, 5 Jan 2010 14:18:54 -0800
> > "jdow" <jd...@earthlink.net> wrote:
> > 
> > > From: "J.D. Falk" <jd...@cybernothing.org>
> > > Sent: Tuesday, 2010/January/05 12:43
> > > 
> > > 
> > > > On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> > > > 
> > > >> Once again I went to returnpath and senderscorecertified's web
> > > >> pages, and found no link to an email address to report being
> > > >> spammed by one of their customers.
> > > > 
> > > > Is the font size for "Contact Us" and "Support" too small?
> > > > 
> > > > I'll forward your report to the appropriate team.
> > > 
> > > J.D., rather than getting snarky it might be a good idea to
> > > suggest to your webmaster that a formal "Report Abuse" link be
> > > placed on your front page? I'd not look to support or contact us
> > > for reporting abuse, myself. So I can understand Greg's problem.
> > > 
> > > {o.o}
> > 
> > I'm jealous, at least you can get a *narky* reply from Return Path.
> > I've been trying for three days....
> > 
> > http://www.spampig.org.uk/bbs/showthread.php?tid=31
> > 
> 
> Ebay is definitely a too big spammer. So what if they pay habeas and
> other accreditation lists 
> 
> Their unsubscribe doesn't work.
> I had all notifications off still I used to get their mails. 
> I got fed up of their reminders .. even though I have never purchased
> anything at ebay they keep sending me nonsense
> 
> The only last resort ... I configured a dummy alias on my server and
> changed the ebay notification email address to the dummy alias. 
> After activating the dummy .. now I give a std "450" Try later to all
> mails that come to the dummy.
> 
> 
The point is, if you accredit someone as a email professional, and that
sender fails to act professionally - it's the accreditation that is
brought into question, not the spammy sender. After all, the
accreditation is saying - more or less - that the sender is not a
spammer and will act professionally when complaints are raised.

Just because eBay is a big company does not mean it respects people's
choices and behaves appropriately.

However, this is *not* the place for that discussion. It just starts a
hissy fit between the 'professional spammers' and those that seek to
stop them.

Sensible folk know people like Return Path will never grow the balls to
stand up to eBay, they will just take the money and smile.

Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by ram <ra...@netcore.co.in>.
On Wed, 2010-01-06 at 07:51 +0000, Christian Brel wrote:
> On Tue, 5 Jan 2010 14:18:54 -0800
> "jdow" <jd...@earthlink.net> wrote:
> 
> > From: "J.D. Falk" <jd...@cybernothing.org>
> > Sent: Tuesday, 2010/January/05 12:43
> > 
> > 
> > > On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> > > 
> > >> Once again I went to returnpath and senderscorecertified's web
> > >> pages, and found no link to an email address to report being
> > >> spammed by one of their customers.
> > > 
> > > Is the font size for "Contact Us" and "Support" too small?
> > > 
> > > I'll forward your report to the appropriate team.
> > 
> > J.D., rather than getting snarky it might be a good idea to suggest to
> > your webmaster that a formal "Report Abuse" link be placed on your
> > front page? I'd not look to support or contact us for reporting
> > abuse, myself. So I can understand Greg's problem.
> > 
> > {o.o}
> 
> I'm jealous, at least you can get a *narky* reply from Return Path.
> I've been trying for three days....
> 
> http://www.spampig.org.uk/bbs/showthread.php?tid=31
> 

Ebay is definitely a too big spammer. So what if they pay habeas and
other accreditation lists 

Their unsubscribe doesn't work.
I had all notifications off still I used to get their mails. 
I got fed up of their reminders .. even though I have never purchased
anything at ebay they keep sending me nonsense

The only last resort ... I configured a dummy alias on my server and
changed the ebay notification email address to the dummy alias. 
After activating the dummy .. now I give a std "450" Try later to all
mails that come to the dummy.












Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Tue, 5 Jan 2010 14:18:54 -0800
"jdow" <jd...@earthlink.net> wrote:

> From: "J.D. Falk" <jd...@cybernothing.org>
> Sent: Tuesday, 2010/January/05 12:43
> 
> 
> > On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> > 
> >> Once again I went to returnpath and senderscorecertified's web
> >> pages, and found no link to an email address to report being
> >> spammed by one of their customers.
> > 
> > Is the font size for "Contact Us" and "Support" too small?
> > 
> > I'll forward your report to the appropriate team.
> 
> J.D., rather than getting snarky it might be a good idea to suggest to
> your webmaster that a formal "Report Abuse" link be placed on your
> front page? I'd not look to support or contact us for reporting
> abuse, myself. So I can understand Greg's problem.
> 
> {o.o}

I'm jealous, at least you can get a *narky* reply from Return Path.
I've been trying for three days....

http://www.spampig.org.uk/bbs/showthread.php?tid=31


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by jdow <jd...@earthlink.net>.
From: "J.D. Falk" <jd...@cybernothing.org>
Sent: Tuesday, 2010/January/05 12:43


> On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> 
>> Once again I went to returnpath and senderscorecertified's web pages,
>> and found no link to an email address to report being spammed by one of
>> their customers.
> 
> Is the font size for "Contact Us" and "Support" too small?
> 
> I'll forward your report to the appropriate team.

J.D., rather than getting snarky it might be a good idea to suggest to
your webmaster that a formal "Report Abuse" link be placed on your front
page? I'd not look to support or contact us for reporting abuse, myself.
So I can understand Greg's problem.

{o.o}

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by "J.D. Falk" <jd...@cybernothing.org>.
On Jan 5, 2010, at 6:01 PM, Greg Troxel wrote:

> Thanks.  A link like "report spam" in the top bar, alongside "marketers

I'll pass all of this along to the appropriate folks.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc

Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Kai Schaetzl <ma...@conactive.com>.
Jdow wrote on Wed, 6 Jan 2010 10:37:49 -0800:

> I've never received any and I am a member. Every invite has been from
> somebody with a "solid" connection to me.

Well, they seem to provide an option to upload your whole addressbook. And 
some email applications have an option to add every incoming or outgoing 
address to the addressbook. That combination calls for disaster.
I've recently seen quite a few invites sent to mailing lists ...

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by jdow <jd...@earthlink.net>.
From: "Charles Gregory" <cg...@hwcn.org>
Sent: Wednesday, 2010/January/06 07:11


> On Tue, 5 Jan 2010, Greg Troxel wrote:
> : Thanks.  A link like "report spam" in the top bar, alongside "marketers
> : and senders" would help.  That should link to a page that gives an email
> : address where one can forward the full offending message, and a way to
> : lookup IP addresses to see if they are still in the database, like other
> : DNSBLS.
>
> I agree with both these ideas. The DNSBL lookup could actually be a 'front
> end' to the mechanism, so that people don't send a report if an IP has
> already been removed from the whitelist(s). Saves time dealing with old
> problems....

Excellent idea, Charles.

> : On the real issue, I find it hard to believe I'm the first one to
> : complain about linkedin invitation spam.  Is this really true?
>
> Possibly. Most people accept that this sort of abuse is not a fault WITH
> 'linkedin', but merely abuse OF 'linkedin' and so they send their abuse
> report to linkedin directly.

I've never received any and I am a member. Every invite has been from
somebody with a "solid" connection to me. (Which is easy - I'm not a
very social animal. {^_-})

{^_^} 


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Charles Gregory <cg...@hwcn.org>.
On Tue, 5 Jan 2010, Greg Troxel wrote:
: Thanks.  A link like "report spam" in the top bar, alongside "marketers
: and senders" would help.  That should link to a page that gives an email
: address where one can forward the full offending message, and a way to
: lookup IP addresses to see if they are still in the database, like other
: DNSBLS.

I agree with both these ideas. The DNSBL lookup could actually be a 'front 
end' to the mechanism, so that people don't send a report if an IP has 
already been removed from the whitelist(s). Saves time dealing with old 
problems....

: The 'report spam' link should be blindingly obvious.

This needs emphasizing. The people who use it will not be customers 
familiar with (and willing to navigate) the whole site. If I find that 
returnpath is a problem, it will be quicker and easier to disable the 
whitelist rather than fight my way through those forms, so it's in 
returnpath's own interest to make it easy...

: On the real issue, I find it hard to believe I'm the first one to
: complain about linkedin invitation spam.  Is this really true?

Possibly. Most people accept that this sort of abuse is not a fault WITH 
'linkedin', but merely abuse OF 'linkedin' and so they send their abuse 
report to linkedin directly.

: Is my supposition that there is some sort of bulk invitation process 
: correct? Do your whitelist membership criteria permit this kind of 
: misbehavior?

It certainly should not! Any service capable of permitting the submission 
of 'mailing lists' and their use for a 'sneaky' custom e-mail, by FREE
accounts should NEVER be whitelisted, or you are just inviting abuse of 
the mechanism by eager spammers who want the negative score.

: in which case it's wrong to list linkedin, as the postgis-devel
: mailinglist surely did not agree to get invitations.

Actually, what should really happen, and I'm hoping the guys at returnpath 
are listening:

Ask 'linkedin' to setup their servers so that 'invites' are sent by a 
dedicated IP address that is NOT used for any other regular mail. Then 
REMOVE that IP (or range) from the whitelist, so that it does not gain the 
same benefits as personal mail sent from one 'linkedin' member to another.
You still have 'linkedin' as a customer, and their whitelisting is 
meaningful.

- Charles
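
The lookup 'front end' suggested in this message, sketched as an added example (not code from any poster, dnswl.org or Return Path): it builds the reversed-octet DNSWL query for an IPv4 address, decodes the 127.0.x.y answer into the NONE/LOW/MED/HI trust levels discussed in this thread, and reports whether the address is still listed before anyone files a complaint. The zone `list.dnswl.org` and the last-octet encoding follow dnswl.org's published conventions; the function names and the sample answers for documentation-range IPs are constructed for illustration.

```python
"""Added example: check whether an IP is still on DNSWL before reporting it."""
import ipaddress
import socket

DNSWL_ZONE = "list.dnswl.org"

# The last octet of a 127.0.x.y DNSWL answer carries the trust level.
TRUST_LEVELS = {0: "none", 1: "low", 2: "med", 3: "hi"}

# SpamAssassin rule names that appear in this thread, keyed by trust level.
SA_RULES = {
    "low": "RCVD_IN_DNSWL_LOW",
    "med": "RCVD_IN_DNSWL_MED",
    "hi": "RCVD_IN_DNSWL_HI",
}


def dnswl_query_name(ip, zone=DNSWL_ZONE):
    """Build the DNS name to query: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this sketch")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_answer(answer):
    """Map an A-record answer to a trust level name, or None if not a listing."""
    if answer is None:
        return None
    try:
        octets = ipaddress.IPv4Address(answer).packed
    except ipaddress.AddressValueError:
        return None
    if octets[0] != 127 or octets[1] != 0:
        return None
    # Any last octet outside 0..3 (for example an error code) is not a listing.
    return TRUST_LEVELS.get(octets[3])


def system_resolver(name):
    """Live lookup through the system resolver; None means no record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def triage(ip, resolver=system_resolver):
    """Decide whether a whitelist report about this IP is still relevant."""
    level = decode_answer(resolver(dnswl_query_name(ip)))
    return {
        "ip": ip,
        "level": level,                   # None means not listed at all
        "sa_rule": SA_RULES.get(level),   # rule that would lower the score
        "still_listed": level is not None,
    }


# Constructed answers for documentation-range addresses (not real listings).
SAMPLE_ANSWERS = {
    "10.2.0.192.list.dnswl.org": "127.0.5.2",   # listed, trust MED
    "11.2.0.192.list.dnswl.org": "127.0.5.0",   # listed, trust NONE
}


def sample_resolver(name):
    """Offline stand-in for DNS that serves the constructed answers above."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(triage(ip, sample_resolver))
```
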


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by Greg Troxel <gd...@ir.bbn.com>.
"J.D. Falk" <jd...@cybernothing.org> writes:

> On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
>
>> Once again I went to returnpath and senderscorecertified's web pages,
>> and found no link to an email address to report being spammed by one of
>> their customers.
>
> Is the font size for "Contact Us" and "Support" too small?
>
> I'll forward your report to the appropriate team.

Thanks.  A link like "report spam" in the top bar, alongside "marketers
and senders" would help.  That should link to a page that gives an email
address where one can forward the full offending message, and a way to
lookup IP addresses to see if they are still in the database, like other
DNSBLS.

'Contact us' is obviously a sales inquiry form, plus as others point out
asks for way too much information.

And the 'support' font size was in fact too small.  I went to the page
in good faith (because the 3.2.5 current sa-update rules give the URL)
trying to find out how to send a complaint, and I didn't figure it out.
Even in the support page it starts out seeming like it's for those who
are returnpath customers.

The 'report spam' link should be blindingly obvious.  The point is that
it should be clear to someone visiting your site that you are as
interested in getting reports of abuse as in signing up new clients.
Right now it's hard to believe that.


On the real issue, I find it hard to believe I'm the first one to
complain about linkedin invitation spam.  Is this really true?  Is my
supposition that there is some sort of bulk invitation process correct?
Do your whitelist membership criteria permit this kind of misbehavior?

Where on your website can I find the definitions of what membership in
your lists means?  I found a pdf under "ISP" about how to query the
zones, but it doesn't really answer the listing criteria question.
It does say

  "Query both for inbox placement as both are whitelists for only
  legitimate permission based senders."

in which case it's wrong to list linkedin, as the postgis-devel
mailinglist surely did not agree to get invitations.


Re: semi-legit senders in DNSWL and habeas - a hard problem

Posted by "J.D. Falk" <jd...@cybernothing.org>.
On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:

> Once again I went to returnpath and senderscorecertified's web pages,
> and found no link to an email address to report being spammed by one of
> their customers.

Is the font size for "Contact Us" and "Support" too small?

I'll forward your report to the appropriate team.

--
J.D. Falk <jd...@returnpath.net>
Return Path Inc





Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

Posted by ram <ra...@netcore.co.in>.
On Tue, 2010-01-05 at 14:39 -0500, Bowie Bailey wrote:

> Christian Brel wrote:
> > On Tue, 05 Jan 2010 12:10:28 -0500
> > Greg Troxel <gd...@ir.bbn.com> wrote:
> >
> >   
> >>
> >> Does anyone have any ideas of what else might help?
> >>     
> >
> >
> > #ADD TO THE END OF local.cf at your own risk
> > score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
> > score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
> > score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
> > score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
> > score HABEAS_CHECKED 0 0.2 0 0.2
> > score RCVD_IN_DNSWL_LOW 0 1 0 1
> > score RCVD_IN_DNSWL_MED 0 4 0 4
> > score RCVD_IN_DNSWL_HI 0 8 0 8

                                                   ^^^^^^^^
Don't your SA-list mails go into spam ... or do you whitelist them?


Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

Posted by Bowie Bailey <Bo...@BUC.com>.
Christian Brel wrote:
> On Tue, 05 Jan 2010 12:10:28 -0500
> Greg Troxel <gd...@ir.bbn.com> wrote:
>
>   
>>
>> Does anyone have any ideas of what else might help?
>>     
>
>
> #ADD TO THE END OF local.cf at your own risk
> score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
> score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
> score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
> score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
> score HABEAS_CHECKED 0 0.2 0 0.2
> score RCVD_IN_DNSWL_LOW 0 1 0 1
> score RCVD_IN_DNSWL_MED 0 4 0 4
> score RCVD_IN_DNSWL_HI 0 8 0 8
> score RCVD_IN_IADB_VOUCHED 0 2.2 0 2.2
> score RCVD_IN_IADB_DOPTIN 0 4 0 4
> score RCVD_IN_IADB_ML_DOPTIN 0 6 0 6
> score HASHCASH_20 0.500
> score HASHCASH_21 0.700
> score HASHCASH_22 1.000
> score HASHCASH_23 2.000
> score HASHCASH_24 3.000
> score HASHCASH_25 4.000
> score HASHCASH_HIGH 5.000
>   

It should be pointed out that the result of this change is to give a
positive score to a bunch of whitelists (the opposite of their intended
use).  I'm not going to enter the argument over whether this is a good
idea or not, but just make sure you know what you are doing before you
blindly apply these score changes.

-- 
Bowie
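
Added example (not part of any poster's message, and not SpamAssassin's own code): a small audit that parses `score` lines, expands the one-value and four-value forms into the four score sets, and reports every whitelist-style rule that ends up adding points, which is the effect described above. The sample input is constructed, and the prefix list of rules treated as score-lowering is an assumption drawn from the rule names in this thread.

```python
# Constructed sample input: lines in the style of the snippet quoted above,
# plus one negative whitelist score for contrast.
SAMPLE_CF = """\
#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_DNSWL_MED 0 4 0 4
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score HASHCASH_20 0.500
score RCVD_IN_DNSWL_LOW 0 -1 0 -1
"""

# Four-value scores are indexed by score set: Bayes off/on x network tests off/on.
SCORESETS = ("bayes-off/net-off", "bayes-off/net-on",
             "bayes-on/net-off", "bayes-on/net-on")

# Assumption: prefixes of rules meant to lower the score, taken from this thread.
HAM_PREFIXES = ("RCVD_IN_DNSWL_", "HABEAS_", "RCVD_IN_BSP_",
                "RCVD_IN_SSC_", "RCVD_IN_IADB_", "HASHCASH_")

def parse_scores(text):
    """Return {rule: [set0, set1, set2, set3]} from 'score' directives."""
    scores = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "score":
            continue
        try:
            vals = [float(v) for v in parts[2:]]
        except ValueError:
            continue  # relative "(n.nn)" scores are not handled in this sketch
        if len(vals) == 1:
            vals = vals * 4          # a single value applies to every score set
        if len(vals) == 4:
            scores[parts[1]] = vals  # a later line overrides an earlier one
    return scores

def inverted_rules(scores):
    """List (rule, score set, value) where a score-lowering rule adds points."""
    findings = []
    for rule, vals in scores.items():
        if rule.startswith(HAM_PREFIXES):
            findings += [(rule, SCORESETS[i], v)
                         for i, v in enumerate(vals) if v > 0]
    return findings

if __name__ == "__main__":
    for rule, scoreset, value in inverted_rules(parse_scores(SAMPLE_CF)):
        print(f"{rule:24} {scoreset:18} +{value}")
```
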

Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Tue, 05 Jan 2010 12:10:28 -0500
Greg Troxel <gd...@ir.bbn.com> wrote:

> 
> I've recently gotten multiple spams from linkedin.  (I don't consider
> invitations from people I dimly have heard of spam.)  These are
> typically invitations that are sent to mailinglists, and occasionally
> invitations from people that I have never ever heard of.
> 
> I believe what is going on is that there is some way for people to
> upload an entire addressbook and then bulk-spam all those addresses
> with invitations.
> 
> The problem is that linkedin is getting adjusted scores due to
> 
>   RCVD_IN_DNSWL_MED
>   HABEAS_ACCREDITED_SOI
>   RCVD_IN_BSP_TRUSTED
> 
> Here is an example (I have the postgis mailinglist in
> trusted_networks):
> 
>   http://www.lexort.com/spam/spam-linkedin.out.txt
> 
> At least for my scores, the +2 points for HABEAS and BSP
> counterbalance the dnswl.
> 
> I have sent mail to abuse@linkedin.com, but have never gotten any
> response.
> 
> I complained to dnswl, and that got linkedin.com moved to MED from HI
> (thanks!), but I think MED is still excessive.
> 
> Once again I went to returnpath and senderscorecertified's web pages,
> and found no link to an email address to report being spammed by one
> of their customers.  Can anyone from returnpath explain why this
> glaring problem hasn't been fixed, or better yet fix it?  And also
> remove linkedin as a certified address, because they are spamming?
> 
> This is a general problem, more than linkedin - this has happened with
> twitter and facebook as well.
> 
> The problem seems to have multiple related components:
> 
>   linkedin is a spam source because they off bulk inviting
> 
>   whitelists list them because some of their mail is legitimate
> 
>   SA gives negative points to whitelists where most of the hosts on
> the whitelist don't send spam, and those that do send some ham
> 
> Clearly some things that should happen are:
> 
>   dnswl should drop linkedin, because it doesn't meet "Extremely rare
>   spam occurrences, corrected promptly." because 1) this keeps
> happening because the structural problem has not been addressed and
> 2) there is no functioning abuse@.  I don't think linkedin belongs
> even in LOW, but it's fair to be in NONE (legit server, also sends
> spam).
> 
>   returnpath should drop linkedin, because they send spam and the
> mails I referenced above clearly do not meet any definition of opt in
> 
> But it's hard for SA to cause these changes.  dnswl clearly has value,
> and perhaps part of the difficulty is that it gets used for two
> reasons: not blocking connections or greylisting at the MTA level,
> and spam filtering.  It's certainly reasonable for linkedin to be in
> a "don't outright block" list, but not for it to get a pass from
> filtering given the spam that comes out of it.
> 
> Does anyone have any ideas of what else might help?


#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score HABEAS_CHECKED 0 0.2 0 0.2
score RCVD_IN_DNSWL_LOW 0 1 0 1
score RCVD_IN_DNSWL_MED 0 4 0 4
score RCVD_IN_DNSWL_HI 0 8 0 8
score RCVD_IN_IADB_VOUCHED 0 2.2 0 2.2
score RCVD_IN_IADB_DOPTIN 0 4 0 4
score RCVD_IN_IADB_ML_DOPTIN 0 6 0 6
score HASHCASH_20 0.500
score HASHCASH_21 0.700
score HASHCASH_22 1.000
score HASHCASH_23 2.000
score HASHCASH_24 3.000
score HASHCASH_25 4.000
score HASHCASH_HIGH 5.000