The opt-in argument is useless since there is no way to verify that the user subscribed in the first place, giving them the address or not. All you do is provide value to the spammer since they have now verified that the email is indeed real and read by a person. When reporting abuse you can already forge any email out of nothing, and you cannot prove that the email was forged unless they have a trace of the email being sent by their server (logs), and if they have that trace they can easily see a pattern of mass distribution and start an investigation by contacting the other recipients on that list, or just wait for more reports to come in. Guess it's been a while since I worked at an ISP, but I have never heard of a spam abuse investigation strategy that involves forwarding the address to the suspected spammer.
I think all this just goes to reinforce the complete brokenness of e-mail to date.
While the proposals for requesting proof of opt-in via SHA hashes and such seem technically feasible, I think it pretty quickly breaks down when you think about how much cost and overhead that would put on GoDaddy (or law enforcement) to manage.
Think about the volume of spam out there. Then imagine a very tiny fraction of that being reported. Each one of those would require validation. While you could automate all the SHA sum comparison stuff, I don't think you could easily automate the validation of whether the opt-in mechanism was appropriate. If the sender indicates there was an opt-in, the validator must still confirm with the complainant whether that is a true claim. Without that, the system is useless because the spammer just keeps a SHA sum for each of the addresses they've purchased and supplies them along with a "Yes they opted in!" claim.
Manually validating the opt-in mechanism would require lots of manpower, and more importantly, a common and universally agreed upon set of rules for how opt-in should work. There are all sorts of nuance in the way there. Should it be a double confirmation? Does existing business relationship count? If so, what are all the rules regarding what constitutes such a relationship? What about unsubscribing afterward?
Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch that was what warranted downvotes.
GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."
Considering that the spammer has the email addresses already, it would be as simple as forging a letter. Even a fake handwritten sign-up form should "prove" it. No one is going to do a handwriting check to make sure it's actually correct.
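The SHA-hash scheme discussed in this thread (the sender hands over hashes of the addresses it claims opted in; the validator hashes the complainant's address and looks for it) can be sketched in a few lines. This is an added illustration, not code from any commenter; the address lists are constructed and the normalization rule (fold the whole address to lowercase) is an assumption, since the local part of an address is not case-insensitive by specification.

```python
import hashlib

def normalize_address(address: str) -> str:
    """Canonicalize before hashing so sender and validator hash identical bytes.
    Assumption for this example: both sides fold the whole address to lowercase."""
    local, _, domain = address.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"

def address_hash(address: str) -> str:
    """SHA-1 of the normalized address, as the proposed proof-of-opt-in token."""
    return hashlib.sha1(normalize_address(address).encode("utf-8")).hexdigest()

def opt_in_claim_hashes(addresses) -> set:
    """What a sender would submit: one hash per address it claims consented."""
    return {address_hash(a) for a in addresses}

def evaluate_complaint(complainant: str, claimed_hashes: set) -> str:
    """Validator's side: is the complainant's address in the sender's claimed list?
    A match only shows the sender holds the address; it does not show consent,
    because anyone who has the address can compute the same hash."""
    if address_hash(complainant) in claimed_hashes:
        return "in_claimed_list"
    return "not_in_claimed_list"

# Constructed lists: a bought list with no consent, and a genuinely consented list
# that happens to contain the same people. The validator cannot tell them apart.
PURCHASED_LIST = ["Alice@Example.com", "bob@example.com", "carol@example.org"]
CONSENTED_LIST = ["alice@example.com", "Bob@example.com", "carol@example.org"]

def claims_are_indistinguishable() -> bool:
    """True when both lists produce exactly the same set of proof tokens."""
    return opt_in_claim_hashes(PURCHASED_LIST) == opt_in_claim_hashes(CONSENTED_LIST)

if __name__ == "__main__":
    claimed = opt_in_claim_hashes(PURCHASED_LIST)
    print(evaluate_complaint("alice@example.com", claimed))   # in_claimed_list
    print(claims_are_indistinguishable())                     # True
```

The hash set does keep the sender from having to disclose its whole list to the validator, which is the only property it actually delivers; the consent question still has to be settled out of band with the complainant, as the thread points out.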
I imagine a spammer could generate plausible emails and then check them against SMTP servers to discover the valid ones if they didn't get blacklisted.
A lot of spam nowadays is sent with the explicit purpose of pinging email names and bypassing filters, just to find out if the address itself has a person that checks it. War-emailing, as it were.
Perhaps that email had something like an embedded image or JavaScript that could/would dial out to tell the spammer that your email address is active.
Other tactics I've seen are the "unsubscribe to this email" links on blatant spam which are social engineering attacks to trick the unwitting into telling the spammers that yes, someone is home at this address.
I'm not sure what good this would do. Wouldn't the spammer just include the ones that had not opted in (while claiming otherwise)? It'd be hard to prove them wrong.
Yep. I've also seen a few people using the same strategy I do of user+sitename.com@example.com so they can recognize when email addresses get abused and trivially filter them.
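The sub-addressing habit described in the comment above (`user+sitename.com@example.com`, one tag per site) lends itself to an automatic triage rule: a tag was handed to exactly one site, so mail carrying that tag from anyone else means the address was shared or leaked. Below is an added example of that filter; it is not code from the commenter, the messages and tag table are constructed, and the `From` domain is treated only as a hint because that header is forgeable, as later replies in this thread note.

```python
import re
from collections import Counter
from email.utils import parseaddr

# local+tag@domain; the tag is whatever the owner chose when giving the address out
SUBADDRESS_RE = re.compile(r"^(?P<local>[^@+]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")

def parse_subaddress(address: str):
    """Split a plain addr-spec into (local, tag or None, domain), lowercased."""
    m = SUBADDRESS_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a plain addr-spec: {address!r}")
    return m.group("local"), m.group("tag"), m.group("domain")

def sender_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address. Forgeable, so a hint, not proof."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def classify(message: dict, issued_tags: dict) -> str:
    """issued_tags maps each tag you handed out to the site that received it."""
    _, tag, _ = parse_subaddress(message["to"])
    if tag is None:
        return "untagged"
    if tag not in issued_tags:
        return "unknown_tag"      # a tag you never issued: guessed, mangled or harvested
    site = issued_tags[tag]
    sender = sender_domain(message["from"])
    if sender == site or sender.endswith("." + site):
        return "expected"
    return "leaked"               # tag given to one site, mail now arriving from another

def summarize(messages, issued_tags: dict) -> dict:
    """Count of each classification over a batch of messages."""
    return dict(Counter(classify(m, issued_tags) for m in messages))

# Constructed sample: two issued tags (one is the site's own name, one an alias)
ISSUED_TAGS = {"shop.example": "shop.example", "nl42": "news.example"}
SAMPLE_MESSAGES = [
    {"to": "user+shop.example@example.com", "from": "Shop <news@shop.example>"},
    {"to": "user+shop.example@example.com", "from": "Deals <promo@bulk-sender.example>"},
    {"to": "user+nl42@example.com",         "from": "Newsletter <x@mail.news.example>"},
    {"to": "user+forum.example@example.com", "from": "Someone <y@forum.example>"},
    {"to": "user@example.com",              "from": "Friend <friend@example.net>"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m, ISSUED_TAGS), m["to"], "<-", sender_domain(m["from"]))
    print(summarize(SAMPLE_MESSAGES, ISSUED_TAGS))
```

A "leaked" verdict is the signal worth acting on: retire that tag (filter it to a junk folder) and, if you want to complain, the tag itself tells you which site's database the address left through.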
For what it's worth, I have cleaned up enough servers hacked by spammers that I'll never send one. I guess I should mention that.
That works great if the spammer hasn't forged the return address. Many spam emails contain forged headers and a working link to the scam website in the body.
A few years ago some #$^%er sent a few bazillion porn dvd spam emails with one of my domains in the header. An amazing number of admins/folks like yourself actually reply to a forged address.
Yeah, but if that happened to a person who habitually used sub-addressing it would be pretty obvious. They would likely have received the same spam many times from many of their sub-addressed emails. People who take the trouble to set this up don't use it in only one place.
Wouldn't that be counter-productive, by showing them "yes this address is active and someone's reading your spam" as well as potentially allowing them to correlate your mailing address with online identifiers like IP address, browser fingerprint or advertising cookies?
A lot of spam mails are sent through hijacked white-listed accounts. If that's the case here, it's unnecessary exposure of someone else's email address.
If I get spam mails on lists I never signed up for, I either hunt down the X-Abuse header and report there (if they use a reputable bulk mailing service), otherwise I just paste the entire email on members.spamcop.net
I agree with you, it'd be the obvious thing to do if you're going to buy some emails from the black market. I'm not going to name any names, but you'd be surprised how much spam I've tracked down by using subaddressing.
I have what would probably be an unpopular and high friction idea but here goes.
If I were being targeted in this manner I would flip the transaction around. I would generate a long random-like email address on my website using an email specific domain that is temporary but tied to the person logged in. To activate it they would email that address with a code from the application they received whilst signed in. On that email specific domain I would validate and enforce FCrDNS, DMARC and SPF and probably also use SpamAssassin to get a spam score from all the RBLs and RSLs, then do something with it. There is also greylisting and prompt delays that can be configured to break some bots. Oh, and if the sender does not have SPF+DMARC enforcing you could just outright reject it anyway if so desired.
In this mail-list-like model, no emails are sent from my servers. The attacker has to spoof their victim which is harder to do now with DMARC, SPF, SA, SR25 regex, etc. Their proxies and cell phone farms become their own hindrance. It can still be done to people that do not have those measures in place, but it makes for a new conversation with the abuse complaint and gives the attacker more work to do.
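The inbound-only design in the two paragraphs above stacks three checks on the receiving side: FCrDNS on the connecting IP, greylisting of unseen sender triplets, and an SPF/DMARC verdict with an optional "no DMARC, no entry" rule. The following is an added example of that admission pipeline, written for this page rather than taken from the commenter or any mail server; DNS is replaced by constructed lookup tables so it runs offline, and the SPF/DMARC results are read from a constructed Authentication-Results line standing in for the MTA's own evaluation.

```python
import re
from dataclasses import dataclass, field

# --- Greylisting: tempfail a never-seen (ip, sender, recipient) triplet, accept the retry ---
@dataclass
class Greylist:
    delay: int = 300          # seconds a new triplet must wait before it is accepted
    window: int = 4 * 3600    # a triplet not retried within this window starts over
    seen: dict = field(default_factory=dict)

    def check(self, ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        key = (ip, mail_from.lower(), rcpt_to.lower())
        entry = self.seen.get(key)
        if entry is None or now - entry["last"] > self.window:
            self.seen[key] = {"first": now, "last": now}
            return "tempfail"      # SMTP 4xx: a real MTA queues and retries; many bots never do
        entry["last"] = now
        if now - entry["first"] < self.delay:
            return "tempfail"      # retried too quickly; keep waiting
        return "accept"

# --- FCrDNS: PTR of the connecting IP must resolve forward to that same IP ---
def fcrdns_ok(ip: str, reverse_lookup, forward_lookup) -> bool:
    """reverse_lookup(ip) -> hostname or None; forward_lookup(host) -> list of IPs.
    Resolvers are injected (constructed tables below) so the example runs offline."""
    host = reverse_lookup(ip)
    return host is not None and ip in forward_lookup(host)

# --- SPF/DKIM/DMARC verdicts from an Authentication-Results header ---
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")

def auth_results(header: str) -> dict:
    """Map each method to its result, e.g. {'spf': 'pass', 'dmarc': 'fail'}."""
    return dict(AUTH_RE.findall(header.lower()))

def auth_policy(header: str, require_dmarc: bool = True) -> str:
    r = auth_results(header)
    if r.get("dmarc") == "pass":
        return "accept"
    if r.get("dmarc") == "fail":
        return "reject"
    if require_dmarc:              # the optional hard line: no DMARC verdict, no entry
        return "reject"
    return "accept" if r.get("spf") == "pass" else "reject"

# Constructed resolver tables standing in for DNS (RFC 5737 documentation addresses)
REVERSE = {"203.0.113.5": "mail.x.example", "198.51.100.7": "mail.y.example"}
FORWARD = {"mail.x.example": ["203.0.113.5"], "mail.y.example": ["198.51.100.8"]}

def admit(ip, mail_from, rcpt_to, auth_header, now, greylist, require_dmarc=True) -> str:
    """Cheapest checks first: connection-level FCrDNS, then greylisting, then auth."""
    if not fcrdns_ok(ip, REVERSE.get, lambda h: FORWARD.get(h, [])):
        return "reject:fcrdns"
    if greylist.check(ip, mail_from, rcpt_to, now) != "accept":
        return "tempfail:greylist"
    if auth_policy(auth_header, require_dmarc) != "accept":
        return "reject:auth"
    return "accept"

if __name__ == "__main__":
    hdr = ("mx.example.com; spf=pass smtp.mailfrom=x.example; "
           "dkim=pass header.d=x.example; dmarc=pass header.from=x.example")
    g = Greylist()
    for t in (1000, 1100, 1400):   # constructed clock: first try, too-early retry, proper retry
        print(t, admit("203.0.113.5", "a@x.example", "user@example.com", hdr, t, g))
    print(admit("198.51.100.7", "a@y.example", "user@example.com", hdr, 1000, g))
```

Greylisting is keyed on the triplet rather than the IP alone, so a legitimate sender that retries from the same host within the window is accepted once; the spoofing the comment describes is what the DMARC step catches, and the `require_dmarc` flag is the "reject it outright anyway" option from the comment.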
It's unfortunate that RSS is not in all the browsers any more.