Complaint of the week: Ebay abuse mail (slightly OT)

Mailman List Mirror (Read Only)
1

To add to the eternally annoying list of companies that ignore
abuse@ mail... ebay now requires that you fill in their lovely
little web form to send them a note. Even if, say, you're
trying to let them know about another scam going around that
tries to use the machine www.hnstech.co.kr to extract people's
credit card information.

Has anyone had success in convincing companies that this is just
A Bad Idea (ignoring abuse mail), and if so, how did you manage
to do it?

Sorry for the slightly non-operational content, but I've had it with
ebay on this one.

  -Dave

----- Forwarded message from eBay Safe Harbor <SafeHarbor@eBay.com> -----

2

... ebay now requires that you fill in their lovely little web form to
send them a note. Even if, say, you're trying to let them know about
another scam going around that tries to use the machine www.hnstech.co.kr
to extract people's credit card information.

one can easily imagine that their abuse@ alias was receiving so much spam
that it was too costly to read it all and fish out the valid complaints.
(this is a ~recent spammer tactic, clogging the metadata paths to make it
harder for network owners to discuss spammer activities.)

however, the real reason is likely to be lack of uniformity in complaints.
among the population who complains to abuse@, there isn't a single definition
of "spam" or "abuse" or "hack" or "scam" or what have you. a complaint that
is about a credit card scam is only differentiable from a complaint that is
about a spamvertised web site after a fairly expensive human has seen both
and made a determination. at ebay's transaction volume i'm sure that the
aggregate costs of those humans was looking pretty large.

so it was for all the other companies who have tried to manage their abuse
costs by making people go to web sites. most of these companies were not as
financially successful as ebay, though, and the unwillingness of the public
to fire up a web browser in order to give the valuable gift of feedback about
customer activity turned into a larger cost than the one they were avoiding.

ebay is a different animal, and i'll take bets that the potential complainants
who send enough abuse complaints overall that they have to prefer e-mail and
say "no" to web forms, is not even part of their target audience. that means
they don't care if you stop using their service, or blackhole all mail from
them, or whatever you have to do to protect yourself from their other
customers... because they will still have tens of millions of other customers
who don't send abuse complaints or who are willing to deal with web forms.

this sounds like i'm defending them. i'm not. but while reprehensible and
irresponsible and socially radical, the web form approach's only real cause
for failure is when the lack of a useful feedback channel curtails complaints
which the network owner would find valuable. that's just not provably true
in the case of ebay.

we all knew that profitable large network owners would change the landscape
compared to merely ebitda-positive large network owners, and here's an
example of how "big company" cost management practices can go up against
"reasonable and customary internet behaviour" and pretty much ignore it.

this won't be a case where taking your complaint to the peering/backbone
folks can result in a policy change, either. to get the attention of the
people who make this kind of decision in a company like ebay, you'd have to
go to the better business bureau, or congress. good luck storming the
castle, boys.

3

On spam-l it was reported that there presently is a valid address of spoof (for the purpose of sending abuse complaints about spoof paypal websites[1]) at paypal.com. Since ebay now owns paypal, I suspect you can use that address to report spoof sites and emails for either service and that the human at the other end has enough clue to realize that they should act on all such spoofs reported to that address.

jc

[1] yes, I realize this makes the sentence look really weird. I worded it this way to help keep the spoof address from being "machine readable" if/when spammers start scarfing username (at) domain (dot) com munging and concatenating that back into the unmunged email address. It's hard enough to get a real email address for inside ebay or paypal that we need to protect what addresses we discover.

4

* vixie@vix.com (Paul Vixie) [Sun 03 Aug 2003, 18:42 CEST]:
[..]

this sounds like i'm defending them. i'm not. but while reprehensible and
irresponsible and socially radical, the web form approach's only real cause
for failure is when the lack of a useful feedback channel curtails complaints
which the network owner would find valuable. that's just not provably true
in the case of ebay.

Some time ago I received a mail attempting to redirect me to a scam site
asking for my eBay login details. I tried getting eBay's attention, but
it turned out that in order to contact them you need to have an account.
There was no way to be seen to contact eBay without being a customer.
(Now where have we heard _that_ particular line before??)

I haven't bothered since. If eBay likes to make it hard for me to point
them at serious risks for their business, more power to them.

... This is the point where somebody points at an obvious URL and says
"You doofus, wasn't it *obvious* that you could contact them via this here?"

  -- Niels.

5

It's funny you should bring that up. I got that e-mail a few days ago, and
figured I would do the nice thing for ebay and let them chase down someone
blatantly abusing their name and ran into the same brick wall. I finally
decided their hoops to get this information to them cost more generosity
than I felt like giving. I even went to the web page they suggested to try
and give them a copy of the msg with full headers and none of their
categories at the time matched: Good willed person trying to give you
ammunition for a company abusing your name.

I gave up, and left it as their problem if they don't want to take free
help to make their case easier. If they even had an "Other" option I could
have sent it to them.

*shrug* Their loss.

G

6

This is eBay. Decisions like that are nothing new:

<http://www.cctec.com/maillists/nanog/historical/0208/msg00275.html>

jc

7

I submitted ebay.com to rfc-ignorant.org for this RFC violation almost a
year ago (which they of course accepted):

http://www.rfc-ignorant.org/tools/detail.php?domain=ebay.com&submitted=1029353643&table=abuse

Companies like this could simply care less. If you don't run a mail
system with "customers" expecting to receive mail from ebay then I'd
recommend blocking ebay.com. That would include their subsidiary,
paypal.com, which BTW is also listed on RFCi. At the least I'd score
their mail against the RFCi RHSBLs and add a score of 1.

Justin