Do you obfuscate email headers when reporting spam issues to clients?

Mailman List Mirror (Read Only)
1

Because this is an issue inherent primarily with bulk mail, we remove all identifying information *except* the unsub link, which *should* have a unique identifying token embedded within, from which the sender *should* be able to determine the complainant's email address. And, if there is no such link, we use that as an opportunity to educate them as to *why* they need to include such a link (mind you, in order to be accredited with us the sender has to have already demonstrated that they comply with including an unsub link, but because many of our accreditation customers are ESPs, their customers may sometimes not be modelling 100% of best practices).

Regardless of unsub link, or anything else, if we get a spam complaint against one of our customers, we hold their feet to the fire, and require them to explain exactly how the particular list was built, how the address was acquired, etc.. Failure to do so can (and usually does) result in termination of their accreditation - in the case of an ESP, they have to take corrective measures against their spamming customer or the ESP will lose their accreditation.

Anne

Anne P. Mitchell, Esq.
Author: Section 6 of the CAN-SPAM Act of 2003
CEO/President
Institute for Social Internet Public Policy
http://www.ISIPP.com
Member, Cal. Bar Cyberspace Law Committee

How do you get to the inbox instead of the spam filter? SuretyMail!
Helping businesses keep their email out of the junk folder since 1998
http://www.isipp.com/SuretyMail

2

Because this is an issue inherent primarily with bulk mail,
we remove all identifying information *except* the unsub link,
which *should* have a unique identifying token embedded
within, from which the sender *should* be able to determine
the complainant's email address.

Hi Anne,

Judging from Landon's web page a vanishingly small percentage of his
customers are in the opt-in mailing list business. He's in the generic
hosting business, so aside from the abusers his customers will tend to
be heavy on single-recipient administrative emails rather than mailing
lists.

If you send him a complaint scrubbed in the manner you describe, he
won't have enough information to act. You'd basically be wasting both
his time and yours.

Failure to do so can (and usually does)
result in termination of their accreditation

Accreditation of what?

Regards,
Bill Herrin

3

so aside from the abusers his customers will tend to
be heavy on single-recipient administrative emails rather than mailing
lists.

Then, if they are truly one-to-one administrative emails, that's rather odd if they are generating a disproportionate number of spam complaints, dontcha think? Unless they are inserting too much marketing into to them (always dicey).

Failure to do so can (and usually does)
result in termination of their accreditation

Accreditation of what?

I'll respond more fully to this offlist, as it's OT, but the short answer is that we accredit email senders who are adhering to best practices (not unlike ReturnPath, only we're the other white meat).

Anne

Anne P. Mitchell, Esq.
Author: Section 6 of the CAN-SPAM Act of 2003
CEO/President
Institute for Social Internet Public Policy

Member, Cal. Bar Cyberspace Law Committee

How do you get to the inbox instead of the spam filter? SuretyMail!
Helping businesses keep their email out of the junk folder since 1998
http://www.isipp.com/SuretyMail

4

If you send him a complaint scrubbed in the manner you describe, he
won't have enough information to act. You'd basically be wasting both
his time and yours.

As many here know, I spent 4 years on the receiving end of the
abuse@savvisbox: when I was hired it was for multiple roles, but the
abuse@was a primary. Savvis had a significant spam problem when I
arrived, and
until just a few months before I left, had literally none.

First of all, *every* abuse email should be seriously investigated,
regardless of header obfuscation. Secondly, header obfuscation is NOT a
waste of time for abuse@ - in fact, it is only marginally less useful than
a "fully loaded" complaint. The reason is that even the smallest (or,
conversely, the most expertly organized) spammer will leave a complaint
trail. The complaints grow in importance as they grow in number: ten
complaints in the morning abuse email tells me that there is a serious
problem with the sender, even if every single header and other identifying
information is removed from the complaints. Ten complaints may not
indicate malice (although it usually does), but it does tell abuse@ to
start their resolution clock.

Any abuse department which outright rejects (or claims they are unable to
process) an obfuscated ("munged") complaint is not to be trusted - period.
The abuse department that wont respond to munging is deliberately closing
their eyes to abuse on their network. Any abuse@ that fails to immediately
act on reports of third-party beneficiaries (for example, drop boxes or
ordering websites) on their network is doing the same thing.

As a complainant, rather than the abuse@ recipient, I will always scrub my
reports *thoroughly*, by removing the significant digits of time stamps,
any unique identifiers I can find (from message-ID to unsubscribe links),
and anything else I think can possibly be used to listwash. The only
exception to this is if I am reporting to someone I know and explicitly
trust (and there are damn few of those left).

As the abuse@ guy, I would strongly encourage scrubbed reports, even
reports which prove nothing other than an email went out that was unwanted
(as opposed to unsolicited - it's not uncommon for people to make "spam
complaints" rather than unsubscribe from mailings they legitimately
subscribed to). There are a multitude of internal [& proprietary] tools at
most ISPs that can lead to the appropriate determination as to what is or
isn't spamming, but for the tools to be used, there needs to be a starting
complaint(s).

//Alif

5

Any abuse department which outright rejects (or claims they are unable to

process) an obfuscated ("munged") complaint is not to be trusted - period.

This is very credible from someone admitting to scrubbing reports, of
information required by some abuse teams to appropriately process
complaints, *NOT*. You say scrub.... Many would say: munging evidence,
so that it is no longer admissible, or usable as supporting
documentation to suspend or terminate a subscriber's service.

There are abuse departments that would ignore such reports, or reply,
requesting information before proceeding, and they have that right;
especially, if the scrubbed reports don't offer sufficient evidence,
for their particular investigation workflow to function.

As a complainant, rather than the abuse@ recipient, I will always scrub my
reports *thoroughly*, by removing the significant digits of time stamps,
any unique identifiers I can find (from message-ID to unsubscribe links),

regardless of header obfuscation. Secondly, header obfuscation is NOT a

waste of time for abuse@ - in fact, it is only marginally less useful than
a "fully loaded" complaint. The reason is that even the smallest (or,

This is an assumption, that is only true in some cases.

conversely, the most expertly organized) spammer will leave a complaint
trail. The complaints grow in importance as they grow in number: ten

Often the spammer will not leave a complaint trail; they may very well
have sent 1000 messages, that are logged with various different From:
addresses.

However, non-spammers will also often leave a "complaint trail"; to give
an example: very often, non-spammers will even forward their own mail to
another mailbox provider, e.g. Yahoo/AOL, and report duly forwarded spam
that arrives in their forwarding destination inbox, as spam originating
from the forwarding provider.

Without the recipient address; the provider doing the mail forwarding has
no idea if it is the forwarded mail, or ordinarily sent mail that is
being filed as spam.

6

Hi Anne,

In any given above-board hosting operation there are a whole lot of
things going on:

There's the small ad-hoc lists where an address is typoed and the mail
meant for Uncle George now goes to a random stranger.

There's the emails to formerly dead addresses now resurrected by new owners.

There's the folks who signed up for something and decided to
unsubscribe by reporting it as spam.

There the folks playing pranks on a friend by putting his address in a
bunch of "please contact me" web pages, causing the target to be
one-on-one solicited by a bunch of individual salesmen.

There are the server owners whose security was breached and their
happy web app is now being used to relay lots of spam.

And there's the spammer owned servers spewing out spam.

In each of these situations save the final one, obfuscating
information in the reported spam email only serves to make it
difficult or impossible to identify and stop the problem.

If you start with the assumption that the origin is a spammer until
proven otherwise it becomes a self-fulfilling prophecy -- because when
you report the obfuscated message, they can't track it down and fix
it!

Regards,
Bill Herrin

7

Howdy,

Out of curiosity, what changed a few months before you left?

Regards,
Bill Herrin