avoiding egroups spam
Mark Fletcher
>
> I understand that there is a legitimate need (especially but not only in
> Egroups's eyes) for legitimate listowners to be able to PORT their lists
> over to Egroups from another service or software package. The trick is how
> to distinguish this from spammers doing mass subscribes of victims. I have
> a few suggestions for Egroups to consider.
>
> One suggestion is that the number of LEGITIMATE wholesale list migrations to
> Egroups from elsewhere, per day, could not be very large. A customer
> service representative inspecting the transaction would probably have very
> little difficulty telling the difference between, say, Model-Rockets-L
> changing homes, versus SCHWING-XXX DIET SUPPLEMENT trying to add 9,000
> people from AOL. So you tell list owners that bulk subscribes take a day to
> process, and you vet them before saying yes. If you have any doubts you
> request further verification.
>
That is exactly how things are supposed to work right now. Bulk list
transfers are reviewed by a human before they are done. Unfortunately,
in this particular case, a list transfer was approved that should not
have been.
> Another suggestion is that Egroups should take care to "salt" the web with
> telltale marker email addresses (which are never disclosed), the appearance
> of any one of which in a bulk subscribe becomes prima facie evidence of a
> rip job.
>
That's an excellent suggestion. I will make a note of it.
> A third suggestion is that, for any given list, mass migrations are RARE.
> Therefore it would be reasonable, if a bulk subscribe passes all other
> kosherness tests, to send an OPT-IN message - containing NO material written
> by the list manager whatsoever beyond the name of the list and the manager -
> to each address in the bulk subscribe list, requesting a mailed or webbed
> confirm before their subscription takes effect. Now, THIS message could
> contain as one of the possible responses "no, and never send me one of these
> opt-ins again either." That would cover the abuse case where you find
> yourself saying no-thanks to eight opt-ins a week. Remember that any
> LEGITIMATE list owner who plans to migrate her or his list to Egroups has
> ample opportunity beforehand to tell all the members, ON THE OLD LIST, what
> is happening and what they need to do to make sure they're included in the
> move. (In fact, Egroups could provide a standard form of this announcement
> for cut+paste by list managers as part of a "Migration Kit.")
>
There have been times since we've been on-line that we've completely
disabled the ability to add people directly to lists. Our list managers
complained loudly and often. There are many legitimate reasons why a
list owner needs to directly add an email address or two at a time to a
list. The web site allows list owners to do this. In the case of moving
a list over from another service, in our experience, most list owners
will not do it if it requires the users to re-confirm their
subscriptions. So the procedure we have in place now is our attempt to
balance the need of our list owners to directly transfer a list with our
need to make sure that abuses don't happen. The list owner sends us the
list of email addresses, one of our support staff does various
verification checks to make sure the previous list as it existed outside
of our service was legit, and if it checks out, we do the bulk add.
I'd like to also point out that in normal circumstances, users have to
reply to a confirmation email before they are subscribed to any
ONElist/eGroups lists.
> I hope Egroups is still reading this. Maybe I'll Cc that apologizing person
> as well.
>
I've been on this list since before I started ONElist back in 1997(I've
been on various mailing lists since 1988). It's very important that as a
company and as a web service, we are good netizens. That's why we
monitor lists like this. That's also why we have an extensive customer
support group which tries to answer all support email within an average
of 4 hours(the eGroups side of the company is currently a bit slower in
responses, but we're working on it).
I'll be the first to admit that we've sometimes made mistakes. But they
are honest mistakes, and I think as a whole we've done a good job
helping our now 15 million users enjoy the power of group communication
through mailing lists. But we're always striving to be better.
If anyone has any questions, please feel free to email myself or Kate
Shambarger, Director of Customer Support, at ka...@corp.onelist.com.
Thanks,
Mark
Chuq Von Rospach
> I'll be the first to admit that we've sometimes made mistakes. But they
> are honest mistakes,
that's not good enough. you need to be perfect, like the rest of us,
or you shouldn't do it at all.
chuq
--
Chuq Von Rospach - Plaidworks Consulting (mailto:chu...@plaidworks.com)
Apple Mail List Gnome (mailto:ch...@apple.com)
Pokemon is a game where children go into the woods and capture furry
little creatures and then bring them home and teach them to pit fight.
Ronald F. Guilmette
In message <3876E268...@corp.onelist.com>,
Mark Fletcher <ma...@corp.onelist.com> wrote:
>That is exactly how things are supposed to work right now. Bulk list
>transfers are reviewed by a human before they are done.
What exactly does this ``review'' consist of?
Unless you folks take out a random sample of at least 10 alleged list
subscribers from the list of e-mail addresses you are given, and unless
you then go and send mail to each one, asking each person in the random
sample if they indeed signed up (opted in) for the list, then your
``review'' is worthless.
>Unfortunately,
>in this particular case, a list transfer was approved that should not
>have been.
OK. So what happened?
>...In the case of moving
>a list over from another service, in our experience, most list owners
>will not do it if it requires the users to re-confirm their
>subscriptions.
OK, I will accept that this may be the case.
But if it is, and if, as a result, you _are_ going to accept what you
call ``list transfers'', then it is clear that you need to spend some
time and effort verifing the opt-in nature of the lists in question. You
claim you _are_ doing that, but that it didn't happen in this case. OK.
Why not?
>I'll be the first to admit that we've sometimes made mistakes. But they
>are honest mistakes...
I'm willing to accept that, *if* you are willing to be a bit more forth-
coming about how this rather blatant mistake occured, and also about the
other details surrounding it.
Specifically:
1) How/why did this spam list get past your manual review process?
2) How many people got spammed as a result?
3) What, if anything, has happened to the perpetrator? Is eGroups
still hosting lists for him?
>If anyone has any questions, please feel free to email myself or Kate
>Shambarger, Director of Customer Support, at ka...@corp.onelist.com.
Just to make sure we are clear about this, although I am CC'ing her on
this message, I actually _do not_ wish to speak to anyone in your Customer
Support department for one very simple reason: I am _not_ your customer.
And to be perfectly frank, I get a little annoyed when companies who have
spammed my try to point me at their customer services departments when I
express my displeasure over being spammed. It bears repeating: I am NOT
your customer. I *do not* have a question about a product or service that
your company has provided to me at my request. I thus _do not_ wish to
quietly wait my turn in the customer support queue.
Do you have a department of corporate civic responsibility? If so, then
I think that I might like to have a brief chat with _those_ folks.
Jeremy Blackman
> > I'll be the first to admit that we've sometimes made mistakes. But they
> > are honest mistakes,
>
> that's not good enough. you need to be perfect, like the rest of us,
> or you shouldn't do it at all.
[ Sarcasm detection meter: Warning! Sarcasm detected in Chuq's post! ]
Seriously, I for one appreciate the fact that eGroups/Onelist was willing
to make that apology and explanation; I know that it is possible for
smaller-scale sysadmins to make mistakes, and the sysadmins of larger
systems are still only human... sooner or later, mistakes are bound to
happen. It is recognizing the mistakes, learning from them, and not
making them again that is what counts. As long as the folks at
eGroups/Onelist recognize this and learn from what happened, that's great.
They'll certainly be a step or three ahead of Microsoft, if they do.
Sometimes, I think Microsoft doesn't know how to admit a mistake, much
less learn from it. ;)
--
Jeremy Blackman - lo...@maison-otaku.net / lo...@listar.org / jer...@lith.com
Lithtech Team, Monolith Productions -- http://www.lith.com
Listar Developer -- http://www.listar.org
Tom Neff
> In other words, still allow the list admin to subscribe anyone, since too
> many legitimate lists use it, and in the 'you joined' notice message,
> offer not only a way to unsubscribe (since often times when they get the
> unsubscribe notice, malicious users of those systems will simply
> resubscribe you) but a way to say 'regardless of what the list admin says,
> I want off this list permanently'.
Unfortunately this probably won't work.
Spammers will not be inconvenienced by it in the least, since they can
continue to paste thousands of addresses in the mass-subscribe hole and add
people to the FREE MONEY NOW list -- immediately followed by the inaugural
FREE MONEY message itself of course -- secure in the knowledge that only a
fraction of the victims will bother to remove themselves... and that anyone
who does has just verified a "GOLD!" email address in the process. (The
classic Opt-Out Fallacy in action)
Legitimate list owners are probably already providing their legitimate
members with enough info on removing themselves as it is, without extra help
from the Half-Measures Dept.
I understand that there is a legitimate need (especially but not only in
Egroups's eyes) for legitimate listowners to be able to PORT their lists
over to Egroups from another service or software package. The trick is how
to distinguish this from spammers doing mass subscribes of victims. I have
a few suggestions for Egroups to consider.
One suggestion is that the number of LEGITIMATE wholesale list migrations to
Egroups from elsewhere, per day, could not be very large. A customer
service representative inspecting the transaction would probably have very
little difficulty telling the difference between, say, Model-Rockets-L
changing homes, versus SCHWING-XXX DIET SUPPLEMENT trying to add 9,000
people from AOL. So you tell list owners that bulk subscribes take a day to
process, and you vet them before saying yes. If you have any doubts you
request further verification.
Another suggestion is that Egroups should take care to "salt" the web with
telltale marker email addresses (which are never disclosed), the appearance
of any one of which in a bulk subscribe becomes prima facie evidence of a
rip job.
A third suggestion is that, for any given list, mass migrations are RARE.
Therefore it would be reasonable, if a bulk subscribe passes all other
kosherness tests, to send an OPT-IN message - containing NO material written
by the list manager whatsoever beyond the name of the list and the manager -
to each address in the bulk subscribe list, requesting a mailed or webbed
confirm before their subscription takes effect. Now, THIS message could
contain as one of the possible responses "no, and never send me one of these
opt-ins again either." That would cover the abuse case where you find
yourself saying no-thanks to eight opt-ins a week. Remember that any
LEGITIMATE list owner who plans to migrate her or his list to Egroups has
ample opportunity beforehand to tell all the members, ON THE OLD LIST, what
is happening and what they need to do to make sure they're included in the
move. (In fact, Egroups could provide a standard form of this announcement
for cut+paste by list managers as part of a "Migration Kit.")
I hope Egroups is still reading this. Maybe I'll Cc that apologizing person
as well.
--
Tom Neff