[Asrg] FeedBack loops

Rich Kulawiec rsk at gsp.org
Thu Nov 13 08:12:00 PST 2008

On Wed, Nov 12, 2008 at 11:00:31AM -0700, J.D. Falk wrote:
> That just means you aren't sending what you'd consider to be spam.

What I would "consider" it or what anyone else would "consider" it
is unimportant and irrelevant.  What's important is reality: what is it?

In this case, it's all ordinary mailing list traffic from other members of
those same mailing lists.  That is: none of it actually is spam, therefore
it is obviously an error for anyone to report it as such.  (And yes,
of course it's all COI, and yes, of course I have all those records
in hand for every subscriber, and yes, RFC 2369 headers are present,
and yes, every message footer provides an unsubscription pointer, and
so on.  As some of you know, this is not my first day on the job.)

I have considerably more analysis to do, but it appears to me at this
time that the AOL "report as spam" button has been used exclusively:

	- in error
	- as a substitute for unsubscribing
	- as a means of expressing disagreement with message content
	- as a means of expressing antipathy toward message sender

I plan to extend this analysis to other feedback loops, but I'll be
somewhat surprised if users elsewhere behave differently.

But the bottom line seems obvious to me: end users, the same people
who fall for phishes by the millions, the same people who forward around
chain letters spouting long-debunked rumors, the same people who will
click on anything shiny, the same people who will download and run
almost anything, the same people who will surrender their passwords quite
easily, the same people who will drop in CDs or plug in USB sticks
given away in parking lots, and so on, are NOT the people that anyone
should be giving a "spam/not-spam" button to.

Marcus Ranum got to the same place a long time ago, in

	The Six Dumbest Ideas in Computer Security

which says in the entry listing "Educating Users" as one of those
six dumb ideas:

	On the surface of things, the idea of "Educating Users" seems
	less than dumb: education is always good. On the other hand,
	like "Penetrate and Patch" if it was going to work, it would have
	worked by now. There have been numerous interesting studies that
	indicate that a significant percentage of users will trade their
	password for a candy bar, and the Anna Kournikova worm showed us
	that nearly 1/2 of humanity will click on anything purporting
	to contain nude pictures of semi-famous females.
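The post's point that the list traffic is "obviously" not spam rests on the signals it lists: RFC 2369 headers on every message and an unsubscription pointer in every footer. As an added illustration (not part of the original post, and not the author's own tooling), the script below audits an outbound list message for exactly those signals: it parses the RFC 2369 `List-*` fields, extracts their angle-bracketed URLs, checks that `List-Unsubscribe` offers a `mailto:` target, and looks for an unsubscribe pointer in the last lines of the body. The two sample messages are constructed; the domain `list.example.test` is a placeholder.

```python
"""Audit an outbound mailing-list message for RFC 2369 list-management
headers and a footer unsubscription pointer.  Added example; the sample
messages below are constructed, not real list traffic."""
import re
from email import message_from_string

# Header fields defined by RFC 2369 (section 3).
RFC2369_FIELDS = (
    "List-Help", "List-Unsubscribe", "List-Subscribe",
    "List-Post", "List-Owner", "List-Archive",
)
# The two fields a subscriber most needs in order to leave the list cleanly.
REQUIRED_FIELDS = ("List-Unsubscribe", "List-Help")

# RFC 2369 field values are comma-separated <url> tokens; text outside the
# angle brackets is comment and is ignored.
ANGLE_URL = re.compile(r"<([^<>\s]+)>")


def parse_list_header(value):
    """Return the URLs carried by one RFC 2369 field value."""
    return ANGLE_URL.findall(value)


def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def footer_has_unsubscribe_pointer(body, tail_lines=5):
    """True when the last few body lines mention unsubscribing and carry
    a URL or an e-mail address a reader could act on."""
    tail = "\n".join(body.rstrip().splitlines()[-tail_lines:]).lower()
    has_target = re.search(r"https?://\S+|mailto:\S+|\S+@\S+", tail)
    return "unsubscribe" in tail and bool(has_target)


def audit_message(raw):
    """Return a report: RFC 2369 fields present (with their URLs), required
    fields missing, whether List-Unsubscribe has a mailto: target, whether the
    footer pointer exists, and an overall ok flag."""
    msg = message_from_string(raw)
    present = {}
    for field in RFC2369_FIELDS:
        value = msg.get(field)
        if value is not None:
            present[field] = parse_list_header(value)
    missing = [f for f in REQUIRED_FIELDS if f not in present]
    schemes = {u.split(":", 1)[0].lower()
               for u in present.get("List-Unsubscribe", [])}
    report = {
        "present": present,
        "missing_required": missing,
        "unsubscribe_mailto": "mailto" in schemes,
        "footer_pointer": footer_has_unsubscribe_pointer(text_body(msg)),
    }
    report["ok"] = not missing and report["footer_pointer"]
    return report


# Constructed sample: a list message carrying the signals the post describes.
GOOD = """\
From: alice@list.example.test
To: members@list.example.test
Subject: [members] agenda for Thursday
List-Help: <mailto:members-request@list.example.test?subject=help>
List-Unsubscribe: <https://list.example.test/unsub/members>, <mailto:members-request@list.example.test?subject=unsubscribe>
List-Post: <mailto:members@list.example.test>
Content-Type: text/plain; charset=utf-8

See you all Thursday.

--
members mailing list
To unsubscribe: https://list.example.test/unsub/members
"""

# Constructed sample: same text with the list headers and footer stripped.
BAD = """\
From: alice@list.example.test
To: members@list.example.test
Subject: agenda for Thursday
Content-Type: text/plain; charset=utf-8

See you all Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, audit_message(raw))
```

Run over a list's outbound queue, a report with `ok` false on any message is the kind of thing worth catching before a feedback-loop complaint does; the check is deliberately strict about `List-Unsubscribe` and `List-Help` and only informational about the other four RFC 2369 fields.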
