Date   

locked Re: Spam filter

toki
 

On 04/10/2016 17:18, David P. Dillard wrote:

Hence one new list per week per owner would be adequate as a means of really good control
The issue I see with one list per week, is when creating groups for
similar, but related things.

By way of example:
* Software-program-users: General list, for all users;
* Software-program-developers: List where developers discuss things;
* Software-program-a11y: List discussing a11y requirements, and more
importantly, solutions;
* Software-program-L10n: List discussing localazation and
internationalization issues;
* Software-program-Linux: List specifically for Linux issues/users;
* Software-program-iOS: List specifically for iPhone/iPad/iPod issues/users;
* Software-program-Windows: List specifically for Windows issues/users;
* Software-program-Android: List specifically for Android issues/users;
* Software-program-MacOS-X: List specifically for Mac OS X issues/users;
* Software-program-BSD: List specifically for BSD issues/users;

Or, for organizations:

* Organization-PR: News releases and other positive things about the
organization;
* Organization-BOD: List for the Board of Directors;
* Organization-Stakeholders: List for all stakeholders of the organization;
* Organization-Finance: List discussing the financial affairs of the
organization;
* Organization-Committee1: List for the first committee of the organization;

On the flipside, lists of that type are probably going to have a
sponsoring organization, and as such the owner would probably fall into
either _Groups.IO Premium_, or more likely _Groups.Io Enterprise_.

Maybe include "instant", on-demand list creation as _Groups.Io
Enterprise_ feature.

###

In these examples, I am ignoring HIPPA, S-Ox, and similar legislation,
where email data can't be made public.

jonathon


locked Re: Spam filter

Maria
 

And maybe a control could be added for addition of subgroups within a list in case that's a potential loophole if limits were to be placed and found to be helpful.


locked Re: Spam filter

Maria
 

Totally agree! 

Maria 


locked Re: Spam filter

David P. Dillard
 

I may stand corrected by other list owners, but a discussion group is a lot of work and serious non-spamming owners put lots of hard work into running lists. I, therefore doubt that legitimate lists are a frequent starting activity. Hence one new list per week per owner would be adequite as a means of really good control on this mass list creation activity. The fly in this ointment, however, is that these spammers are probably creating lists under multiple email identities, in which such a restriction is probably of little or no value.





Sincerely,
David Dillard
Temple University
(215) 204 - 4584
jwne@temple.edu

On Tue, 4 Oct 2016, Carol Good wrote:

On Mon, Oct 3, 2016 at 04:25 pm, Mark Fletcher wrote:

Can I firstly say I appreciate how difficult you must find this.

Regardless of ARC, I feel like something needs to be done to address what's
happening right now. The same guy is creating group after group (~50 so far
today; hundreds since this started last week) of spam lists (each using a
unique Yahoo email as owner). I don't want to host this junk and I don't
I'm probably talking out of the top of my head (or another part of my anatomy) but is there some way of restricting group creation based on IP address? It sounds as though some automation is being used if that many groups are being created in such a short space of time. A genuine group owner is highly unlikely to be setting up a) that many groups or b) groups that quickly (even if an owner wants sub-groups, I would think they would create one and go through the set-ups before moving to the next).

If the spammer is restricted to creating one group an hour (say) it would at least put a big dent in their efforts, while a genuine owner probably wouldn't have any problem waiting for an hour, particularly if there's an explanatory message.

Carol



locked Re: Spam filter

Steph Mathews <smathews@...>
 

I suggest that we use IP addresses.  Me and a friend of mine has had a bad experience with someone who joins groups with just 2 words followed by numbers and uses every email address with these 2 words till they get into a group.
 
Please note everyone I'm not trying to attack anyone, I'm just trying to help here.  Steph

Sent: Tuesday, October 04, 2016 11:36 AM
Subject: Re: [beta] Spam filter

On Mon, Oct 3, 2016 at 6:45 PM, Shal Farley <shals2nd@...> wrote:

> ... (each using a unique Yahoo email as owner).

That's intriguing. Is he using the disposable address feature to create them, and can you automatically detect the hyphenated syntax of disposable Y!mail address for blocking? They would all have the same base name, a hyphen, then a variable part.


He's not using the disposable address feature. They're just plain-jane Yahoo accounts. He clearly has access to as many Y! accounts as he wants.

He has also started joining existing groups and sending spam to those. This makes me wonder if I should set the default for new groups to be New User Moderated with an unmoderate after # of something like 2 messages. Thoughts?

Someone else suggested looking at IP addresses. Since I'm still blocking Morocco, he's been VPNing using a variety of services based in the USA.

A motivated individual... On the bright side, this exercise will definitely make us better.


Mark


locked Re: Spam filter

 

On Mon, Oct 3, 2016 at 6:45 PM, Shal Farley <shals2nd@...> wrote:

> ... (each using a unique Yahoo email as owner).

That's intriguing. Is he using the disposable address feature to create them, and can you automatically detect the hyphenated syntax of disposable Y!mail address for blocking? They would all have the same base name, a hyphen, then a variable part.


He's not using the disposable address feature. They're just plain-jane Yahoo accounts. He clearly has access to as many Y! accounts as he wants.

He has also started joining existing groups and sending spam to those. This makes me wonder if I should set the default for new groups to be New User Moderated with an unmoderate after # of something like 2 messages. Thoughts?

Someone else suggested looking at IP addresses. Since I'm still blocking Morocco, he's been VPNing using a variety of services based in the USA.

A motivated individual... On the bright side, this exercise will definitely make us better.


Mark


locked Re: Spam filter

Carol Good
 

On Mon, Oct 3, 2016 at 04:25 pm, Mark Fletcher wrote:

Can I firstly say I appreciate how difficult you must find this.

Regardless of ARC, I feel like something needs to be done to address what's
happening right now. The same guy is creating group after group (~50 so far
today; hundreds since this started last week) of spam lists (each using a
unique Yahoo email as owner). I don't want to host this junk and I don't
I'm probably talking out of the top of my head (or another part of my anatomy) but is there some way of restricting group creation based on IP address? It sounds as though some automation is being used if that many groups are being created in such a short space of time. A genuine group owner is highly unlikely to be setting up a) that many groups or b) groups that quickly (even if an owner wants sub-groups, I would think they would create one and go through the set-ups before moving to the next).

If the spammer is restricted to creating one group an hour (say) it would at least put a big dent in their efforts, while a genuine owner probably wouldn't have any problem waiting for an hour, particularly if there's an explanatory message.

Carol


locked Image preview for links in database? #suggestion

Maria
 

Is there any way for links added to a database to generate a visual preview? 

having a visual preview for a link would make for a very visually attractive database.

thank you!

Maria 


locked Re: Spam filter

Carol Good
 

On Tue, Oct 4, 2016 at 06:30 am, J_Catlady wrote:

Yahoo requires a phone number (even just to open an account), but (a) a lot of
good that evidently does (sarcasm), and (b) the spammers could just use
throwaway cell phones. So, forget phone numbers.
I've had my yahoomail for 17-odd years - Yahoo can go whistle for my phone number no matter how often they ask... :)

Facebook requires driver's licenses (or did, last time I checked) but that
presents difficulties. I don't know what they're doing now (and frankly don't
want to know - I have no interest in Facebook).
Which is just one reason why I wouldn't go near FB with a 60' bargepole...
(How, then, does a 13 yo get a FB account without a driving licence? Or indeed, anyone below 13 because despite what their T&C say, we all know it happens...)

Of course all(?) of us here would be willing to give Mark our credit card
numbers, because we know him and we know Groups.io. But would I give it out to
an unknown mailing-list service? I don't know. I can't get back to that
mindset. I probably would not give it out just to be able to open an account,
but to create a group, I think I might, if that was required.
I'm afraid that I'd be highly suspicious of an unknown service wanting my cc details. I've been online for 20-odd years but find it very easy to find that mindset :)

Carol


locked Re: Spam filter

Carol Good
 

On Tue, Oct 4, 2016 at 06:24 am, HR Tech wrote:

Hi Maria,

That's interesting feedback. Maybe you could share what you would feel OK with
in terms of verification methods? Phone #? Address verification? uploading an
ID? It might be helpful to get the perspective of someone who wouldn't be OK
with a credit card.
I signed up to Yahoo and Google before they started demanding phone numbers and they've been trying to get me to part with my phone number - for my convenience, of course - for years. They haven't succeeded yet :)

To clarify, I am not saying that it shouldn't be free (the credit card idea
doesn't have to actually charge someone - it can be used for internal
address/identity verification only)  just trying to think of ways in which
those who hope to abuse the platform can be squashed away. It seems like a
verification of some kind may be necessary?
I appreciated what you were saying; a $1 'set-up' fee (presumably some sort of charge has to be made for the cc to be verified?) rather than a charge for the groups. (Whether these would go through is another matter; I don't know about other countries but in the UK quite often £1 charges are made against accounts in order to see if the fraudsters are going to get away with using stolen card details and our institutions are quite hot on blocking them.)

I did say I don't have an answer. I recognise how difficult this is, and I also recognise that I'm being awkward in my view. While I don't quite have a tinfoil hat, I'm not far off when it comes to anything relating to my finances.

I find it difficult to know what I would consider submitting to a site in order to be able to use it. A scan of something official like a driving licence or bank statement certainly wouldn't happen (not least because not everyone has access to scanners!) and if it isn't anything official, then how good is it for verification?

The other thing which strikes me is that somehow, Mark has to find the time to look at all this verification. I assume places like FB rely on special software for these things.

Just for the record, I trust Mark and all the above comments are made in the spirit of "if I were an outsider coming new to .io".

Then again, I forgot about that time a spammer offered Mark money :) So maybe
a dual level system?
If you take the point I made above, you could find spammers using stolen cc details, so it leaves you no better off... :)

Carol


locked Re: Spam filter

toki
 

On 04/10/2016 01:45, Shal Farley wrote:

Or has he found a way around Yahoo's onerous new-account creation process?
Yahoo's process is onerous only for those that play by the rules.

jonathon


locked Re: Spam filter

 

Yahoo requires a phone number (even just to open an account), but (a) a lot of good that evidently does (sarcasm), and (b) the spammers could just use throwaway cell phones. So, forget phone numbers.

Facebook requires driver's licenses (or did, last time I checked) but that presents difficulties. I don't know what they're doing now (and frankly don't want to know - I have no interest in Facebook).

Of course all(?) of us here would be willing to give Mark our credit card numbers, because we know him and we know Groups.io. But would I give it out to an unknown mailing-list service? I don't know. I can't get back to that mindset. I probably would not give it out just to be able to open an account, but to create a group, I think I might, if that was required.

--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked Re: Spam filter

Maria
 

On Tue, Oct 4, 2016 at 01:29 am, Carol Good wrote:
I don't have an answer to the problem, but for me demanding what I consider to be highly sensitive information isn't the answer.

That's interesting feedback. Maybe you could share what you would feel OK with in terms of verification methods? Phone #? Address verification? uploading an ID? It might be helpful to get the perspective of someone who wouldn't be OK with a credit card.

It seems like so many successful services request verification of some kind, so I wonder if finding effective options to match comfort levels would be something to think about.

To clarify, I am not saying that it shouldn't be free (the credit card idea doesn't have to actually charge someone - it can be used for internal address/identity verification only)  just trying to think of ways in which those who hope to abuse the platform can be squashed away. It seems like a verification of some kind may be necessary?


Then again, I forgot about that time a spammer offered Mark money :) So maybe a dual level system?

What does Google do for their groups?

Maria


locked Re: Spam filter

Carol Good
 

On Mon, Oct 3, 2016 at 05:44 pm, HR Tech wrote:

I agree that you don't want your good name / good email reputation hurt by
abusive behavior and that that would hurt all of us group owners.
Firstly, I want to agree with this - Mark is doing excellent work.

I think that a legit group owner wouldn't have an issue putting their credit
card down for a $1 verification transaction and if anything would appreciate
(if this is explained to them) how in turn, participation in this process
gives them ultimately a better product by virtue of how it protects the
service's reputation.
But I have to disagree with this. As an insider, already signed up and as an owner of a group it sounds perfectly reasonable. As an outsider looking for somewhere to host a group, I would see that .io says it is free. To then get a request for credit card information would have me moving on immediately, no matter how valid the reason might appear.

I don't have an answer to the problem, but for me demanding what I consider to be highly sensitive information isn't the answer.

Carol


locked Re: Spam filter

 

Maria,

So legit users could see what a group feels and looks like
but be forced to go through an internal verification before
they get to actually use it and the switch gets flipped on.
The problem with this is that it would be hard to get a feel for how things work when the thing that isn't turned on is the ability to post even a single message to yourself.

I suppose a way out of that would be to post the message to the archive, but in email replace the subject and message text with an equivalent length of Lorem ipsum. One would need to strip or replace images and attachments as well. And neuter the View this Message footer link.
https://en.wikipedia.org/wiki/Lorem_ipsum

And still the spammer will find a way to circumvent it, especially if HTML is involved. So maybe you have to disable outbound messages altogether. But that's hardly a way to evaluate an email list service.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


locked Re: Spam filter

 

Mark,

Regardless of ARC, I feel like something needs to be done to address
what's happening right now. The same guy is creating group after
group ... I don't want to host this junk and I don't want it
cluttering up the directory.
I agree with you there, particularly if the group name/description on its home page is also spammy, but that's almost a separate question from a spam filter for messages.

Maybe you can adapt some of the same ideas to automatically scanning newly created or edited group descriptions, and either flagging them for attention or blocking them until approved. And yes, if the (recent) Message content of the group is spammy that too could be a factor. That could be a way to make "spam-haven" groups (unmoderated groups with absent or negligent management) disappear.

... (each using a unique Yahoo email as owner).
That's intriguing. Is he using the disposable address feature to create them, and can you automatically detect the hyphenated syntax of disposable Y!mail address for blocking? They would all have the same base name, a hyphen, then a variable part.

Or has he found a way around Yahoo's onerous new-account creation process?

And I have to believe on some level it'd hurt our email reputation if
we did host it, regardless of replay attacks.
How so? Were it not for the reply only he would receive it. Having him alone mark the messages as spam wouldn't do much.

I'm with you on the downsides of spam filters.
They can provide useful information, but it is foolhardy to trust their results too far. I think there will always need to be ways of dealing with the inevitable false positive and false negative results.

Maria's idea of requiring a credit card to start a group would
probably curtail this ...
Well, you did report having one spammer offer to pay for the privilege. So maybe not always.

... but would also probably prevent a lot of legit people from
using Groups.io.
Yup. If you need a reputation system for new group creation then you probably need a variety of ways to earn a good reputation, not only providing a credit card.

Or I could continue to require that I approve all groups before they
are allowed to post messages, with the obvious downsides of that
approach.
Yeah. That's not a lot of fun even if you could afford to hire Support staff to handle the workload.

You could try crowd-sourcing the review process, but there's some madness in that method too (finding suitable reputation measures for the reviewers, so that spammers don't just approve each other). Not to mention a fair amount of thought and effort to build the mechanism.

A maze of twisty passages....
... all alike.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


locked Re: Spam filter

Maria
 

Maybe it could be like sites that let you build websites (square space / wix, etc) and you could set up a group as a free trial but you had to go through a verification process ( internal/ only visible to groups.io -maybe even not stored once verified?) in order to actually start using the group? So legit users could see what a group feels and looks like but be forced to go through an internal verification before they get to actually use it and the switch gets flipped on.

Maria


locked Re: Spam filter

 

As long as the ID verification does not have to match the user name or email address, and is strictlh internal to Groups.io, I'd have no problem with it. But if becomes like Facebook, where real names must be verified AND used publicly, that would be a deal breaker for me and many others. 
J

Sent from my iPhone

On Oct 3, 2016, at 5:44 PM, HR Tech via Groups.io <m.conway11@...> wrote:

I don't get the ins/outs of how the spammers abuse the system, but i think the verification via credit card is an option to look more in to. Maybe there are certain red flags that would trigger a request for a credit card for verification, or a waiting period that is automatically applied if the group creator is not someone who previously has set up a group and has a good reputation? Or verification via cell phone? I'm not sure but I'd look at the way services like paypal, nextdoor, and etsy and similar verify identity.

I agree that you don't want your good name / good email reputation hurt by abusive behavior and that that would hurt all of us group owners.

I think that a legit group owner wouldn't have an issue putting their credit card down for a $1 verification transaction and if anything would appreciate (if this is explained to them) how in turn, participation in this process gives them ultimately a better product by virtue of how it protects the service's reputation.

Maria


--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked Re: Spam filter

Maria
 

I don't get the ins/outs of how the spammers abuse the system, but i think the verification via credit card is an option to look more in to. Maybe there are certain red flags that would trigger a request for a credit card for verification, or a waiting period that is automatically applied if the group creator is not someone who previously has set up a group and has a good reputation? Or verification via cell phone? I'm not sure but I'd look at the way services like paypal, nextdoor, and etsy and similar verify identity.

I agree that you don't want your good name / good email reputation hurt by abusive behavior and that that would hurt all of us group owners.

I think that a legit group owner wouldn't have an issue putting their credit card down for a $1 verification transaction and if anything would appreciate (if this is explained to them) how in turn, participation in this process gives them ultimately a better product by virtue of how it protects the service's reputation.

Maria


locked Re: Spam filter

 

On Mon, Oct 3, 2016 at 04:25 pm, Mark Fletcher wrote:
each using a unique Yahoo email as owner

Simple: don't allow people with Yahoo email addresses to create groups. (Kidding ) (half...) 
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu

18661 - 18680 of 29708