locked Spam filter


 

Hi All,

Based on the recent spammer incident and some conversations about some evolving email standards, it's clear that I need to implement a spam filter sooner rather than later. I am unfamiliar with how Y! Group's spam filter interacts with groups; can someone clue me in? And are there any issues with their implementation (the spam filter went in after the acquisition/after I left)?

Thanks,
Mark


 

Mark,

I am unfamiliar with how Y! Group's spam filter interacts with
groups; can someone clue me in?
I think a lot of people would say "What spam filter?" -- it has been a long time since I've noticed it catch anything. Others have reported that it catches only false positives, and misses actual spam.

But I think the more accurate statement is that for the last several years most (all?) spam is being caught (rejected or dropped) during the server transaction or at any rate well ahead of the forlorn content filter of Y!Groups itself. And I suspect that forlorn content filter has had very little attention over the course of time. It may be little more than a Bayesian discriminator, if even that sophisticated.

Effectiveness aside, the UI for it is similar to what one would expect in an email UI: each group has a Spam folder (or Pending Spam list) and messages diverted there can be examined by moderators with the primary options to "approve" or "delete". That's one difference versus a typical email UI: the approve choice posts the message; it doesn't merely move the message from the spam list to the pending list.
I think the other pending list operations (reject with reply to sender and edit) are also available.

The other side of the coin is in the regular Pending Message list, where the moderator has the option to "Delete as spam". That's also a little different than a normal email UI because it immediately deletes the message, not just move it to the Spam list.

During the 2013 "neo" redesign I railed at them to better coordinate the Pending Message UI and the Pending Spam UI. And neither of those had much in common with the UI for the message archive itself. Instead it was as if they handed loose descriptions of "messages in a list" to distinct teams - the list and message viewing controls are weirdly and confusingly different. That may have gotten better over time, but the paucity of messages in the Spam list means I haven't seen much of that UI in long time.

Moderators have a notification checkbox for whether they wish to be notified of Pending Spam.

There is (or was) separately some kind of filtering on messages sent to the -owner address. That filter had no UI at all: no way to know what false positives had been lost nor to inform the filter of false negatives. As with the primary spam filter, I've not seen any evidence that it is still in operation in quite some time.

Shal


On 9/30/2016 8:54 PM, Mark Fletcher wrote:
Hi All,

Based on the recent spammer incident and some conversations about some
evolving email standards, it's clear that I need to implement a spam
filter sooner rather than later. I am unfamiliar with how Y! Group's
spam filter interacts with groups; can someone clue me in? And are there
any issues with their implementation (the spam filter went in after the
acquisition/after I left)?

Thanks,
Mark
--
Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


 

On Fri, Sep 30, 2016 at 10:23 pm, Shal Farley wrote:
it has been a long time since I've noticed it catch anything. Others have reported that it catches only false positives, and misses actual spam.

Shal, thanks for providing my giggles for the evening. Still literally laughing out loud over this. :-) 
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


 

On Fri, Sep 30, 2016 at 10:23 PM, Shal Farley <shals2nd@...> wrote:

Effectiveness aside, the UI for it is similar to what one would expect in an email UI: each group has a Spam folder (or Pending Spam list) and messages diverted there can be examined by moderators with the primary options to "approve" or "delete". That's one difference versus a typical email UI: the approve choice posts the message; it doesn't merely move the message from the spam list to the pending list.
I think the other pending list operations (reject with reply to sender and edit) are also available.

 
Thanks for the overview. I'm not sure what we should do for Groups.io. I think that we need to try to prevent the opportunity for the replay attacks we've been having this past week. That is, I think it's probably more important than I've thought for the emails that Groups.io sends out to not be spam, even with groups being opt-in and people wanting to receive the messages. That means preventing the scenario where one person creates a group and then sends a spam message to that group (which only contains himself). That implies not allowing moderators the opportunity to approve messages that have been marked as spam (like what Y! Groups apparently used to let people do).

Right now I'm preventing all this by having to approve all new groups before they can post messages. But there are downsides to that approach.

Thoughts/ideas appreciated.

Thanks,
Mark


 

Mark,

I think that we need to try to prevent the opportunity for the replay
attacks we've been having this past week. That is, I think it's
probably more important than I've thought for the emails that
Groups.io sends out to not be spam, even with groups being opt-in and
people wanting to receive the messages.
I thought the advice on the ARC list was to let the receiving services deal with distinguishing the replays from the real. I'm not so sure it is yet worth panicking over one receiving service making a dumb error.

Unless there are more now, but even so - if this type of attack is becoming more common (with other lists, not just with Groups.io) the email services will be motivated to figure it out. There are certainly many clues in what the replay scammer is doing, starting with the fact that his envelope From is different than yours and hence not aligned with the Return-Path field nor with the DKIM d parameter.

That means preventing the scenario where one person creates a group
and then sends a spam message to that group (which only contains
himself). That implies not allowing moderators the opportunity to
approve messages that have been marked as spam (like what Y! Groups
apparently used to let people do).
I'm concerned this will lead you down a dark path.

The essence of the problem is that spam remains "in the eye of the beholder", despite everyone's belief that they know it when they see it. I have very little faith that a content filter can be devised which will reliably distinguish a message destined for replay from those used legitimately by groups of broad interests.

My understanding is that the more successful email services mix a lot of behavioral measurements in with the content discriminator. That may be a way to mitigate the harm this path might do. Such extrinsic factors as the age and size of the group, the age of the group moderator's account, etc. might be used to discriminate whether a message marked as spam is allowed to be approved or not.

Right now I'm preventing all this by having to approve all new groups
before they can post messages. But there are downsides to that
approach.
Yeah, doesn't scale is just the beginning. Circumvention will no doubt crop up one way or another.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


Linda
 

Hi Mark, you wrote:
"That implies not allowing moderators the opportunity to approve messages that have been marked as spam (like what Y! Groups apparently used to let people do)."

But that assumes that your spam filter will never make a mistake...

FYI: I still haven't figured out how to ensure that Gmail and Windows Live Mail never put mail from my own, moderated groups into the Spam/Junk folder. I'd welcome ideas for a solution.

Thanks,
Linda


Maria
 

On Mon, Oct 3, 2016 at 05:38 am, Linda wrote:
FYI: I still haven't figured out how to ensure that Gmail and Windows Live Mail never put mail from my own, moderated groups into the Spam/Junk folder. I'd welcome ideas for a solution.

Is this happening a lot? I think that if you ask GMAIL to remember to not put groups.io stuff in to the spam/promo/social folder that it remembers that behavior? Are you not seeing that?

Are others getting complaints from members re: group emails going to spam? The groups I am subscribed to on groups.io are usually in my inbox just fine.


Maria


 

On Sun, Oct 2, 2016 at 11:49 PM, Shal Farley <shals2nd@...> wrote:

I thought the advice on the ARC list was to let the receiving services deal with distinguishing the replays from the real. I'm not so sure it is yet worth panicking over one receiving service making a dumb error.


Regardless of ARC, I feel like something needs to be done to address what's happening right now. The same guy is creating group after group (~50 so far today; hundreds since this started last week) of spam lists (each using a unique Yahoo email as owner). I don't want to host this junk and I don't want it cluttering up the directory. And I have to believe on some level it'd hurt our email reputation if we did host it, regardless of replay attacks.

I'm with you on the downsides of spam filters. Maria's idea of requiring a credit card to start a group would probably curtail this (with exceptions for people moving their existing groups from other services), but would also probably prevent a lot of legit people from using Groups.io. Or I could continue to require that I approve all groups before they are allowed to post messages, with the obvious downsides of that approach. I'm open to suggestions. 

A maze of twisty passages....

Thanks,
Mark


 

On Mon, Oct 3, 2016 at 04:25 pm, Mark Fletcher wrote:
each using a unique Yahoo email as owner

Simple: don't allow people with Yahoo email addresses to create groups. (Kidding ) (half...) 
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


Maria
 

I don't get the ins/outs of how the spammers abuse the system, but i think the verification via credit card is an option to look more in to. Maybe there are certain red flags that would trigger a request for a credit card for verification, or a waiting period that is automatically applied if the group creator is not someone who previously has set up a group and has a good reputation? Or verification via cell phone? I'm not sure but I'd look at the way services like paypal, nextdoor, and etsy and similar verify identity.

I agree that you don't want your good name / good email reputation hurt by abusive behavior and that that would hurt all of us group owners.

I think that a legit group owner wouldn't have an issue putting their credit card down for a $1 verification transaction and if anything would appreciate (if this is explained to them) how in turn, participation in this process gives them ultimately a better product by virtue of how it protects the service's reputation.

Maria


 

As long as the ID verification does not have to match the user name or email address, and is strictlh internal to Groups.io, I'd have no problem with it. But if becomes like Facebook, where real names must be verified AND used publicly, that would be a deal breaker for me and many others. 
J

Sent from my iPhone

On Oct 3, 2016, at 5:44 PM, HR Tech via Groups.io <m.conway11@...> wrote:

I don't get the ins/outs of how the spammers abuse the system, but i think the verification via credit card is an option to look more in to. Maybe there are certain red flags that would trigger a request for a credit card for verification, or a waiting period that is automatically applied if the group creator is not someone who previously has set up a group and has a good reputation? Or verification via cell phone? I'm not sure but I'd look at the way services like paypal, nextdoor, and etsy and similar verify identity.

I agree that you don't want your good name / good email reputation hurt by abusive behavior and that that would hurt all of us group owners.

I think that a legit group owner wouldn't have an issue putting their credit card down for a $1 verification transaction and if anything would appreciate (if this is explained to them) how in turn, participation in this process gives them ultimately a better product by virtue of how it protects the service's reputation.

Maria


--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


Maria
 

Maybe it could be like sites that let you build websites (square space / wix, etc) and you could set up a group as a free trial but you had to go through a verification process ( internal/ only visible to groups.io -maybe even not stored once verified?) in order to actually start using the group? So legit users could see what a group feels and looks like but be forced to go through an internal verification before they get to actually use it and the switch gets flipped on.

Maria


 

Mark,

Regardless of ARC, I feel like something needs to be done to address
what's happening right now. The same guy is creating group after
group ... I don't want to host this junk and I don't want it
cluttering up the directory.
I agree with you there, particularly if the group name/description on its home page is also spammy, but that's almost a separate question from a spam filter for messages.

Maybe you can adapt some of the same ideas to automatically scanning newly created or edited group descriptions, and either flagging them for attention or blocking them until approved. And yes, if the (recent) Message content of the group is spammy that too could be a factor. That could be a way to make "spam-haven" groups (unmoderated groups with absent or negligent management) disappear.

... (each using a unique Yahoo email as owner).
That's intriguing. Is he using the disposable address feature to create them, and can you automatically detect the hyphenated syntax of disposable Y!mail address for blocking? They would all have the same base name, a hyphen, then a variable part.

Or has he found a way around Yahoo's onerous new-account creation process?

And I have to believe on some level it'd hurt our email reputation if
we did host it, regardless of replay attacks.
How so? Were it not for the reply only he would receive it. Having him alone mark the messages as spam wouldn't do much.

I'm with you on the downsides of spam filters.
They can provide useful information, but it is foolhardy to trust their results too far. I think there will always need to be ways of dealing with the inevitable false positive and false negative results.

Maria's idea of requiring a credit card to start a group would
probably curtail this ...
Well, you did report having one spammer offer to pay for the privilege. So maybe not always.

... but would also probably prevent a lot of legit people from
using Groups.io.
Yup. If you need a reputation system for new group creation then you probably need a variety of ways to earn a good reputation, not only providing a credit card.

Or I could continue to require that I approve all groups before they
are allowed to post messages, with the obvious downsides of that
approach.
Yeah. That's not a lot of fun even if you could afford to hire Support staff to handle the workload.

You could try crowd-sourcing the review process, but there's some madness in that method too (finding suitable reputation measures for the reviewers, so that spammers don't just approve each other). Not to mention a fair amount of thought and effort to build the mechanism.

A maze of twisty passages....
... all alike.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


 

Maria,

So legit users could see what a group feels and looks like
but be forced to go through an internal verification before
they get to actually use it and the switch gets flipped on.
The problem with this is that it would be hard to get a feel for how things work when the thing that isn't turned on is the ability to post even a single message to yourself.

I suppose a way out of that would be to post the message to the archive, but in email replace the subject and message text with an equivalent length of Lorem ipsum. One would need to strip or replace images and attachments as well. And neuter the View this Message footer link.
https://en.wikipedia.org/wiki/Lorem_ipsum

And still the spammer will find a way to circumvent it, especially if HTML is involved. So maybe you have to disable outbound messages altogether. But that's hardly a way to evaluate an email list service.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


Carol Good
 

On Mon, Oct 3, 2016 at 05:44 pm, HR Tech wrote:

I agree that you don't want your good name / good email reputation hurt by
abusive behavior and that that would hurt all of us group owners.
Firstly, I want to agree with this - Mark is doing excellent work.

I think that a legit group owner wouldn't have an issue putting their credit
card down for a $1 verification transaction and if anything would appreciate
(if this is explained to them) how in turn, participation in this process
gives them ultimately a better product by virtue of how it protects the
service's reputation.
But I have to disagree with this. As an insider, already signed up and as an owner of a group it sounds perfectly reasonable. As an outsider looking for somewhere to host a group, I would see that .io says it is free. To then get a request for credit card information would have me moving on immediately, no matter how valid the reason might appear.

I don't have an answer to the problem, but for me demanding what I consider to be highly sensitive information isn't the answer.

Carol


Maria
 

On Tue, Oct 4, 2016 at 01:29 am, Carol Good wrote:
I don't have an answer to the problem, but for me demanding what I consider to be highly sensitive information isn't the answer.

That's interesting feedback. Maybe you could share what you would feel OK with in terms of verification methods? Phone #? Address verification? uploading an ID? It might be helpful to get the perspective of someone who wouldn't be OK with a credit card.

It seems like so many successful services request verification of some kind, so I wonder if finding effective options to match comfort levels would be something to think about.

To clarify, I am not saying that it shouldn't be free (the credit card idea doesn't have to actually charge someone - it can be used for internal address/identity verification only)  just trying to think of ways in which those who hope to abuse the platform can be squashed away. It seems like a verification of some kind may be necessary?


Then again, I forgot about that time a spammer offered Mark money :) So maybe a dual level system?

What does Google do for their groups?

Maria


 

Yahoo requires a phone number (even just to open an account), but (a) a lot of good that evidently does (sarcasm), and (b) the spammers could just use throwaway cell phones. So, forget phone numbers.

Facebook requires driver's licenses (or did, last time I checked) but that presents difficulties. I don't know what they're doing now (and frankly don't want to know - I have no interest in Facebook).

Of course all(?) of us here would be willing to give Mark our credit card numbers, because we know him and we know Groups.io. But would I give it out to an unknown mailing-list service? I don't know. I can't get back to that mindset. I probably would not give it out just to be able to open an account, but to create a group, I think I might, if that was required.

--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


toki
 

On 04/10/2016 01:45, Shal Farley wrote:

Or has he found a way around Yahoo's onerous new-account creation process?
Yahoo's process is onerous only for those that play by the rules.

jonathon


Carol Good
 

On Tue, Oct 4, 2016 at 06:24 am, HR Tech wrote:

Hi Maria,

That's interesting feedback. Maybe you could share what you would feel OK with
in terms of verification methods? Phone #? Address verification? uploading an
ID? It might be helpful to get the perspective of someone who wouldn't be OK
with a credit card.
I signed up to Yahoo and Google before they started demanding phone numbers and they've been trying to get me to part with my phone number - for my convenience, of course - for years. They haven't succeeded yet :)

To clarify, I am not saying that it shouldn't be free (the credit card idea
doesn't have to actually charge someone - it can be used for internal
address/identity verification only)  just trying to think of ways in which
those who hope to abuse the platform can be squashed away. It seems like a
verification of some kind may be necessary?
I appreciated what you were saying; a $1 'set-up' fee (presumably some sort of charge has to be made for the cc to be verified?) rather than a charge for the groups. (Whether these would go through is another matter; I don't know about other countries but in the UK quite often £1 charges are made against accounts in order to see if the fraudsters are going to get away with using stolen card details and our institutions are quite hot on blocking them.)

I did say I don't have an answer. I recognise how difficult this is, and I also recognise that I'm being awkward in my view. While I don't quite have a tinfoil hat, I'm not far off when it comes to anything relating to my finances.

I find it difficult to know what I would consider submitting to a site in order to be able to use it. A scan of something official like a driving licence or bank statement certainly wouldn't happen (not least because not everyone has access to scanners!) and if it isn't anything official, then how good is it for verification?

The other thing which strikes me is that somehow, Mark has to find the time to look at all this verification. I assume places like FB rely on special software for these things.

Just for the record, I trust Mark and all the above comments are made in the spirit of "if I were an outsider coming new to .io".

Then again, I forgot about that time a spammer offered Mark money :) So maybe
a dual level system?
If you take the point I made above, you could find spammers using stolen cc details, so it leaves you no better off... :)

Carol


Carol Good
 

On Tue, Oct 4, 2016 at 06:30 am, J_Catlady wrote:

Yahoo requires a phone number (even just to open an account), but (a) a lot of
good that evidently does (sarcasm), and (b) the spammers could just use
throwaway cell phones. So, forget phone numbers.
I've had my yahoomail for 17-odd years - Yahoo can go whistle for my phone number no matter how often they ask... :)

Facebook requires driver's licenses (or did, last time I checked) but that
presents difficulties. I don't know what they're doing now (and frankly don't
want to know - I have no interest in Facebook).
Which is just one reason why I wouldn't go near FB with a 60' bargepole...
(How, then, does a 13 yo get a FB account without a driving licence? Or indeed, anyone below 13 because despite what their T&C say, we all know it happens...)

Of course all(?) of us here would be willing to give Mark our credit card
numbers, because we know him and we know Groups.io. But would I give it out to
an unknown mailing-list service? I don't know. I can't get back to that
mindset. I probably would not give it out just to be able to open an account,
but to create a group, I think I might, if that was required.
I'm afraid that I'd be highly suspicious of an unknown service wanting my cc details. I've been online for 20-odd years but find it very easy to find that mindset :)

Carol