Secure email service builds newsletter bomb defences after attack pummels their inbox

Secure email service Tutanota has built defences against newsletter bombs after becoming a victim itself. The measures are designed to protect users' inboxes against denial-of-service attacks, which involve signing up targeted email addresses to hundreds or perhaps even thousands of newsletters, essentially rendering those …

  1. Peter2 Silver badge

    In response, they developed a semi-automated whitelisting approach designed to send newsletter sign-up mails to the spam folder

    Still easier is simply arbitrarily classifying any email with the word "unsubscribe" as spam and making the users aware that if they sign up to something then they should check their quarantine folder and whitelist addresses as appropriate.

    1. Just Enough

      Unsubscribe

      This sounds pretty much like what their "semi-automated whitelisting approach" probably is

      But it rather supposes that these email lists have, and mention, an unsubscribe option. There are a lot that don't. And of course, if they don't do this, they certainly don't verify email addresses before subscribing.

  2. Your alien overlord - fear me

    Only 500,000 spam a week. Luxury !!!!

    What they and other anti-spammer systems should do is blacklist these newsletter domains until they get their act together - like asking for email confirmation etc.

    1. Cuddles

      "Only 500,000 spam a week. Luxury !!!!"

      That was my first thought, but it is actually a slightly different problem. This is exactly why Gmail already separates mail into "Primary", "Social", "Promotions" and spam. Spam is things no-one actually wants or deliberately signs up to and just gets binned as usual. But the promotions and social folders were a response to all these mailing lists and other things that people have signed up to and don't just want blocked and binned, but also don't want flooding their inbox and making it hard to find regular emails.

      Forcing sites to require email confirmation might seem to get to the root of the problem better, but it actually does a worse job of removing the problem entirely - a flood of confirmation emails would be just as annoying in the short term even if the newsletters themselves never get sent. Copying Google's approach of filtering them all out is much better from the end user's point of view, especially for this sort of secure email service which probably isn't going to be signing up for any mailing lists on purpose.

      1. frank ly

        "... and other things that people have signed up to and don't just want blocked and binned, but also don't want flooding their inbox and making it hard to find regular emails."

        That's what your 'crapmail' account is for. Don't people know they can have more than one email account (and more than one crapmail account)?

    2. Anonymous Coward

      "like asking for email confirmation"

      Doesn't that just mean they would have got 500,000 "please confirm your e-mail address" messages rather than 500,000 "welcome" messages (which often include a "click here" to confirm)?

      1. VinceH

        Re: "like asking for email confirmation"

        "Doesn't that just mean they would have got 500,000 "please confirm your e-mail address" messages rather than 500,000 "welcome" messages (which often include a "click here" to confirm)?"

        Not necessarily - it depends on the frequency with which the list emails for any given list are sent out.

        The 500,000 figure is given as within a week - so if that was 500,000 lists that send messages out weekly, it would have been 500,000 confirmation emails if all those lists did that. However, if these are daily lists, then the number of confirmations would be 1/7 of that if they all sent confirmations. That's a lot less.

        The true number would probably lie somewhere between the two, because it'll be lists of varying frequency.

        Sort of related but unrelated. I started getting 'newsletters' from target.com - of whom I have never been a customer. That's a newsletter subscription that didn't require confirmation, right there.

        They had an unsubscribe link, but I'm a stubborn old git and feel that if I don't subscribe, I should not be expected to unsubscribe. Instead I decided to repay my annoyance - I did a little digging, found a bunch of addresses for Target execs, and told my mail server to forward any emails from Target.com to these addresses.

        I commented to that effect (including a suitable @mention) on Twitter, and got a reply from them saying that if I DM'd them my email address, they'd sort it. I didn't - instead I replied expressing my "repay my annoyance" sentiment.

        I was getting those emails at least once a day when I did that. I haven't had a single one since - so none have even been forwarded to those exec addresses.

        Guess: They searched for my name and removed me that way.

    3. Alan Brown Silver badge

      Blacklisting

      Spamhaus and various other DNSBLs _DO_ blacklist non-confirmed mailing lists.

      I foresee much gnashing of teeth over the next few days on the part of the marketroids.

    4. Tom Paine

      There are far too many to keep track of.

      I worked at a spam filtering place a while back; newsletter "spam" was a major problem, because our customers' end users would frequently report newsletters that they'd actually signed up to as spam. For obvious reasons the newsletter purveyors would be unimpressed to be blacklisted, whether by a single service provider or by lots of RBLs.

      A solution was eventually decided on, but it's filed in the same place as the solution to the problem of the Lintilla clones.

  3. jMcPhee

    Stupid Game

    It seems like every third site has a "sign up for our email" pimp screen (unless js is turned off). Now the email providers have to figure out how to evade bogus subscription requests. It's an idiot's race to the bottom.

    It would be easy enough to blacklist known bulkmailers. Or charge a premium for doing so.

  4. Captain Scarlet

    Protection of forms

    Always a joy to point those out to marketing departments, normal excuse is it means they would get less signups (I wonder why) or ruins the look of the webpage.

  5. Anonymous Coward

    Use an alias.

    If you run your own email server then this is simple, otherwise check whether your email provider allows aliases.

    For example, instead of merely $FirstName.$LastName(at)Domain.com, create an alias of $FN.$LN.$SiteName(at)Domain.com so that you know *exactly* where you used that alias. Now, if you get spam to that alias you know *EXACTLY* who leaked/sold/spaffed it to the spammers. You can then either delete that alias (so your provider no longer accepts email to it), or write an email rule to auto-flush/forward said alias. It's rather satisfying to auto forward the alias to the site that spaffed it, addressed to their CxO's, CC'd to their HR/Legal/Marketing departments, along with a note as to why they can continue to enjoy the sudden flood of spam. YOU never see that alias again, THEY get to deal with the spam.

    You can then go hit the site that screwed you over, remove any/all of your PII (assuming you gave them any), try to kill the account, & then wash your hands of them. Your account now claims you're a 98 year old, underage, single, divorced, childless, 158 kids, zero income, $1M+ per year, turtle humping, lawn mower snogging, beer snorting, coke drinking, $PoliticalParty voting, inbred, sister marrying, $DenominationChurch going, transgendered lesbian hermaphrodite from London named DonaldMulla TrumpMohommed or something equally as bogus. Screw up their data, fuck with their heads, & auto-perma-delete anything to the email alias you used with them.

    I've done it here, my bank, & everywhere else that I've had to register an email address at. That way I have *proof* that spam to any alias HAD to come from $AliasedSite & not anywhere else, since the *only* place that alias ever got used was at that *one site*. Their legal department can't wriggle out of the proof staring them in the face when I show them the FN.LN.$URL email address that suddenly starts getting flooded with spam. "Sorry but the ONLY place that email address got used was with *you*. You HAVE to be the source of that address, it doesn't exist anywhere else but in *YOUR* servers. So have fun dealing with the spam it gets, & delete my account before I decide to press charges. Have a nice day!"

    *Gleeful rude gesture*

    Alias. Use them. Everywhere.

  6. John Smith 19 Gold badge

    Seems like email signup should confirm they are dealing with a human, not a bot.

    Because what's the point of sending a newsletter to somewhere that was signed up by a bot?

  7. Alan Brown Silver badge

    25 years on

    and listbombing is STILL a thing?

    sheesh!
