Subscription bombing and abuse prevention

A few weeks ago ProPublica was the victim of a subscription bomb attack. Julia Angwin found my blog post on the subject and contacted me to talk about the post. We spent an hour or so on the phone and I shared some of the information we had on the problem. Julie told me she was interested in investigating this further problem further. Today, ProPublica published Cheap Tricks: the Low Cost of Internet Harassment.
For those of us deeply involved in the issue, there isn’t too much that comes as a surprise in that article. But it’s a good introduction to folks who may not be aware of the existence of subscription bombing.

Julia does mention something I have been thinking about: abuse and anonymity online. Can we continue to have anonymous or  pseudonymous identities on the Internet? Should we?
One of the challenges a lot of companies are struggling with is that anonymity can protect oppressors as well as their targets. How do we support “good” anonymity without enabling “bad” anonymity? I’ve always thought anonymity was an overall good and the fact that it’s abused sometimes didn’t mean it should be taken away. Banning anonymity online might seem to fix the problem of abuse, except it really doesn’t and it comes with its own set of problems.
Let’s be honest, these are hard questions and ones that do need to be addressed. A lot of the tools abuse and security desks currently have rely on volume of complaints. This can result in the targets getting shut down due to false complaints while the perpetrators keep their accounts open. It means subscription bombs can target a few individuals and occur undetected for months.
Big companies in Silicon Valley love to rely on their algorithms and machine learning and AI and code to automate things. But the automation only works after you create working processes. Throwing code at the problem doesn’t work unless you have a picture of the scope of the problem. And a reliance on code ends up with Facebook asking people to upload nudes of themselves to prevent nudes on Facebook. Likewise, throwing cheap labor at the problem isn’t a solution, either.
I don’t have the answers, I don’t think anyone does. But we need to think harder about these problems and address them sooner rather than later. The internet is too important to let abusers break it.

Related Posts

Truth of Consequences

“If you want to use another means that violates the law, and every common definition of “spam”, then by all means, go ahead. You can enjoy fines and being added to the ROKSO database,” says a comment on my recent COI blog post. It’s both disconcerting and entirely predictable.

My post was a discussion of what to do with addresses that don’t confirm. Data tells us that there is some value in those addresses – that there are people who won’t confirm for some reason but will end up purchasing from an email. Using COI leaves some fraction of revenue on the table as it were. My post was a short risk analysis of things to think about when making decisions about continuing to mail to people who don’t confirm.
Mentioning COI often brings the only-COI-mail-is-not-spam zealots out of the woodwork, as it did in this case. In this case, we have the commenter first asserting that failure to do COI is a violation of CAN SPAM (it’s not). When this was pointed out, he started arguing with two people who have been actively fighting spam for 20 years (including running a widely used blocklist). Finally, he ends up with the comment asserting that anyone not using COI will end up on ROKSO. It’s as if he thinks that statement will fear other commenters into not having opinions. It can’t because everyone in the discussion, except possibly him, knows that it’s not true.
The worst problem with folks like the commenter is that they think asserting horrible consequences will make people cower. First off, people don’t react well to threats. Secondly, this is a hollow threat and most people reading this blog know it.
There are millions of mailing lists not using COI and have zero risk of ever getting on ROKSO. The only thing hollow threats do is make people not pay attention to what you have to say. Well, OK, and have me write a blog post about how those threats are bad because they’re completely removed from reality.
Exaggerating or lying about consequences is not just wrong, it’s stupid. “Do this or else BAD THING,” is awesome, up until someone decides they’re not going to do this and the bad thing never happens. It makes people less likely or pay any attention to you in the future. It certainly means your opinions and recommendations are not going to be listened to in the future.
I probably go too far the other direction. I can spend too much time contextualizing a recommendation. It’s one of the things I’m trying to get better about. No, client doesn’t need a 4 page discussion of the history of whatever, they just need 2 lines of what they should do. If they need the context, I can provide it later.
In order to effectively modify behavior consequences have to be real. Threats of consequences are meaningless. Any toddler knows this, and can quite accurately model when mom means it and when she’s just threatening.
Risk analysis is not about modifying behavior. It’s about analyzing a particular issue and providing necessary information so the company action understands potential consequences and the chance those risks will happen. The blog post about COI was not intended to modify anyone’s behavior. I know there are companies out there successfully maintaining two mail streams: one COI and one not. I know there are other companies out there successfully mailing only single opt-in mail. I know there are companies with complex strategies to verify identity and address ownership. And I smile every time I walk into a retail store and they ask me if my email address is still X and if I want to make any changes to it.
Lying about consequences does nothing to modify behavior. All it does is diminish the standing and audience of the liar. Be truthful about the consequences of an action or lack of action. Don’t make up threats in order to bully people into doing what you think is right. Sooner or later they’re going to realize that you don’t know what you’re talking about and start to ignore you.

Read More

The Blighty Flag

Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off them, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.
At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult. Sometimes by filing false complaints, other times by actually causing problems through the website.
At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. Postmaster also said he was flagging our account with “the blighty flag” that meant he had to review the account before it would be turned off in the future.
I keep imagining the blighty flag looking like this in somebody’s database.

That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:

This was an accident by a twitter employee, according to a post by @TwitterGov

Read More

Listbombing Webinar

Earlier this week I gave a webinar hosted by the EEC and the DMA discussing the listbombing problem. They will be making the recording available later this week and I will link to it then.
I wish I could say the issue was done and over with and that it was something we don’t have to worry about any longer. Unfortunately, that’s just not the case. Attacks are ongoing. Many of them are being caught and mitigated, but they’re still occurring.
We can’t let up our guard, though. Attackers will adapt to the mitigations and negate them.
And remember, listbombing is a sign that your subscription process is not collecting accurate data. If Evil Bob or Dumb Bob can give you Real Bob’s address then your data is all suspect. The problem is somewhat in the form, but it’s also in the whole process. What steps can you take to verify data without creating too much friction in the process?
This is an opportunity for forward thinking companies to reconsider their subscription and address acquisition processes. How do we get Bob’s address and information without Evil Bob or Dumb Bob giving us bad data and without contributing to the overall abuse online.
 

Read More