EmailDiscussions.com  

Old 10 Sep 2010, 08:51 PM   #1
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 692
Privacy of new "Report Spam" functionality

Of the new Report Spam functionality that sends reports to the sending ISP, the Fastmail newsletter says

Quote:
There's no added privacy implications involved
Could Fastmail please confirm this is true? Including that the user of this button is NOT identified to the ISP receiving the spam report?

Thanks.

--------------------------------------------

FTR, full article:

Quote:
Report spam improvements through external feedback

Currently when you use the "Report spam" function at FastMail, it performs a number of actions with the message, such as reporting it to your personal bayes database to improve filtering accuracy on future received messages. We're about to include some new actions in this function to further improve what "Report spam" does.

We're about to set up a "feedback loop" service. This means when you "Report spam" on a message, it will notify the originating email provider/ISP of the offending message so they can investigate and take action on the originating sender (one of their users).

Feedback loops are common in the email industry and are provided by most email services. They are a powerful way to ensure that spammers and scammers are stopped as soon as possible. FastMail subscribes to a number of feedback loops (eg Yahoo, MSN, etc), so that we can block spammers that sign up FastMail accounts ASAP. By allowing other email providers/ISPs to sign up to our feedback loop (we get to control exactly who can sign up), we're aiding others in the fight against spammers and scammers that use and abuse their service.

There's no added privacy implications involved, because the email is only being reported back to the original email provider that it came from in the first place, they're just being advised by us that the recipient of the email (you) believes the email was unsolicited and they should take action against the sender.

Despite this, we know that some people will remain extremely concerned about anything related to issues of privacy, and for that reason we're giving people a way to opt out of this feature if preferred. Just go to Options -> Spam/Virus protection, and uncheck the "Allow external spam reports" checkbox. You can change this checkbox now or at any time in the future. We'll be starting the feedback loop from August 23.

The FastMail staff fully believe the feedback loop is a useful anti-spam service and are not opting out.
chrisjj is offline   Reply With Quote

Old 22 Sep 2010, 12:54 AM   #2
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
If the spammer operates their own email provider, they just got a confirmation that the recipient email is live.
ao1 is offline   Reply With Quote
Old 22 Sep 2010, 04:09 PM   #3
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Quote:
Originally Posted by chrisjj View Post
Of the new Report Spam functionality that sends reports to the sending ISP, the Fastmail newsletter says



Could Fastmail please confirm this is true? Including that the user of this button is NOT identified to the ISP receiving the spam report?

Thanks.

--------------------------------------------

FTR, full article:
Since the full headers of the message in question must be provided, it will usually be possible to see who received the email. In fact, this information is sometimes part of what is needed to analyse whether the email is really spam.

I get the feeling that you are against any kind of workable feedback system because of fears that it could be exploited by malicious individuals. I am not saying such malicious activities are impossible. Indeed, I think the risk of spammers trying to kill an effective feedback system by flooding the system with false reports is the biggest risk. However, experience with such systems to date has been that they are effective without impacting the innocent. In the real messy world of the Internet, there are no perfect solutions, and best practices can vary over time, but a well constructed feedback system seems a good process to employ at this time.
BritTim is offline   Reply With Quote
Old 26 Oct 2010, 01:38 AM   #4
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 692
Quote:
Originally Posted by chrisjj View Post
Could Fastmail please confirm this is true? Including that the user of this button is NOT identified to the ISP receiving the spam report?
Any chance of a reply, please Fastmail?
chrisjj is offline   Reply With Quote
Old 26 Oct 2010, 07:41 AM   #5
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
The X-Resolved-to and X-Delivered-to headers are removed.

However that doesn't mean the originating ISP can't determine the original recipients of the message, of course they can, because the email came from their system, so they can add whatever tracking headers they want, or just correlate with the Message-Id header from their logs.

If you don't like it, disable the feature on the Options -> Spam/Virus protection screen.

Rob
robmueller is offline   Reply With Quote
Old 26 Oct 2010, 11:08 AM   #6
Sherry
 Moderator 
 
Join Date: Dec 2002
Location: USA
Posts: 8,687
Since I only get FM email from Aliases/SubDomain addresses would those be the only ones the ISPs can see (the address it was delivered to) and not my real address? If that's the case then that wouldn't bother me as long as there is no way to see my "real" address and FM is the only one that can determine that.

Sherry
Sherry is offline   Reply With Quote
Old 27 Oct 2010, 07:53 AM   #7
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 692
Quote:
Originally Posted by robmueller View Post
The X-Resolved-to and X-Delivered-to headers are removed.
Is that a Yes, Confirmed to:

the user of this button is NOT identified to the ISP receiving the spam report?

?

Quote:
Originally Posted by robmueller View Post
However that doesn't mean the originating ISP can't determine the original recipients of the message,
Sure, but the issue is not who it was addressed to but who reported it as spam... and that person might not even be amongst those addressees.
chrisjj is offline   Reply With Quote
Old 27 Oct 2010, 05:57 PM   #8
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Quote:
Originally Posted by chrisjj View Post
Sure, but the issue is not who it was addressed to but who reported it as spam... and that person might not even be amongst those addressees.
I guess that is true. Indeed, you might deliberately redirect the email from the original recipient to another mailbox in order to report it from a non recipient. However, even in this case, you will need to be fairly clever to avoid being identifiable in most cases. Let us say you originally received it at Tuffmail and redirected to Fastmail to report it. The headers will still incriminate you unless there are multiple Tuffmail recipients of the email.

My understanding of the privacy protection that Fastmail is attempting is not to obfuscate who is making a complaint, but to avoid revealing extra information over and above the email address originally used. If you use an alias to receive email from sleazymarketing.com, the reporting of spam should not reveal your real account name. I do not think the objective is to help you make malicious claims against goodmarketing.com without fear of retribution.
BritTim is offline   Reply With Quote
Old 27 Oct 2010, 06:27 PM   #9
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 692
Quote:
Originally Posted by BritTim View Post
Let us say you originally received it at Tuffmail and redirected to Fastmail to report it. The headers will still incriminate you unless there are multiple Tuffmail recipients of the email.
OK, but then surely Fastmail is not achieving this:

Quote:
Originally Posted by BritTim View Post
My understanding of the privacy protection that Fastmail is attempting is not to obfuscate who is making a complaint, but to avoid revealing extra information over and above the email address originally used.
chrisjj is offline   Reply With Quote
Old 29 Oct 2010, 08:53 AM   #10
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
The username of the Fastmail user making the report is not explicitly added to the report, only the content of the email + headers is included in the report.

Additionally, we remove the X-Resolved-to and X-Delivered-to headers, which are the most common places this information would implicitly be found in the email itself.

However that doesn't mean information in other headers can't be used to identify the original recipient in some cases, we can't possibly know all the information in the headers and what they mean.

Rob
robmueller is offline   Reply With Quote
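Added example, not part of the thread and not Fastmail's code: a Python sketch of the redaction described in the post above, plus a check of which remaining headers still carry a recipient address. The message, the addresses and the function names are constructed for illustration.

```python
import email
from urllib.parse import unquote

# The two headers the thread says are removed before a report is sent.
STRIPPED = ("X-Resolved-to", "X-Delivered-to")

# Constructed sample: mail addressed to an alias, delivered to another account.
ALIAS = "shop-alias@user.example"
ACCOUNT = "realname@fastmail.example"
SAMPLE = """\
Received: from out.sender.example by mx.fastmail.example
 for <shop-alias@user.example>; Mon, 25 Oct 2010 10:00:00 +0000
X-Delivered-to: realname@fastmail.example
X-Resolved-to: realname@fastmail.example
Message-Id: <abc123@sender.example>
From: promo@sender.example
To: shop-alias@user.example
List-Unsubscribe: <http://sender.example/u?r=shop-alias%40user.example>
Subject: Offer

Body text
"""


def redact(raw, strip=STRIPPED):
    """Parse a raw message and drop the listed headers from the report copy."""
    msg = email.message_from_string(raw)
    for name in strip:
        del msg[name]  # removes every occurrence, matched case-insensitively
    return msg


def headers_mentioning(msg, address):
    """Return names of headers whose value contains the address.

    Values are percent-decoded first, so an address embedded in a URL
    (such as an unsubscribe link) is also found.
    """
    needle = address.lower()
    return [name for name, value in msg.items()
            if needle in unquote(str(value)).lower()]


if __name__ == "__main__":
    report = redact(SAMPLE)
    print("account still in:", headers_mentioning(report, ACCOUNT))
    print("alias still in:  ", headers_mentioning(report, ALIAS))
```

On this sample the account name disappears from the report, while the alias the sender originally used remains in Received, To and the unsubscribe URL, and the Message-Id is untouched.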
Old 2 Nov 2010, 09:15 PM   #11
chrisjj
Cornerstone of the Community
 
Join Date: Jul 2003
Posts: 692
Quote:
Originally Posted by robmueller View Post
The username of the Fastmail user making the report is not explicitly added to the report, only the content of the email + headers is included in the report.

Additionally, we remove the X-Resolved-to and X-Delivered-to headers, which are the most common places this information would implicitly be found in the email itself.
Thanks.

Quote:
Originally Posted by robmueller View Post
However that doesn't mean information in other headers can't be used to identify the original recipient in some cases, we can't possibly know all the information in the headers and what they mean.
Then FM is in no position to make the "no added privacy implications" claim in question. FM could be returning to an originating ISP information that the ISP did not have and which IDs a recipient. That's a breach of privacy.
chrisjj is offline   Reply With Quote