(FTR & transparency, speaking for dnswl.org - a whitelist without paid-for-listing model, but with a pay-for-heavy-use model)
On Wed, Apr 16, 2014 at 6:43 PM, Greg Troxel <g...@ir.bbn.com> wrote: > b) meet the following transparency and responsiveness rules > i) Have a page on the SA wiki which points to the way to > complain. > abuse@<easily identifiable, stable and unique domain> should be available. Wiki and docs are fine, but should not be needed if possible. > ii) On the main web page of the whitelist, have a prominent link > about how to file a complaint about receiving spam from > whitelisted entities. This must be sufficiently prominent that > the number of people who fail to find it is essentially zero, > ACK. > and it should have equal or greater billing than material aimed > at senders. > I don't think that this should be required. A policy should try to define the what, not so much the how. > iii) Complaints received should get a response with an incident > number (or equivalent) within a business day. > For the case of dnswl.org, feedback via email gets into a request tracker, but without auto-acknowledge (for obvious reasons). > iv) Complaints should be dealt with within a week by either > delisting the offending entity or addressing the issue so that > The action may depend on the merits of the abuse report and other circumstances. At dnswl.org, we have a number of responses (add a "watch flag", cross-check between emailed abuse reports and automated feedback loops, start lowering the score, deactivate some or all entries of a given record etc). The response (eg, "watch" towards full deletion) should be proportionate to the complaint. Keeping any SLAs is difficult for volunteer-driven projects. While I agree that action should be taken on relatively short notice (measured in "days", ideally even below one day), hard SLAs may not always be possible to meet, or may be delayed due to additional checks being performed. > no spam recurs. (For the purposes of this guideline, invitations > sent by a site to an address which was taken from an uploaded > address book or equivalent are considered to be spam.) > I don't think that a policy should special-case invite-spam. -- Matthias
