questions about blocking disclaimers

questions about blocking disclaimers

[Christopher Faylor]

As many people know, I'm working on modifying the spam filter software
so that it will block email which contains unenforceable company
disclaimers.  I've been surveying the archives for samples of
disclaimers to seed the spam blocking regex.  I'd like to be able to
include the match that triggered the disclaimer bounce so that people
can see what is causing the problem but that may increase the size
of the bounce.  Is that ok, though?

Here's what I have for the bounce message right now:

  Sorry.  Something in the body of your message triggered a pattern match
  which indicates that you included a company disclaimer or privacy notice
  in your message to a mailing list at this site.  Inclusion of these types
  of disclaimers is against site policy.  We do not accept email of this form.

  See:
      http://sourceware.org/lists.html
      http://gcc.gnu.org/lists.html#policies

Please tell me what works or doesn't work in the above language.

cgf

Re: questions about blocking disclaimers

[Christopher Faylor]

On Sun, Aug 05, 2007 at 01:34:29AM -0400, Christopher Faylor wrote:
>As many people know, I'm working on modifying the spam filter software
>so that it will block email which contains unenforceable company
>disclaimers.  I've been surveying the archives for samples of
>disclaimers to seed the spam blocking regex.  I'd like to be able to
>include the match that triggered the disclaimer bounce so that people
>can see what is causing the problem but that may increase the size
>of the bounce.  Is that ok, though?
>
>Here's what I have for the bounce message right now:
>
>  Sorry.  Something in the body of your message triggered a pattern match
>  which indicates that you included a company disclaimer or privacy notice
>  in your message to a mailing list at this site.  Inclusion of these types
>  of disclaimers is against site policy.  We do not accept email of this form.
>
>  See:
>      http://sourceware.org/lists.html
>      http://gcc.gnu.org/lists.html#policies
>
>Please tell me what works or doesn't work in the above language.

Here are the regexes that I have now (these are perl regexes):

  \n\s+This email [a-z\s]+is for the exclusive use
  (?i:if (?i:the reader is|you are) not the intended recipient)
  \n\s+This e-?mail (?:is|may be) (?:contain\s+)?(?:privileged|confidential)
  read[a-z\s,]{20,}by the intended recipient
  CONFIDENTIALITY AND SECURITY NOTICE
  (?i:if you received this email in error)

And here's another stab at the bounce message:

  Sorry.  Something in the body of your message triggered a match indicating
  that your email contained a company disclaimer or privacy notice.  Inclusion
  of these types of disclaimers in mail to mailing lists is against site policy.

  For more information see:
      http://sourceware.org/lists.html
      http://gcc.gnu.org/lists.html#policies

  Matched: "<substring of disclaimer>"

I'm not going to go live with this until I get some feedback on the above so
please let me know what works or doesn't work.

cgf

Re: questions about blocking disclaimers

[Jonathan Larmour]

Christopher Faylor wrote:
> On Sun, Aug 05, 2007 at 01:34:29AM -0400, Christopher Faylor wrote:
>> As many people know, I'm working on modifying the spam filter software
>> so that it will block email which contains unenforceable company
>> disclaimers.  I've been surveying the archives for samples of
>> disclaimers to seed the spam blocking regex.  I'd like to be able to
>> include the match that triggered the disclaimer bounce so that people
>> can see what is causing the problem but that may increase the size
>> of the bounce.  Is that ok, though?
>>
>> Here's what I have for the bounce message right now:

My only thought is that this might be sudden and dramatic for some people, 
who may find it difficult to remove them. Can it temporarily accept the 
message (with a warning that they will be rejected entirely soon), and 
after a month, we change it so we do reject them?

Out of interest I have had long arguments in my workplace about such 
disclaimers, and it has been alleged that EU Data Protection law (as 
applied in the UK at least) pretty much requires that any mail sent from a 
business (including any employees) has to include them. It was a hard fight 
to prevent them being added to all our email, and allegedly omitting them 
is being done at some risk to the company directors. I doubt this should 
change the policy, but it does show that the only solution people may have 
is not to post from their work at all, so giving them time to arrange an 
alternative would some reasonable.

I think the text of the bounce is fine (for when things do get dropped).

Jifl
-- 
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

Re: questions about blocking disclaimers

[Christopher Faylor]

On Sun, Aug 05, 2007 at 11:16:07PM +0100, Jonathan Larmour wrote:
>My only thought is that this might be sudden and dramatic for some
>people, who may find it difficult to remove them.  Can it temporarily
>accept the message (with a warning that they will be rejected entirely
>soon), and after a month, we change it so we do reject them?

fche suggested this, too.  It will be a little extra work to warn people
while also accepting the message but it is doable.  In fact, I wonder if
that just shouldn't be the default from now on.  It would be pretty
irritating to receive this message every time you send email.

The only problem with allowing them but complaining to the sender is
that it would be harder to figure out when one slipped by the filter.
The fact that something hit the disclaimer filter shows up in syslog
output now but there is no way to know when something should have been
caught but wasn't.

cgf

Re: questions about blocking disclaimers

[Jonathan Larmour]

Christopher Faylor wrote:
> On Sun, Aug 05, 2007 at 11:16:07PM +0100, Jonathan Larmour wrote:
>> My only thought is that this might be sudden and dramatic for some
>> people, who may find it difficult to remove them.  Can it temporarily
>> accept the message (with a warning that they will be rejected entirely
>> soon), and after a month, we change it so we do reject them?
> 
> fche suggested this, too.  It will be a little extra work to warn people
> while also accepting the message but it is doable.  In fact, I wonder if
> that just shouldn't be the default from now on.  It would be pretty
> irritating to receive this message every time you send email.

True!

> The only problem with allowing them but complaining to the sender is
> that it would be harder to figure out when one slipped by the filter.
> The fact that something hit the disclaimer filter shows up in syslog
> output now but there is no way to know when something should have been
> caught but wasn't.

If we're prepared to reject them, it doesn't seem any worse to maybe modify 
the body - add a little something at the top? Maybe Something like:

[ From the sourceware/gcc.gnu.org mail system: this message appears to 
contain a company disclaimer or confidentiality notice, which is against 
site policy. Please ensure the sender corrects this. ]

Jifl
-- 
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

Re: questions about blocking disclaimers

[Ian Lance Taylor]

Jonathan Larmour <jifl@jifvik.org> writes:

> Out of interest I have had long arguments in my workplace about such
> disclaimers, and it has been alleged that EU Data Protection law (as
> applied in the UK at least) pretty much requires that any mail sent
> from a business (including any employees) has to include them. It was
> a hard fight to prevent them being added to all our email, and
> allegedly omitting them is being done at some risk to the company
> directors. I doubt this should change the policy, but it does show
> that the only solution people may have is not to post from their work
> at all, so giving them time to arrange an alternative would some
> reasonable.

I disbelieve that EU law requires you to add anything like "if you are
not the intended recipient of this e-mail, please destroy it."  Those
are the problematic cases for us.

Ian

Re: questions about blocking disclaimers

[Daniel Berlin]

On 06 Aug 2007 06:27:51 -0700, Ian Lance Taylor <ian@airs.com> wrote:
> Jonathan Larmour <jifl@jifvik.org> writes:
>
> > Out of interest I have had long arguments in my workplace about such
> > disclaimers, and it has been alleged that EU Data Protection law (as
> > applied in the UK at least) pretty much requires that any mail sent
> > from a business (including any employees) has to include them. It was
> > a hard fight to prevent them being added to all our email, and
> > allegedly omitting them is being done at some risk to the company
> > directors. I doubt this should change the policy, but it does show
> > that the only solution people may have is not to post from their work
> > at all, so giving them time to arrange an alternative would some
> > reasonable.
>
> I disbelieve that EU law requires you to add anything like "if you are
> not the intended recipient of this e-mail, please destroy it."  Those
> are the problematic cases for us.
>

This is my cursory understanding as well (I am not an EU law specialist).
I have seen laws in various EU countries that *do arguably require the
place of business's address be listed*, but this is really different.

> Ian
>

Re: questions about blocking disclaimers

[Gerald Pfeifer]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 735 bytes --]

On Mon, 6 Aug 2007, Ian Lance Taylor wrote:
> I disbelieve that EU law requires you to add anything like "if you are
> not the intended recipient of this e-mail, please destroy it."  Those
> are the problematic cases for us.

Speaking for Germany (even though I'm Austrian ;-), I can confirm this, 
Ian.  It is required to provide the name and some data of the company,
but certainly not such a disclaimer.

And depending on how conservative the respective corporate lawyers are, 
when posting to mailing lists such as ours even the data on the company
is not required (though we all know that corporate lawyers tend to err
on the side of caution which is probably why you see the German IBMers
and Jörn include such footers).

Gerald

Re: questions about blocking disclaimers

[Jonathan Larmour]

Ian Lance Taylor wrote:
> Jonathan Larmour <jifl@jifvik.org> writes:
> 
>> Out of interest I have had long arguments in my workplace about such
>> disclaimers, and it has been alleged that EU Data Protection law (as
>> applied in the UK at least) pretty much requires that any mail sent
>> from a business (including any employees) has to include them. It was
>> a hard fight to prevent them being added to all our email, and
>> allegedly omitting them is being done at some risk to the company
>> directors. I doubt this should change the policy, but it does show
>> that the only solution people may have is not to post from their work
>> at all, so giving them time to arrange an alternative would some
>> reasonable.
> 
> I disbelieve that EU law requires you to add anything like "if you are
> not the intended recipient of this e-mail, please destroy it."  Those
> are the problematic cases for us.

I wasn't quite specific enough. I won the argument in my company because I 
persistently put forward the same view as you (backed up by various 
research) - contrary to the allegation from others that Data Protection 
laws effectively require it. But other companies, especially larger ones, 
may not have the ability for the poor suckers at the bottom of the food 
chain to argue. Hence I was saying that we need to give time to arrange an 
alternative, as their company may not see sense (or may find it more 
convenient to insist on the SMTP server doing it, rather than leaving it to 
induhviduals).

Secondly, the risk to the company (and its directors) is allegedly because 
if someone sent a mail without this nebulous "only for the intended 
recipient" line[1], then allegedly there's more risk and liability to the 
company if there should be an accidental disclosure of some sort of 
personal data (as covered by Data Protection) to e.g. a mailing list if a 
mail was sent there by accident, than if this line is not present.

 From my investigations and discussions at the time, there seemed to be no 
case law to back this up one way or the other, other than that an 
increasing number of companies in the UK (if not the EU) are making such 
privacy statements mandatory as a matter of company policy. My own argument 
against it was that it seemed like a poor defence to try and use in court. 
The arguments for it were attempting to reduce any risk or chance (or 
degree) of liability.

Anyway, that's what it was all about. I don't think it should have any 
bearing on our desire to get rid of these privacy notices, but may affect 
how heavy the wet fish is that we use to slap people round the head when 
they do it, because it may well be out of their control.

Jifl
[1] Note that this doesn't specify who the intended recipient *is*
-- 
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine