On 27/May/11 18:29, John R. Levine wrote:
>>>> 2) do we need a mechanism to alert the receiving MTA that you have
>>>> subscribed to a mailing list, and all messages should pass through?
>>
>> Yes, desperately.
>>
>>> Certainly a possible feature, but it seems like it won't scale very well.
>>
>> Why not?
> 
> If I were a spammer, I would tell the victim's MTA that the victim 
> subscribed, then send the spam.

Yes, but the MTA would then know how to treat the corresponding
victim's complaint.

> These days most subscriptions are entered on a web page, and if you're 
> lucky the mailer will send a confirmation message with a URL that sends 
> the subscriber back to the web page.  Where's the MTA going to get the 
> subscriber info?

An http url could be advertised on the MX's EHLO reply.  That's a page
on the users' server, where they can confirm subscriptions along with
their credentials.  MLMs get digitally signed confirmations of COI.

Ways to accept non-interactive subscription notifications are also
necessary.  I agree they are somewhat more challenging.

For MLMs that present DKIM-signed List-* header fields, subscriptions
might be assumed, and tracked unilaterally that way.  But unsubscribe
attempts seem to be more difficult to do, in this case.

> The challenges in designing a protocol that neither makes 
> unreasonable demands on users and MUAs nor is easily spoofed by
> hostile mailers seem insurmountable to me.

MUAs wouldn't be much affected, except for allowing TiS buttons.

Users would gain uniform subscribe/unsubscribe pages.

> If you're planning to keep a reputation database of mailers who
> send credible subscription announcements, why not just whitelist
> their mail?

The ability to maintain such database would be improved.

> Since as far as I know nobody does this, it's a research topic, so I've 
> directed replies to the ASRG.  See you there.

Here I am.  I've kept a CC to DKIM list, to be removed in followups.

It is not the first time I have brought up this idea on the ASRG.  It
addresses newsletters more than discussion lists, because of the way
subscriptions work.  In Europe, the resulting protocol could help
provide proofs of consent, which many European newsletters handle as
a checkbox on _manually_ signed forms.  Indeed, I'd consider it an
implementation of the Data Protection Directive.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
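
An added example, not part of the original message or of any project it mentions: a receiver-side check for the idea above that DKIM-signed List-* header fields could let a subscription be assumed. It only inspects the signature's h= tag; the function names, `verified_domains` and the sample message are assumptions, and signature validation is taken to be done by a separate DKIM verifier.

```python
import email
import re

# Constructed sample; domain, selector and bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel1;
 h=From:To:Subject:Date:List-Id:List-Unsubscribe;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Newsletter <news@lists.example.org>
To: user@example.net
Subject: May issue
Date: Fri, 27 May 2011 18:29:00 +0200
List-Id: <news.lists.example.org>
List-Unsubscribe: <mailto:news-leave@lists.example.org>
List-Post: <mailto:news@lists.example.org>

Body
"""

def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def covered_list_fields(raw):
    """Map each signing domain (d=) to the List-* fields its h= tag covers."""
    msg = email.message_from_string(raw)
    present = {k.lower() for k in msg.keys() if k.lower().startswith("list-")}
    out = {}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        covered = {h.lower() for h in tags.get("h", "").split(":")}
        out[tags.get("d", "")] = sorted(present & covered)
    return out

def assumed_subscription(raw, verified_domains):
    """Return (domain, list id) if a verified signature covers List-Id.

    verified_domains is an assumption: the d= values whose signatures the
    receiver's DKIM verifier has already validated. No crypto is done here.
    """
    msg = email.message_from_string(raw)
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    for domain, fields in covered_list_fields(raw).items():
        if m and domain in verified_domains and "list-id" in fields:
            return domain, m.group(1)
    return None
```

In the sample, List-Post is present but not listed in h=, so a receiver tracking subscriptions this way should not rely on it.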
