Re: [dmarc-discuss] FBL via DMARC?
>> But see https://datatracker.ietf.org/doc/draft-levine-herkula-oneclick/

>Is this really a good idea? Spammers will add this new header as they added
>List-Unsubscribe headers as well and you will kindly validate the spammed
>email address if a user marks it as junk.

There are much, much, easier ways to validate recipient addresses such
as web bugs, which spammers could use if they cared, which they haven't
for at least the past decade. Or for that matter, they could use the
existing List-Unsubscribe, which has been around since 1998.

We address this and other stuff in the Security Considerations section
in the draft.

R's,
John

PS: This really has nothing to do with DMARC. The discussions about this
draft have been on the IETF dispatch mailing list.

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] FBL via DMARC?
On 29.11.2016 19:06, John Levine via dmarc-discuss wrote:

> But see https://datatracker.ietf.org/doc/draft-levine-herkula-oneclick/
>
> This is likely to be an RFC soon, and is apparently already
> implemented at some large webmail providers. You can put a new header
> in your message which encourages recipient systems to do a one-click
> non-interactive unsubscribe when someone reports the message as junk.

Is this really a good idea? Spammers will add this new header as they added
List-Unsubscribe headers as well and you will kindly validate the spammed
email address if a user marks it as junk.

Dunno, but sounds like bad idea...

Juri

Re: [dmarc-discuss] FBL via DMARC?
At AOL we're doing this with a confirmation popup in clients we control and
then sending an unsubscribe mail on behalf of the user when we find
unsubscribe mailto links, and I know that some 3rd party clients also have
started to implement unsubscribe logic (iOS 10 does so for example).

I also know (and I think I'm allowed to say) we've been working on code to do
the one click URL based unsubscribe as well.

On Tue, Nov 29, 2016 at 8:51 PM, John R Levine via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

>> What would be great is if this RFC could have some language discussing
>> having a confirmation dialog to prevent these accidental mistakes from
>> happening.
>
> It does. It says that the whole point of this draft is to have a
> non-interactive unsubscribe that mail systems can do in the background when
> people report mail as spam.
>
> Mailers may not like it, but it's what recipient systems want, and what
> they've told me they're going to do.
>
> R's,
> John

--
PAUL ROCK
Principal Software Engineer | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr.| Dulles, VA | 20166-9305

Re: [dmarc-discuss] FBL via DMARC?
> What would be great is if this RFC could have some language discussing
> having a confirmation dialog to prevent these accidental mistakes from
> happening.

It does. It says that the whole point of this draft is to have a
non-interactive unsubscribe that mail systems can do in the background when
people report mail as spam.

Mailers may not like it, but it's what recipient systems want, and what
they've told me they're going to do.

R's,
John

Re: [dmarc-discuss] FBL via DMARC?
On Tue, Nov 29, 2016 at 10:06 AM, John Levine via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> In article <864f7119-9912-7143-7cc4-b2c10ca1f...@delegated.net> you write:
> >Has there been any discussion about using DMARC to configure spam complaint feedback loops?
>
> No, for reasons already mentioned.
>
> But see https://datatracker.ietf.org/doc/draft-levine-herkula-oneclick/

Ooh, interesting. I hadn't seen that; thanks for the pointer.

> This is likely to be an RFC soon, and is apparently already
> implemented at some large webmail providers. You can put a new header
> in your message which encourages recipient systems to do a one-click
> non-interactive unsubscribe when someone reports the message as junk.

(Apologies for the non dmarc-discuss topic)

We currently treat FBL reports as unsubscribe requests. We do the unsubscribe
and send an email saying 'hey, if you made a mistake, here's a link to
re-subscribe'. What we've found, unfortunately, is that the rate of
accidental spam button clicking is higher than we expected. For example, with
at least one webmail service, the Spam button is right next to the Delete
button. People are peeved when we unsub them; it's not a good user experience
and we're looking at different algorithms to guard against the occasional
accidental spam button press. Which somewhat lessens the efficacy of the
whole enterprise.

What would be great is if this RFC could have some language discussing having
a confirmation dialog to prevent these accidental mistakes from happening.

Thanks,
Mark

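Added example, not part of the original thread and not any poster's code: one way a sender could process the workflow described in the message above, where an incoming FBL report is treated as an unsubscribe request. It assumes reports arrive in ARF form (RFC 5965); the sample report, the `subscribers` and `recently_engaged` inputs and the action names are hypothetical.

```python
import email
from email.utils import parseaddr
# Constructed ARF report (RFC 5965 layout); every address here is made up.
SAMPLE_ARF = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for mail from sender.example.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Original-Rcpt-To: <alice@receiver.example>

--b1
Content-Type: message/rfc822

To: alice@receiver.example

Body of the original message.
--b1--
"""

def parse_fbl(raw):
    """Return (feedback_type, recipient) for an ARF report, else None."""
    msg = email.message_from_string(raw)
    if not msg.is_multipart() or msg.get_param("report-type") != "feedback-report":
        return None
    # message/* parts are parsed as nested messages, so report fields read as headers.
    parts = {p.get_content_type(): p.get_payload()[0] for p in msg.get_payload()
             if p.get_content_maintype() == "message"}
    report, original = parts.get("message/feedback-report"), parts.get("message/rfc822")
    if report is None:
        return None
    # Original-Rcpt-To is optional; fall back to the embedded message's To header.
    rcpt = report.get("Original-Rcpt-To") or (original is not None and original.get("To")) or ""
    return report.get("Feedback-Type", "").strip().lower(), parseaddr(rcpt)[1].lower()

def decide(raw, subscribers, recently_engaged=frozenset()):
    """Map one FBL report to an action; recently_engaged is a hypothetical guard input."""
    parsed = parse_fbl(raw)
    if parsed is None or parsed[0] != "abuse" or parsed[1] not in subscribers:
        return "ignore"          # not ARF, not a complaint, or not an address we mail
    if parsed[1] in recently_engaged:
        return "confirm-first"   # possible accidental click: ask before removing
    return "unsubscribe-and-offer-resubscribe"
```

Checking the reported recipient against the sender's own subscriber list keeps a forged or malformed report from removing an address the sender never mailed.
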
Re: [dmarc-discuss] FBL via DMARC?
I should have pointed out first that this question is unrelated to DMARC. At
best, we're discussing a comparable "put a record in the DNS" configuration
mechanism for requesting abuse reports. Note in particular that "put abuse
contacts into abuse.net" already exists, and isn't being overwhelmed.

The principal means of addressing the privacy issues is the FBL signup
process in which (a) the requester enters into an NDA and (b) the FBL service
provider (typically a contractor to the receiver, rather than the receiver
themselves) vets the applicant organisation and the individual's likely
competence to execute the NDA. This can't be entirely automated, meaning that
the benefits of universal access that DMARC provides aren't achievable.

- Roland

From: Gil Bahat <g...@magisto.com>
Sent: Tuesday, 29 November 2016 13:33
To: Roland Turner
Cc: DMARC Discussion List
Subject: Re: [dmarc-discuss] FBL via DMARC?

Hi,

these are all solvable while still remaining within the DMARC domain: e.g.
enabling detailed reports only after a specific signup procedure. Most large
receivers do have a feedback loop in place, even though not all of them
standard. Standardization would be really helpful as well as allow better and
easier FBL management. I'd really like to see this in the DMARC standard,
even if not everyone will apply it (e.g. DMARC failure reports).

The privacy considerations are also apparently a non-issue as the
overwhelming majority of mail providers (in fact everyone but google) provide
email-level FBL reports - Yahoo, Hotmail, AOL, mail.ru, yandex, italia
online, ...

Gil

On Tue, Nov 29, 2016 at 6:55 AM, Roland Turner via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

I'd hazard a guess that confidentiality constraints get in the way here, for
the same reason that most receivers won't provide DMARC failure reports, only
aggregate reports. Note that the feedback mechanism for receivers who wish to
volunteer reports already exists - and is the origin of DMARC's ARF - that
being to send to abuse contacts for the domain or the originating IP address.
Those same confidentiality constraints mean that few receivers do so.

A further concern for spam filters in particular is that a receiver has to be
confident that the domain-owner is a legitimate sender; if not, the abuse
reports are a tuning tool for a spammer. No receiver wants to help this
happen.

- Roland

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Jonathan Knopp via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Tuesday, 29 November 2016 12:22
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] FBL via DMARC?

Has there been any discussion about using DMARC to configure spam complaint
feedback loops? Currently it is only feasible to register for the big ESPs
and can be tough to keep them up to date. DMARC could make this automatic and
universal.

It would be well within DMARC's mandate of domain reputation protection since
it would let you know quickly when someone has infiltrated your systems and
is sending spam via your legitimate email path.

Re: [dmarc-discuss] FBL via DMARC?
I'd hazard a guess that confidentiality constraints get in the way here, for
the same reason that most receivers won't provide DMARC failure reports, only
aggregate reports. Note that the feedback mechanism for receivers who wish to
volunteer reports already exists - and is the origin of DMARC's ARF - that
being to send to abuse contacts for the domain or the originating IP address.
Those same confidentiality constraints mean that few receivers do so.

A further concern for spam filters in particular is that a receiver has to be
confident that the domain-owner is a legitimate sender; if not, the abuse
reports are a tuning tool for a spammer. No receiver wants to help this
happen.

- Roland

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Jonathan Knopp via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Tuesday, 29 November 2016 12:22
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] FBL via DMARC?

Has there been any discussion about using DMARC to configure spam complaint
feedback loops? Currently it is only feasible to register for the big ESPs
and can be tough to keep them up to date. DMARC could make this automatic and
universal.

It would be well within DMARC's mandate of domain reputation protection since
it would let you know quickly when someone has infiltrated your systems and
is sending spam via your legitimate email path.

[dmarc-discuss] FBL via DMARC?
Has there been any discussion about using DMARC to configure spam complaint
feedback loops? Currently it is only feasible to register for the big ESPs
and can be tough to keep them up to date. DMARC could make this automatic and
universal.

It would be well within DMARC's mandate of domain reputation protection since
it would let you know quickly when someone has infiltrated your systems and
is sending spam via your legitimate email path.