Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell

> I personally think that ESP's should make an effort to carefully separate 
> their confirmed double opt-in mailings, from single opt-in mailers..

We have a lot of ESPs as customers of our email reputation certification 
service, and we *always* urge them to segregate their IPs by opt-in level (and 
also to assign customers their own IPs, whenever possible).  The bigger ESPs 
get this, and many of them do - others do a sort of graduated "new customers 
start in the low end, and then move up over time as they prove themselves" 
thing, but all of them do something to make sure their customers who are 
adhering to best practices are on IPs with good reputations.

(And, thank you for referencing our white paper! :~) )

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation and Inbox Deliverability Certification Program 
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

"Email marketing is the one place where it's better to ask permission than 
forgiveness." - Me

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Asilomar Microcomputer Workshop Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan

On 5/27/16 9:49 AM, Michael Peddemors wrote:

> While it might be more 'attractive' to offer a simple 'click to
> confirm', why are you not using the more standard 'Please Reply To' this
> message if you want to receive these messages?
>
> This would solve the problem being discussed, and ensure that the
> recipient truly wants your message.

Both methods have the potential of triggering false positives due to 
automated processes.

HTML "Click-to-confirm" has been shown in the recent discussion to be 
subject to false positives by email scanning software that follows links.

"Please reply-to" has a similar problem with out-of-office vacation 
autoresponders that copy all or part of the message in the response, as 
well as some NDRs that do the same. Reply-to also potentially breaks if 
the recipient automatically forwards mail from one account to another as 
the reply will come from a different address than the subscription.

CAPTCHA could potentially fix it, but that is sure to raise objections 
as being too inconvenient for list operators playing the numbers game.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] signup form abuse

2016-05-27 Thread Jay Hennigan

On 5/27/16 9:49 AM, Michael Peddemors wrote:

> Have been watching this thread for a bit, and do have an opinion.
>
> First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather
> than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it
> out, is that there are a lot of loose definitions of both 'opt-in' and
> 'confirmed'.

The term "Double opt-in" was originated by spammers early-on in an 
attempt to paint the confirmation process as odious and unnecessary. 
It's spammer-speak. Confirmed opt-in is in my opinion the appropriate term.

* When you log in to an account you provide a username.
* When you subscribe to a mailing list you provide an email address.

Then, when logging in to an account, you're also asked for a password to 
*confirm* your identity. Have you EVER heard of the requirement to 
provide a password as "Double log-in"? I didn't think so.

The same principle applies (or should apply) to mailing list subscriptions.

> While it might be more 'attractive' to offer a simple 'click to
> confirm', why are you not using the more standard 'Please Reply To' this
> message if you want to receive these messages?

Both are typically presented as options, with the token included both in 
the embedded URL and subject or body of the email. This allows people to 
use email to confirm email and eliminates potential issues with HTML 
rendering in some MUAs. It also allows a simple "Click here" button for 
those more familiar with web-based applications.



Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors

On 16-05-27 10:08 AM, Michael Wise wrote:

> The problem with the, "Please Reply" method is that it can lead to mailbombing 
> the target.
> We've seen it happen.

Of course, someone could use a forged address when sending the 
'confirmation' email, but how they would get mail bombed I am unsure of.

No-one will reply that they want the email, for a list they didn't 
subscribe to.  And the sending system would normally limit the amount of 
subscription requests to an individual address.

> But I agree with you completely on the, "loose definition" issue, and have a 
> rather nasty story about that.
> Always get the person who asserts they're doing it to tell you exactly what that 
> term means to them.
>
> "I checked with my manager, and we looked it up, that address DOES Exist!"

And we hear a lot of them too :)

Putting your business card in a bowl to win a prize is definitely not 
giving permission to get on a mailing list ;)

But true confirmed double opt-in lists very seldom get complaints, and 
provide a higher ROI..

http://www.isipp.com/documents/The-Case-for-COI.pdf

My personal pet peeve (and yes I mean you ticket master) is when you 
expressly do everything you can (uncheck the box) to declare you don't 
want any marketing, but still get it..

Some ESP's do make a good effort to encourage it, but many still allow 
new customers to bring over their old 'confirmed' lists as an import, 
instead of forcing a new confirmation, which of course is ripe for 
abuse.  The concern is that they will have a large drop in subscribers, 
as people don't re-confirm.. but probably they miss the point, those 
aren't the people you want on your list, as they aren't engaged enough 
to re-confirm.

Most of the world's largest mailing lists, which operate as confirmed 
double opt-in, never get on the complaint radar..

I personally think that ESP's should make an effort to carefully 
separate their confirmed double opt-in mailings, from single opt-in 
mailers..

But, still there are a lot of commercial motivators to maximize delivery 
rates, (including mixing good and bad mailers together, obfuscating the 
sender information etc).. But in the end, whether it is adblocking, 
reputation lists, or even legislative powers, at some point those 
techniques may backfire.. IMHO

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] signup form abuse

2016-05-27 Thread Anne Mitchell

> But I agree with you completely on the, "loose definition" issue, and have a 
> rather nasty story about that.
> Always get the person who asserts they're doing it to tell you exactly what 
> that term means to them.

These are the definitions that we use, and that we use in working with our 
customers - and yes, lots of senders have..interesting..definitions, 
particularly of "opt-in".

http://www.gettingemaildelivered.com/definitions-and-descriptions-of-various-levels-of-email-opt-in

Anne



Re: [mailop] signup form abuse

2016-05-27 Thread Michael Wise via mailop

The problem with the, "Please Reply" method is that it can lead to mailbombing 
the target.
We've seen it happen.

Now if the intended subscriber could send a single message to the mailinglist, 
and it could be easily proved that it either came from them, or someone that 
their mail admin could identify and punish, this would also work as CDOI, so to 
speak.

But I agree with you completely on the, "loose definition" issue, and have a 
rather nasty story about that.
Always get the person who asserts they're doing it to tell you exactly what that 
term means to them.

"I checked with my manager, and we looked it up, that address DOES Exist!"

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors
Sent: Friday, May 27, 2016 9:50 AM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

Have been watching this thread for a bit, and do have an opinion.

First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than 
the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is 
that there are a lot of loose definitions of both 'opt-in' and 'confirmed'.

While it might be more 'attractive' to offer a simple 'click to confirm', why 
are you not using the more standard 'Please Reply To' this message if you want 
to receive these messages?

This would solve the problem being discussed, and ensure that the recipient 
truly wants your message.



On 16-05-26 08:06 AM, Alberto Miscia via mailop wrote:
> This opens up for an interesting discussion.
> We experienced the very same issue in the past for few customers and
> enabling a captcha was the only viable option.
> The "bots" (don't really know actually) managed to complete a COI
> process with several free accounts.
>
> IP ranges were different some on CBL some not but blocking a listed IP
> in a COI process can be dangerous.
> For the very same reason I'd rule out e-hawk and alike.
> The vast majority of the addresses were listed on cleantalk.org
>
> The hidden link in the confirmation email (an HTML comment would work
> better than a "white-on-white tiny font" from a
> deliverability perspective) in my opinion is the way to go.
> Even if it can be very tricky to implement, we are seriously
> considering it to prevent bot clicks across the board.
>
> HTH
>
> Alberto Miscia | MailUp | Head of Deliverability & Compliance
>
>
> 2016-05-26 15:05 GMT+02:00 Vick Khera :
>>
>> On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote:
>>>
>>> I've heard John Levine propose the "hidden link to catch scanning
>>> robots" solution but I've never heard of an email system implementing
>>
>>
>> I'm running through my head how that would work, and makes for some very
>> complicated state transition diagrams to go from "signup requested" to
>> "confirmed". What if they scan in parallel and the timing works out they
>> poked them in the opposite order, etc. I see a few new states and many
>> transitions, and some timeout based events. Not pretty.
>>
>>>
>>> it. Similarly, senders have often suggested that spamtrap systems
>>> shouldn't follow links. (Security systems, sure, but don't do that
>>> with spamtrap addresses.) And today I heard it suggested that it would
>>> be wiser to have COI have a second click (probably an HTTP POST-based
>>
>>
>> What if the confirmation email button itself was a POST form rather than
>> just a GET to a page? Are scanning systems following POSTs too?
>>
>>>
>>>
>>> button) on the landing web page, to prevent security systems from
>>> erroneously completing COI confirm steps. All good stuff, but it
>>
>>
>> I don't think you're going to get much buy-in for requiring so many clicks
>> to get activated. I know we already lose customers just for requiring COI.
>> Making the COI be more work for the subscriber will just make people go
>> elsewhere faster.
>>
>>>
>>> doesn't sound as though any of it has been widely broadcasted as a
>>> best practice or requirement.
>>
>>
>>
>>




Re: [mailop] signup form abuse

2016-05-27 Thread Al Iverson
On Fri, May 27, 2016 at 11:49 AM, Michael Peddemors wrote:
> Have been watching this thread for a bit, and do have an opinion.
>
> First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather
> than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it
> out, is that there are a lot of loose definitions of both 'opt-in' and
> 'confirmed'.
>
> While it might be more 'attractive' to offer a simple 'click to confirm',
> why are you not using the more standard 'Please Reply To' this message if
> you want to receive these messages?

Because a signup process that falls victim to various types of
auto-responses would be bad. Anything you'd have to add to that to try
to prevent that issue would make it more confusing for some folks and
would result in a drop off in confirmation rate.

Regarding this new "CDOI" acronym: Michael, bless you for trying, but
you're the guy who runs the blacklist that calls all commercial email
"third party mail" no matter how confirmed or clearly opt-in it is, so
you personally wouldn't be the guy I'd look to for help throwing more
definitions at the problem.

Regards,
Al Iverson



Re: [mailop] signup form abuse

2016-05-27 Thread Michael Peddemors

Have been watching this thread for a bit, and do have an opinion.

First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather 
than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it 
out, is that there are a lot of loose definitions of both 'opt-in' and 
'confirmed'.

While it might be more 'attractive' to offer a simple 'click to 
confirm', why are you not using the more standard 'Please Reply To' this 
message if you want to receive these messages?

This would solve the problem being discussed, and ensure that the 
recipient truly wants your message.

On 16-05-26 08:06 AM, Alberto Miscia via mailop wrote:

> This opens up for an interesting discussion.
> We experienced the very same issue in the past for few customers and
> enabling a captcha was the only viable option.
> The "bots" (don't really know actually) managed to complete a COI
> process with several free accounts.
>
> IP ranges were different some on CBL some not but blocking a listed IP
> in a COI process can be dangerous.
> For the very same reason I'd rule out e-hawk and alike.
> The vast majority of the addresses were listed on cleantalk.org
>
> The hidden link in the confirmation email (an HTML comment would work
> better than a "white-on-white tiny font" from a
> deliverability perspective) in my opinion is the way to go.
> Even if it can be very tricky to implement, we are seriously
> considering it to prevent bot clicks across the board.
>
> HTH
>
> Alberto Miscia | MailUp | Head of Deliverability & Compliance
>
>
> 2016-05-26 15:05 GMT+02:00 Vick Khera :
>>
>> On Wed, May 25, 2016 at 6:04 PM, Al Iverson wrote:
>>>
>>> I've heard John Levine propose the "hidden link to catch scanning
>>> robots" solution but I've never heard of an email system implementing
>>
>> I'm running through my head how that would work, and makes for some very
>> complicated state transition diagrams to go from "signup requested" to
>> "confirmed". What if they scan in parallel and the timing works out they
>> poked them in the opposite order, etc. I see a few new states and many
>> transitions, and some timeout based events. Not pretty.
>>
>>> it. Similarly, senders have often suggested that spamtrap systems
>>> shouldn't follow links. (Security systems, sure, but don't do that
>>> with spamtrap addresses.) And today I heard it suggested that it would
>>> be wiser to have COI have a second click (probably an HTTP POST-based
>>
>> What if the confirmation email button itself was a POST form rather than
>> just a GET to a page? Are scanning systems following POSTs too?
>>
>>> button) on the landing web page, to prevent security systems from
>>> erroneously completing COI confirm steps. All good stuff, but it
>>
>> I don't think you're going to get much buy-in for requiring so many clicks
>> to get activated. I know we already lose customers just for requiring COI.
>> Making the COI be more work for the subscriber will just make people go
>> elsewhere faster.
>>
>>> doesn't sound as though any of it has been widely broadcasted as a
>>> best practice or requirement.






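Added example (mine, not code from any list member or their systems): a Python sketch of the confirmation handling this thread keeps circling, combining Jay Hennigan's two failure modes (link-following scanners and vacation autoresponders) with the hidden trap link in an HTML comment and the POST-only confirm step quoted above. The host name, server secret, token format and the sample messages are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-server-secret"   # hypothetical; keep the real one in a secret store
BASE = "https://lists.example.invalid"  # hypothetical host
TOKEN_RE = re.compile(r"confirm-([A-Za-z0-9_-]{16,})")


class ConfirmedOptIn:
    def __init__(self):
        self.records = {}   # token -> {"email", "state", "scanned"}

    def request(self, email):
        token = secrets.token_urlsafe(18)
        self.records[token] = {"email": email, "state": "requested", "scanned": False}
        return token

    def trap_id(self, token):
        # keyed derivative: the hidden URL cannot be derived from the visible token
        return hmac.new(SECRET, b"trap:" + token.encode(), hashlib.sha256).hexdigest()[:24]

    def render_mail(self, token):
        # token in the subject (reply path) and in the visible link (web path);
        # the trap link lives in an HTML comment, so no mail client displays it
        subject = f"Please confirm your subscription [confirm-{token}]"
        html = (f'<p><a href="{BASE}/confirm/{token}">Confirm</a></p>\n'
                f'<!-- <a href="{BASE}/t/{self.trap_id(token)}">.</a> -->')
        return subject, html

    def hit_trap(self, trap):
        # only an automated link-follower reaches this: note it, confirm nothing
        for token, rec in self.records.items():
            if hmac.compare_digest(self.trap_id(token), trap):
                rec["scanned"] = True
                return True
        return False

    def confirm_web(self, token, method):
        rec = self.records.get(token)
        if rec is None:
            return "unknown"
        if method != "POST":
            return "form"   # GET only renders a POST form; a crawled link confirms nothing
        rec["state"] = "confirmed"
        return "confirmed"

    def confirm_reply(self, raw_message):
        msg = message_from_string(raw_message)
        # RFC 3834: vacation and other autoresponders label themselves this way
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return "auto-reply"
        body = "" if msg.is_multipart() else msg.get_payload()
        m = TOKEN_RE.search((msg["Subject"] or "") + "\n" + body)
        rec = self.records.get(m.group(1)) if m else None
        if rec is None:
            return "unknown"
        # a forwarded mailbox replies from another address: do not confirm silently
        if parseaddr(msg.get("From", ""))[1].lower() != rec["email"].lower():
            return "address-mismatch"
        rec["state"] = "confirmed"
        return "confirmed"
```

Because only a POST (or a matching, non-automated reply) changes state, a trap hit is an informational flag rather than a state transition, which sidesteps the ordering problem Vick Khera raised about scanners poking the links in parallel.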


Re: [mailop] Excluding Message-ID from DKIM Signature

2016-05-27 Thread Michael Peddemors

On 16-05-27 09:19 AM, Rich Kulawiec wrote:

> It's also a bad idea operationally, as it will break things like
> loop detection, it will complicate problem diagnosis, and it will
> break anti-spam/anti-abuse mechanisms that rely on Message-ID.
>
> ---rsk

+1




Re: [mailop] Excluding Message-ID from DKIM Signature

2016-05-27 Thread Joel Beckham
Thanks, Vick. I'm curious, what initially led you to exclude the
message-id from your signature?

On Fri, May 27, 2016 at 5:55 AM, Vick Khera wrote:

> Hi Joel,
>
> I don't sign my message-id. In fact, I let my MTA create the Message-ID
> header and I sign before that in my application. Never been an issue.
>
>
> On Thu, May 26, 2016 at 4:25 PM, Joel Beckham wrote:
>
>> Are there any negative consequences to consider before excluding
>> message-id from our signature?
>>
>> I'm working towards p=reject on bombbomb.com and found that Securence /
>> usinternet.com (A forwarder) gets a measurable percentage of our mail
>> and modifies the message-id in the process. This breaks our DKIM signature
>> and causes DMARC to fail at the destination. Working directly with them,
>> I've learned that they're unable to preserve the signed message-id.
>>
>> RFC4871 says it "SHOULD be included", but not required. RFC6376 adds,
>> which is the part that has me concerned, that:
>>
>> Verifiers may treat unsigned header fields with extreme
>> skepticism, including refusing to display them to the end user or
>> even ignoring the signature if it does not cover certain header
>> fields.
>>
>> Thanks!
>>
>>
>>
>


-- 
JOEL BECKHAM
Scalability Architect
W: BombBomb.com
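Added example, not from the thread or any of the posters: a simplified Python model of RFC 6376 relaxed header canonicalization and h= field selection, showing why a forwarder's Message-ID rewrite breaks a signature whose h= covers Message-ID and leaves one that omits it intact. It hashes only the selected headers (no body hash, no DKIM-Signature field, no RSA) over constructed sample headers.

```python
import hashlib
import re

# Constructed sample headers (name, value) in wire order; not taken from the thread.
ORIGINAL = [
    ("From", "Joel <joel@example.invalid>"),
    ("To", "rcpt@example.invalid"),
    ("Subject", "Message-ID  and DKIM\r\n   coverage test"),   # folded, odd spacing
    ("Message-ID", "<orig.123@example.invalid>"),
]


def canon_relaxed(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim WSP
    return f"{name.strip().lower()}:{value}\r\n"


def select_headers(headers, h_fields):
    """RFC 6376 section 5.4.2: each h= entry takes the last unused instance."""
    remaining = list(headers)
    picked = []
    for want in h_fields:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.lower():
                picked.append(remaining.pop(i))
                break
        # an h= name with no matching header contributes nothing (signed as absent)
    return picked


def header_hash(headers, h_fields):
    # Simplified: digest of the selected headers only. A real signer also appends
    # the DKIM-Signature field with an empty b= and then signs this digest with RSA.
    data = "".join(canon_relaxed(n, v) for n, v in select_headers(headers, h_fields))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def rewrite_message_id(headers, new_id):
    """Mimic a forwarder that replaces Message-ID in transit."""
    return [(n, new_id if n.lower() == "message-id" else v) for n, v in headers]


def survives_forwarder(h_fields, new_id="<rewritten.456@forwarder.invalid>"):
    """True if the signed-header digest is unchanged after the Message-ID rewrite."""
    return header_hash(ORIGINAL, h_fields) == header_hash(
        rewrite_message_id(ORIGINAL, new_id), h_fields)


if __name__ == "__main__":
    print("message-id signed:  ", survives_forwarder(["from", "to", "subject", "message-id"]))  # False
    print("message-id unsigned:", survives_forwarder(["from", "to", "subject"]))                # True
```

The same property is what Rich Kulawiec's objection rests on: once Message-ID is outside h=, anyone in the path can rewrite it without invalidating the signature, so loop detection and abuse tracking keyed on it lose their integrity guarantee.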