Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Jay Hennigan via mailop

On 1/13/22 20:24, Scott Mutter via mailop wrote:
The issue is that big name mail service providers, like Gmail, 
Microsoft, Yahoo - do not offer a way to get effective feedback loops.  
Again, this is why I say the AOL feedback loop system of the 2000's was 
so great.  I've NEVER gotten anything from Gmail's Postmaster tools for 
any of the servers (which asks for a domain name and not an IP 
address).  Once in a blue moon I get something from Microsoft's JMRP, 
but they still block IPs with out any reports.  Yahoo's FBL is based on 
DomainKeys.


Have you done the following? This is a very basic first step.

1. Go to https://www.whois.com
2. Enter the IP address of your mail server.
3. Verify at OrgAbuseName, OrgAbusePhone, and OrgAbuseEmail point to 
you. If not, fix it so that they do. You may need to contact your ISP to 
have them SWIP your subnet to you.

4. Send email to the OrgAbuseEmail address.

Did you receive it? Do you check that mailbox regularly?

Many feedback loops depend on the WHOIS record being correct.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Scott Mutter via mailop
The issue is that big name mail service providers, like Gmail, Microsoft,
Yahoo - do not offer a way to get effective feedback loops.  Again, this is
why I say the AOL feedback loop system of the 2000's was so great.  I've
NEVER gotten anything from Gmail's Postmaster tools for any of the servers
(which asks for a domain name and not an IP address).  Once in a blue moon
I get something from Microsoft's JMRP, but they still block IPs with out
any reports.  Yahoo's FBL is based on DomainKeys.

The oft rumor with Gmail's Postmaster tools is that you have to reach a
certain mail sending limit for Google to generate reports, I suspect that
our servers all fall below that threshold.  I suspect it's the same or
similar thing with Microsoft's JMRP.  But both services block our IPs from
time to time.  How - pray, tell - am I supposed to know that these services
are seeing bad things or abuse from our IPs if they don't tell me?

Look, I get it.  It's difficult to justify expending resources generating
feedback reports for IPs that don't really send a lot of mail.  But that
doesn't mean that those IPs can't be sending out unwanted emails.  So I can
understand why these providers don't send out reports for IPs that fall
under a certain threshold.

BUT - that's got to work both ways.  You can't expect me to know that
you're receiving unwanted emails from my server's IP if you do not tell
me.  If I can understand your reasons for not sending out all feedback
reports then you have to understand why small mail server operators get
upset when you suddenly block our IPs and then give us the runaround to get
the IP unblocked.  If you think it's completely unreasonable for us small
time mail server operators to get upset when you block an IP without giving
us any feedback - that's where you've lost touch with reality.

On Thu, Jan 13, 2022 at 9:13 PM Jay Hennigan via mailop 
wrote:

> On 1/13/22 16:08, Scott Mutter via mailop wrote:
> > I'm not sure what value of Recipients is really referring to - but I
> > think this is kind of the question that needs to be asked.  Should the
> > administrator of a sending server (the IP address) be responsible for
> > removing addresses from a mailing list?  Probably.
>
> Absolutely. Not specifically removing addresses from mailing lists, but
> ensuring that the server associated with that IP address doesn't send
> UBE. If abuse originates from that IP address, the administrator of the
> machine bound to that IP is responsible for stopping it whether the
> abuse is spam, brute-force SSH attacks, viruses, SIP attacks, ping
> floods, or any other form of abuse.
>
> > But in order for the
> > administrator of the sending server to know about this, reports are
> > going to have to come to the administrator of the sending server based
> > on it's IP address.
>
> Yes, and that is accomplished by parsing headers, WHOIS, and having a
> working and responsive abuse contact.
>
> > I'm an administrator of a mail server (many mail servers).
>
> Then you should have a vested interest in running a clean shop.
>
> > I (personally) don't really send out emails through these servers.
>
> Most administrators of multi-user mail servers don't personally send
> much mail through them on a percentage basis.
>
> > We sell a service to customers that allows them to use the server to
> > send out emails.
>
> In other words, you profit from allowing others to use your server. You
> charge for the service of delivering mail on behalf of your customers.
>
> > It's those customers that are sending out mailing lists and/or
> > questionable marketing messages, etc.
>
> Then you need to fire the customers who you are presently allowing to
> abuse the Internet. "I don't personally robocall people to pitch car
> warranty scams. I sell phone service to customers. It's those customers
> that are placing the robocalls, etc. I just take their money and enable
> them to annoy people." Whose facility do you think is going to get
> blocked by other carriers and tracked down by the FTC/FCC? You or your
> customers?
>
> > When those customers send messages to Yahoo or any other email service
> > ... they really don't care if the individual recipient at Yahoo or
> > whoever flags that message as spam.  Is this wrong?  Absolutely!  But
> > this is the disconnect from reality that I think a lot of Mailops seem
> > to discount.
>
> Where's the disconnect? You profit by sending mail on behalf of
> customers. Those customers don't care if they are spamming. They aren't
> going to stop spamming because it's profitable for them. You may choose
> not to police your customers because it's profitable for you. The
> victims of the abuse don't know of or care about your relationship with
> your customers. They can easily find you by your IP, however. By
> blocking your IP they avoid abuse from any and all of your customers. It
> sounds like this has gotten your attention and you now realize that
> there is a problem.
>
> > We've reached a 

Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Jay Hennigan via mailop

On 1/13/22 16:08, Scott Mutter via mailop wrote:
I'm not sure what value of Recipients is really referring to - but I 
think this is kind of the question that needs to be asked.  Should the 
administrator of a sending server (the IP address) be responsible for 
removing addresses from a mailing list?  Probably. 


Absolutely. Not specifically removing addresses from mailing lists, but 
ensuring that the server associated with that IP address doesn't send 
UBE. If abuse originates from that IP address, the administrator of the 
machine bound to that IP is responsible for stopping it whether the 
abuse is spam, brute-force SSH attacks, viruses, SIP attacks, ping 
floods, or any other form of abuse.


But in order for the 
administrator of the sending server to know about this, reports are 
going to have to come to the administrator of the sending server based 
on it's IP address.


Yes, and that is accomplished by parsing headers, WHOIS, and having a 
working and responsive abuse contact.



I'm an administrator of a mail server (many mail servers).


Then you should have a vested interest in running a clean shop.


I (personally) don't really send out emails through these servers.


Most administrators of multi-user mail servers don't personally send 
much mail through them on a percentage basis.


We sell a service to customers that allows them to use the server to 
send out emails.


In other words, you profit from allowing others to use your server. You 
charge for the service of delivering mail on behalf of your customers.


It's those customers that are sending out mailing lists and/or 
questionable marketing messages, etc.


Then you need to fire the customers who you are presently allowing to 
abuse the Internet. "I don't personally robocall people to pitch car 
warranty scams. I sell phone service to customers. It's those customers 
that are placing the robocalls, etc. I just take their money and enable 
them to annoy people." Whose facility do you think is going to get 
blocked by other carriers and tracked down by the FTC/FCC? You or your 
customers?


When those customers send messages to Yahoo or any other email service 
... they really don't care if the individual recipient at Yahoo or 
whoever flags that message as spam.  Is this wrong?  Absolutely!  But 
this is the disconnect from reality that I think a lot of Mailops seem 
to discount. 


Where's the disconnect? You profit by sending mail on behalf of 
customers. Those customers don't care if they are spamming. They aren't 
going to stop spamming because it's profitable for them. You may choose 
not to police your customers because it's profitable for you. The 
victims of the abuse don't know of or care about your relationship with 
your customers. They can easily find you by your IP, however. By 
blocking your IP they avoid abuse from any and all of your customers. It 
sounds like this has gotten your attention and you now realize that 
there is a problem.


We've reached a point in society where individuals can't 
read and can't be expected to take the 90 seconds it takes to read and 
understand something, they want to be spoon fed information.  ... If an 
individual in the general public gets a feedback loop report about a 
message being spam... they're not going to read it... they're not going 
to take the time to understand it... they're just going to keep sending 
out to their list just ignoring that report


But you're not the general public. You operate a mail server. Maybe you 
should ensure that the feedback loop reports come to you as the operator 
of the mail server that's originating the abuse. You are a professional 
generating revenue by sending mail on behalf of others. When you get a 
feedback loop report, wouldn't it be a good idea to take the 90 seconds 
to read, understand, and actually act on it?


Now, eventually, Yahoo or whatever mail service, will say that the mail 
server that I'm an administrator to has sent them too much spam and they 
start to block/blacklist/throttle mail from the server.


Indeed. Hopefully that will get your attention and cause you to reduce 
the spam that the server that you administer is sending. This may 
require you to fire your bad customers and take steps to ensure that any 
new customers you acquire aren't bad actors.


I'm left out in the cold because 1) I'm not the one sending out the 
mailing list messages 


Yes. You. Are. Technically, the server that you administer is, but you 
are in control of that server and thus the messages that it sends. You 
are in control of who you take on as a customer.


2) I have no way of getting feedback loop messages 
from Yahoo or whatever mail service for this sending IP 


Why not? Have you tried? FBLs are generally tied to IPs, not domains. Is 
your sending IP associated with you in WHOIS? Do you have a working 
abuse contact listed for it? If so, do you monitor it?


3) there's a 
severe lack of ways to get in touch with a human person at 

Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Jay Hennigan via mailop

On 1/13/22 16:08, Scott Mutter via mailop wrote:
I'm not sure what value of Recipients is really referring to - but I 
think this is kind of the question that needs to be asked.  Should the 
administrator of a sending server (the IP address) be responsible for 
removing addresses from a mailing list?  Probably. 


Absolutely. Not specifically removing addresses from mailing lists, but 
ensuring that the server associated with that IP address doesn't send 
UBE. If abuse originates from that IP address, the administrator of the 
machine bound to that IP is responsible for stopping it whether the 
abuse is spam, brute-force SSH attacks, viruses, SIP attacks, ping 
floods, or any other form of abuse.


But in order for the 
administrator of the sending server to know about this, reports are 
going to have to come to the administrator of the sending server based 
on it's IP address.


Yes, and that is accomplished by parsing headers, WHOIS, and having a 
working and responsive abuse contact.



I'm an administrator of a mail server (many mail servers).


Then you should have a vested interest in running a clean shop.


I (personally) don't really send out emails through these servers.


Most administrators of multi-user mail servers don't personally send 
much mail through them on a percentage basis.


We sell a service to customers that allows them to use the server to 
send out emails.


In other words, you profit from allowing others to use your server. You 
charge for the service of delivering mail on behalf of your customers.


It's those customers that are sending out mailing lists and/or 
questionable marketing messages, etc.


Then you need to fire the customers who you are presently allowing to 
abuse the Internet. "I don't personally robocall people to pitch car 
warranty scams. I sell phone service to customers. It's those customers 
that are placing the robocalls, etc. I just take their money and enable 
them to annoy people." Whose facility do you think is going to get 
blocked by other carriers and tracked down by the FTC/FCC? You or your 
customers?


When those customers send messages to Yahoo or any other email service 
... they really don't care if the individual recipient at Yahoo or 
whoever flags that message as spam.  Is this wrong?  Absolutely!  But 
this is the disconnect from reality that I think a lot of Mailops seem 
to discount. 


Where's the disconnect? You profit by sending mail on behalf of 
customers. Those customers don't care if they are spamming. They aren't 
going to stop spamming because it's profitable for them. You may choose 
not to police your customers because it's profitable for you. The 
victims of the abuse don't know of or care about your relationship with 
your customers. They can easily find you by your IP, however. By 
blocking your IP they avoid abuse from any and all of your customers. It 
sounds like this has gotten your attention and you now realize that 
there is a problem.


We've reached a point in society where individuals can't 
read and can't be expected to take the 90 seconds it takes to read and 
understand something, they want to be spoon fed information.  ... If an 
individual in the general public gets a feedback loop report about a 
message being spam... they're not going to read it... they're not going 
to take the time to understand it... they're just going to keep sending 
out to their list just ignoring that report


But you're not the general public. You operate a mail server. Maybe you 
should ensure that the feedback loop reports come to you as the operator 
of the mail server that's originating the abuse. You are a professional 
generating revenue by sending mail on behalf of others. When you get a 
feedback loop report, wouldn't it be a good idea to take the 90 seconds 
to read, understand, and actually act on it?


Now, eventually, Yahoo or whatever mail service, will say that the mail 
server that I'm an administrator to has sent them too much spam and they 
start to block/blacklist/throttle mail from the server.


Indeed. Hopefully that will get your attention and cause you to reduce 
the spam that the server that you administer is sending. This may 
require you to fire your bad customers and take steps to ensure that any 
new customers you acquire aren't bad actors.


I'm left out in the cold because 1) I'm not the one sending out the 
mailing list messages 


Yes. You. Are. Technically, the server that you administer is, but you 
are in control of that server and thus the messages that it sends. You 
are in control of who you take on as a customer.


2) I have no way of getting feedback loop messages 
from Yahoo or whatever mail service for this sending IP 


Why not? Have you tried? FBLs are generally tied to IPs, not domains. Is 
your sending IP associated with you in WHOIS? Do you have a working 
abuse contact listed for it? If so, do you monitor it?


3) there's a 
severe lack of ways to get in touch with a human person at 

Re: [mailop] [E] Re: What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Scott Mutter via mailop
> Domain reputation is a thing though. If your IP really gets blocked (and
not just throttled; that's a signal you have access to btw) you usually
have a bigger problem.

Unfortunately, that's not what I'm seeing in the real world.  Everything is
IP based.  Go through the archives here at Mailops.  Over the past month
how many messages has this list gotten with request for help from
Microsoft, Comcast, T-Mobile, etc all concerning their mail server IPs
being blocked?  They block by IP address.

I'm not really saying that blocking by IP address is a bad idea.  I get
it.  I get why it's so effective.  I'm just saying you can't say you're
acknowledging spam from certain domains or DomainKeys and then go and block
the IP that's sending.  You're comparing apples to oranges.

I remember the early 00's with AOL's feedback loop.  This was a wonderful,
wonderful thing.  It helped that a lot of people still had AOL email
addresses.  I could sign up all of my SMTP server IPs to funnel in spam
feedback to a single email address.  I could monitor that email address for
feedback reports.  The reports included all of the headers, including the
message ID that I could parse through my logs to identify the sender.  And
then I could take action against that account on our server.  But
eventually AOL addresses died off and that FBL became dormant.  I wish
Gmail, Yahoo, Microsoft, all had similar feedback loops - that would be the
most useful thing to me as a server administrator.  I think Gmail may have
something similar but it's useless because you have to send 100 million
messages a day (or some absurd high number) to get the feedback loop to
register a single incident.  AOL's feedback loop from the 2000s was the
pinnacle of feedback loops.  I think instead of looking at something that
lowly AOL did successfully, all of these big name mail service providers
are taking the idea and trying to "improve" it to the point that it's
ineffective.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] [E] Re: What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Marcel Becker via mailop
On Thu, Jan 13, 2022 at 4:14 PM Scott Mutter via mailop 
wrote:

If a service is going to block/blacklist/throttle messages by the sending
> IP, then what good does it do to base feedback loops and spam reports on a
> domain basis?  A sending IP could have 1000 domains sending from it and
> only 1 of those domains is sending spam or sending to a list that is being
> flagged as spam, but the recipient server isn't going to block based on
> domain, it's going to block based on IP.
>

If one (authenticated) domain from 1000 is spamming from your IP (and all
the other (authenticated) traffic is fine) then no, blocking your IP based
on that is/should not really be a thing. Domain reputation is a thing
though. If your IP really gets blocked (and not just throttled; that's a
signal you have access to btw) you usually have a bigger problem.

- Marcel
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Grant Taylor via mailop

On 1/13/22 5:08 PM, Scott Mutter via mailop wrote:
I'm not sure what value of Recipients is really referring to - but I 
think this is kind of the question that needs to be asked.


I was purposely nebulous specifically because what the exact list is 
doesn't matter.  ;-)


Should the administrator of a sending server (the IP address) be 
responsible for removing addresses from a mailing list?  Probably.


I feel like the SMTP administrator ~> postmaster / hostmaster probably 
wants to /not/ be involved, but that it behooves them to be somewhat 
involved, especially when the reputation of the server / IP / etc. is 
involved ~> at risk.


But in order for the administrator of the sending server to know 
about this, reports are going to have to come to the administrator 
of the sending server based on it's IP address.


Point of order:  I don't think that the reports /must/ go /directly/ to 
-- whom I'm going to refer as -- the postmaster / hostmaster.  But I do 
believe that the messages need to make it to said postmaster / 
hostmaster /in/ /a/ /timely/ /manner/!!!  Meaning that the messages can 
come into a system where the messages ~> tickets are routed to the 
postmaster / hostmaster /in/ /a/ /timely/ /manner/.


I'm going to define a timely manner to be ≤ 24 (wall clock) hours.  I'll 
accept 1 business day / give some slack for a weekend / holiday / etc.


Note:  That's how long I think it should take for the message ~> ticket 
to be routed to the postmaster / hostmaster.  That's completely 
independent of how long said postmaster / hostmaster has to respond to it.


Aside:  I'd like to see a response from the postmaster / hostmaster 
within 72 (wall clock) hours / 3 business days.



I (personally) don't really send out emails through these servers.


I suspect that's quite common, particularly for subscribers of this 
mailing list.


When those customers send messages to Yahoo or any other email service 
... they really don't care if the individual recipient at Yahoo or 
whoever flags that message as spam.


Agreed.


Is this wrong?  Absolutely!


Reluctantly agreed.

But this is the disconnect from reality that I think a lot of Mailops 
seem to discount.


?

We've reached a point in society where individuals can't read 
and can't be expected to take the 90 seconds it takes to read and 
understand something, they want to be spoon fed information.


With heavy resignation in my heart, I agree with your description.

However, I would /require/ that clients using my server to do something 
notoriously questionable, e.g. sending mass email, to actually spend the 
90 seconds to read and act on such bounces / abuse reports / complaints.


Because if they don't do so as the list administrator and I receive 
enough (copies of) notices / abuse reports myself, I would (eventually) 
suspend their services.


Eventually because there would be multiple strikes with escalating 
responses.


... If an individual in the general public gets a feedback loop report 
about a message being spam... they're not going to read it... they're 
not going to take the time to understand it... they're just going to 
keep sending out to their list just ignoring that report


Agreed.

However I do not acknowledge that a mailing list administrator is 
/simply/ a member of the /general/ /public/.  Rather they are a (paying) 
customer and they have agreed to my companies terms of service.  As 
such, they have a responsibility to keep their use of my services clean, 
lest they find themselves looking for a new service provider.


Now, eventually, Yahoo or whatever mail service, will say that the mail 
server that I'm an administrator to has sent them too much spam and they 
start to block/blacklist/throttle mail from the server.


Yep.  Which is why you have the responsibility to keep your server(s) as 
clean as possible.


I'm left out in the cold because 1) I'm not the one sending out the 
mailing list messages 2) I have no way of getting feedback loop messages 
from Yahoo or whatever mail service for this sending IP 3) there's a 
severe lack of ways to get in touch with a human person at Yahoo or 
whatever mail service to discuss the situation.


I made sure that I received a copy of anything and everything that was 
sent to abuse@, postmaster@, and hostmaster@ for any of the domains that 
ran through my servers.  I *REQUIRED* it as a condition of using my 
servers.  --  I would periodically send test messages to the 
aforementioned addresses to confirm that I received copies.


It's not a perfect method by any stretch of the imagination.  But I do 
believe that it is a step in the correct direction.


Some people seem to assume that 1 IP address = 1 domain sending out mail 
= 1 person responsible for managing that.


I assume that these people you speak of have never actually administered 
a server since the '90s when we could just throw IPs at things.



And that is just simply not true.


Agreed.

If a service is going to 

Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Scott Mutter via mailop
I'm not sure what value of Recipients is really referring to - but I think
this is kind of the question that needs to be asked.  Should the
administrator of a sending server (the IP address) be responsible for
removing addresses from a mailing list?  Probably.  But in order for the
administrator of the sending server to know about this, reports are going
to have to come to the administrator of the sending server based on it's IP
address.

I'm an administrator of a mail server (many mail servers).

I (personally) don't really send out emails through these servers.

We sell a service to customers that allows them to use the server to send
out emails.

It's those customers that are sending out mailing lists and/or questionable
marketing messages, etc.

When those customers send messages to Yahoo or any other email service ...
they really don't care if the individual recipient at Yahoo or whoever
flags that message as spam.  Is this wrong?  Absolutely!  But this is the
disconnect from reality that I think a lot of Mailops seem to discount.
We've reached a point in society where individuals can't read and can't be
expected to take the 90 seconds it takes to read and understand something,
they want to be spoon fed information.  ... If an individual in the general
public gets a feedback loop report about a message being spam... they're
not going to read it... they're not going to take the time to understand
it... they're just going to keep sending out to their list just ignoring
that report

Now, eventually, Yahoo or whatever mail service, will say that the mail
server that I'm an administrator to has sent them too much spam and they
start to block/blacklist/throttle mail from the server.

I'm left out in the cold because 1) I'm not the one sending out the mailing
list messages 2) I have no way of getting feedback loop messages from Yahoo
or whatever mail service for this sending IP 3) there's a severe lack of
ways to get in touch with a human person at Yahoo or whatever mail service
to discuss the situation.

Some people seem to assume that 1 IP address = 1 domain sending out mail =
1 person responsible for managing that.  And that is just simply not true.
1 IP address may have 1000s of domains sending out emails, which may refer
to 1000s of different individuals.  The common denominator is the sending
IP address and that's why abuse reports, feedback loops, and all discussion
about the quality/quantity of mail coming from that IP address needs to
refer to the individual that is managing the SMTP service at that IP
address.

If a service is going to block/blacklist/throttle messages by the sending
IP, then what good does it do to base feedback loops and spam reports on a
domain basis?  A sending IP could have 1000 domains sending from it and
only 1 of those domains is sending spam or sending to a list that is being
flagged as spam, but the recipient server isn't going to block based on
domain, it's going to block based on IP.

On Thu, Jan 13, 2022 at 4:23 PM Grant Taylor via mailop 
wrote:

> On 1/13/22 1:00 PM, Scott Mutter via mailop wrote:
> > The person sending out the mails or mailing list often doesn't care if
> > their recipients are flagging messages as spam or if their messages are
> > being treated as spam or unsolicited.
>
> Does this imply that the person sending out the mails to the mailing
> list cares more about the message going to $RECIPIENTS and less about
> the actual value of $RECIPIENTS?  Sort of implying that the SMTP server
> operators have some leeway to remove / unsubscribe a few specific
> recipients from the larger $RECIPIENTS list in the spirit of protecting
> the larger overall system operation and flow?
>
>
>
> --
> Grant. . . .
> unix || die
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Jay Hennigan via mailop

On 1/13/22 00:32, Alessandro Vesely via mailop wrote:

As an extra courtesy you could add something like "We're sorry that 
our mail was considered spam, it's not our intent to send unsolicited 
mail."


That's appropriate for the specific case where the MUA flags the list 
owner that the message was moved to the recipient's spam folder, likely 
a corner case overall but one that has been discussed in this thread. 
I'm not aware of any client-side IMAP implementations that do this, but 
it seems that major provider webmail and IMAP implementations (Yahoo, 
etc.) may.


Also appropriate if the unsubscribe link offers a menu of reasons for 
the unsub and the user selects the "this is spam" option.


Heck, spam is not the reason why one unsubs from a mailing list.  For 
example, one may join a list about a product when she first installed it 
and leave after a while.  Then yes, there are mailing lists with no 
moderators, which send spam.  If the signal to noise ration drops below 
some level one can loose interest in the discussion and then unsubscribe 
from the list.


One situation on which I'm on the receiving end far too frequently is 
email that is totally unsolicited but very obviously "targeted". I get 
unsolicited email on a daily basis for webinars and white papers from 
companies with which I have zero prior interaction but are in my 
industry. I get at least two or three a day, they typically have an 
unsubscribe link, and the vast majority are sent via ESPs with plenty of 
apologists on this list. I'm looking at you, Marketo and Sendgrid.


Complaints to their abuse addresses rarely even get so much as a "You've 
been listwashed" ignore-bot response.



Of course, you only do that when you really didn't send unsolicited mail.


As long as ESPs don't vet customer-provided lists and don't require COI, 
either of which would cut into their bottom line, they send a ton of 
unsolicited mail but claim plausible deniability.


Unsolicited means without subscription, which we don't call "mailing 
list". Perhaps UCE?  Yes, they often sport unsubscribe URIs, since 
they're mandatory in many countries, so as to masquerade as newsletters.


Precisely this. Rampantly this.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Grant Taylor via mailop

On 1/13/22 1:00 PM, Scott Mutter via mailop wrote:
The person sending out the mails or mailing list often doesn't care if 
their recipients are flagging messages as spam or if their messages are 
being treated as spam or unsolicited.


Does this imply that the person sending out the mails to the mailing 
list cares more about the message going to $RECIPIENTS and less about 
the actual value of $RECIPIENTS?  Sort of implying that the SMTP server 
operators have some leeway to remove / unsubscribe a few specific 
recipients from the larger $RECIPIENTS list in the spirit of protecting 
the larger overall system operation and flow?




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Scott Mutter via mailop
I think some of what's lost in this discussion - and it's true this may be
dragging the discussion off-topic, but seems as good a time as any to bring
this up.

Often times the individual maintaining the mailing list or sending out the
emails, is not the same individual that administers and maintains the SMTP
server that's doing the actual sending out.

Props to a mailing list administrators that actually handles unsubscribing
members that flag messages as spam or email senders that actually care
about how their messages are being treated.  But this is most often, not
the case.

The person sending out the mails or mailing list often doesn't care if
their recipients are flagging messages as spam or if their messages are
being treated as spam or unsolicited.  It's only until it comes to the desk
of the SMTP server administrator that the server is blocked/blacklisted
that this then becomes a problem.  That's why I think it's better for mail
servers to focus their feedback loops or however else they report
spam/abuse back to the SMTP server administrator and not the emailing
domain owner.



On Thu, Jan 13, 2022 at 1:13 PM Matt Vernhout via mailop 
wrote:

> On Thu, Jan 13, 2022 at 1:41 AM Jay Hennigan via mailop 
> wrote:
>
>> Agreed 100%.
>>
>> A single acknowledgement of a successful unsubscribe is fine, but don't
>> make them jump through another flaming hoop. This goes double if the
>> "subscription" is the typical webinar/whitepaper spam that they never
>> wanted in the first place.
>>
>> In my opinion, a single reply email, "You have been unsubscribed from
>> xyz mailing list" is a good thing to do.
>>
>
> A number of years ago while working at an ESP we tried this, sending a
> notice that was along the lines of "Thank you for reporting this message as
> spam, we have taken action to remove you from the mailing list and will
> review the sending practices of XYZ Brand ."
>
> Two things happened:
>
> 1 - People replied in large numbers "I never reported this as spam, I want
> to continue receiving these emails" - depending on the day >20% of the
> messages generated this reply
> 2 - People reported the reply/notification as spam.
>
> Needless to say it was a short-lived experiment as it just created more
> support overhead for us having to undo the unsubscribe or deal with angry
> customers getting calls from their subscribers. Which is actually in line
> with where this whole conversation started...
>
> ~ Matt
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Matt Vernhout via mailop
On Thu, Jan 13, 2022 at 1:41 AM Jay Hennigan via mailop 
wrote:

> Agreed 100%.
>
> A single acknowledgement of a successful unsubscribe is fine, but don't
> make them jump through another flaming hoop. This goes double if the
> "subscription" is the typical webinar/whitepaper spam that they never
> wanted in the first place.
>
> In my opinion, a single reply email, "You have been unsubscribed from
> xyz mailing list" is a good thing to do.
>

A number of years ago while working at an ESP we tried this, sending a
notice that was along the lines of "Thank you for reporting this message as
spam, we have taken action to remove you from the mailing list and will
review the sending practices of XYZ Brand ."

Two things happened:

1 - People replied in large numbers "I never reported this as spam, I want
to continue receiving these emails" - depending on the day >20% of the
messages generated this reply
2 - People reported the reply/notification as spam.

Needless to say it was a short-lived experiment as it just created more
support overhead for us having to undo the unsubscribe or deal with angry
customers getting calls from their subscribers. Which is actually in line
with where this whole conversation started...

~ Matt
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] blocked by microsoft -- support procedure?

2022-01-13 Thread Mark G Thomas via mailop
Hi,

On Thu, Jan 13, 2022 at 12:35:25AM -0800, Jyri J. Virkki via mailop wrote:
> On Tue, Jan 11, 2022 at 02:04:56PM -0500, Mark G Thomas via mailop wrote:
> >
> > I'm not generally involved in our support issues, but a coworker at 
> > my work (Linode) reached out to me about what looks to be a new problem 
> > involving hosting customers being blocked by by Microsoft. We have 
> > 150-200 new support tickets about this, starting on December 21, 2021. 
> > Our support goes back and forth with the customers and tries to help, 
> > typically 4 responses, but up to 48, per ticket, and both support and 
> > customers are growing increasingly frustrated.
> 
> Thanks for the support!
> 
> Mine is one of those hundreds of tickets (FYI 16748061).
...
> I got the same response that Linode got (based on the support ticket)
> 
> "Not qualified for mitigation 66.175.223.185/32 Our investigation has
> determined that the above IP(s) do not qualify for mitigation."
> 
> However, today I tried writing to my friend at hotmail.com again and
> this time didn't get the IP-based block bounce, so at least something
> has changed. I'll follow up offline with him later to see if anything
> got delivered or not.

Linode is taking immediate and drastic measures. Since yesterday 50 
accounts represnting several hundred IPs have been cancelled as fraud 
for this specific SMTP-enabled-customer plus high IP churn abuse pattern.

A new policy will be going into effect today, putting further 
restrictions on when support may grant outbound-SMTP-filter removal 
to requesting customers.

Would Linode meet the criteria for getting someone from the Linode's 
Trust and Safety department on this list?

Mark

-- 
Mark G. Thomas , KC3DRE
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Anne P. Mitchell, Esq. via mailop


> On Jan 12, 2022, at 11:30 PM, Jay Hennigan via mailop  
> wrote:
> 
> A single acknowledgement of a successful unsubscribe is fine, but don't make 
> them jump through another flaming hoop. 

It's also a violation of Federal law, which requires a "one-step unsubscribe 
method".

Anne

--
Anne P. Mitchell, Attorney at Law
CEO Get to the Inbox by SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
In-house Counsel: Mail Abuse Prevention System (MAPS) (Closed in 2004)

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Hans-Martin Mosner via mailop
13. Januar 2022 09:32, "Alessandro Vesely via mailop"  
schrieb:

> On Thu 13/Jan/2022 08:01:56 +0100 Hans-Martin Mosner via mailop wrote:
> 
>> Am 13.01.22 um 07:30 schrieb Jay Hennigan via mailop:
>>> In my opinion, a single reply email, "You have been unsubscribed from xyz
>>> mailing list" is a good thing to do.
>> 
>> As an extra courtesy you could add something like "We're sorry that our mail
>> was considered spam, it's not our intent to send unsolicited mail."
> 
> Heck, spam is not the reason why one unsubs from a mailing list. For example,
> one may join a list about a product when she first installed it and leave 
> after
> a while. Then yes, there are mailing lists with no moderators, which send
> spam. If the signal to noise ration drops below some level one can loose
> interest in the discussion and then unsubscribe from the list.

Yes, but the context here was abuse reports and unsubscribing the recipients in 
response to those reports.
Of course you don't need to explain anything if someone unsubscribes themselves.
My goal is transparency and veracity in communication. If someone is 
unsubscribed due to any other reason than themselves hitting an unsubscribe 
button or send mail to the "list-leave" address, it is prudent to tell them the 
reason they were unsubscribed.

Cheers,
Hans-Martin
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] blocked by microsoft -- support procedure?

2022-01-13 Thread Jyri J. Virkki via mailop
On Tue, Jan 11, 2022 at 02:04:56PM -0500, Mark G Thomas via mailop wrote:
>
> I'm not generally involved in our support issues, but a coworker at 
> my work (Linode) reached out to me about what looks to be a new problem 
> involving hosting customers being blocked by by Microsoft. We have 
> 150-200 new support tickets about this, starting on December 21, 2021. 
> Our support goes back and forth with the customers and tries to help, 
> typically 4 responses, but up to 48, per ticket, and both support and 
> customers are growing increasingly frustrated.

Thanks for the support!

Mine is one of those hundreds of tickets (FYI 16748061).

relay=hotmail-com.olc.protection.outlook.com[104.47.14.33]:25, delay=0.85, 
delays=0.04/0.02/0.63/0.16, dsn=5.7.1, status=bounced (host 
hotmail-com.olc.protection.outlook.com[104.47.14.33] said: 550 5.7.1 
Unfortunately, messages from [66.175.223.185] weren't sent. Please contact your 
Internet service provider since part of their network is on our block list 
(S3140). You can also refer your provider to 
http://mail.live.com/mail/troubleshooting.aspx#errors. 
[VI1EUR04FT006.eop-eur04.prod.protection.outlook.com] (in reply to MAIL FROM 
command))

Based on discussion in HN, it seems Microsoft has suddenly blocked off
large parts of the Internet sometime in late December, the delivery
problem is much broader than Linode IP space.

Aside from filing a ticket with Linode (due to the "Please contact
your Internet service provider since part of their network is on our
block list" part in the message) I also tried various ways to contact
Microsoft directly with limited success. I received prompt replies but
they are the same bot-reply form letter, so not clear if anyone is
reading them.

I got the same response that Linode got (based on the support ticket)

"Not qualified for mitigation 66.175.223.185/32 Our investigation has
determined that the above IP(s) do not qualify for mitigation."

However, today I tried writing to my friend at hotmail.com again and
this time didn't get the IP-based block bounce, so at least something
has changed. I'll follow up offline with him later to see if anything
got delivered or not.


-- 
Jyri J. Virkki - Santa Cruz, CA




-- 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] What am I supposed to do with abuse complaints on legit mail?

2022-01-13 Thread Alessandro Vesely via mailop

On Thu 13/Jan/2022 08:01:56 +0100 Hans-Martin Mosner via mailop wrote:

Am 13.01.22 um 07:30 schrieb Jay Hennigan via mailop:
In my opinion, a single reply email, "You have been unsubscribed from xyz 
mailing list" is a good thing to do.


As an extra courtesy you could add something like "We're sorry that our mail 
was considered spam, it's not our intent to send unsolicited mail."



Heck, spam is not the reason why one unsubs from a mailing list.  For example, 
one may join a list about a product when she first installed it and leave after 
a while.  Then yes, there are mailing lists with no moderators, which send 
spam.  If the signal to noise ration drops below some level one can loose 
interest in the discussion and then unsubscribe from the list.




Of course, you only do that when you really didn't send unsolicited mail.



Unsolicited means without subscription, which we don't call "mailing list". 
Perhaps UCE?  Yes, they often sport unsubscribe URIs, since they're mandatory 
in many countries, so as to masquerade as newsletters.



Best
Ale
--





___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop