Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 19 May 2022, at 12:29, Dave Crocker via mailop wrote:

> oh. gosh. we've been wrong about this. for 20 years.

Would you care to enlighten me on how the DNC "technological requirements" differ from the hypothetical "DNE" list we have been discussing, and in particular, pertaining to the simplified use case I provided?

With gratitude

-lem
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 5/19/2022 7:57 AM, Luis E. Muñoz via mailop wrote:

> In this case, not really.

oh. gosh. we've been wrong about this. for 20 years.

d/
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
Hi,

On 19 May 2022 13:16:13 -0400, John Levine via mailop wrote:

> Also remember that the legal rule nearly everywhere outside the US is
> opt-in for bulk mail, so everyone is on the "do not spam" list.

Sure, it is more logical, even more intelligent. Consider when some smart head will introduce the "do not shoot me" list, then anyone not in the list can be legally shot? Including those who do not know about that list?

regards

--
Slavko
https://www.slavino.sk
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On Thu 19/May/2022 14:42:13 +0200 Dave Crocker wrote:
> On 5/19/2022 2:41 AM, Alessandro Vesely via mailop wrote:
>> On Wed 18/May/2022 03:01:49 +0200 Dave Crocker via mailop wrote:
>>> Note that, in spite of DMARC, we still do not have per-user authentication.
>>
>> The FTC report required *domain-level* authentication. They wrote: ... They were assuming that the ISP would at least have true payment records, that would provide useful investigative leads, in case name and address were false.
>
> Since a 'do not email /ME/' requires resolution down to the individual user and this must happen as the mail is being formed or sent, the list or database query must be down to the resolution of the individual. Domain level is not sufficient.

They said that under the ECPA the Commission can issue a Civil Investigative Demand to seek enough information about the individual.

> For authentication only at the domain level to be sufficient, it requires that the owner of the domain explicitly and reliably vet that all addresses in their domain are valid and that all requests for listing, for an address in that domain, be valid. Good luck with that.

Well, except open relays and criminal spammers, domain owners do require some kind of identification before sending. Criminal spammers register their own domains. The uselessness of domain-level authentication arises from the fact that domain owners themselves, not their users, are not identifiable.

Best
Ale
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
It appears that Luis E. Muñoz via mailop said:

> If implemented, the proposal for email could work similarly, if the large ESPs took the same approach. This would only leave us with the "other" type of spam to deal with. I would think that a spamtrap included in the "do not spam" registry could be used to identify non-compliant senders and other classes of spammers.

Although they rarely talk about it, every ESP has a suppression list they apply to their outgoing mail. Partly it's to avoid complaints, partly it's so if a customer tries to mail to suppressed addresses, they know they have a problem customer. It's often called a pander file, by analogy to a US post office rule.

See my comment at the end of this blog post:

https://wordtothewise.com/2016/09/global-suppression-lists/

Also remember that the legal rule nearly everywhere outside the US is opt-in for bulk mail, so everyone is on the "do not spam" list.

R's,
John
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
> On May 19, 2022, at 8:11 AM, Dave Crocker via mailop wrote:
>
> As noted earlier in the thread, there are some actors who are not criminally inclined. Ignorant and/or aggressive, but willing to follow the rules, or at least mostly. So, for example, they properly identify themselves. And given a sufficiently forceful requirement, they will grudgingly conform.

A notable and well-known (in some circles at least) example being Harris Interactive (the Harris Poll), who, when listed on the RBL, after initially saber-rattling and even filing a lawsuit, withdrew the lawsuit and reached out to us (this is when I was in-house at MAPS) asking us/me to guide them in changing their ways, and doing it right. They became the poster child for 'going straight'. (We did press on this, so this is all public knowledge.) To this day I think of them in terms of how an otherwise 'legitimate' organization can be doing it horribly wrong, but then actually turn it around.

(Contrast that to a certain well-known coffee purveyor with an affiliate program, of whom I also think to this day, but for very different reasons (they were actually who I had in mind when we wrote the vendor liability amendment to CAN-SPAM).)

Hrrm...a 'Remember them?' notable spammers/reformed spammers thread could be fun, but probably too much bandwidth-munching for what is intended to be a useful list. :-)

To put it back on track, I'd say that perhaps as many as 50% of companies that apply to ISIPP SuretyMail for certification and inclusion on the IADB Good Senders List are doing it wrong, but are also prepared to change their practices and follow the rules and do it right, but of course this is in part because they *know* they are having deliverability problems, which is why they came to us in the first place. (I'd also say that perhaps 10-15% of applications we get are doing it wrong, and *not* prepared to change once that is pointed out to them).

There are those who don't know but care, those who don't know and don't care, and those who know and don't care.

Anne

--
Anne P. Mitchell, Attorney at Law
CEO ISIPP SuretyMail
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus: Mail Abuse Prevention System (MAPS) (now the anti-spam arm of TrendMicro)
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 19 May 2022, at 10:11, Dave Crocker via mailop wrote:

> Telephone-level DNC is a different category of technological requirement. Very different.

In this case, not really. As implemented in practice, you have to run your list of phone numbers through a filter that will remove matching phones. Doesn't need to touch the actual phone network to implement.

The reason it seems to work better is that technical providers for bulk dialing services take this seriously. They have incentives to do this—fines and scaremongering prospective clients into not doing it themselves.

Also, let's not forget that it is national in scope and design. This, I agree, would make a substantial difference in the applicability. Still would not call it "technological requirement" though.

If implemented, the proposal for email could work similarly, if the large ESPs took the same approach. This would only leave us with the "other" type of spam to deal with. I would think that a spamtrap included in the "do not spam" registry could be used to identify non-compliant senders and other classes of spammers.

Best regards

-lem
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 5/19/2022 6:58 AM, Luis E. Muñoz via mailop wrote:
> On 19 May 2022, at 9:41, Dave Crocker via mailop wrote:
>> So, sure. We haven't been able to do individual-level blocking, so let's add a requirement for an additional bit of complexity. That will probably make this mechanism work a lot better...
>
> Heh, appreciate the humor. It certainly won't make it work worse.

A reasonable view, I think, but it occurs to me that it could.

Taking a narrow, precise requirement -- even one we don't know how to satisfy -- can be made harder to satisfy by confusing the heck out, where an additional requirement creates a distraction. This might move a "we don't know how to do it now, but might be able to figure it out" to a "we don't know how to do it now and almost certainly never will"...

> My point if you will, is that requirements are more complex than what's stated. The reason we won't get them fulfilled—simple or complex—is because there is no incentive for the bad guys to follow the rules.

As noted earlier in the thread, there are some actors who are not criminally inclined. Ignorant and/or aggressive, but willing to follow the rules, or at least mostly. So, for example, they properly identify themselves. And given a sufficiently forceful requirement, they will grudgingly conform.

The other view expressed in the thread was that such folk are not currently an interesting problem, but the criminally inclined are.

(I think aggressive legitimate companies /do/ warrant some effort, but it needs to be reasonably limited and efficient effort. That's what we don't yet have.)

> IIRC, there is (was?) a "National Do Not Call List" implemented in the US at the federal level. Telemarketers and other organizations are required by law to scrub their own lists against this federal registry. This has not made a dent in the amount of spam calls that I get on my various lines.

Telephone-level DNC is a different category of technological requirement. Very different.

d/
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 2022-05-19 at 09:58:37 UTC-0400 (Thu, 19 May 2022 09:58:37 -0400) Luis E. Muñoz via mailop is rumored to have said:

> IIRC, there is (was?) a "National Do Not Call List" implemented in the US at the federal level. Telemarketers and other organizations are required by law to scrub their own lists against this federal registry. This has not made a dent in the amount of spam calls that I get on my various lines.

It has definitely changed the character of 'spam' calls. Before the d-n-c list, it was fairly common to get cold-called by essentially legitimate businesses. It has been years since I got one of those.

This has relevance to email spam. As overall spam has declined over the past few years, criminal-grade spam has become a bigger slice of spam. It has gotten easier and safer to get a 99.9% catch rate over time. I.e. what the d-n-c list did for phone calls, spam-filtering has done for mail.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 19 May 2022, at 9:41, Dave Crocker via mailop wrote:

> So, sure. We haven't been able to do individual-level blocking, so let's add a requirement for an additional bit of complexity. That will probably make this mechanism work a lot better...

Heh, appreciate the humor. It certainly won't make it work worse.

My point if you will, is that requirements are more complex than what's stated. The reason we won't get them fulfilled—simple or complex—is because there is no incentive for the bad guys to follow the rules.

IIRC, there is (was?) a "National Do Not Call List" implemented in the US at the federal level. Telemarketers and other organizations are required by law to scrub their own lists against this federal registry. This has not made a dent in the amount of spam calls that I get on my various lines.

The response / recommendation to establish this new registry, IMO, is simply a way to admit defeat with some grace.

Best regards

-lem
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 5/19/2022 6:30 AM, Luis E. Muñoz via mailop wrote:
> On 19 May 2022, at 8:42, Dave Crocker via mailop wrote:
>> [⋯] Domain level is not sufficient.
>
> But is it though? A corporate providing email to its own users should certainly be able to express a policy that it does not want to allow any form of mailing list email to its users.

My point was meant as "not sufficient for individual do not mail indication". But your response expresses a desire for an /additional/ feature, which is domain-level listing, along with individual level.

So, sure. We haven't been able to do individual-level blocking, so let's add a requirement for an additional bit of complexity. That will probably make this mechanism work a lot better...

d/
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 19 May 2022, at 8:42, Dave Crocker via mailop wrote:

> [⋯] Domain level is not sufficient.

But is it though? A corporate providing email to its own users should certainly be able to express a policy that it does not want to allow any form of mailing list email to its users.

Best regards

-lem
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On 2022-05-19 05:41, Alessandro Vesely via mailop wrote:

> Couldn't the Do Not Email Registry also be domain-based?...

It could. Rodney Joffe (if my memory serves me right), implemented that very thing and offered it up for domain owners to use. AOL and several other majors, including very large corporates (such as mine) jumped on it immediately.

At which point it became clear it wouldn't do a thing. Nobody would use it because it'd cut them off from just about every recipient.

Interestingly enough, that was Rodney's point from the beginning. It was fun while it lasted tho.
Re: [mailop] FTC Report on Feasibility of Creating a 'Do Not Email' List
On Wed 18/May/2022 03:01:49 +0200 Dave Crocker via mailop wrote:
> On 5/17/2022 4:40 PM, Anne Mitchell via mailop wrote:
>> "why we can't do that", culminating in "the Commission concludes that, under present conditions, a National Do Not Email Registry in any form would not have any beneficial impact on the spam problem. It is clear, based on spammers’ abilities to exploit the structure of the email system, that the development of a practical and effective means of authentication is a necessary tool to fight spam.
>
> Note that, in spite of DMARC, we still do not have per-user authentication.

The FTC report required *domain-level* authentication. They wrote:

  Even though domain-level authentication cannot necessarily authenticate the particular person who sent an email, it does authenticate the domain from which the email originated. Law enforcement can then contact the domain to obtain information that could identify the individual sender of the email.

They were assuming that the ISP would at least have true payment records, that would provide useful investigative leads, in case name and address were false.

> More importantly, IMO, mechanisms like this really only apply to legitimate businesses that might be a bit too aggressive.

Their proposed solution was an email address registry used for scrubbing lists that legitimate business supplied in hashed form. That technique requires users to register all the possibly deliverable address+extension forms. Couldn't the Do Not Email Registry also be domain-based?...

> While it is possible it would mitigate some of their aggression, the bigger problem, IMO, are the folk who operate in a criminal style, ignoring rules.

Or, conversely, the domains that still don't sign their email traffic.

Best
Ale
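
The hashed-registry scrubbing discussed in the message above, as an added example that is not part of the original thread: it shows why exact hash matching misses address+extension forms unless each one is registered, and how a domain-level entry covers them. SHA-256, lowercasing before hashing, the function names and the sample addresses are assumptions constructed for illustration.

```python
import hashlib


def h(value: str) -> str:
    """Hash a registry key. SHA-256 over the lowercased value is an assumption;
    the thread only says the registry is supplied 'in hashed form'."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def scrub(mailing_list, address_hashes, domain_hashes=frozenset()):
    """Split a sender's list into (kept, suppressed) using only hashes.

    An address is suppressed when the hash of the full address is registered,
    or when the hash of its domain is registered (domain-based listing).
    """
    kept, suppressed = [], []
    for addr in mailing_list:
        domain = addr.rsplit("@", 1)[-1]
        if h(addr) in address_hashes or h(domain) in domain_hashes:
            suppressed.append(addr)
        else:
            kept.append(addr)
    return kept, suppressed


# Constructed sample data (not from the thread).
ADDRESS_REGISTRY = {h("alice@example.org")}   # one user registered one form
DOMAIN_REGISTRY = {h("example.net")}          # one domain opted out entirely
SENDER_LIST = [
    "alice@example.org",
    "Alice@Example.ORG",        # same mailbox, different case
    "alice+news@example.org",   # same mailbox, unregistered +extension form
    "bob@example.net",
    "bob+shop@example.net",
    "carol@example.com",
]


def demo():
    """Return scrub results without and with domain-level entries."""
    address_only = scrub(SENDER_LIST, ADDRESS_REGISTRY)
    with_domains = scrub(SENDER_LIST, ADDRESS_REGISTRY, DOMAIN_REGISTRY)
    return address_only, with_domains


if __name__ == "__main__":
    for label, (kept, suppressed) in zip(("address-only", "with domains"), demo()):
        print(label, "kept:", kept, "suppressed:", suppressed)
```

With address-only matching, `alice+news@example.org` stays on the sender's list because its hash was never registered; the domain entry for `example.net` suppresses every form of `bob` without any per-address registration.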
Re: [mailop] Spamhaus: Get more details about LISTING (Could a DMARC Report Address point to a spamtrap)?
Following up to this issue...

The 'comments' field while requesting a delisting is obviously not being looked at by Spamhaus.

Opening a case via their contacts page worked smoothly and the cause was found in a 'too aggressive rule' that has been fixed in the meantime, but still no very clear statement, which email from our system caused the listing.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G - Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch