Re: IADB whitelist
> My sense is that ESPs engage ISIPP thinking they are getting an advocate and
> ambassador to mailbox providers when in fact they get a teacher/evangelist
> for sender best practices.

ITYM 'schooled in best practices. ;-) ;-)

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell | LinkedIn/in/annemitchell
Re: IADB whitelist
On 26 Dec 2017, at 9:46 (-0500), Sebastian Arcus wrote:

> So you will excuse me if I take any whitelist which helps marketing emailing
> lists "improve deliverability" with a very big dollop of salt.

Of course. I don't give significant ham weight to any of the default IADB rules other than RCVD_IN_IADB_ML_DOPTIN, RCVD_IN_IADB_DOPTIN, and RCVD_IN_IADB_OOO.

IADB helps improve deliverability in part by having that myriad of responses which each mean something different, which both lets receivers know sender practice in fine detail AND provides (in theory) an incentive for the sender to do better.

My sense is that ESPs engage ISIPP thinking they are getting an advocate and ambassador to mailbox providers when in fact they get a teacher/evangelist for sender best practices.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
Re: IADB whitelist
On Tue, 26 Dec 2017, Anne P. Mitchell Esq. wrote:

>> What do you call *verified* opt-in (what the marketers call "double opt-in"),
>> where the recipient needs to confirm that they gave permission for contact
>> via that email address before receiving any content, in order to avoid
>> unwanted third-party subscriptions?
>
> Confirmed opt-in, which is what it was called back at MAPS and when we
> launched SuretyMail.
>
> Even there we have granular breakdowns, such as:
>
> 127.3.100.8   All mailing list mail is at least opt-in, and has a confirmed
>               (double) opt-in mechanism available, used less than 50% of the time
> 127.3.100.9   All mailing list mail is at least opt-in, and has a confirmed
>               (double) opt-in mechanism available, used more than 50% of the time
> 127.3.100.10  All mailing list mail is confirmed (double) opt-in

Beautiful, thanks!

> (Note that we include the 'double' term (even though I feel I have to shower
> after typing it)

likewise. :)

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.                              -- Charles Murray
-----------------------------------------------------------------------
 271 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: IADB whitelist
> What do you call *verified* opt-in (what the marketers call "double opt-in"),
> where the recipient needs to confirm that they gave permission for contact
> via that email address before receiving any content, in order to avoid
> unwanted third-party subscriptions?

Confirmed opt-in, which is what it was called back at MAPS and when we launched SuretyMail.

Even there we have granular breakdowns, such as:

127.3.100.8   All mailing list mail is at least opt-in, and has a confirmed (double) opt-in mechanism available, used less than 50% of the time
127.3.100.9   All mailing list mail is at least opt-in, and has a confirmed (double) opt-in mechanism available, used more than 50% of the time
127.3.100.10  All mailing list mail is confirmed (double) opt-in

(Note that we include the 'double' term (even though I feel I have to shower after typing it) because that is the vernacular with which more senders are familiar.

Also note that there are data response codes that we would, in fact, almost never (if ever) use, but which are *great* for applicant screening - so for example if an applicant says:

"Accepts unverified sign-ups such as through web page" (which is one of our codes)

...they are never actually going to get certified (unless we can educate them and they actually change their wicked ways).

You can see the full list of codes here:
http://www.isipp.com/email-accreditation/about-the-codes/list-of-codes/

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
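The return codes Anne quotes above, together with Bill Cole's remark earlier in the thread that only RCVD_IN_IADB_ML_DOPTIN, RCVD_IN_IADB_DOPTIN and RCVD_IN_IADB_OOO get significant ham weight on his system, describe how a receiver should treat a DNSBL that answers with many distinct codes. The following is an added example, not code from SpamAssassin or from ISIPP: it builds the reversed-octet DNSBL query name, decodes the three codes quoted in this message, and applies a receiver-side weighting in which only confirmed opt-in earns ham weight while unrecognised codes are surfaced rather than trusted. The zone name iadb.isipp.com, the weights, the extra code 127.3.100.99 and the stub resolver data are assumptions constructed for the example so that it runs offline.

```python
"""Decode IADB DNSBL return codes and apply a receiver-side weighting policy.

Added example, not SpamAssassin or ISIPP code. The three 127.3.100.x codes and
their meanings are quoted from this thread; everything else is constructed.
"""
import ipaddress

# Assumed zone name for the lookup; confirm against ISIPP's documentation.
IADB_ZONE = "iadb.isipp.com"

# Return codes quoted in the thread and their published meaning.
IADB_CODES = {
    "127.3.100.8": "all list mail at least opt-in; confirmed opt-in available, used <50% of the time",
    "127.3.100.9": "all list mail at least opt-in; confirmed opt-in available, used >50% of the time",
    "127.3.100.10": "all list mail is confirmed (double) opt-in",
}

# Receiver policy in the spirit of Bill Cole's comment: only confirmed opt-in
# earns real ham weight. The numbers are constructed, not SpamAssassin defaults.
HAM_WEIGHT = {
    "127.3.100.10": -2.0,
    "127.3.100.9": -0.5,
    "127.3.100.8": 0.0,
}


def dnsbl_query_name(ip, zone=IADB_ZONE):
    """Build the reversed-octet query name used for IPv4 DNSBL lookups."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup_iadb(ip, resolver):
    """Return the A-record codes the zone answers for `ip` ([] when unlisted)."""
    return resolver(dnsbl_query_name(ip))


def score_iadb(codes):
    """Sum the ham weight of recognised codes; report unknown ones separately."""
    total = 0.0
    unknown = []
    for code in codes:
        if code in HAM_WEIGHT:
            total += HAM_WEIGHT[code]
        else:
            unknown.append(code)  # new or undocumented codes get reviewed, not trusted
    return total, unknown


# Constructed stub standing in for a real DNS resolver (TEST-NET-1 addresses).
_STUB_ZONE = {
    "10.2.0.192." + IADB_ZONE: ["127.3.100.10"],                  # 192.0.2.10: confirmed opt-in
    "20.2.0.192." + IADB_ZONE: ["127.3.100.8"],                   # 192.0.2.20: mostly single opt-in
    "30.2.0.192." + IADB_ZONE: ["127.3.100.9", "127.3.100.99"],   # 192.0.2.30: one code we don't know
}


def stub_resolver(qname):
    return _STUB_ZONE.get(qname, [])


def classify(ip, resolver=stub_resolver):
    """Look up one sending IP and return codes, meanings and the resulting weight."""
    codes = lookup_iadb(ip, resolver)
    weight, unknown = score_iadb(codes)
    return {
        "ip": ip,
        "codes": codes,
        "meanings": [IADB_CODES.get(c, "unknown code") for c in codes],
        "ham_weight": weight,
        "unknown": unknown,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(classify(ip))
```

In production the stub is replaced by a real resolver, and the point of keeping `unknown` visible is the one Bill makes: a listing by itself is a statement about sender intentions, so a code your policy has not explicitly mapped should score nothing until someone has read its definition.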
Re: IADB whitelist
On Tue, 26 Dec 2017, Anne P. Mitchell Esq. wrote:

> Where we say "opt-in" we mean exactly that - single opt-in; if someone didn't
> ask for the email not only would we call that "opt-out", but we would not
> certify that sender's email.

What do you call *verified* opt-in (what the marketers call "double opt-in"), where the recipient needs to confirm that they gave permission for contact via that email address before receiving any content, in order to avoid unwanted third-party subscriptions?

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
-----------------------------------------------------------------------
  If you ask amateurs to act as front-line security personnel, you
  shouldn't be surprised when you get amateur security.  -- Bruce Schneier
-----------------------------------------------------------------------
 271 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: IADB whitelist
> 'magically' re-subscribe after a while, or simply get around rules by
> creating a new list and re-subscribing everybody who unsubscribed.

Just so you know, that behavior is specifically made illegal by CAN-SPAM. And Sebastian, I see that you are in the UK, which already has tighter laws.

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
Re: IADB whitelist
Bill, thank you for this excellent explanation, and for the kind words!

For those of you who don't know us, or me, I came out of MAPS; I was in-house counsel for MAPS during the first rash of lawsuits against MAPS brought by spammers. To say that I am rabidly anti-spam would be an understatement.

ISIPP, and our SuretyMail service, were founded by me a year and a bit after I left MAPS. As such, our priority has always been, and remains, first and foremost, to the *receivers* - ISPs, spam filters, and any receiver who is using our data/zones.

It is true that the senders are our paying customers, however by design the amount of monies we receive from any given customer is small enough that the pleasure of whacking a spammer far outweighs any downside of giving a paying customer the boot if they are not doing The Right Thing. Plus, we have a very extensive background check that we put a potential customer (sender) through before we will certify them. We reject plenty of applicants.

> However, the different responses from IADB are VERY nuanced and the two
> strongest rules you listed (RCVD_IN_IADB_OPTIN and RCVD_IN_IADB_VOUCHED) are
> essentially "good intentions" markers.

> Due to unfortunate terminology choices by ISIPP and a willingness to engage
> in nuance and estimate intentions, those aren't really as worthwhile as they
> might seem.

Hey Bill - can you please elaborate on the terminology choices which you see as unfortunate? We are *always* open to input.

Where we say "opt-in" we mean exactly that - single opt-in; if someone didn't ask for the email not only would we call that "opt-out", but we would not certify that sender's email. And if one of our senders is sending spam where they claim that all of their mailings are 100% opt-in (at least) we want to know, because...whack!

Seriously, we are always open to feedback, and if a change in terminology is warranted we have no problem doing that (we also are happy to create a custom zone based on whatever the receiver wants for those who would like zones with highly specific profiles of the IPs therein - some receivers do that because they can't take advantage of the granularity of the data in our zones (although that is not the case for SA...in fact our data response codes were *specifically* created for SA because SA *can* take advantage of that level of granularity)).

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
http://www.SuretyMail.com/
Re: DMARC and mailing lists (was Re: IADB whitelist)
Matus UHLAR - fantomas wrote on 2017-12-26 18:49:
>> have you never been subscribed to spammers' blacklist without your permission?

On 26.12.17 19:01, Benny Pedersen wrote:
> hopefully apache.org does know how to handle spam

you did not narrow your sentence on apache mailing lists, perhaps you should.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: DMARC and mailing lists (was Re: IADB whitelist)
Matus UHLAR - fantomas wrote on 2017-12-26 18:49:
> have you never been subscribed to spammers' blacklist without your permission?

hopefully apache.org does know how to handle spam
Re: DMARC and mailing lists (was Re: IADB whitelist)
RW wrote on 2017-12-26 18:05:
>> I didn't receive any posts in "IADB whitelist" thread from the OP because
>> they all failed DMARC with a reject policy. I found the posts on gmane.

On 26.12.17 18:21, Benny Pedersen wrote:
> stop reject maillists no matter if dmarc fails

have you never been subscribed to spammers' blacklist without your permission?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Microsoft dick is soft to do no harm
Re: DMARC and mailing lists (was Re: IADB whitelist)
RW wrote on 2017-12-26 18:05:
> I didn't receive any posts in "IADB whitelist" thread from the OP because
> they all failed DMARC with a reject policy. I found the posts on gmane.

stop reject maillists no matter if dmarc fails

> Posting to mailing lists with a domain using a strict DMARC policy is
> inherently risky because you are losing the redundancy of an aligned SPF
> pass and there's a lot that can go wrong with DKIM.

policy reject is safe on spamassassin maillist just like it is on postfix maillist, but you report a different problem that does not help it

> In this case the open-t.co.uk DKIM signature signed "reply-to" and a lot of
> "list-*" headers that are added by the list. This guaranteed a DKIM fail
> downstream of the list servers.

this is the error, sadly systems try to sign all headers without understanding what happened with this

> I thought it was worth pointing this out to avoid others making similar
> mistakes. However, DMARC problems could generally be mitigated by the
> listservers adding ARC headers.

make apache.org reject dmarc fails, possible ?, opendkim can test unsafe header signed for maillist members

add hermes.apache.org to opendkim AND opendmarc trusted sender ip

arc is basically help make it worse :(

note signed headers on my post here, its default in opendkim, if more headers is signed it dmarc unsafe
DMARC and mailing lists (was Re: IADB whitelist)
I didn't receive any posts in "IADB whitelist" thread from the OP because they all failed DMARC with a reject policy. I found the posts on gmane.

Posting to mailing lists with a domain using a strict DMARC policy is inherently risky because you are losing the redundancy of an aligned SPF pass and there's a lot that can go wrong with DKIM.

In this case the open-t.co.uk DKIM signature signed "reply-to" and a lot of "list-*" headers that are added by the list. This guaranteed a DKIM fail downstream of the list servers.

I thought it was worth pointing this out to avoid others making similar mistakes. However, DMARC problems could generally be mitigated by the listservers adding ARC headers.
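RW's diagnosis (the signer listed reply-to and list-* headers in the signature even though they were absent, so when the list added them the DKIM signature was guaranteed to fail downstream) can be reproduced with just the header-hash part of DKIM. The block below is an added example, not code from opendkim, from the Apache list servers or from anyone in this thread: it implements the RFC 6376 "relaxed" header canonicalization over an h= list, with SHA-256 standing in for the RSA signature step, and compares the hash computed at signing time with the hash a verifier would compute after a list manager has added its headers. It also includes the check Benny asks for, flagging which h= entries a list is likely to add or rewrite. The two messages, the list-added headers and the LIST_MUTABLE set are constructed for the example.

```python
"""Why signing list-mutable headers guarantees a DKIM failure after a list.

Added example; only the header-hash part of DKIM (RFC 6376 relaxed
canonicalization over h=) is implemented, with SHA-256 in place of RSA.
"""
import hashlib
import re

# Header names a mailing-list manager commonly adds or rewrites in transit.
# Constructed for this example from the headers named in the thread.
LIST_MUTABLE = {"reply-to", "list-id", "list-unsubscribe", "list-post",
                "list-help", "list-subscribe", "list-archive"}


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse WSP, trim both ends
    return f"{name.lower()}:{value}\r\n"


def header_hash(headers, signed):
    """Hash the fields named in h=, in h= order.

    Each name consumes the last not-yet-used instance of that header (bottom
    up, as the RFC requires). A name with no remaining instance contributes
    nothing; that is what "oversigning" relies on to pin a header against
    later addition, and also what breaks when a list adds that header.
    """
    remaining = list(headers)  # (name, value) pairs in message order
    parts = []
    for name in signed:
        match = None
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                match = remaining.pop(i)
                break
        parts.append(relaxed_header(name, match[1]) if match else "")
    return hashlib.sha256("".join(parts).encode()).hexdigest()


def unsafe_for_lists(signed):
    """Names in h= that a mailing list is likely to add or rewrite."""
    return [n for n in signed
            if n.lower() in LIST_MUTABLE or n.lower().startswith("list-")]


# Constructed message as the author's MTA signed it.
ORIGINAL = [
    ("From", "someone@example.org"),
    ("To", "users@lists.example.net"),
    ("Subject", "Re: IADB whitelist"),
    ("Date", "Tue, 26 Dec 2017 18:05:00 +0000"),
]

# Headers a constructed list manager appends on the way through.
LIST_ADDED = [
    ("List-Id", "<users.lists.example.net>"),
    ("List-Unsubscribe", "<mailto:users-unsubscribe@lists.example.net>"),
    ("Reply-To", "users@lists.example.net"),
]

# h= as the thread describes it: reply-to and list-* pinned while absent.
H_LIST_UNSAFE = ["from", "to", "subject", "date",
                 "reply-to", "list-id", "list-unsubscribe"]
# h= covering only headers the author actually controls.
H_LIST_SAFE = ["from", "to", "subject", "date"]


def survives_list(signed):
    """True if the hash computed at signing still matches after the list."""
    return header_hash(ORIGINAL, signed) == header_hash(ORIGINAL + LIST_ADDED, signed)


if __name__ == "__main__":
    for label, h in (("unsafe", H_LIST_UNSAFE), ("safe", H_LIST_SAFE)):
        print(f"{label}: survives list = {survives_list(h)};"
              f" list-mutable entries = {unsafe_for_lists(h)}")
```

The safe variant still signs From, To, Subject and Date, so it keeps the coverage DMARC alignment depends on; what it drops is only the pinning of headers the author never controls. Oversigning remains a legitimate defence against a second From: being injected, so the check to run against an outgoing signer's configuration is "which of my h= names does a list manager add or rewrite", not "sign as few headers as possible".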
Re: IADB whitelist
On 25/12/17 23:57, Bill Cole wrote:
> On 25 Dec 2017, at 3:28 (-0500), Sebastian Arcus wrote:
>> Also, any idea why are there 6 different rules associated with this
>> particular whitelist?
>
> IADB has many independent return codes that each have distinct meaning. See
> http://www.isipp.com/email-accreditation/about-the-codes/list-of-codes/ for
> details.
>
> If you get mail from an IADB-listed sender that you are 100% sure is spam
> (i.e. not "I would never ask for such mail" but "the recipient absolutely
> did not consent to receiving this mail.") then you should report that to
> ISIPP. "ab...@suretymail.com" is the reporting address listed on their
> website and while I've not had cause to use it, people I trust with no
> reason to lie say that reports to that address do actually work to either
> change sender behavior or eliminate listings. Anne Mitchell (head of ISIPP)
> is an ex-coworker of mine whose integrity and dedication to the anti-spam
> fight (which is dependent on keeping *wanted* mail deliverable) I can
> personally vouch for.
>
> However, the different responses from IADB are VERY nuanced and the two
> strongest rules you listed (RCVD_IN_IADB_OPTIN and RCVD_IN_IADB_VOUCHED) are
> essentially "good intentions" markers.
>
> Due to unfortunate terminology choices by ISIPP and a willingness to engage
> in nuance and estimate intentions, those aren't really as worthwhile as they
> might seem. The IADB definition of "All mailing list mail is opt-in" is
> (effectively) "we believe that this ESP believes in good faith that every
> recipient has chosen to receive this mail." Their "vouching" for a record is
> an assertion that either the ESP is personally known to ISIPP staff as
> competent and honest OR has maintained stable positive listings for >6
> months. I'm pretty sure I don't want ANY score for a non-vouched record and
> unlike ISIPP (and some valuable SA contributors!) I really don't care much
> about ESPs' intentions or responsiveness to complaints, only about actual
> spamming behavior.
>
> So I have made substantial modification on my own system to how IADB
> results are scored, but those specific adjustments are probably not fit for
> most other sites.

Thank you for a detailed reply. Like you as well, I don't put much weight on what ESPs say they do or intend to do. I'm afraid the email marketing industry is rather murky and the line between legitimate marketing and spamming is often pretty much non-existent - with apologies to those few operators who actually run an honest operation. I see daily examples of supposedly legit operators who don't actually act on unsubscribe requests, or 'magically' re-subscribe after a while, or simply get around rules by creating a new list and re-subscribing everybody who unsubscribed.

And frankly, the whole issue of consent is blurred beyond any usefulness. If you have ever made the mistake of leaving the tick box selected for "receive offers from our carefully selected partners", it is virtually impossible to take that consent back, as your email address gets passed from database to database, never to be removed again. Besides, with most people purchasing things from so many different sources, and creating accounts on so many websites, how many would actually be able to say for sure (and prove it) that they never gave consent to be emailed by "carefully selected partners"?

So you will excuse me if I take any whitelist which helps marketing emailing lists "improve deliverability" with a very big dollop of salt.