Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
Keep that one sign-up message. It's a very small per-user piece of data, and it would certainly be proof enough and to spare for me. Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ? -Original Mess

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 09:29, Michael Wise via mailop wrote: > > ... when the server receives it, it gets authenticated. > Or did you forget this? That doesn't help when attempting to provide "proof" of signup at some future date - it will simply be a message with a DKIM sig that can no longer be confirmed.

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-10 Thread Franck Martin via mailop
On Thu, Jun 9, 2016 at 2:59 PM, Laura Atkins wrote: > > > On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt > wrote: > > > > On 09.06.2016 18:20, Laura Atkins wrote: > >> > >>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt > wrote: > >>> > >>> Header-From and Envelope-From are aligned, the sending do

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
... when the server receives it, it gets authenticated. Or did you forget this? Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ? -Original Message- From: mailop [mailto:mailop-boun...@mailop.or

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 05:02, Michael Wise via mailop wrote: > Well, the From: domain would be a good start. > > It would certainly cut down on the trivial forgeries, and could easily > be transferred from the web to email with a single mailto: link. Any signed DKIM message can only be authenticated while t

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Shawn K. Hall
> You demonstrated the need for a flag day when you stated that > the ESPs need to give the ISPs "a hint" that things are > changing. Expecting every ESP to contact every ISP is ridiculous. No, what he said was that ESPs *could* give a hint. All RFCs and IETF recommendations are just that - rec

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 12:56 PM, Bill Cole > wrote: > > On 10 Jun 2016, at 11:23, Laura Atkins wrote: > >> In this case, having read the documents and followed the public discussions, >> there’s no real clear benefit. There is also a lot of expense. So that’s a >> problem. The benefits need t

Re: [mailop] Microsoft/Hotmail discards mails

2016-06-10 Thread Luis E. Muñoz
First of all, my kudos to Michael for discussing this so openly. On 10 Jun 2016, at 12:05, Hugo Slabbert wrote: I think everyone gets that the preferred behaviour is to reject at SMTP time, that it gets difficult/impossible to do the more tests you try and stuff into the filtering decision mak

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Bill Cole
On 10 Jun 2016, at 11:23, Laura Atkins wrote: In this case, having read the documents and followed the public discussions, there’s no real clear benefit. There is also a lot of expense. So that’s a problem. The benefits need to be better articulated by the people who want to make the change.

Re: [mailop] Microsoft/Hotmail discards mails

2016-06-10 Thread Hugo Slabbert
On Fri 2016-Jun-10 12:32:20 -0600, Tim Starr wrote: I am not saying this is a good idea, but it sounds to me like what would fit the bill here would be a new folder for each user called "Bounced" in which they would see all messages sent to their email address but which were bounced by their ma

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Vick Khera
On Fri, Jun 10, 2016 at 2:18 PM, Laura Atkins wrote: > You demonstrated the need for a flag day when you stated that the ESPs > need to give the ISPs “a hint” that things are changing. Expecting every > ESP to contact every ISP is ridiculous. > I don't have to contact anyone. I just add the hint

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
Well, the From: domain would be a good start. It would certainly cut down on the trivial forgeries, and could easily be transferred from the web to email with a single mailto: link. Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got th

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
Signed by whom? First off, this would require that sign-ups be transferred from web to email. Secondly, I can see how it could easily be forged. All I'd have to do is set up a mail server to send DKIM-signed email for each "opt-in" request, each with a different DKIM domain out of a set of pre-regi

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Bill Cole
On 9 Jun 2016, at 12:11, John Levine wrote: The http specs are quite clear that GET is not supposed to change the state on the web server. For that you use POST or PUT. Not wrong... Unfortunately, that horse died of old age a decade ago, 5 counties away from the former location of the barn

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
A DKIM-signed submission request? With IP, time stamp, and such like would be pretty undeniable intent to subscribe, IMHO. Or provide plenty of fodder for the sysadmin of the domain in question to track down the imposter. Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam

Re: [mailop] Microsoft/Hotmail discards mails

2016-06-10 Thread Tim Starr
I am not saying this is a good idea, but it sounds to me like what would fit the bill here would be a new folder for each user called "Bounced" in which they would see all messages sent to their email address but which were bounced by their mailbox provider. However, that would defeat the purpose o

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michelle Sullivan
Benoit Panizzon wrote: So the Mailchimp Abuse Desk was asked, with reference to the according legal articles and proof that the email was sent by their customer, to please disclose the identity of the customer sending those emails. Mailchimp always answers, that they are a US company and are onl

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Steve Atkins
> On Jun 10, 2016, at 10:30 AM, John Levine wrote: > >> With regard to Mailchimp, as a non-customer observer it seems to me that >> pre-Mandrill was excellent, post-Mandrill not as much. > > Mandrill is automated, which makes vetting the customers a lot harder. > > They are painfully aware of

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 10:56 AM, Vick Khera wrote: > > > On Fri, Jun 10, 2016 at 12:17 PM, Laura Atkins > wrote: >> The beauty of the proposal is that you can with some cooperation of the mail >> user agent convert the two-click unsub into a one-click. > > And

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide that can't be forged? Also, it does not follow from that requirement that senders must be "identifiable." That may be a separate legal requirement, but it doesn't logically follow from the opt-in proof requirement. I also do

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Vick Khera
On Fri, Jun 10, 2016 at 12:17 PM, Laura Atkins wrote: > The beauty of the proposal is that you can with some cooperation of the > mail user agent convert the two-click unsub into a one-click. > > > And the failure of this proposal is that it requires the MUA to change > current behavior without a

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 10:30 AM, John Levine wrote: > >> With regard to Mailchimp, as a non-customer observer it seems to me that >> pre-Mandrill was excellent, post-Mandrill not as much. > > Mandrill is automated, which makes vetting the customers a lot harder. > > They are painfully aware of

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> > International law? There's no international spam law. I know people > who spend full time trying to piece together spam cases using whatever > law applies in whatever places bits of the spamming happens. > > As others have noted, US companies are not subject to Swiss law, just > as Swiss c

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>I agree. But that doesn't mean he can't get a satisfactory answer about the >international law aspect. And by satisfactory I >mean one that makes sense, not necessarily one that he is going to like. ;-) International law? There's no international spam law. I know people who spend full time t

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread John Levine
>I also am not 100% in agreement that "GET" for HTTP means no altering of >state. I think that's a recent convention coming over from REST based APIs. See section 12.2 of RFC 1945, published over 20 years ago: 12.2 Safe Methods The writers of client software should be aware that the software

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>With regard to Mailchimp, as a non-customer observer it seems to me that >pre-Mandrill was excellent, post-Mandrill not as much. Mandrill is automated, which makes vetting the customers a lot harder. They are painfully aware of that, not sure what they're currently doing about it.

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Jay Hennigan
On 6/10/16 8:31 AM, Suresh Ramasubramanian wrote: I would guess they're happy to can their customer but they are refusing to tell Benoit who the customer is. Which sounds fair to me. May be fair, may be not depending on the proactive/reactive weight. In other words, weight given to preventin

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 9:07 AM, Vick Khera wrote: > > > On Fri, Jun 10, 2016 at 11:23 AM, Laura Atkins > wrote: > Also in this case, there is a significant chance that the proposal will > result in sub-optimal or harmful results. It is a fact that there are > a

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Vick Khera
On Fri, Jun 10, 2016 at 11:23 AM, Laura Atkins wrote: > Also in this case, there is a significant chance that the proposal will > result in sub-optimal or harmful results. It is a fact that there are > appliances and filters out there that follow every link in an email. > Implementing a protocol

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> Venturing an opinion on how much jurisdiction a law enforcement or regulatory > Organization is prepared to assert in a cross border scenario isn't going to > fly too far > > Did you try to identify the spammer with a dummy purchase If he is doing > something illegal? > > --srs > >> On 10

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
Venturing an opinion on how much jurisdiction a law enforcement or regulatory Organization is prepared to assert in a cross border scenario isn't going to fly too far Did you try to identify the spammer with a dummy purchase If he is doing something illegal? --srs > On 10-Jun-2016, at 9:09 P

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> I would guess they're happy to can their customer but they are refusing to > tell Benoit who the customer is. Which sounds fair to me. I agree. But that doesn't mean he can't get a satisfactory answer about the international law aspect. And by satisfactory I mean one that makes sense, not

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
I would guess they're happy to can their customer but they are refusing to tell Benoit who the customer is. Which sounds fair to me. --srs > On 10-Jun-2016, at 8:44 PM, Anne Mitchell wrote: > > Benoit, please contact me offlist, and I will see about getting you to the > right person (MC is a

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 4:10 AM, tobias.herk...@optivo.de wrote: > >> I think it is an insufficient solution that potentially allows a >> security device developer or service to build one click URLs just as >> easily as the ISP could. So it's got two things that I don't like. >> 1- You're requiring

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
Benoit, please contact me offlist, and I will see about getting you to the right person (MC is a certification customer of ours, and I can confirm what Suresh says - they are *very* responsive to spam complaints, but yes, yours isn't really of that nature, at least not in a straight-forward sort

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 1:09 AM, Benoit Panizzon wrote: > > I have seen similar cases on many occasions. > > But what disturbed me most here, is the lack of legal cooperation from > mailchimp. It was obvious, that the sender was located in either > Switzerland or Italy. The spamvertized website w

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread Kurt Andersen (b)
On Fri, Jun 10, 2016 at 7:10 AM, wrote: > The ORT session requirement or > question never wanted to solve this completely different issue at all. > > Every other solution that came up in this discussion, run down to > possible paths: > > 1# much more complex idea, that tries to solve a lot more

Re: [mailop] "One-Click" List-Unsubscribe URIs

2016-06-10 Thread tobias.herkula
On Thu, 9 Jun 2016 13:02:05 -0400 Al Iverson wrote: > On Thu, Jun 9, 2016 at 12:24 PM, wrote: > > On Thu, 9 Jun 2016 11:53:16 -0400 > > Al Iverson wrote: > > > >> This also brings us back to the issue of what happens when security > >> devices or services click the link, instead of the subscri

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Matthias > > Therefore, the sender must be identifiable. If the sender is not > > identifiable, the ISP of the sender must provide the identity of the > > sender. > > On what legal theory is this based on? I am not a lawyer, but in my job I had some contacts with OFCOM, SECO, Lauterkeitskomm

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Matthias Leisi
Benoit, > Therefore, the sender must be identifiable. If the sender is not > identifiable, the ISP of the sender must provide the identity of the > sender. On what legal theory is this based on? > Art. 8 Right to information > https://www.admin.ch/opc/en/classified-compilation/19920153/index.ht

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > As I doubt that mailchimp operates under Swiss jurisdiction- and they > probably have a customer contract that stipulates US jurisdiction .. > you'd have to rely on them suspending the spammer. I am aware of that. But the way mailchimp operates now, is as a spammer heaven. I don't kno

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > They aren’t under any obligation to reveal customer identity to you > and would potentially face legal liability for doing so. This is exactly the problem. Privacy Laws in Switzerland (and most other countries I know) state that the sender must provide proof of opt-in. Therefore,

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
As I doubt that mailchimp operates under Swiss jurisdiction- and they probably have a customer contract that stipulates US jurisdiction .. you'd have to rely on them suspending the spammer. I can't and won't speak for them but I have known them to actively suspend spammers --srs > On 10-Jun

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
Personally - no, I don’t operate a blocklist but I have operated spam filters on rather large ISPs. I’d say - if the spammers in question are suspended I doubt that you’d see any need to block them. They aren’t under any obligation to reveal customer identity to you and would potentially face

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > There seems to be a miscommunication - I personally have seen > Mailchimp / Mandrill suspend a large number of spamming customers. Yes, the Mailchimp Customer I remember most, because one of my personal email addresses was targeted, was suspended, but probably re-subscribed under a s

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
There seems to be a miscommunication - I personally have seen Mailchimp / Mandrill suspend a large number of spamming customers. However your request - which asks to identify a customer - would probably get routed to the legal department rather than a competent abuse team and that might explain

[mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi List I wonder how other Email Ops, especially in Europe, handle Mailchimp and Mandrill App. They are a constant issue with the Swinog Blacklists. The problem boils down to differences in the privacy laws of US vs EU. In Switzerland (and probably most EU countries too), a company who sends

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-10 Thread Bernhard Schmidt
Hi, >> Not sure yet whether my testhost has ended up on a whitelist or >> Google has reverted the behaviour. > > There was a report earlier that Google was experiencing > authentication problems on the inbound and a lot of mail was failing. > I’m guessing what you saw was related to that and it’s