Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On 9/23/11 10:45 AM, John Leslie wrote:
Opt-out, in fact, is entirely possible; but it needs to be a
distributed service, with database and decisions at or very-near
(And I make no claim there is a supportable economic paradigm for
it: but after all, this is a RESEARCH group; this is a legitimate
research topic nonetheless.)
In the SMTP world, only the MDA _can_ know what mailbox an email
will be delivered to -- thus it's plain that the MDA is the ideal
(if not only) place to implement a workable opt-out mechanism.
Subscription to the opt-out service by the recipient has to be a
private transaction between the recipient (or his agent) and the
operator of the MDA. As such, the details of the subscriptions are
necessarily private (and any attempt to end-run that guarantees
the information to be out-of-date).
Keeping an opt-out list secret can't work.
Of course it can, if sufficiently distributed. There might be a
protocol for communicating desires to the MDA-maintainer, but such
traffic need never leak to an upstream, and the database would be
A) What would be the penalty for those that did not know of an opt-out
and yet received an opt-in?
Howzzat? I can't imagine any appropriate penalty beyond the opt-in.
B) What would be the penalty for those that send to the opt-out simply
because they were listed?
I don't understand that question either...
C) How would case A or B be determined?
D) Who would accept penalty notifications?
I don't believe I mentioned any...
E) What would be used to determine accountability?
1- source IP address?
2- DKIM signature (easily spoofed)?
3- SPF (authorization not authentication)?
The question of accountability only arises if there is a contract
between the mass-mailer and the MDA-maintainer -- in which case it
is a contract issue.
The only identifiable and thereby safely accountable entity would be the
IP address owner.
While it may well make sense to use source-IP to verify that a
particular email is covered by contract, that too feels like a contract
With many messages originating from compromised systems, any enforcement
would be analogous to a notification that a system or network has been
compromised. Which organization would manage the announcement of the
blackhole lists? But we are already doing just that in various fashions.
Actually, no. Enforcement could be limited to the MDA in question.
At first blush, it seems reasonable to use results to feed the
algorithms of blacklist maintainers, but that goes beyond the research
I was suggesting...
Until such time there is effective enforcement (removal of IP address
routing for example), opt-out is still an excuse used by spammers.
The excuse, alas, will remain until the US Congress is fixed.
Whether the research _might_ lead to a way to feed good information
to "honest opt-out" mass-mailers is an open question. Clearly it would
need some contract between mass-mailer and MDA (which seems to exceed
any initial research project.
Any legal permission in this regard represents bad law.
John Leslie <john(_at_)jlc(_dot_)net>
Asrg mailing list