ietf-asrg

Re: [Asrg] Opt-Out Notes: too complicated, ignoring history

2003-03-27 22:42:57
    www.cauce.org/proposal, same place it's been for years

    It's a well-known draft. And I usually do not like to criticize CAUCE, I
    actually think it's one of the best anti-spam organizations, but you're
    being too one-sided here.
    The problem is that your proposal forces the same settings on all users
    of the ISP and does not make any distinction on the type of UCE. It also
    does not solve the problem of when a user gave some company consent to
    send emails about new MP3s and they begin to send him credit card offers,
    for example, claiming full consent to send the user whatever they like,
    and afterwards the company goes out of business and the email list is
    sold to another company (as part of a merger process) and now they claim
    consent, etc. etc.
    What we need is a system to regulate the cases above where some type of
    opt-in happened but the company is not behaving properly, and along with
    that regulate all those semi-legit businesses that buy your "opt-in"
    email lists from failed .coms. I'm not talking about trying to regulate
    completely unsolicited email that is trying to send some fraud offer;
    these we need to completely stop. Now as far as regulation, marketing is
    big business in the US and they have powerful friends that will fight in
    court any attempt to pass a law that allows an ISP to choose a unified
    policy for all its subscribers, but if the system is such that the user
    can CHOOSE to opt in or opt out on a per-user basis, they will not be
    able to challenge this kind of law (though I'm sure they'll try...).
    I always try to find a compromise between different positions and what
    you saw in my proposal is such a compromise - it's complex, but it allows
    for local control of opt-in preferences through the ISP (which can set
    default opt-out for everything for its users) or directly by the end
    user, it allows for some government regulation and has privacy issues
    dealt with as best as possible (i.e. your email does not go outside your
    ISP, for example), as well as using such encryption techniques that do
    not allow advertisers to sell permission to email you to somebody else or
    use it for a different purpose. I can't think of any other proposal that
    goes as far and has so many options, which I believe should satisfy all
    sides. Yes, it's complex - most of my proposals are; that is what I'm
    good at - finding good points in different solutions and trying to
    combine them together to offer the good in each while at the same time
    eliminating weaknesses that one particular solution may have; you'll
    probably see this in my other proposals.

    P.S. Keep in mind my opt-out proposal is not designed to regulate UBE;
    it's designed to regulate opt-in and semi-opt-in marketing companies,
    and only those that operate under the law.

    Where is the draft of it? Most banner proposals have had a number of
    problems.


Please keep in mind that the point of his proposal is to provide a spec
for laws that want to provide server operators with a consistent way to
provide notice to senders that they don't want UBE or UCE.  As Hamidi,
Compuserve v. Cyberpromo, and many other cases have established, server
operators are quite entitled to tell unwanted visitors to go away.

    1) "Banner" implies they occur on connection, however you don't yet
    know the policies of the target users until you get a RCPT command.

The banner displays the policy of the server owner.

Every ISP has terms of service, no ISP provides an unlimited unfiltered
bit pipe to and from the entire rest of the world, and no ISP will receive
an unlimited amount of mail for its users.  It's perfectly reasonable for
the terms to say that they don't accept incoming spam unless you pay
extra, just like they say that your mailbox is only 10MB (or whatever),
and if you want to get bigger messages than that, you're out of luck
unless you switch to their higher priced service with bigger mailboxes.

If for some reason a server owner wanted to sell a higher priced service
for people who want spam, he could set up a subdomain with a separate
server (most likely on the same physical equipment) that doesn't say NO
UCE or NO UBE.

    2) There's no good way to deal with the question of legitimate relaying,
       ie. MX records.

The banners on a domain's MXes are the domain's policies.  If a domain has
more than one MX, it would be a good idea if they all published the same
policy, but that's not a technical issue.  Outgoing relays before the
transaction to the MX or incoming relays after that transaction don't
matter, since the MX is where the mail is handed from the sender's agent
to the recipient's.

I realize that you can construct scenarios where a mailbox on server A
without a NO UBE policy is forwarded to a mailbox on server B which does
have a NO UBE policy, but humans interpreting a law wouldn't have any
trouble dealing with that; if the forward was authorized by the user on
server B, it's solicited, if not, it's server A's problem to control his
network.

       All your MXs and other relays need to know the
       preference of every _user_ they relay for, unless they relay only for
       single-user sites.

This is the "every user's entitled to receive all spam" fallacy again.

    3) Likewise, what do outgoing relays do?  For many mails, the user sends
       mail to an outgoing MTA, that relays to an MX, which relays to the
       target MTA.

That wouldn't be a good way to send mail that needs to obey a NO UCE or NO
UBE policy.  So don't do that.  Every ISP I know of doesn't let you send
spam through their MTAs anyway, so this would not be a change to current
practice.

       The only way to deal with this is to require the
       outgoing user to label, so that the MTA which finally talks to the
       final destination can know what to do if it's informed about a
       policy after it issues the RCPT TO:

Not at all.  They could either listwash before sending the mail (we have
sample code on the web site), or hire a mailing service that washes on the
fly.

This proposal does make it somewhat harder, but not overwhelmingly so, to
send UBE or UCE to people who will accept it.  I don't see that as a
problem, since it pushes the cost of spamming back on the spammers.  It's
a content neutral (for NO UBE at least) time and manner regulation.

This has the significant advantage over other proposals I've seen that it
doesn't require any software work by the recipient server operators other
than editing the server banner one time to add the appropriate text,
something that is easy to do with all the SMTP servers I know.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer 
Commissioner
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web
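As an added example (it is not code from the CAUCE proposal, from the poster, or from any real listwashing tool), the listwash step a sender would run under the banner convention discussed above, on the assumption that a receiving MX advertises its policy by putting the literal tokens "NO UCE" and/or "NO UBE" in its 220 greeting, the only tokens the reply mentions. Resolving MX records and reading the greeting over SMTP are replaced by a constructed table of hypothetical domains and banners so the script runs offline; the function and domain names are assumptions. It also handles the case the reply calls a non-technical issue, a domain whose MXs publish different policies, by applying the union of their tokens.

```python
"""Listwash recipients against MX banner policy tokens (NO UCE / NO UBE).

Added example for this thread; not code from the CAUCE proposal, from the
poster, or from any real listwashing tool.  It assumes the convention the
reply describes: a receiving MX advertises its policy by putting the literal
tokens "NO UCE" and/or "NO UBE" in its 220 greeting.  Real code would
resolve each domain's MX records and read the greeting over SMTP; here a
constructed table stands in for both so it runs offline.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample data (hypothetical domains): domain -> [(mx host, 220 greeting)].
SAMPLE_MX_BANNERS: Dict[str, List[Tuple[str, str]]] = {
    "example.com": [
        ("mx1.example.com", "220 mx1.example.com ESMTP NO UCE NO UBE"),
        ("mx2.example.com", "220 mx2.example.com ESMTP NO UCE NO UBE"),
    ],
    "example.net": [
        ("mail.example.net", "220 mail.example.net ESMTP no uce"),
    ],
    # Inconsistent MXs: the reply says they should agree; when they do not,
    # the union of the tokens is applied (most restrictive reading wins).
    "example.org": [
        ("a.mx.example.org", "220 a.mx.example.org ESMTP NO UBE"),
        ("b.mx.example.org", "220 b.mx.example.org ESMTP ready"),
    ],
    "bulk-ok.example": [
        ("mx.bulk-ok.example", "220 mx.bulk-ok.example ESMTP Postfix"),
    ],
}

# "NO UCE" / "NO UBE" as whole words, any case, any run of whitespace between.
TOKEN_RE = re.compile(r"\bNO\s+(UCE|UBE)\b", re.IGNORECASE)


def parse_banner(greeting: str) -> FrozenSet[str]:
    """Return the policy tokens (a subset of {'UCE', 'UBE'}) in a 220 greeting.

    Only a 220 line carries the policy; a 4xx/5xx line (for instance
    '554 No SMTP service here') is not a greeting and is rejected.
    """
    if not greeting.startswith("220"):
        raise ValueError(f"not an SMTP greeting: {greeting!r}")
    return frozenset(m.group(1).upper() for m in TOKEN_RE.finditer(greeting))


def domain_policy(mx_banners: List[Tuple[str, str]]) -> Tuple[FrozenSet[str], bool]:
    """Combine the banners of all MXs for one domain.

    A sender cannot know in advance which MX will answer, so the union of all
    tokens is applied.  The second value reports whether the MXs agreed.
    """
    per_mx = [parse_banner(greeting) for _, greeting in mx_banners]
    union: FrozenSet[str] = frozenset().union(*per_mx)
    consistent = all(tokens == union for tokens in per_mx)
    return union, consistent


def policy_permits(policy: FrozenSet[str], bulk: bool, commercial: bool) -> str:
    """Return '' if a message with these properties may be sent, else the
    token that forbids it.  A sending MTA can make the same check on the fly:
    it has read the 220 greeting before it issues any RCPT TO."""
    if bulk and "UBE" in policy:
        return "NO UBE"
    if commercial and "UCE" in policy:
        return "NO UCE"
    return ""


def listwash(recipients, bulk, commercial, mx_lookup=SAMPLE_MX_BANNERS):
    """Split recipients into (send, suppressed, warnings) for a message that is
    bulk and/or commercial.  Unknown domains are suppressed, not guessed at."""
    send, suppressed, warnings = [], [], []
    for addr in recipients:
        local, _, domain = addr.rpartition("@")
        domain = domain.lower()
        if not local or domain not in mx_lookup:
            suppressed.append((addr, "no MX policy known"))
            continue
        policy, consistent = domain_policy(mx_lookup[domain])
        if not consistent:
            warnings.append(f"{domain}: MX banners disagree; applying {sorted(policy)}")
        reason = policy_permits(policy, bulk, commercial)
        if reason:
            suppressed.append((addr, reason))
        else:
            send.append(addr)
    return send, suppressed, warnings


if __name__ == "__main__":
    targets = ["a@example.com", "b@example.net", "c@example.org",
               "d@bulk-ok.example", "e@unknown.example"]
    for bulk, commercial in [(True, True), (True, False), (False, True)]:
        ok, dropped, warn = listwash(targets, bulk=bulk, commercial=commercial)
        print(f"bulk={bulk} commercial={commercial}: send={ok} drop={dropped} warn={warn}")
```

On the receiving side the one-time edit the reply refers to is the greeting text; in Postfix, for example, that is the `smtpd_banner` setting (`smtpd_banner = $myhostname ESMTP NO UCE NO UBE`), and other MTAs have an equivalent banner option. Note that a commercial but one-to-one message passes a NO UBE host, while a bulk non-commercial message (a newsletter, say) passes a NO UCE host; the two tokens express independent policies and the script treats them that way.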




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg