ietf-asrg

Re: [Asrg] Opt-Out ideas/suggestions?

2011-09-23 13:37:46
On 9/23/11 10:45 AM, John Leslie wrote:
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On 9/23/11 3:58 AM, Richard Kulawiec wrote:

Opt-out is spamming.  (Or conversely, any mailing list operated
without a proper opt-in procedure is a vehicle for spam.)
Agreed.
    I can't resist the opportunity to disagree with Doug...

On 23 Sep 2011 01:39:22 -0000 "John Levine" <johnl(_at_)taugh(_dot_)com> wrote:
["BOBOTEK, ALEX" <ab3778(_at_)att(_dot_)com> wrote:]
A notable example of 'opt-out' that comes to mind is not in the world
of email, but the 'do not call' list used for telephony.
True.  The do-not-spam list is one of those ideas that keeps
coming around.  Phones and e-mail are not really comparable here
because there is a fixed well-known set of phone numbers, while
there isn't a fixed set of e-mail addresses.  I can easily list all
the numbers I don't want people to call, but I can only describe the
set of email addresses not to spam by using pattern matching.
    Opt-out, in fact, is entirely possible; but it needs to be a
distributed service, with database and decisions at or very-near
the mail-distribution-agent.

    (And I make no claim there is a supportable economic paradigm for
it: but after all, this is a RESEARCH group; this is a legitimate
research topic nonetheless.)

    In the SMTP world, only the MDA _can_ know what mailbox an email
will be delivered to -- thus it's plain that the MDA is the ideal
(if not only) place to implement a workable opt-out mechanism.

    Subscription to the opt-out service by the recipient has to be a
private transaction between the recipient (or his agent) and the
operator of the MDA. As such, the details of the subscriptions are
necessarily private (and any attempt to end-run that guarantees
the information to be out-of-date).

    IMHO, the subscription -- to give value to the subscriber --
must include _whether_ to return an error, as well as whether to
bit-bucket or quarantine the emails covered by opt-out.

    Likewise IMHO, the subscription must allow different classes of
opt-out conditions. Ideally, some of these might be set by "honest"
mass-mailers; others will necessarily imply filtering algorithms
by the MDA. Probably, the subscription would include whitelisting
for "known-good" senders, maintained by the subscriber (but note
that whitelists which include only "sender email address" have many
problems).

    Anyone want to take this as a research topic?

    (Yes, this _is_ remarkably close to what many ISPs already do...)
John,

Keeping an opt-out list secret can't work.

A) What would be the penalty for those that did not know of an opt-out and yet received an opt-in?
B) What would be the penalty for those that send to the opt-out simply because they were listed?
C) How would case A or B be determined?
D) Who would accept penalty notifications?
E) What would be used to determine accountability?
 1- source IP address?
 2- DKIM signature (easily spoofed)?
 3- SPF (authorization not authentication)?

The only identifiable and thereby safely accountable entity would be the IP address owner.

With many messages originating from compromised systems, any enforcement would be analogous to a notification that a system or network has been compromised. Which organization would manage the announcement of the blackhole lists? But we are already doing just that in various fashions.

Until such time as there is effective enforcement (removal of IP address routing, for example), opt-out is still an excuse used by spammers. Any legal permission in this regard represents bad law. Fortunately, it is still within the prerogative of recipients what traffic they'll accept.

-Doug
--
John Leslie<john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg

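A model of the MDA-side opt-out decision John Leslie sketches above (a per-recipient subscription that chooses whether to return an error, bit-bucket or quarantine; opt-out classes either declared by an "honest" mass-mailer or inferred by MDA filtering; and a subscriber whitelist), written as an added example that is not part of this thread. The class names, the header checks used for inference, and the idea of tying a whitelist entry to a domain the MDA has verified are assumptions made here to illustrate his caveat that whitelists keyed on sender address alone have problems.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Action(Enum):
    ACCEPT = "accept"
    REJECT = "reject"          # return an error to the sender
    QUARANTINE = "quarantine"  # hold for the recipient to inspect
    DISCARD = "discard"        # bit-bucket silently

# Precedence when several subscribed opt-out classes match one message (assumption).
SEVERITY = {Action.REJECT: 3, Action.QUARANTINE: 2, Action.DISCARD: 1}

@dataclass
class Subscription:
    # opt-out class -> disposition chosen by the recipient; known only to the MDA
    classes: dict[str, Action]
    # (sender address, domain the MDA must have verified for the entry to apply, or None)
    whitelist: set[tuple[str, Optional[str]]] = field(default_factory=set)

@dataclass
class Message:
    sender: str
    auth_domain: Optional[str]  # domain the MDA verified for this message, None if unverified
    headers: dict[str, str]
    declared_classes: set[str] = field(default_factory=set)  # set by an "honest" mass-mailer

def infer_classes(msg: Message) -> set[str]:
    """MDA-side filtering: a constructed stand-in for a real classifier."""
    found = set()
    if msg.headers.get("Precedence", "").lower() == "bulk":
        found.add("bulk")
    if "List-Unsubscribe" in msg.headers:
        found.add("mailing-list")
    return found

def mda_decide(sub: Subscription, msg: Message) -> Action:
    # An address-only whitelist entry matches any message claiming that sender;
    # an entry that also names a verified domain does not match a forged one.
    for addr, need_auth in sub.whitelist:
        if addr == msg.sender and (need_auth is None or need_auth == msg.auth_domain):
            return Action.ACCEPT
    matched = msg.declared_classes | infer_classes(msg)
    hits = [sub.classes[c] for c in matched if c in sub.classes]
    if not hits:
        return Action.ACCEPT
    return max(hits, key=SEVERITY.__getitem__)
```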