ietf-asrg

[Asrg] Opt-In definitions

2011-09-28 04:24:24
On 24/Sep/11 01:30, John Leslie wrote:
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
However, random junk easily sidesteps [filtering] rules. This brings
us back to opt-in with perhaps review of junk folders for strays.

   That depends on how you define "opt-in"...

   Technically, it's possible to gather opt-in confirmations and
whitelist the particular List-ID and MTA (though not trivial).

To gather confirmation stealthily is not only difficult, but also
questionable for what concerns the subscriber's consent.

   If the service in question _participates_ in the opt-in, it could
provide additional "secrets" to check on incoming email.

The participation of the subscriber's MTA can significantly harden
opt-in practices.  However, it requires a consent-exchange Internet
protocol for email users.  That can allow MLMs to send list messages
using existing authentication methods, including SMTP AUTH.  The
resulting "triple opt-in" can also feature

* an automatically updated list of subscriptions and redirections,
* actual possibility to erase or rectify each of them,
* easy verification of legitimate behavior,
* catching some illegitimate disclosures of addresses, and
* better anti-spam filtering by whitelisting legitimate messages.

   Personally, I doubt it's worth the trouble for a researcher to try
to duplicate all the details of how ISPs do filtering today -- instead
one needs to invent rules of what "opt-out" _means_.

Since opt-out implies an initial set of addresses anyway, and such
addresses _must_ result from opt-in, it seems that while we want to
harden opt-in on the one hand, we want to weaken it on the other.

For a start, an opt-out request from a customer probably _doesn't_
mean you hunt down an unsubscribe process for any senders except
those with contractual arrangements (possibly through a clearing
service).

Using SMTP AUTH, an MTA can reply "550 user opt-out" right after the
relevant RCPT TO.  Consider that a participating MTA can subscribe
User-987654321(_at_)example(_dot_)com: it is not required to pass the same email
address when the same user subscribes to different lists, even if they
are managed by the same MLM.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
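
The per-list alias and "550 user opt-out" behaviour described in the last paragraph of the message, sketched from the receiving MTA's side as an added example that is not part of the original post or of any ASRG proposal. The class, the HMAC-derived alias format, the reply texts other than "550 user opt-out", and all host names and identities are assumptions made for illustration.

```python
import hashlib
import hmac


class SubscriptionRegistry:
    """Recipient-MTA record of per-list aliases (hypothetical design)."""

    def __init__(self, secret: bytes, domain: str):
        self.secret = secret
        self.domain = domain
        self.subs = {}   # alias -> {"user", "mlm", "list_id", "active"}
        self.leaks = []  # (alias, identity that used it without being its MLM)

    def subscribe(self, user: str, mlm: str, list_id: str) -> str:
        # One alias per (user, MLM, list): the same user never hands the same
        # address to two lists, even when one MLM manages both.
        msg = f"{user}|{mlm}|{list_id}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:12]
        alias = f"user-{tag}@{self.domain}"
        self.subs[alias] = {"user": user, "mlm": mlm,
                            "list_id": list_id, "active": True}
        return alias

    def opt_out(self, alias: str) -> None:
        self.subs[alias]["active"] = False

    def rcpt_to(self, auth_identity: str, alias: str) -> str:
        """Reply to RCPT TO in a session authenticated (SMTP AUTH) as auth_identity."""
        sub = self.subs.get(alias)
        if sub is None:
            return "550 no such subscription"
        if auth_identity != sub["mlm"]:
            # The alias was only ever given to one MLM, so anyone else using
            # it points to a disclosure of the address.
            self.leaks.append((alias, auth_identity))
            return "550 alias not issued to this sender"
        if not sub["active"]:
            return "550 user opt-out"
        return "250 OK"


def demo():
    # Constructed sample data: secret, user, MLM identities and list names.
    reg = SubscriptionRegistry(b"constructed-demo-secret", "example.com")
    a1 = reg.subscribe("alice", "mlm.example.net", "news")
    a2 = reg.subscribe("alice", "mlm.example.net", "offers")
    replies = [reg.rcpt_to("mlm.example.net", a1),     # legitimate list mail
               reg.rcpt_to("other.example.org", a2)]   # alias used by a third party
    reg.opt_out(a1)
    replies.append(reg.rcpt_to("mlm.example.net", a1)) # after the user opts out
    return a1, a2, replies, reg.leaks
```

Because the opt-out state lives at the recipient's MTA, the rejection takes effect at RCPT TO without depending on the sender's unsubscribe process.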