Michel Bouissou <michel(_at_)bouissou(_dot_)net> wrote:
About CSV, I have taken a quick look at the drafts (sorry, I haven't had
the time to read them thoroughly), and I have a question, and a remark :
I prefer to answer the question privately: anyone else wanting my
answer, feel free to ask.
Now for the remark : I am strongly opposing to the idea of would-become-
mandatory "accreditation services".
I believe accreditation services are expected to be part of any MARID
proposal, not just CSV, so I'll respond to this part on-list.
I'm opposing to it both for philosophical reasons, and practical reasons.
First, "accreditation services" will turn into businesses, which will
translate into cost, which means that every domain that will want to send
mail out will have to support this new cost : having to pay a commercial
"accreditation" company to get listed there, if they want their mail to
be accepted.
If there is any "mandate" to use accreditation services, it won't be
coming from MARID. However, burying our heads in the sand won't help:
At best, MARID can verify that a domain intends to authorize particular
actions by MTAs: we can say nothing about whether this authorization
gives the receiver good reason to trust that MTA.
There must be accreditation services (by whatever name we call them)
to provide that critical information link.
CSV drafts discuss how to make accreditation scalable (and, IMHO,
easier to live with). I don't believe the chairs ever inteded to stifle
discussion of accreditation services; so I'm happy to discuss those
issues on-list.
Yes, there will be costs associated with getting accreditation services
to (favorably) list you. I believe we can minimize those costs; and I
believe we can make it possible for many domains to avoid even minimal
costs, so long as they're "well-behaved".
But I don't believe we can avoid accreditation services altogether.
This will introduce costs that many non-profit, personal or vanity
domains will not be able to afford,
I specifically dispute that. Unless we do nothing at all _and_ an
unlikely series of events all happen, nobody's going to be forced to
register with one central expensive accreditation service. The horror
of having to register with multiple expensive accreditation services
can't (IMHO) get much worse than it already is.
My recommendation, however, is to design scalable accreditation
processes sooner, not later, so as to reduce the current horror of
trying to get multiple "free" accreditation services to de-list you.
and I oppose the idea that anybody should have to pay a commercial
company for being allowed to send mail.
Conceivably, Michel would actually prefer to spend time trying to
convince a swarm of "free" services to de-list an IP range, rather than
to pay a few dollars to one accreditation service. Personally, I doubt
that's the majority opinion...
The advantage of current blacklist systems is that no one has to pay
for getting blacklisted ;-) and, if some blacklists are commercial,
such as MAPS, you need to pay to use and query them, not to be listed
in them or not...
(I'm not clear who is "advantaged" by this.)
Also, big companies that send large amounts of email will be well-known
and listed by most, if not all, accreditation services,
To the extent they pay for it, yes.
Currently, most accreditation services only list large companies if
they behave poorly. There's essentially no business case for charging
to de-list them: it opens you to too many lawsuits; instead the best
business practice is to make yourself hard to find -- thus, de-listing
is "free" but nearly impossible. :^(
where little domains, small businesses and individuals that send a
very small amount of mail will mostly be "unknown" everywhere, and
the acceptance of their mail might suffer from this.
From what I know of MAPS, they're capable of handling millions of
domains with low (but non-zero) email volume, and reacting quickly to
just those domains that become the source of problems; and their
business case isn't based on charging either for initial listing _or_
for de-listing. I see no reason other accreditation services wouldn't
build similar business plans.
I discuss this issue in the CSV FAQ at:
http://www.jlc.net/MARID/CSV/FAQ.html
IMHO, one should be deemed innocent until proved guilty, and the
"accreditation services" system turn the things upside-down : One
will be presumed guilty unless listed as innocent. Bad, bad, bad.
I don't see that kind of "accreditation service" as useful --
though I agree it's going to happen. I believe we can best avoid it
by offering a better alternative.
The advantage of blacklists, on the opposite, is that, if ever you
get listed, there is probably a reason,
Evidently, Michel hasn't experienced blacklisting as I have.
Indeed, there probably "is" a reason; but that doesn't mean anyone
will ever be able to tell you what the reason is -- and even if
they do, it's often something over which you have zero control.
and if you're not listed you're presumed innocent. Much better.
Much better for spammers, yes.
I won't give you "much better" for innocent domains, however, since
you never know when you may get listed somewhere and you usually won't
know what to do about it when it happens.
At most, it's "temporarily better" for innocent parties...
--
John Leslie <john(_at_)jlc(_dot_)net>