The problem with the, "Please Reply" method is that it can lead to mailbombing the target. We've seen it happen.
Now if the intended subscriber could send a single message to the mailinglist, and it could be easily proved that it either came from them, or someone that their mail admin could identify and punish, this would also work as CDOI, so to speak. But I agree with you completely on the, "loose definition" issue, and have a rather nasty story about that. Always get the person who asserts their doing it to tell you exactly what that term means to them. " I checked with my manager, and we looked it up, that address DOES Exist! Aloha, Michael. -- Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ? -----Original Message----- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Michael Peddemors Sent: Friday, May 27, 2016 9:50 AM To: mailop@mailop.org Subject: Re: [mailop] signup form abuse Have been watching this thread for a bit, and do have an opinion. First of all, I see a lot of talk about 'COI' (Confirmed Opt-In), rather than the term 'CDOI' (Confirmed Double Opt-in) and the reason I point it out, is that there is a lot of loose definitions of both 'opt-in' and 'confirmed'. While it might be more 'attractive' to offer a simple 'click to confirm', why are you not using the more standard 'Please Reply To' this message if you want to receive these messages? This would solve the problem being discussed, and ensure that the recipient truly wants your message. On 16-05-26 08:06 AM, Alberto Miscia via mailop wrote: > This opens up for an interesting discussion. > We experienced the very same issue in the past for few customers and > enabling a captcha was the only viable option. > The "bots" (don't really know actually) managed to complete a COI > process with several free accounts. > > Ip ranges were different some on CBL some not but blocking a listed IP > in a COI process can be dangerous. > For the very same reason I'd rule out e-hawk and alike. > The vast majority of the addresses were listed on cleantalk.org > > The hidden link in the confirmation email (an HTML comment would work > better than a "white-on-white tiny font" from a > deliverabilityperspective) in may opinion is the way to go. > Even if it can be very tricky to implement, we are seriously > considering it to prevent bot clicks across the board. > > HTH > > Alberto Miscia | MailUp | Head of Deliverability & Compliance > > > 2016-05-26 15:05 GMT+02:00 Vick Khera <vi...@khera.org>: >> >> On Wed, May 25, 2016 at 6:04 PM, Al Iverson <aiver...@spamresource.com> >> wrote: >>> >>> I've heard John Levine propose the "hidden link to catch scanning >>> robots" solution but I've never heard of an email system implementing >> >> >> I'm running through my head how that would work, and makes for some very >> complicated state transition diagrams to go from "signup requested" to >> "confirmed". What if they scan in parallel and the timing works out they >> poked them in the opposite order, etc. I see a few new states and many >> transitions, and some timeout based events. Not pretty. >> >>> >>> it. Similarly, senders have often suggested that spamtrap systems >>> shouldn't follow links. (Security systems, sure, but don't do that >>> with spamtrap addresses.) And today I heard it suggested that it would >>> be wiser to have COI have a second click (probably an HTTP POST-based >> >> >> What if the confirmation email button itself was a POST form rather than >> just a GET to a page? Are scanning systems following POSTs too? >> >>> >>> >>> button) on the landing web page, to prevent security systems from >>> erroneously completing COI confirm steps. All good stuff, but it >> >> >> I don't think you're going to get much buy-in for requiring so many clicks >> to get activated. I know we already lose customer just for requiring COI. >> Making the COI be more work for the subscriber will just make people go >> elsewhere faster. >> >>> >>> doesn't sound as though any of it has been widely broadcasted as a >>> best practice or requirement. >> >> >> >> >> _______________________________________________ >> mailop mailing list >> mailop@mailop.org >> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fchilli.nosignal.org%2fcgi-bin%2fmailman%2flistinfo%2fmailop&data=01%7c01%7cmichael.wise%40microsoft.com%7c8957eb82fca6420f212608d3864fa84d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=nz3dOs%2fKyyotiQ22W%2fjQGE3SJpTAw8tGwS0nbAVglpU%3d >> > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fchilli.nosignal.org%2fcgi-bin%2fmailman%2flistinfo%2fmailop&data=01%7c01%7cmichael.wise%40microsoft.com%7c8957eb82fca6420f212608d3864fa84d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=nz3dOs%2fKyyotiQ22W%2fjQGE3SJpTAw8tGwS0nbAVglpU%3d > -- "Catch the Magic of Linux..." ------------------------------------------------------------------------ Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.linuxmagic.com&data=01%7c01%7cmichael.wise%40microsoft.com%7c8957eb82fca6420f212608d3864fa84d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=GBkLblFpRu2bUyVEHNWAw3QIXmShUXIZxc2RkGD%2fkww%3d @linuxmagic ------------------------------------------------------------------------ A Wizard IT Company - For More Info https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.wizard.ca&data=01%7c01%7cmichael.wise%40microsoft.com%7c8957eb82fca6420f212608d3864fa84d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=NSFnR5zHWc2Hrw5w83Q0f18sBCxL2bRjJMWGX6GZUl8%3d "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd. ------------------------------------------------------------------------ 604-682-0300 Beautiful British Columbia, Canada This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company. _______________________________________________ mailop mailing list mailop@mailop.org https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fchilli.nosignal.org%2fcgi-bin%2fmailman%2flistinfo%2fmailop&data=01%7c01%7cmichael.wise%40microsoft.com%7c8957eb82fca6420f212608d3864fa84d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=nz3dOs%2fKyyotiQ22W%2fjQGE3SJpTAw8tGwS0nbAVglpU%3d _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
