Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-03 Thread Jay Hennigan via mailop

On 6/2/20 14:25, Michael Peddemors via mailop wrote:

> The 'From' header is too easily forged (see all the 'Paypal' and
> 'Netflix' phishing SendGrid is dealing with..


The 'From' header is too easily forged (see all the 'Paypal' and 
'Netflix' phishing SendGrid isn't dealing with..


FTFY.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-03 Thread Atro Tossavainen via mailop
> I've put a subject access request into mailchimp, so I'll see what
> comes back.  I guess depends whether mailchimp think they are
> governed by GDPR or not.

They are of course governed by the GDPR... in the role of the data
*processor*. As such, upon receiving such a request they will have to
refer you to all the customers involved, whom you will need to identify
because clearly not every single one of the millions of customers such
a company might have possess any data on you. The customers are the data
*controllers* and are the ones who would have any data related to you
and other subscribers.

The topic of whether an ESP should want to become a data controller
in its own right is extensively discussed within M3AAWG. It comes up
practically in every meeting and in the discussions in between, and
many fab ideas that could be used to prevent bad sending always come
down to the fact that as soon as you start processing anything related
to your customers' data outside the context of doing your customer's
direct bidding, you go down the rabbit hole of becoming a data controller
and

YOU DON'T WANT TO GO THERE.

One Simon McGarr has lectured us extensively on the topic.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Matt Palmer via mailop
On Tue, Jun 02, 2020 at 11:37:59PM +0300, Atro Tossavainen via mailop wrote:
> On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:
> > It would need to be a standard... a SINGLE standard.
> > 
> > Like the FTC "Do Not Call" list.
> 
> What Michael said... And it would be a colossally bad idea.
> 
> Anybody think it wouldn't leak and be used specifically to spam some
> more? A list of 100% guaranteed working email addresses? :-D

SHA-256 hash them.  The search space for possible e-mail addresses being so
large, it's not practical to brute force the hashes back into valid e-mail
addresses (unlike phone numbers, where you just brute-force the search space
by dialling them all and hassling whoever answers).

Of course, just having a giant list of "do not spam" hashes isn't helpful
without regulatory teeth, which is the main reason why such a system isn't
likely to get up and running any time soon -- since you can spam from
anywhere, avoiding regulation is not particularly difficult.

- Matt
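
Added example (not part of Matt Palmer's message and not any list member's code): how a sender could scrub its own list against a published set of SHA-256 address hashes, so the shared list never contains a plain address. The normalisation rule (trim, lower-case) and every sample address are assumptions constructed for illustration.

```python
import hashlib

def normalize(address: str) -> str:
    """Canonical form both sides must hash (assumed rule: trim and lower-case)."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local}@{domain}".lower()

def address_hash(address: str) -> str:
    """Hex SHA-256 of the normalised address; this is all the list publishes."""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()

def scrub(mailing_list, suppressed_hashes):
    """Split a sender's list into (allowed, suppressed) using hashes only."""
    allowed, suppressed = [], []
    for address in mailing_list:
        try:
            digest = address_hash(address)
        except ValueError:
            continue  # malformed entries are dropped, never mailed
        (suppressed if digest in suppressed_hashes else allowed).append(address)
    return allowed, suppressed

# Constructed sample data: the "do not mail" set holds hashes, not addresses.
DO_NOT_MAIL = {address_hash(a) for a in ("alice@example.org", "bob@example.net")}
SENDER_LIST = ["Alice@Example.org ", "carol@example.com",
               "not-an-address", "bob@example.net"]

if __name__ == "__main__":
    allowed, suppressed = scrub(SENDER_LIST, DO_NOT_MAIL)
    print("allowed:   ", allowed)
    print("suppressed:", suppressed)
```

A lookup only confirms addresses the sender already holds; the same property means anyone can test a guessed or previously leaked address against the set, so the hashes hide the list from enumeration, not from confirmation.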




Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Tim Bray via mailop

On 02/06/2020 21:22, Michael Wise via mailop wrote:

> It would need to be a standard... a SINGLE standard.
>
> Like the FTC "Do Not Call" list.

I wasn't thinking about something central at all.  I was just thinking
about it as something top 1 or 2 market leaders could do to be helpful.

(like various UK banks have secondary security things you can turn on if
you are high risk or a victim of identity theft or in a domestic
violence situation.   The credit reference agencies are helpful too in
terms of letting you see what searches done in your name)

Because I'm unsubscribing from 3 or 4 things a day.  (but like 10
today)  Mainly from reputable marketing companies (like mailchimp)

I don't want rid of all marketing emails.   There are companies whose
mails I want.

Maybe mailchimp could send me a weekly digest of `these 10 companies
signed you up this week`.  And I could just click `unsubscribe from all,
never signed up for this list`.  In one go, rather than several times a day.

I don't really believe I've been sat in people's dormant lists (at an
email service provider) for years and years.   I think it is fresh lists
extracted from CRMs and webstores, but maybe several years of old data.
And maybe people sharing lists with their mates or when sales people
move companies.

(if you pay by paypal, then pretty much the merchant gets your email
address whatever)

I've put a subject access request into mailchimp, so I'll see what comes
back.  I guess depends whether mailchimp think they are governed by GDPR
or not.

--
Tim Bray
Huddersfield, GB
t...@kooky.org



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Luis E. Muñoz via mailop



On 2 Jun 2020, at 14:25, Michael Peddemors via mailop wrote:

> Yeah, and IMHO (don't hit me) that VERP should go the way of the
> Dodo..


This assertion doesn't follow the rest of your message. Even if useless 
for the use case being discussed – for which it was never meant as a 
solution – there are plenty of other valuable use cases for VERP.


Any use case involving a downstream or 1-removed error benefits from 
VERP, because the sending organization can unambiguously know which 
destination address was at fault and can mitigate.


Best regards

-lem



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Michael Peddemors via mailop

Yeah, and IMHO (don't hit me) that VERP should go the way of the Dodo..

If a domain owner wants to have MailChimp send bulk email for them, they 
should add MailChimp to their SPF record.. and have their domain in the 
MAIL FROM.. it helps improve delivery dates.. eg the ISP can safely 
'whitelist' the trusted domain, and use SPF to block forgeries..


The 'From' header is too easily forged (see all the 'Paypal' and 
'Netflix' phishing SendGrid is dealing with..


If you want to say, accept ALL email from MailChimp, sure.. leave the
VERP, even though ANYONE who is 'bouncing' to the VERP, will undoubtedly
be also generating backscatter.. rejecting based on MAIL FROM is much
more efficient email processing, than accepting it, and later trying to
bounce to the MAIL FROM address (see forgeries)


Oh, and BTW "today" it's still SendGrid and MailGun sending to too many
invalid recipients, based on reports from Telcos across North America,
so someone is using old databases for sending..




On 2020-06-02 2:07 p.m., Atro Tossavainen via mailop wrote:

> > In the end, if mailchimp actually DID use the sender's email in the
> > MAIL FROM, it might make it easier.. If they did had a way to see
> > that this was an invite..
>
> Practically all ESPs use VERP.
>
> https://en.wikipedia.org/wiki/Variable_envelope_return_path
>
> It makes sense for them in so many ways. For starters, they can
> guarantee that SPF matches for domains they themselves control, which
> is nowhere near a given with customer domains. It should also make
> bounce processing trivial. (Evidence in the form of Koli-Lõks OÜ
> having a business at all shows that nobody is monitoring that, though.)





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
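
Added example (not part of the message above and not any list member's code): a simplified SPF evaluation showing what a receiver sees when an ESP sends with a customer's domain in MAIL FROM, with and without the customer authorising the ESP in its SPF record. The domains, records and addresses are constructed, the zone is an in-memory stand-in for DNS, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation address ranges).
ZONE = {
    "esp.example":       "v=spf1 ip4:192.0.2.0/24 -all",
    # Customer that authorised the ESP to send with its domain in MAIL FROM:
    "shop.example":      "v=spf1 ip4:198.51.100.7 include:esp.example -all",
    # Customer that never added the ESP to its record:
    "forgotten.example": "v=spf1 ip4:203.0.113.5 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the connecting IP against the MAIL FROM domain's record.

    Simplified: real SPF has more mechanisms, macros, and distinct error
    handling for includes; this sketch treats anything but 'pass' from an
    include as 'no match'.
    """
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                      # stand-in for the DNS lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    esp_ip, other_ip = "192.0.2.25", "203.0.113.99"
    for ip, dom in [(esp_ip, "esp.example"), (esp_ip, "shop.example"),
                    (esp_ip, "forgotten.example"), (other_ip, "shop.example")]:
        print(f"{ip:>14} MAIL FROM @{dom:<18} -> {check_spf(ip, dom)}")
```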



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Atro Tossavainen via mailop
> In the end, if mailchimp actually DID use the sender's email in the
> MAIL FROM, it might make it easier.. If they did had a way to see
> that this was an invite..

Practically all ESPs use VERP.

https://en.wikipedia.org/wiki/Variable_envelope_return_path

It makes sense for them in so many ways. For starters, they can
guarantee that SPF matches for domains they themselves control, which
is nowhere near a given with customer domains. It should also make
bounce processing trivial. (Evidence in the form of Koli-Lõks OÜ
having a business at all shows that nobody is monitoring that, though.)

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
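
Added example (not part of the message above and not any ESP's actual scheme): a VERP round trip showing why bounce processing becomes a simple decode, as this message and Luis E. Muñoz's reply describe. The address layout, the bounce domain, the signing key and the HMAC tag (used so bounces to addresses the sender never issued are discarded) are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch: a per-ESP signing key and a bounce domain the
# ESP controls (so its own SPF record covers every MAIL FROM it generates).
SECRET = b"constructed-demo-key"
BOUNCE_DOMAIN = "bounces.esp.example"

def _tag(campaign: str, recipient: str) -> bytes:
    msg = f"{campaign}|{recipient}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12].encode()

def verp_encode(campaign: str, recipient: str) -> str:
    """Per-recipient envelope sender: bounce+<campaign>.<tag>+<local>=<domain>@..."""
    campaign, recipient = campaign.lower(), recipient.strip().lower()
    local, _, domain = recipient.rpartition("@")
    tag = _tag(campaign, recipient).decode()
    return f"bounce+{campaign}.{tag}+{local}={domain}@{BOUNCE_DOMAIN}"

def verp_decode(return_path: str):
    """Map a bounce's RCPT TO back to (campaign, recipient); None if forged or not ours."""
    local, _, domain = return_path.strip("<> ").lower().rpartition("@")
    if domain != BOUNCE_DOMAIN:
        return None
    parts = local.split("+", 2)      # the recipient's own local part may contain '+'
    if len(parts) != 3 or parts[0] != "bounce":
        return None
    campaign, _, tag = parts[1].rpartition(".")
    rcpt_local, sep, rcpt_domain = parts[2].rpartition("=")  # last '=' stood in for '@'
    if not (campaign and sep and rcpt_local and rcpt_domain):
        return None
    recipient = f"{rcpt_local}@{rcpt_domain}"
    # Constant-time check: a bounce to an address we never issued is
    # backscatter or a forgery, not a delivery failure to act on.
    if not hmac.compare_digest(tag.encode(), _tag(campaign, recipient)):
        return None
    return campaign, recipient

if __name__ == "__main__":
    rp = verp_encode("c42", "Jane.Doe+news@Example.org")    # constructed recipient
    print(rp, "->", verp_decode(rp))
    print(verp_decode(rp.replace("jane.doe", "john.doe")))  # tampered -> None
```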



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Michael Peddemors via mailop
Yeah, over the last 10 years we banged our head on how a universal 
method would work, and yes.. all vulnerable to abuse..


In the end, if mailchimp actually DID use the sender's email in the MAIL 
FROM, it might make it easier.. If they did had a way to see that this 
was an invite..


You 'could' filter it all to the junk mail folder, but flag the 
'invites' so a person could 'click' on 'I want to be on this list', 
which would exempt it from going to the junk folder, and adding the 
sender to your address book..


So far, that's all we got ;)

You will never get 100% accuracy, but you can go for 99.99, and allow 
the recipient to make the final choice on what is wanted/unwanted.


Remember, one person's spam, is another person's reading material.

At the end, only transparency can make that happen, however transparency 
often goes against the business model where you get paid on how much 
reaches the inbox, and quite quickly allowing the 'questionable' paying 
customer to join the 'good' paying customers traffic, to increase 
revenue. IMHO


On 2020-06-02 1:37 p.m., Atro Tossavainen via mailop wrote:

> On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:
> > It would need to be a standard... a SINGLE standard.
> >
> > Like the FTC "Do Not Call" list.
>
> What Michael said... And it would be a colossally bad idea.
>
> Anybody think it wouldn't leak and be used specifically to spam some
> more? A list of 100% guaranteed working email addresses? :-D
>
> > Aloha,
> > Michael.
> > --
> > Michael J Wise
> > Microsoft Corporation| Spam Analysis
> > "Your Spam Specimen Has Been Processed."
> > Open a ticket for Hotmail ?
> >
> > -Original Message-
> > From: mailop  On Behalf Of Stuart Henderson via mailop
> > Sent: Tuesday, June 2, 2020 6:52 AM
> > To: Tim Bray
> > Cc: mailop@mailop.org
> > Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list companies per email address
> >
> > On 2020/06/02 14:35, Tim Bray via mailop wrote:
> > > My question to mailchimp et al:
> > >
> > > Is there way I could force my email address to be double opt in?
> > > Like register with you, confirm my address, and then any of your
> > > customers who try to add me, I get a `please confirm` email.
> >
> > This, but without the "have to register" bit ...








--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Atro Tossavainen via mailop
On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:
> It would need to be a standard... a SINGLE standard.
> 
> Like the FTC "Do Not Call" list.

What Michael said... And it would be a colossally bad idea.

Anybody think it wouldn't leak and be used specifically to spam some
more? A list of 100% guaranteed working email addresses? :-D

> 
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
> 
> 
> 
> -Original Message-
> From: mailop  On Behalf Of Stuart Henderson via mailop
> Sent: Tuesday, June 2, 2020 6:52 AM
> To: Tim Bray
> Cc: mailop@mailop.org
> Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list companies per email address
>
> On 2020/06/02 14:35, Tim Bray via mailop wrote:
> > My question to mailchimp et al:
> >
> > Is there way I could force my email address to be double opt in?
> > Like register with you, confirm my address, and then any of your
> > customers who try to add me, I get a `please confirm` email.
>
> This, but without the "have to register" bit ...


-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/



Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

2020-06-02 Thread Michael Wise via mailop


It would need to be a standard... a SINGLE standard.

Like the FTC "Do Not Call" list.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?



-Original Message-
From: mailop  On Behalf Of Stuart Henderson via mailop
Sent: Tuesday, June 2, 2020 6:52 AM
To: Tim Bray
Cc: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list companies per email address

On 2020/06/02 14:35, Tim Bray via mailop wrote:
> My question to mailchimp et al:
>
> Is there way I could force my email address to be double opt in?
> Like register with you, confirm my address, and then any of your
> customers who try to add me, I get a `please confirm` email.

This, but without the "have to register" bit ...




