Re: [mailop] [E] $GOOG

2022-04-18 Thread yuv via mailop
On Mon, 2022-04-18 at 06:16 +0200, Paul Vixie via mailop wrote:
> the original RBL (at MAPS, this was) was an 
> attempt (by me, and then by others) to "keep the noise down so that 
> e-mail is usable". you should be able to verify from where you sit
> that (a) we did not achieve that goal, (b) we achieved a number of
> other deleterious non-goals, and (c) we were not universally hailed
> as liberators by others who thought they knew better what "the
> public interest" actually was.

Hindsight is 20/20, good for you, you are learning.  Earlier in this
interesting thread you qualified Gmail as "late stage surveillance
capitalism."  Has it occurred to you that reputation services, whether
distributed or other, are early stage surveillance capitalism?  I am not
familiar with the lawsuits, but the general solution to all reputation
services, whether IP-reputation, consumer credit, or any other business
that collects information about other subjects (the building block of
surveillance capitalism!) is consent:  if the subject does not consent,
do not collect/report.  No reporting, no cause for legal action.
Provide reputation certificates for subjects that opt into the service
and let recipients decide how to deal with the absence of such
reputation certificate(s).

As has been noted in this interesting thread by others to whom I
apologize for not citing them properly, the problem is behavioral.  Not
technical.  The solution (easier said than done) is policy, and
sometimes co-operation must be enforced.

Humans live on fault lines oblivious to the tectonic movements
underneath until the tensions explode.  The three active fault lines
underneath this industry that require policing are:

(1) the dissociation of cost and benefits.  economic externalities.  I
miss the days when I could operate a mail server behind a 2400bps dial-
up modem.

(2) the dissociation of liability and control.  for much too long, this
industry has disclaimed, whether in licensing terms or terms of service,
the liability for the consequences of what it controls.  just copied
from your nemesis:

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS EXPRESSLY
PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY
KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING
WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR USE AND NONINFRINGEMENT. the oppressor MAKES NO
REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR
THROUGH THE SERVICES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A
TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR
RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY
SWITCHED TELEPHONE NETWORKS.

(3) competing ownership/property claims.  Who owns the network, the
device, the software, the data, the service?  And what are the limits
on such property?

Easier to point the fault lines out than to suggest solutions.  I
apologize for not being ready to offer fully thought out solutions. 
Even if I was, the even more difficult task is to gain acceptability
and get the solutions implemented.  The political process.  Even within
the most advanced legal frameworks, serious updates are required in the
areas of (A) competition law; (B) consumer protection; and (C)
telecommunication policy.

The question is:  what kind of world do we want to live in, and leave
to our children?  The answer is subjective.

Back to lurking,
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Walled gardens

2022-02-02 Thread yuv via mailop
Sorry for the late reply, Bill.  Life.  In absence of external
governance factors, I can only self-govern.  I decided to self-govern
toward co-operation rather than confrontation, let's work through the
little misunderstandings.


On Thu, 2021-12-30 at 11:29 -0500, Bill Cole via mailop wrote:
> On 2021-12-29 at 07:40:01 UTC-0500 (Wed, 29 Dec 2021 07:40:01 -0500)
> yuv via mailop 
> is rumored to have said:
> 
> > On Tue, 2021-12-28 at 21:59 -0500, John Levine via mailop wrote:
> > > It appears that yuv via mailop  said:
> > > > The first thing to make internet email viable for the future is
> > > > to
> > > > establish a defensible perimeter and keep bad actors
> > > > out.  Easier
> > > > said
> > > > than done. ...
> > > 
> > > Unfortunately, e-mail walled gardens are a Well Known Bad Idea.
> > 
> > RFCs-based e-mail is a walled garden.
> 
> You may have missed the fact that "walled garden" is actually an 
> established bit of jargon in an Internet context

Forgive me for using established jargon, I will accept the focus on the
world that started on 00:00:00 UTC on 1 January 1970 and rephrase my
argument in more precise terms than my previous use of terms
established by a slightly older Western cult [1].


> So, in short: no, it is not.

You are right.  It's not walled, it is surrounded by a Ring of Fire. 
And it is Hell, not a garden.

A wall is a barrier.  It creates two separate spaces: a protected space
on the inside and the remainder outside.  Sometimes, the protected
space is the desirable space and it is called a garden in opposition to
the wilderness outside.  Desirability is a matter of opinion and so is
the use of the term "garden".

You do, elegantly, put up a different kind of walls to protect inside
space [2].

RFCs (or the implementations described within, to use your definition
of what RFCs are) are a barrier to enter the inside and participate in
the system.  Unlike your barriers cited above, the barriers
implemented and described in RFCs are unintentional barriers, but the
end effect is that the complexity makes the system worse, not better;
and spammers benefit more from that complexity than non-spammers.  But
that is again a matter of opinion: spam is in the eyes of the
recipient.  Always.


> > We lawyers call this the Rule of Law.
> 
> LOL. RFCs are "law." Not in *any* way. RFCs are documentation.

Sir Isaac Newton merely documented gravity [3].


> RFCs are not law. Not ever. Can't improve a "Rule of Law" that has
> no laws and only pragmatic, heuristic rules in the form of
> documentation.

With all due respect, "Rule of Law" is actually an established bit of
political and philosophical thinking [4].  You are mistaking "Rule of
Law" for the collection of statutes imposed on the land by legislators
and enforced by the power of government.  These are artificial rules.
Some rules are natural, some are artificial.  Artificial rules can be
improved, and RFCs (or the underlying, described implementations) are
definitely artificial and definitely can be improved.


> There is no "rule of law" on the Internet because it is defined, 
> designed, and developed as a giant pile of autonomous entities who 
> interact in documented ways developed by experimentation and 
> collaboration. There is no penalty for not working together, beyond
> not working together.

There is no penalty for ignoring the law of universal gravitation,
beyond... oh, wait a minute, why is it so difficult to move to a
different planet, leaving the "90% crap" behind? (you referenced
Sturgeon's Law [5]).  Sometimes, natural penalties are more powerful
than the most powerful penalties that governing entities can mete. 
Governing entities are subject to the Rule of Law like anyone else.  In
fact, the Rule of Law applies to any political setting, including loose
and experimental collaboration.


> Not law, documentation. RFC5321 describes the state of SMTP, as of
> 2008, sorta. How it was working best then, to the degree that the
> editor and authors could reach consensus. The changes from 2821 to
> 5321 are clarifications, consolidations, and updates reflecting the
> evolution of implementations of SMTP in the interim.

Documentation with consequences = law.

To bring it back to Sturgeon's Law: the percentage depends on the
choice of denominator.  Myopically setting the denominator to all
internet emails ignores my reality (and possibly the reality of many
users) that if the denominator includes all electronic transmissions,
internet email is over-represented in the numerator.

The result is the rise of alternative messaging platforms.  The
displacement of mission-critical inter-entity transmissions to other
tools.  It takes just a little bit of courage to

Re: [mailop] Musings on Mail Service Operators

2022-02-02 Thread yuv via mailop
On Wed, 2022-02-02 at 11:20 +0100, Jaroslaw Rafa via mailop wrote:
> Dnia  2.02.2022 o godz. 10:47:33 Carsten Schiefner via mailop pisze:
> > I start to earnestly wonder when folks [...]
> > will attempt to regain knowledge to run their own and small-scale
> > mail systems again
> 
> I think it will rather go the other way

Probably.

Either it will go the other way, or folks will move away from email all
together.  I am moving away.  I miss the ability to store away in
Maildir format my correspondence and to look back in the archives to
Eudora times and earlier, but since I made the decision to prefer other
methods of electronic communication over email, I feel much better.

I still owe an answer to Bill about Walled Gardens.  It will come,
eventually, maybe, if it was not caught in the spam filter.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




[mailop] Barriers to Entry / Governance (was: What a drag it is sending DMARC reports)

2021-12-29 Thread yuv via mailop
On Thu, 2021-12-23 at 21:02 -0700, Dave Warren via mailop wrote:
> On 2021-12-18 08:39, yuv via mailop wrote:
> > On Sat, 2021-12-18 at 15:13 +0100, Alexey Shpakovsky via mailop
> > wrote:
> > > On Sat, December 18, 2021 13:50, yuv via mailop wrote:
> > > > What makes the difference between [the smoothly running
> > > > messaging
> > > > systems] and internet email?
> > > 
> > > I believe answer is centralization and to some extent lack of
> > > backwards compatibility requirement.
> > 
> > what is it that centralization brings to those systems?  after all,
> > they also consist of numerous independent parties communicating
> > with
> > one another over electronic devices, exactly like internet email.
> 
> Among other things, the barrier to entry is higher with many/most 
> services verifying at least a phone number (and sometimes the
> hardware itself).

Barriers to entry are not an exclusivity of centralized systems.  In
fact, the complexity generated by independent actors contributing to
RFCs and operating internet email represents a much higher barrier to
entry than a tightly managed set of requirements under a single
authority who accepts any participant that submits to such requirements
without subverting them.  Embrace, Expand, Extinguish, anyone?

Evolving rules by consensus is slower, but hey, look at W3C.  What is
different in the governance of the web to governance of internet email?
 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




[mailop] PII is a diversion from Privacy (was: Roundcube client IPs → dovecot, postfix)

2021-12-29 Thread yuv via mailop
On Tue, 2021-12-28 at 12:19 -0600, Richard W via mailop wrote:
> Those that advocate IP addresses are PII still drive around with a 
> license plate on their car.  That's even more PII out in the open as 
> that is a static IP.

Those that advocate what is PII and what is not are diverting from what
should be the real focus of attention: it is not whether the data can
be used to identify me or not, it is by whom it can be used and for
what purpose.

On Tue, 2021-12-28 at 10:36 -0800, Jay Hennigan via mailop wrote:
> Don't forget that politicians conveniently exempted themselves from
> TCPA and anti-spam laws.

And those loopholes should be closed at the next possible opportunity
with every possible (non-violent) means, including voting those
politicians out at the next possible opportunity.


> How about content providers selling lists of which households watch 
> which adult PPV channels?

Subject them to a non-consensual taste of their own medicine.  And I do
not mean to make them watch.  Make them do.  S1E1 Black Mirror style.


On Wed, 2021-12-29 at 10:35 +1000, Noel Butler via mailop wrote:
> As to the anti privacy brigade, suck it up, we are network operators,
> if we want to know who they are, we can

And you should. The purpose of ensuring network integrity/security is a
legitimate limitation on my property/privacy right.  No right is
absolute, and there are worse limitations on property than this.  Try
talking zoning laws with your local municipality.

The day you will have a say over who can use the data you generate and
for what purpose, on the same level and with the same legal protection
as do Hollywood or Netflix, my work as privacy advocate will be done.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




[mailop] Privacy is Property, not Confidentiality (was: Roundcube client IPs → dovecot, postfix)

2021-12-29 Thread yuv via mailop
On Tue, 2021-12-28 at 07:17 -0800, Michael Peddemors via mailop wrote:
> The world has gone far too anal in it's approach to privacy, at the
> expense of security, IMHO.

The "world" does not understand privacy.  Most of the experts who
understand are hired by the entities who stand to lose if the world
would understand that privacy has two components: property and
confidentiality.

Confidentiality is a wall that is expensive to keep up, and in most
cases unnecessary.  This is where the world has gone far too anal.

Property is the right to exclude others.  It is also the fundamental
cornerstone of a working market, since excluding others reveals the
value of what they are excluded from: they will be willing to pay to
get access to it.  This is where the world is not there yet, and this
is why we still all carry a price tag on our back instead of shopping
around where to be paid for the data we generate.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer



Re: [mailop] What a drag it is sending DMARC reports

2021-12-29 Thread yuv via mailop
On Tue, 2021-12-28 at 15:27 +0100, Hans-Martin Mosner via mailop wrote:
> Am 28.12.21 um 14:31 schrieb yuv via mailop:
> > 
> > The problem is behavioral, not technological.  More technology is
> > not the solution.
> 
> I'm a software developer, not a lawyer. And as you certainly know, if
> the only tool you have is a hammer, all things tend to look like
> nails...

I trust you are a good person with good intentions trying to make an
honest living providing email services.


> Triggering changes in law or pushing contractual agreements between
> third parties is out of my reach. If you can do it, 
> more power to you!

I can't either.  It is beyond the power of any single individual, but
if we work together, maybe we can make the world better.  Just not by
reinventing a wheel that has not worked in the past and can be
predicted not to work in the future.


> One example is the gradual creation of laws to 
> improve environmental awareness and animal wellbeing in the
> production of food. Much of that started by grassroots 
> awareness campaigns which made the discount supermarkets look bad
> when their products were created in ethically questionable ways.

Analogies are good at explaining and bad at persuading.  So you make an
analogy to how reputation works in another area.  Let's talk that area,
as I have no intention to persuade or dissuade you on how to use your
time and you are already well aware of the hammer and nail focus.

You and I look at the issues from our Western perspective and it is
easy to miss other aspects.  We may call "ethically questionable ways"
the way coffee is harvested in third world countries with what we deem
inadequate protections against child labor.  The child labourer who
loses their job may have a different perspective, since that job meant
the difference between putting food on the family table or going
hungry.  Think of how the generation that came before you in Germany (I
assume based on your email address) felt about its manufacturing jobs
outsourced to countries where production cost was lower.  It is all good
to be mindful about the environment.  However, the carbon emissions are
predictable from the first diaper to cremation and the real drivers of
global warming are neither cars nor cows.  Whom does the focus on cars
and cows benefit?


> I somewhat hope that improved rejection of spam mails and making
> spam-supporting agents known will gradually make spam 
> less effective. I know that this hope may be futile. If it is, I will
> at least improve the signal-to-noise level for my 
> users, which is a good goal anyway.

Doing the same thing and expecting a different outcome is unreasonable.
Yet for more than a decade now, these are the kinds of solutions that have
encumbered internet email space.  Spammers have adapted, and at the end
of every cycle, spam was not less effective.  Maintaining an email
system was more onerous.  No benefit.

Improved rejections = simple outright IP block.  There will be some
initial pain when your users will ask where the email is that their
friends using gmail tried to send.  Some adjustments, as your users
will create a gmail account to receive gmail mail, until they realize
that servicing that account has costs they do not want to bear.
Eventually "spam-supporting agents" will have to line up on one or the
other side of the wall and after a transitional period you and your
users will be in better company inside the wall, keeping the bad actors
outside a defensible wall.
 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Walled gardens

2021-12-29 Thread yuv via mailop
On Tue, 2021-12-28 at 21:59 -0500, John Levine via mailop wrote:
> It appears that yuv via mailop  said:
> > The first thing to make internet email viable for the future is to
> > establish a defensible perimeter and keep bad actors out.  Easier
> > said
> > than done. ...
> 
> Unfortunately, e-mail walled gardens are a Well Known Bad Idea.

RFCs-based e-mail is a walled garden.  We lawyers call this the Rule of
Law.  The Rule of Law is the worst form of walled gardens except for
all those other forms that have been tried from time to time [1] and
include the single-god ruler or the Cult of the Bitten Fruit.  Does not
mean that we should not work to improve the Rule of Law.


> The short version is that any collection of people large enough to be
> interesting is also large enough to have people you don't want to
> hear from.

And this is why any society needs policing and walls.  Most likely
your home has walls, and if you live with significant other(s) you have
common rules.  Your country most likely has prisons -- walls to keep
people you don't want to hear from off the streets -- and borders --
walls to keep other kinds of people you don't want to hear from off your
streets.  Walls are a matter of cost/benefit, not a matter of Bad/Good.
Pragma vs Dogma.


> The slightly longer version is whatever criteria you use to decide
> whose mail to accept is unlikely to match the set of people whose
> mail you actually do want to accept, and the more hoops you expect
> people to jump through, the more likely it is that people will decide
> they weren't all that eager to send you that contract proposal.

The general analysis is that two parties decide between themselves what
means of communication to use, and mail has no monopoly on that.
Sometimes, one party has sufficiently more power to impose the use of a
specific means of communication.  Few parties restrict themselves to a
single means of communication.  In my experience, alternative means of
communication to internet email are gaining traction because the hoops
(cost) of participating in internet email are growing past the pain
point.  I have seen contracts proposed and accepted over Twitter.

In popular parlance, the Garden of Eden is the image that comes to mind
when a walled garden is evoked: paradise inside, hell outside, insiders
naked and exposed to the whims of a single capricious ruler.

The walled garden of RFCs is more hell inside than outside.  The
guardians of the walls keep adding layers of complexity with
questionable benefits.  Where there is an alternative, participants are
leaving in droves and eventually the guardians of the walls will find
themselves alone, naked in their own RFCs.  Where there is no
alternative (the telecom's oligopoly on subscriber lines), participants
pay the cost and market forces drive some competition, imperfectly.

[1] <https://winstonchurchill.org/resources/quotes/the-worst-form-of-government/>
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] What a drag it is sending DMARC reports

2021-12-28 Thread yuv via mailop
On Tue, 2021-12-28 at 12:11 +0100, Hans-Martin Mosner via mailop wrote:
> Am 28.12.21 um 11:08 schrieb Alessandro Vesely via mailop:
> > OTOH, if it were possible to ascribe each nastiness to its actual
> > culprit

UNNECESSARY AND


> I'm working on a reputation based system which would use a p2p
> network to transmit reputation opinions very quickly,

COMPLICATED.


The problem is behavioral, not technological.  More technology is not
the solution.

There are very simple natural principles of economics and law that have
proven themselves over time:  proximity; the least cost avoider; and
the duty to mitigate.

Proximity is the distance of an actor (or in this case a node) to the
incident.  In the case of spamming or other internet malware, the
incident is the spam reaching the egress node and the distance is
measured in hops across jurisdictions / controlling actors.

The least cost avoider in a system of interrelated actors is the actor
who could prevent the incident at the lowest cost.  At first sight, on
the internet the least cost avoider is the ingress node.

However, the cost for each egress node individually to reach the
ingress node is higher than the cost for the next upstream node to do
so; and often, the ingress node is out of reach because off-shore or
unknown.  Therefore, it makes economic sense to fix the problem at the
next upstream node and the solution is a legal one, not a technical
one:  impose the duty to mitigate on the upstream node.  Even if the
upstream node is not the culprit, it is in the best position to prevent
further harm and must do so.

The duty to mitigate can be imposed as contractual liability (terms of
service) or as statutory liability (a law enacted by a progressive
jurisdiction).  It would take the form of a penalty that is painful
enough to motivate the upstream node to fix the problem.  In an ideal
world, the penalty would escalate progressively, starting with a
warning on first incident, then increasingly higher fines for further
incidents; and ultimately pulling the plug and cutting off access to the
node that does not fix the problem.

What and how can be imposed depends on who is in a position of
authority.  A closed system operated by a single authority can afford a
finer approach than a federated system spanning multiple sovereign
jurisdictions and a myriad of participants that may have to resort to a
blunter approach: cut them off at the inter-jurisdictional border until
they get it and join progress on the other side.  A large operator can
afford cutting others off, and if a large, benign email operator would
start to seriously cut off sources of spam, it would be beneficial for
smaller operators to follow its lead and join a closed but clean
federated system that would eventually grow to be open to actors that
abide by the simple rule of policing their immediate upstream.  I am
not holding my breath for this to happen when the two largest operators
are at the same time also the two largest enablers of spam.  As long as
they maintain that split personality, internet email is doomed to be a
dungeon of horrors.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] What a drag it is sending DMARC reports

2021-12-27 Thread yuv via mailop
On Mon, 2021-12-27 at 02:44 +0100, Ángel via mailop wrote:
> On 2021-12-23 at 21:02 -0700, Dave Warren via mailop wrote:
> > Even just verifying a phone number adds a real world cost to
> > switching identities which makes blocking far more effective.
> 
> There is certainly a cost for casual users wishing to switch
> identities.

[...]

> I wonder however if that's still the case for "professional"
> spammers,

Barriers to entry are indeed one of the weaknesses of internet email
when compared to closed systems like the single-entity controlled
messaging tools (iMessage, Telegram, Whatsapp, and their likes).

Desirable: a clearly defined perimeter that is easy to protect.

Any entry-level military strategist can tell you that the lines of
defense of internet email are a nightmare.  In traditional warfare,
strategists seek to establish a perimeter:  what is inside is friendly,
what is outside is not.  The longer and more convoluted the line of the
perimeter, the more difficult it is to defend.  In the physical world,
strategists try to make use of natural barriers such as rivers and
mountains to make perimeter defense easier.

And in the world of email?

There is no clearly delineated perimeter.  The telcos are happy to give
a subscriber line and an IP address to anyone with a modem.  On that
free-for-all infrastructure, spammers can operate domains and SMTP
servers with impunity.  They can prey on legitimate SMTP businesses
and create accounts to abuse them, circumventing all forms of often
ridiculous abuse prevention.  As is too often the case, the industry
gets it wrong (from an efficiency perspective; of course it gets it
right from a revenue generation perspective) and its solutions leave
programmatic malware indifferent while making it more nightmarish to
the human user.  Typical example: requiring passwords with upper/lower
case and all sorts of special characters and numbers, instead of using
much longer passphrases that achieve the same entropy in a form that is
easier for humans to process.

The verification via text messages (SMS) is one of those ultra-stupid
solutions whose real benefit is, arguably, to the surveillance economy
only.  Garden varieties of SIM swap scams abound and trusting the
telecoms with identification and authorization when they are not even
able to filter bad packets at the IP level is questionable.  Any
authorization system that depends on a token transmitted at the time and
place of authorization is faulty by design and ready to be hacked.  It
is inferior to TOTP or other designs where
communication/synchronisation has happened in a distant past.  In
advanced economies, banks are now forbidden from using SMS as 2FA
token.  Here in Canada, they are just introducing it (sigh).

Speaking of the requirement of a phone number:  Google has been
particularly insistent, even on my existing account.  Possibly because
I do not let any requests to Google servers out unless vetted, because
of the web bugs on so many websites.  I don't care if there is a Google
Analytics opt-out extension.  My opt-out of Google Analytics and its
other data-syphons is not to allow for a communication from my network
to them.

The worst requirements I have seen so far, however, were Instagram's.
Network effects have it that my child is the only kid in the classroom
without an Instagram account.  I tried the process of opening one,
using a burner phone / pre-paid SIM card, and Instagram comes back at
me with the requirement for a picture of me, my face and my hands
clearly visible, holding a handwritten note with an authorization
code.  Seriously? handwriting recognition, facial recognition?  How
about fingerprints?  And the conspiracy theorists still believe that it
is government that is after us?  No way that a corporation whose sole
purpose is to spew evil and misinformation in the world will get
anything but anonymous access from my end.  Or no access at all.  The
day that proper safeguards will be in place, that I will be able to
control my information the same way Hollywood or Netflix can control
theirs, I may consider lowering the defences a bit.

Internet email could learn a page or two from the Swift manual.  Swift
moves $200 billion / day.  What works for banks and their customers
can surely work for internet email operators and their users,
especially those parts that are pure protocol, pure IT, no physical
cost.

The first thing to make internet email viable for the future is to
establish a defensible perimeter and keep bad actors out.  Easier said
than done.  The problem does not affect email only.  It affects
anything internet.  Lacking a proper perimeter, my network is my
perimeter and the default rule at my router is nothing in, nothing out,
until an exception is added.  I am not there yet, but nearly. 
Maintaining lists of allowed IP addresses is not as difficult as it
sounds.  There will be pain along the way, but if service providers are
not able to federate around clear rules to 

Re: [mailop] Is outlook.com blocking all Linode IPv4 space?

2021-12-20 Thread yuv via mailop
On Sun, 2021-12-19 at 21:13 -0500, John Levine via mailop wrote:
> tektonic.net

you'd do them a favor if you alerted them that their website is so 2012.  Not 
just the design: expired certificate and still using an outdated TLS version.  
I trust your judgment that they are good at screening customers and keeping bad 
actors away; but in their line of business, keeping up with the safest 
standards is critical.  The design of the website is fine and can remain 
unchanged: I would hire them for their tech skills, not their graphic design 
skills (or budget).
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] What a drag it is sending DMARC reports

2021-12-20 Thread yuv via mailop
On Sat, 2021-12-18 at 17:02 +, Andrew C Aitchison via mailop wrote:
> On Sat, 18 Dec 2021, yuv via mailop wrote:
> 
> > > When you're one company controlling both backend and all frontend
> > 
> > This is the undesirable feature of centralization, I think we can
> > all
> > agree on that.  But what are the desirable features of
> > centralization,
> > and can they be broken out and applied to a decentralized world?
> > Care to continue?
> 
> Desired (by many service providers):
>Captive market - content consumers cannot access the same
> content from another provider.
>Ability to make money from content consumers (advertising).
> 
> Many of us find these feature *un*desirable, the second at least in
> its 
> current form, but those so inclined can take advantage ...
> 

The difference between desired and desirable is that anything can be desirable 
by one or more participants, but the desirable features are those win-win 
features that are systemically desirable.

A captive market is definitely undesirable, except for the entity holding it 
captive.  Few entities would not like to own a captive market.  Few entities 
would like to be the captive.

The ability to make money is definitely desirable, the question with money is 
not what, it is how.  I am happy to pay for utility.  I will do everything I 
can not to pay for products or services that would be useless if there was not 
the artificially created demand.  Note that anti-abuse services would be 
useless if there were no spammers, so those two groups that are seemingly 
fighting a whack-a-mole game with the DKIM/DMARC alphabet soup are actually 
allies at the expense of everyone else.

A captive market is certainly an opportunity to make money, and if the market 
dictator is sufficiently benevolent, the market turns out to be a pleasant 
walled garden with acceptable service.  However, a competitive market should, 
in theory, achieve better outcomes at lower cost through the creativity and 
innovation spurred by competition.  But even competition has its limits and too 
much competition, too many standards, too many RFCs, is what made internet 
email such an unwieldy beast.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread yuv via mailop
On Sun, 2021-12-19 at 11:53 -0800, Jay Hennigan via mailop wrote:
> The most obvious and frequently asked question isn't answered or
> even acknowledged in their FAQ.

When lawyers or snake-oil sellers are involved, FAQ stands for
fictionally asked question.  And when lawyers or snake-oil sellers are
writing it, it is a loose phonetic contraction of a popular English
language four-letter word that too frequently draws censure and that
the reader of the text is probably going to utter as many times as
there are questions and answers in the text.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-19 Thread yuv via mailop
On Sun, 2021-12-19 at 09:51 -0600, Larry M. Smith via mailop wrote:
> There has been another update, and appears to be well worth a read.

Indeed it is.  I have complimented Jonathan for his leadership.  His
note is what counts.

I had used some of my snowy/rainy/slushy weekend to research US law. 
Obligatory disclaimer:  I am not licensed to practise US law, this is
unfamiliar territory, the following is for information purpose only, is
possibly wrong, I am not the lawyer of any reader of this information,
do not rely on this information.

With the disclaimer out of the way, I have found out the legal ground
on which the IRBs make the determination if the research is human-
subject research or not.  The rest (thinking of the consequences on the
humans or not) follows from that determination.  

Subpart A of 45 CFR Part 46.  To my horror I found §46.102 (e)(1)
extends protections to humans only when the information extracted is
about them.  The moment researchers are not extracting data about the
human itself, the IRB does not even have to consider the effect that
the research will have on any human.  My understanding of the law as
written is that it white-washes a researcher who coerces information
about a third party from a human!

The flow chart is at [1].

No-one considered that the mechanisms of the law exercised an abnormal,
in my view intolerable amount of pressure on the human recipients of
the emails, in addition to their scammy/spammy character.  Even if
unintentional, the end-effect was morally wrong, a lack of respect for
persons as envisioned by the Belmont Report [2].


To me, this was a dead-end.  The research was in my view morally wrong,
but legally right and I had no leverage other than appealing to the
researchers' morality because the law is flawed.  And the IRB has
simply done its job as expected by the law, so again, no leverage
whatsoever.  Leveraging the spam issue and putting the kids in the same
class as the phishers and other scammers that infest the internet would
have been heavy-handed and probably also inconclusive, putting them on
the defensive and achieving nothing more than the shields of the anti-abuse
tools were not already achieving.

Dilemma: how to advance on the issue?  Sure, there is that ethical
middle ground, the Belmont Report [3], but it required goodwill on the
other side.  Jonathan has shown goodwill.

This is no longer on-topic for nitty gritty email system operators, so
I will stop annoying mailop with this.

I want to thank everyone who has contributed little bits of evidence to
the case, whether it is pointing out anti-spam resources clearly
showing that the emails were spam; or describing their experience.  You
have all helped the researchers understand that what they did was
morally wrong.

[1] <
https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts-2018/index.html#c1
>

[2] <
https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/read-the-belmont-report/index.html#xrespect
>

[3] <
https://www.hhs.gov/ohrp/regulations-and-policy/belmont-report/index.html
>

-- 
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] What a drag it is sending DMARC reports

2021-12-18 Thread yuv via mailop
On Sat, 2021-12-18 at 15:13 +0100, Alexey Shpakovsky via mailop wrote:
> On Sat, December 18, 2021 13:50, yuv via mailop wrote:
> > What makes the difference between [the smoothly running messaging
> > systems] and internet email?
> 
> I believe answer is centralization and to some extent lack of
> backwards compatibility requirement.

what is it that centralization brings to those systems?  after all,
they also consist of numerous independent parties communicating with
one another over electronic devices, exactly like internet email.


> When you're one company controlling both backend and all frontend

This is the undesirable feature of centralization, I think we can all
agree on that.  But what are the desirable features of centralization,
and can they be broken out and applied to a decentralized world?

Let's start:

Front end:
* undesirable: dictated device, sometimes only available from selected
vendors on selected platform (the walled garden, though for
Apple/iMessage it has apparently already achieved sufficient network
effect for the company to start allowing its captives to invite non-
Apple devices to the conversation)
* desirable: implement ONE SET OF RIGID (but can change over time),
INTEROPERABLE, SIMPLE, SPECIFICATIONS.

Back end:
* undesirable: single controlling entity
* desirable: ONE SET OF RIGID (but can change over time) INTEROPERABLE,
SIMPLE, SPECIFICATIONS.

Ecosystem:
* desirable: CLOSED TO ABUSE SOURCES (and no one should be big enough
to tolerate abuse from their network, including Google, Microsoft,
Amazon, and any other cloud provider) 
* undesirable: CLOSED TO ALTERNATIVE Front and Back ends. 
Uncompetitive
* desirable: OPEN TO ALTERNATIVE as long as they implement the exact
rigid specification. (Competitive, without allowing for uncontrolled
feature creep, or in other words no Embrace, Extend, Extinguish)
* desirable: CLOSED PROTOCOL SPECIFICATION, subject to strict change
control 

Care to continue?


> And who on this list haven't thought: "oh, I wish this part of email
> spec was different"?!


The thinking is legit.  It is the process of addressing that thinking
that has failed.  Too often, change is adopted for the sake of change. 
See the recent proposal for DKIM-QR on this list.  Just because QR
codes have been made popular by vaccine passport, it does not mean that
we have to rush to implement them everywhere and for everything.  Same
with blockchain previously.  But fashion is irresistible and when I
have a hammer, every problem looks like a nail.


> Email openness is both blessing (when any person can implement an
> email client however they like) and a curse (when any spammer can
> implement an email client...).

Because the protocol's implementation is not the appropriate place to
deal with spammer, and this is one of the major driving forces that has
pushed internet email to the point of breakage.  The protocol should be
open to read, but under strict change control.  Implementation of the
protocol should be open to anyone.  Bad actors should be kept out not
by preventing them to implement the protocol, but by preventing them
from joining the network.  The network must be open only to actors that
adhere strictly to the rules.  This includes operators AND end-users.


> Worth mention however, that I've seen spam on other messaging
> platforms, too, and a black market for Telegram accounts being
> mentioned, and people developing anti-spam solutions for not-so-big
> public Telegram groups...

Of course, if one thing is not changing, it is human nature, and any
communication platform large enough will attract scumbags.  Keeping
scumbags at bay must be central to the protocol design (or evolution). 
SPF/DKIM/DMARC have all failed at that.  They have made life more
difficult for the legitimate user and they are better mastered by the
spammers than by the legitimate users.  The platform has been overtaken
by marketers.  I am disgusted when I see a recommendation (by
Microsoft) to craft emails in HTML format to make them more
deliverable.  To me, HTML is a hallmark of marketing email that I do
not care a damn about, and the messenger protocols are much better at
that.  To me, internet email should not try to become like the
messenger protocols: it is a losing competition, partly because of the
legacy baggage.  To me, internet email should refocus on what it was
meant to be in its original design: a way to send/receive PASSIVE
CONTENT, without the tracking/spying bugs and other active/dynamic
elements that advertisers so covet and spammers abuse.


On Sat, 2021-12-18 at 15:42 +0100, Jaroslaw Rafa via mailop wrote:
> Dnia 18.12.2021 o godz. 07:50:19 yuv via mailop pisze:
> > 
> Sadly, in recent years - mostly because of the actions of the "big
> guys", I will hold on to my opinion on that - email has steered
> towards becoming a similar group of independent, non-int

Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread yuv via mailop
On Fri, 2021-12-17 at 15:21 -0500, John Levine via mailop wrote:
> They don't seem very good at recognizing that at the other end
> of each e-mail there is a person, and that person will be affected.

can you blame them? most ordinary people deal >95% of the time with <5%
of the websites in the world, and those happen to be the one that have
automated customer service.

Discerning a legal demand (as GDPR/CCPA should be understood) from a
regular customer service email is also not immediately clear to lay
people who are probably not familiar with the obligations and sanctions
provided in the law.

Based on the conversation with the researchers so far, I suspect that
they disingenuously represented to the IRB their data collection
practice so as not to alert the IRB that humans would be affected.  I
also suspect that the IRB process is biased in favour of approving
research, as this is the interest of the university.  How long has it
taken for animal rights activists to achieve representation at IRBs of
the interest of animals?  The same will have to happen for IT users,
because the researchers, who were the ones best placed in the process
to alert the IRB that persons will be affected, had absolutely no
interest to do so; and in a common law tradition and in an adversarial,
litigious society such as the US are not obligated and should not be
expected to.

Their FAQ is up at  and it all
looks like a lawyers-approved shield to try to justify what they have
done.  They know they have pushed too far.  The question is whether
they will learn from this and whether the learning will flow into a
fairer IRB.  I will follow up with Jonathan.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer



Re: [mailop] What a drag it is sending DMARC reports

2021-12-18 Thread yuv via mailop
On Sat, 2021-12-18 at 12:47 +0100, Jaroslaw Rafa via mailop wrote:
> Dnia 17.12.2021 o godz. 13:36:51 Jarland Donnell via mailop pisze:
> > DMARC has become mainstream enough that far more people
> > have a DMARC record than actually know what it's for.
> 
> I would blame the "big guys" (especially Google) for it,

No.  Blame the complexification.

The whole alphabet soup of SPF, DKIM, DMARC, etc. has taken the ecosystem down 
the wrong path for many years already, to a point that there are 
inconsistencies between the RFC specifying email and the RFC specifying DMARC 
(IIRC one has been recently discussed on this list) and that it is a full time 
job to keep track of changes to all the relevant RFCs; and their details; and 
the different implementations and variations (of which the "big guys" are the 
most influential ones).

Meanwhile, I hear that iMessage, Whatsapp, Messenger, etc. do not suffer these 
problems and are a good replacement for internet email.  What makes the 
difference between them and internet email?

Sad fact:  I use Telegram and SMS more in my legal practice than I use internet 
email.  Even though email provides for much easier ways to preserve and 
introduce into evidence in court rooms.

Yuv

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-18 Thread yuv via mailop
On Fri, 2021-12-17 at 08:08 -0800, Dave Crocker via mailop wrote:
> this particular decision seems bizarre.

bizarre decisions are typical of the evolution of any decision-making
body.  Nobody is perfect.  We all have our blind spots and their blind
spot happens to be your spotlight, which is why you find the decision
bizarre.


> Beyond concern for this IRB repeating the error, it occurs to me that
> it could be replicated by other IRBs.

I am sure it occurs to them as well.  For ages, decision-making bodies
have dealt with this concern about (in)consistencies of decision across
neighbouring jurisdictions.  Or in tech terms: replication/syncing of
reasoning over space and time.  The judicial system has a tried and
tested way to propagate updates and synchronize across jurisdictions --
even hostile jurisdictions -- that has worked for centuries and keeps
working very well, even when accelerated by technology.

The spatial organization in autonomous entities has many reasons.  Some
are related to the reach of the decision-making authority.  Others are
of technical nature and include the speed of propagation of the
authority's orders.  Then there are sovereignty considerations, and
this is where each university will defend its own IRB.  And that's
good, because it adds an important feature: competition.  Competition
drives innovation, even in decision-making, and the synchronization
between parallel spatial organizations (jurisdictions) occurs through a
common appeal process to a higher authority.  Those universities are
subject to state and federal rule.

On the downside for this case is the fact that a decision has already
been made in the case and probably the time to appeal is over.  Possibly,
there is not even a possibility to appeal against the research as the
purpose is to allow science and appeals are most likely designed to
give researchers a second chance, not the other way around.  However,
there is surely also a body that writes the policies along which the
IRBs are making decisions, and this is where we need to bring our
argument that humans are affected; that the safeguards proposed by
researchers are not enough; that more oversight is required.


> That makes me wonder about the possible benefit of 
> independently-developed guidance that might be circulated among
> them.  Possibly from a respected anti-abuse organization?

I am skeptical of every such organization.  They invariably represent
more or less cover behind the scene influences.  What if this IRB takes
guidance from one "respected anti-abuse organization" and another IRB
takes guidance from another "respected anti-abuse organization" that is
of a different opinion?  In my view, the opinion of the IRB is enough
opinion.  Additional opinions of additional entities only helps snake-
oil sellers sell more snake-oil.

Traditionally, courts (or boards) take their guidance from expert
witnesses, which are called by one of the parties in the process to
inform the process.  This admits that there is no such thing as
"independently-developed" and every such expert organization has an
agenda.  It is better to acknowledge partisanship and deal with it in
the open than to investigate backroom influences (typically financial
donation).  So the party that argues that this is abuse will bring in
its expert; the party that argues that this is not abuse will bring in
its expert; and the board will make the decision that will then become
part of its precedent and as such applied to future decision.  The
experts are then only required for the marginally new, with the body of
guidance enshrined as law in precedent ruling, that can, with effort,
be overruled when new developments come to light.

But I am digressing.
Yuv

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread yuv via mailop
Apology for this diversion, off-topic to the subject of the Ethics
Complaint, but definitely on-topic for mailop.

On Fri, 2021-12-17 at 08:32 -0700, Anne P. Mitchell, Esq. wrote:
> His response to the above was that CAN-SPAM didn't apply as it was
> academic and not commercial email, at which point I pointed out to
> him that he and I both knew that reasonable minds can differ on what
> is "commercial"

Hair-splitting.  IMHO this is an aspect on which CAN-SPAM is flawed. 
The general rule must be that spam is in the eyes of the recipient, and
from there on the rule can be overridden with exceptions for acceptable
message classes.  The commercial or non-commercial nature of a message
should have ZERO bearing on whether a message qualifies as spam or not,
but it was a convenient and self-serving way for some non-commercial
actors with overweighted influence on the legislative process to carve
themselves an exemption.  I find political parties, charities, and
universities to be much worse spammers than legitimate commercial
entities.


> So, again, Yuval, well done!  We make a good 'good cop bad cop' team!

Our interests are aligned but I am not sure that we are on the same
team.  Your team is tackling the email deliverability / spam issue,
which can be fixed technically (at a cost) by blacklisting the sender. 
My team is tackling the offense on individual autonomy.  Being coerced
into a scientific research under the threat of consequences from
GDPR/CCPA non-compliance.  There is no tech fix for that.

Yuv
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-17 Thread yuv via mailop
UPDATE:

* I had waited for the answer to my direct note to Jonathan Mayer and
fell asleep.  It arrived at 01:44 EST.  This morning I replied to him. 
With a direct line of communication open,  the letter higher up is on
hold.

* They are currently not sending emails and will be publishing an FAQ
soon.  The issue that is relevant for mailop is, at least temporarily,
defused.  The feedback I have given them with regard to the spam issue
is that:

The study abused the mechanism created by the laws to deliver its
questionnaire to an email address whose purpose is only to receive
legal GDPR/CCPA requests.  Maybe, on balance, such minor abuse could be
tolerated as an efficient, low-cost shortcut to reach the person better
placed to answer the study's questionnaire.  However, the obfuscation
of the sender; the use of fraudulent identities; the covert and
indirect questions; all void any possible justification, whether the
study does or does not constitute human subjects research.

[...]

(a) put your questions in a direct plain view survey form on the web
instead of covering them up with hypothetical facts scenarios;

(b) identify yourself as the sender instead of using covert domains and
false identities;

(c) use a strict opt-in logic: the first email is the last one unless
the subject responds; and the first email has all the elements for the
subject to make an informed consent decision.


* On the big issue, the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT
into the study, I have been told that "[t]he IRB determined that our
study does not constitute human subjects research."  I do not have the
reasons for such determination, but this is the fault line at the
moment.  I have offered to Jonathan my opinion that:

The IRB's determination stands corrected (of course without admitting
fault, given the litigious context of the land).  Behind every website
there is an operator and in most cases, the end-operator is a human
subject, or an organization within which a human subject bears ultimate
responsibility for processing the study's emails.  That human deserves
respect [Belmont Report].

In the context of GDPR/CCPA, the mechanism they create and the
obligations and sanctions they impose, the study as designed resulted
in the ENROLLMENT OF HUMAN SUBJECTS WITHOUT CONSENT.

It is work in progress.  I am trying to identify who at Princeton would
be the optimal recipient of my letter.  A Researcher Misconduct
Complaint to the DoF would only deal with the individual researcher's
integrity and would not prevent the IRB from making further misguided
decisions on the coerced enrollment of humans.  At this time I am not
seeking to punish the researchers.  I wait to see how the dialog with
Jonathan unfolds.


On Thu, 2021-12-16 at 22:10 -0700, Grant Taylor via mailop wrote:
> I don't buy the silly mistake.  Not the second time around.
[...]
> But the fact that the student repeated the action and apparent lack
> of caring completely negates both "silly" and "mistake" in my head.

https://en.wikipedia.org/wiki/Three-strikes_law

 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
On Thu, 2021-12-16 at 12:13 -0500, John Levine via mailop wrote:
> It appears that Al Iverson via mailop  said:
> > 
> > Maybe let's try not to do something that'll screw up that college
> > kid's life forever over their bit of stupidity.
>
> I'm not worried about the kid.  I'm worried that his department and
> the university's IRB
> thinks that sending pretextual spam is OK.

Indeed supervision is the problem here, and the kid is currently being
sent straight onto a F*book style ethics trajectory.  The goal is to
get the supervisors' attention, not to play whack-a-mole with every kid
that will come after this one.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
Direct note just sent to Jonathan Mayer 
below.  Letter to the Office of the Dean of the Faculty at Princeton
University will follow later.


Dear Jonathan:

I am a lawyer with an interest in online privacy.  You are named as a
"team member" on ;.

While writing a polite note trying to understand how your name can be
associated with an initiative that seems to be so out of character with
your impressive and admirable profile, I received notice of your
generic response to Anne P. Mitchell on the subject, in which you
characterize this part of the study as "requesting information from
websites" and generally state your openness to answer questions. [1]

With all due respect, your characterization omits the most important of
the many problematic aspects of the research: the fraudulent and
possibly illegal (I am not licensed to practice in the US but have been
told that CAN-SPAM applies) information requests end up on the desk of
an individual person and that individual person is thus involuntarily
enrolled as research subject without meaningful consent.  Can you see
this point of view?

A letter to the Office of the Dean of the Faculty at Princeton
University is in preparation and will be sent out later today. [2]

At this point, the only question that may influence the content of that
letter is:  are the researchers responsible for the harvesting of email
addresses and the sending of fraudulent GDPR/CCPA requests willing to
suspend immediately all harvesting and emailing activity, pending
ethical review; and engage with the community on a redesign of their
harmful data collection practice?

[1] 

[2] 

Sincerely,
-- 
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer



Re: [mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-16 Thread yuv via mailop
I was writing a nice direct note to Jonathan following Hal Murray's
lead when this email arrived.  Obviously too late to be nice.  I will
still send it out as a heads up, but I will also finish the Research
Misconduct letter and mail it out this afternoon.  After reading
Jonathan's profile, I find this so out of character, I wonder what his
explanation is.

Updates follow, thanks for your patience.  English is my fifth language
and when I have to write something important I am slower than I would
like to be, sorry.

On Thu, 2021-12-16 at 07:54 -0700, Anne P. Mitchell, Esq. via mailop
wrote:
> As a follow up, to my letter, I received the following:
> 
> > Thank you for reaching out about our research on the European Union
> > General Data Protection Regulation (GDPR) and the California
> > Consumer Privacy Act (CCPA). A component of the study involves
> > requesting information from websites about how they have
> > implemented the consumer data access provisions of the GDPR and the
> > CCPA. Both the GDPR and CCPA provide for these types of information
> > requests. We would be glad to answer any questions you have about
> > the study goals, methods, and safeguards, and we welcome any
> > additional feedback you would like to provide.
> > 
> > Sincerely,
> > Jonathan
> 
> That was really the wrong response.  I responded explaining *exactly*
> how they are in violation of U.S. Federal law (CAN-SPAM), and I cc:ed
> the chair of the compsci department, and Princeton's general legal
> counsel.  If you are going to send something, please let it be soon
> so as to make clear that I'm not a single cartoony voice crying in
> the wilderness.
> 
> FWIW, here is the section of CAN-SPAM of which they are in violation:
> 
> ‘‘§1037. Fraud and related activity in connection with electronic
> mail
> 
> ‘‘(a) IN GENERAL.—Whoever, in or affecting interstate or foreign
> commerce, knowingly —
> 
> ‘‘(2) uses a protected computer to relay or retransmit multiple
> commercial electronic mail messages, with the intent to deceive or
> mislead recipients, or any Internet access service, as to the origin
> of such messages,
> ‘‘(3) materially falsifies header information in multiple commercial
> electronic mail messages and intentionally initiates the transmission
> of such messages,
> ‘‘(4) registers, using information that materially falsifies the
> identity of the actual registrant, for five or more electronic
> mail accounts or online user accounts or two or more domain names,
> and intentionally initiates the transmission of multiple commercial
> electronic mail messages from any combination of such accounts or
> domain names, or
> 
> ...shall be punished as provided in subsection (b).
> 
> ‘‘(2) a fine under this title, imprisonment for not more than 3
> years, or both, if—
> 
> ‘‘(A) the offense is an offense under subsection (a)(1); ‘‘(B) the
> offense is an offense under subsection (a)(4)
> and involved 20 or more falsified electronic mail or online user
> account registrations, or 10 or more falsified domain name
> registrations;
> ‘‘(C) the volume of electronic mail messages transmitted in
> furtherance of the offense exceeded 2,500 during any 24-hour period,
> 25,000 during any 30-day period, or 250,000 during any 1-year period;
> ‘‘(D) the offense caused loss to one or more persons aggregating
> $5,000 or more in value during any 1-year period;
> ‘‘(E) as a result of the offense any individual committing the
> offense obtained anything of value aggregating $5,000 or more during
> any 1-year period; or
> ‘‘(F) the offense was undertaken by the defendant in concert with
> three or more other persons with respect to whom the defendant
> occupied a position of organizer or leader;
> 
> ---
> 
> Anne
> 
> Anne P. Mitchell,  Attorney at Law
> Author: Section 6 of the Federal CAN-SPAM Law
> Board of Directors, Denver Internet Exchange
> Professor Emeritus, Lincoln Law School
> Chair Emeritus, Asilomar Microcomputer Workshop
> Former Counsel: MAPS Anti-Spam Blacklist
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer
https :// moneylaw.ca
Tel: 519.488.1783 (does not receive MMS)
Tel: 1.844.234.5389
Fax: 1.888.900.5709
2201-323 Colborne Street
London, ON N6B 3N8



[mailop] Ethics Complaint to Princeton (was: Privacy research spam apparently from a grad student at Princeton)

2021-12-15 Thread yuv via mailop
On Wed, 2021-12-15 at 08:53 -0700, Grant Taylor via mailop wrote:
> I feel like the student and the 
> professor / powers that be which approved this study should be clued 
> into the costs of the research on the rest of the world.

+1

https://dof.princeton.edu/policies-procedure/policies/research-misconduct

If enough mailops, preferably representing large corporate names that
donate money to Princeton (hint), are interested to co-operate and
ultimately co-sign a letter to Princeton's along the following lines, I
volunteer to circulate and update a draft until there is a reasonable
mass of signatories / consensus; and to send it on law office
letterhead to the responsible dean at:

Office of the Dean of the Faculty
Princeton University
9 Nassau Hall, Princeton, NJ 08544-5264
Phone: 609-258-3020
Fax: 609-258-2168
Email: d...@princeton.edu

IMHO this is an important issue that transcends this individual
spamming instance.  The student's dandy attitude did not originate in a
vacuum and while some universities such as Harvard and Stanford are at
the forefront of addressing the (lack of) ethics in IT [1], it is
obvious that others still need some prodding.  The design does not come
near to the complexity of real IT ethics questions such as who should a
self driving car sacrifice in case of an inevitable collision with
predictable casualties.  The ethical questions raised are of the
traditional kind: how does the researcher interact with the subject of
their research.  This researcher and his supervisors have failed
completely, in a way that shines a negative light on Princeton and
should not go unpunished.

It is generally uncontroversial that co-opting subjects into academic
research is unethical.  Where persons capable of consent are the
intended subject of academic research, it is accepted practice to
obtain informed consent before enrolling them into the research.  In
this case, consent was not obtained at all and information was
intentionally falsified, obfuscated, and withheld.
* The opt-out is only offered after the involuntary enrollment has
occurred, and on a difficult to find, seemingly unrelated site [2].
* The researcher has knowingly obfuscated the identity of the sender,
used false or stolen identities and bogus domains.
* No meaningful information about the research was provided to the
unwitting subjects before, during, or after the involuntary enrollment.
* The information available when trying to investigate, from "official
source" [2] as well as from the affected community [3] is incomplete at
best.
* Apparently the researcher has been made aware and has not done
anything but further obfuscating between April [3] and December.

In my view, co-opting websites and email addresses through harvesting
and spamming is equivalent to co-opting persons capable of consent.
Behind each and every one of the harvested email addresses there are
persons and ultimately a responsible individual that had to deal with
the threatening content of the emails.  Based on anecdotal feedback
[3], receipt of the email has caused a great deal of uncertainty,
anxiety and fear in addition to the economic harm of the spam that
became subject of expert investigation in an attempt to mitigate the
fallout for our systems and our email recipients[4].  It has a negative
effect on the operators of email systems signed below; on their user
communities; and frankly also on Princeton's reputation.  Has
Princeton given permission to the use of its name as part of the bogus
domain names?

The way this study was designed raises questions about the ethics, but
also the intellectual integrity of the researcher.  His reaction when
made aware of the shortcomings was intellectually dishonest.  We trust
that your investigation in the matter will find whether his supervisors
were party to this dishonesty, or whether this continued harassment is
the result of a single, rogue, element in your university.  In either
case, in my view those responsible deserve to be disciplined and I do
not exclude the possibility of a class action if Princeton does not
take satisfactory corrective and punitive actions.

Apparently, Princeton's Research Integrity and Assurance (RIA) has been
recently informed and has said they'll check and get back on the matter
to the informer. [5] The same informer has received a reply from the
researcher that points to either the researcher not being aware of
RIA's involvement, or having been cleared by it [6].  

The researcher's conduct goes beyond negligence.  He has displayed
willful blindness when expert system operators alerted him to the
negative effects of his conduct and tried to engage in constructive
criticism.  The email's text, the fake identities, the obfuscated
domains, all point to intentionally raising the fear factor in a way
unsavoury spammers typically do to force answers from recipients that
would normally ignore their requests.  While I am myself curious about
how website operators handle GDPR or 

Re: [mailop] Google's contributions to spam volume (was: Re: Google should be burnt or blown up (was: Gmail putting messages to spam))

2021-10-16 Thread yuv via mailop
On Tue, 2021-10-05 at 18:15 -0700, Brandon Long via mailop wrote:
> larger providers are their own special targets.

Thank you for sharing with us the perspective of a Big service
provider, and how you deal with annoyances on that exa-scale.


> We also see spammers try to use Gmail to spam other

I allow myself to draw your attention to two annoyances, to which
Google is at least a contributing factor if not the culprit, on a scale
that is sufficiently large to warrant some sort of filtering /
automation, or better, suppression at the sender (Google).


(A) the calendar invite/reminder.  I understand the convenience, to
some, of emailed invite/reminders when a user creates a calendar entry
and adds contacts.  However, whether the meeting is legit or not, I
have not granted permission to the user to spam me with
invites/reminders; and I have not granted permission to Google to spam
me with a proposition to create a calendar on its system on every
reminder when I have not replied whether or not I will attend the
meeting.  I have my reasons not to reply to calendar invites / publish
my intention to attend.  I have my reasons to hate external reminders
with a passion.  And I have my reasons not to use Google's services. 
At the very least, I would expect Google to offer an opt-out mechanism
per recipient (and, also per domain) that does not require the user to
create an account with Google.  And I would expect Google to accept no-
answer for an answer instead of repeating the invite/reminder multiple
times.  Even once is too many, i.e. spam.


(B) the "help us keep your account safe" reminder.  While in (A) Google
is merely a contributing factor, this one is all on Google.  It affects
Google Accounts that are associated with a third-party email address. 
I must maintain one Google account for things that cannot be done
without Google Account.  It is a bare-minimum Google Account with need-
to-know information only.  When I log into it, it verifies my email
address by emailing me a six-digit temporary code, so I can only log in
if I am in control of the email address associated with that account. 
And yet, invariably, a day or two after I log into that account I get
the annoying "help us keep your account safe" reminder in which Google
asks me to click on an URL to confirm that I still have access to the
email address.  That reminder also keeps coming in regular, too
frequent intervals.  Once a year I could understand/tolerate, though a
user should be allowed to opt out of the practice altogether, without
requiring the user to deliver to Google any further information.


Thanks for your consideration.
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Gmail putting messages to spam

2021-10-16 Thread yuv via mailop
On Fri, 2021-10-15 at 18:07 -0500, Mike Jovanovic via mailop wrote:
> Gmail can send email to spam if it arrives in a language that is
> different from the recipient's default language setting.

Do you have evidence to substantiate your claim?

I have plenty of beef with Big Tech, but it is not wise to alienate
them randomly if you want them to listen.

Specifically to language settings, doing what you are suggesting would
be shortsighted for a system that knows so much about its users.  I
expect that if I was a Gmail user, it would detect my pattern of
corresponding in different languages and adapt.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2

2021-09-24 Thread yuv via mailop
On Fri, 2021-09-24 at 12:36 -0400, Bill Cole via mailop wrote:
> Owning an operational domain name makes you a public person.
[...]
> In many places (including the US and at least some European
> countries) you can only own land if your 'title' to that land is
> registered with the government in an open public record.

In principle, YES!  However, there are limitations and safeguards in
place, some of which historical and unintentional, that prevent abuse
of that open and public record.

First, "open."  Here in Ontario, where I have write-privilege on the
Land Registry (I register deeds, mortgages, and all sorts of other
instruments for my clients), the cost of accessing the record is
substantial enough to dissuade the equivalent of a spammer accessing
the WHOIS record.  Historically, the openness of the record was limited
because it had to be physically consulted at the local registry office.
With the migration to electronic records and remote access, an
unintentional and steep (approximately $40/record) paywall has been
introduced.  The government has given a way too generous contract to
the IT company that developed and operates the database (and cashes most
of that paywall revenue).  I would argue that read-access should be
completely free of charge and with a public API, much like the WHOIS
record, however, see the third point below for why it is not a good idea.

Second, even in the Land Registry I can obfuscate the name of the
ultimate individual in control/ownership with a few legal tools:  I can
register land in the name of a trust or a corporation.  In those cases,
the contact details that can be found publicly are for some proxy
trustees or directors, but the names of the beneficiaries /
shareholders remain private, like the many privacy services offered
with domain name registration.  In recent years (since 2017) I must
disclose beneficial ownership to the Ministry of Finance, but that is
solely for taxation purpose and the information is not public.

Third, purpose.  The purpose of the land registry, and of the WHOIS
database, is matching owners with their responsibility.  If it was
possible to restrict usage of the WHOIS data for the sole purpose of
making the owner responsible for the land/domain, I would be against
the obfuscation of the ultimate owners behind privacy services. 
However, because it is not possible, having a proxy service that
forwards legitimate messages to the owner while blocking out spammers
and scammers of all sorts is a welcome element in the system.  I do not
miss the snailmail spam from the nineties, addressed to my WHOIS
contact details, selling directory entries or trying to fool me into
migrating my domains to their registry.

We all recognize a spammer when we see one, and yet it is so difficult
to root them out!

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Got any users in Texas? Better turn off your spam filters by Dec 2

2021-09-24 Thread yuv via mailop
On Fri, 2021-09-24 at 13:36 +0200, Sidsel Jensen via mailop wrote:
>  Privacy is sometimes a two-edged sword.

Privacy is a two-concepts word whose combination is misunderstood by
most: Property+Secrecy.

Property: the right to exclude others from using what is yours.  
Secrecy: the effort to hide what is yours from others.

Property is easier to understand when applied to cars, buildings, and
other objects composed of atoms.  However, it applies also to email
addresses, movies, and other objects composed by a sequence of bits. 
The difficulty with Privacy=Property in the digital realm is that some
sequences of bits are given more (legal) protection than others.  Just
because the door is not locked it does not mean that the thieves may
come in and serve themselves.

Yuv
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] SNDS At Work

2021-09-07 Thread yuv via mailop
On Tue, 2021-09-07 at 13:09 -0500, Mike Hammett via mailop wrote:
> I went to sign up for SNDS with my work e-mail. [...] and "You can't
> [...]."

> Well, that's dumb.

That's Microsoft: Size can compensate for dumb, unfortunately.
 

> What are the rest of you doing in these kinds of scenarios?

A few years back I simply opened a dedicated / throwaway hotmail
account.  Don't know if this will still work today as all the tech
bullies are using the Covid crisis to clamp down on personal freedoms.

HTH
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Recommendation for inbox provider?

2021-09-06 Thread yuv via mailop
On Mon, 2021-09-06 at 20:36 -0500, Jarland Donnell via mailop wrote:
> MXroute might be a bit rough around the edges for the average user. 

I was intending to try MXroute out.  Now I registered.  It will take a
little while to look around...


> But an arguably excessive hyper focus on outbound 
> delivery and inbound spam prevention. 

IMHO if internet email is to thrive, it needs more mailops like you and
less, much less of the marketing spammers.


> I love my work, happy to have anyone on board that wants to share it 
> with me :)

Will test with one of my domains dedicated for experimental/fun stuff,
and hopefully migrate my real stuff soon.

Now on to read the docs, searching how to set up relay from my internal
Postfix instance to MXroute as this would be my preferred modus
operandi, at least for now.  I will probably not bother with anything
inbound, so if your servers delete my outbound messages and related
logs after having used them for the sole purposes of spam-prevention
and (duh!) delivery, my most important requirement will be met. 

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] Recommendation for inbox provider?

2021-09-06 Thread yuv via mailop
On Mon, 2021-09-06 at 18:22 -0500, Al Iverson AND OTHERS via mailop
recommended: 
> GMAIL or OFFICE365 or
> The only other one I'd add to that list is probably
> https://smallbusiness.yahoo.com

In response to

> On September 7, 2021 10:47 AM, "Anne P. Mitchell, Esq." via mailop wrote:
> someone [...] needs an inbox host [b/c] GoDaddy are discontinuing
> their free hosted email

Interesting to say the least.  GoDaddy's decision is possibly motivated
by cost/benefit; by the excessive power of the oligopoly; or most
likely by both.  But what motivates expert mailops to only recommend
the oligopolists as an inbox host?

Is not outbox, with its deliverability issues, the more complex part of
the service?

I am fine with my crappy old inbox, but I am still looking for an SMTP
service to deal with the deliverability issues, most of them caused by
one of the oligopolists.  Sending customers their way will only make
internet email even less useful?

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] So uh... Zoom/Sendgrid... How's that webinar spam investigation coming?

2021-08-05 Thread yuv via mailop
On Thu, 2021-08-05 at 22:52 +1000, Noel Butler via mailop wrote:
> On 05/08/2021 19:07, Jaroslaw Rafa via mailop wrote:
> 
> > I would never block an entire server/provider, no matter big or
> > small, unless the server/provider sends spam *only* and not any
> > legitimate emails.
> > 
> pt  NEWSFLASH  the blocking is to the advantage of end users
> 

One mailop's spammer is another mailop's end user.  Hold off your
fire...


> you run your spam infested network the way you want, and i'll run
> mine the way I want.

THIS is the main reason why internet email is doomed for failure and
why I second the following, earlier statement in another thread:

On Fri, 2021-07-30 at 19:19 +0800, Philip Paeps via mailop wrote:
> On 2021-07-30 18:10:23 (+0800), G. Miliotis via mailop wrote:
> > We're just managing our misery here.
> 
> That's a great tag line for mailop@. :-)


Truth is: internet email sits on a fault line that is more poisonous
than the magma fumes emanating from geophysical fault lines.  Email
works fairly well as an internal service because one mailop rules all
users.  Email fails utterly when mailops serve interests on opposite
sides of the fault line.

Trying to deliver internet email today is more complex and difficult
than trying to effect legal service on an absconding defendant.  "The
dog ate the envelope" is no excuse, even if the dog is some fancy
experimental M$ AI trying to second guess recipient's interest and
punish bad actors according to its own rules, arguably arbitrary.

When an end user cannot rely on internet email to deliver messages,
they will look for alternatives.  Internet email is being bypassed left
and right by messaging platforms with tighter controls.  Spammers are
trying to infiltrate those platforms too, but with much less success
than internet email.

If anyone can suggest an email relay system that is compliant with US
HIPAA, I would love to connect
my internal email system to it and outsource email deliverability
problems.

Regards,
Yuv
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] SMTP AUTH harassment

2021-07-26 Thread yuv via mailop
On Mon, 2021-07-26 at 18:34 +0200, Alessandro Vesely via mailop wrote:
> On Tue 20/Jul/2021 04:17:31 +0200 Ángel via mailop wrote:
> > On 2021-07-19 at 23:27 +0200, Slavko wrote:
> > > Dňa Sun, 18 Jul 2021 13:56:18 -0400 Bill Cole:
> > > 
> > > > > The only usable way seems to be GeoIP blocking countries, but
> > > > > i
> > > > > afraid that it is wrong way.  
> > > > 
> > > > Why?
> > > 
> > > Hard to describe it in English for me, but i will try.
> > > 
> > > I consider blocking access by country as discriminating all
> > > honest
> > > people in particular country. (...)
> > 
> > You opened the thread describing it as a "personal mail server". I
> > interpret that as being a mta serving just you, or a few select
> > family
> > members/friends.
> > As such you can (should?) be highly selective. If you only use ISP
> > A,
> > why should you allow from any other source? It's not as if you
> > won't
> > notice when you change providers. If John uses only provider B, why
> > would you let a login from ISP C?
> 
> I run a personal mail server too.  I agree with safety arguments and
> all what Bill said.  However, any family member/ friend of mine, or
> even myself, could travel abroad for a week and forget to punch that
> hole in the firewall.  In addition, some use foreign services that
> login on their behalf (gmail is one).

A punch-hole-in-the-firewall function must be easy.  All the user needs
to do is call a URL from the IP address from which they want to send
email.  Arrive at the hotel, log on to WiFi, hit https://example.com/hereIam
with some authorization token or password, and the hole in the firewall
is punched automatically for the next 24 hours.  If they forget, they get
a bounce back from the mail server, they do the log on and they resend.

Define "foreign?" -- to me, in the hostile world of the internet, every
IP address that is not under my control is foreign.


> However, I discriminate by country when I report such abuses.  I only
> send reports to countries where I expect providers act under
> democratic laws.

How do you know the laws of all countries?  When interests are aligned,
autocratic laws are better than democratic laws.  If China's rulers
decide to clamp down on spam emission, you can bet that their
enforcement and therefore their outcome will be superior to that of any
self-righteous idiocracy.  And the big ISP/ESP are like not-so-little
autocracies.  If Microsoft/Google/Amazon wanted to reduce spam, they
could do it by cutting accounts aggressively.  However, that is not
aligned with their interest of making money.  Those accounts are all
associated with a credit card.  Not necessarily the spammer's, but as
long as money flows in, GAFAM will not make a fuss about it.


>   I don't want to wreak more havoc than it deserves, nor to deal with
> incomprehensible problems.  This discrimination also helps reducing
> the overall number of reports being sent.
> 
> Does that make any sense?

If it makes sense for you, by all means.  Given the outcome, I wonder
how many of these reports are directed straight through to /dev/null
with zero human review.
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer


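The hole-punching flow sketched in the message above, as an added example that is not part of the original post: a user on a new network calls a URL with a shared secret, the service records the connecting IP with a 24-hour expiry, and the mail server side asks the same store whether an address is currently allowed to authenticate. Only the /hereIam path comes from the message; the secret, the TTL, the port and every class and function name are assumptions.

```python
"""Added example (not from the original post): open a 24-hour hole for the
caller's IP when a URL is hit with the right secret, and let the MTA side
check that allow-list before accepting SMTP AUTH from an address.
Assumptions: PUNCH_SECRET, HOLE_TTL_SECONDS, the port and the class names
are hypothetical; the /hereIam path comes from the message."""
import hmac
import ipaddress
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

HOLE_TTL_SECONDS = 24 * 60 * 60                      # assumption: 24-hour hole
PUNCH_SECRET = b"replace-with-a-long-random-secret"  # assumption: shared secret


class HolePuncher:
    """Remembers which client IPs may reach the submission port, and until when."""

    def __init__(self, secret: bytes, ttl: float = HOLE_TTL_SECONDS) -> None:
        self._secret = secret
        self._ttl = ttl
        self._holes: Dict[str, float] = {}   # normalized ip -> expiry (unix time)

    @staticmethod
    def _norm(ip: str) -> Optional[str]:
        """Canonical text form, so 2001:0db8::1 and 2001:db8::1 hit the same entry."""
        try:
            return str(ipaddress.ip_address(ip))
        except ValueError:
            return None

    def punch(self, ip: str, token: str, now: Optional[float] = None) -> bool:
        """Open (or refresh) a hole for `ip` if `token` matches the secret."""
        now = time.time() if now is None else now
        addr = self._norm(ip)
        if addr is None:
            return False
        # constant-time compare: a plain == would leak how many bytes matched
        if not hmac.compare_digest(self._secret, token.encode()):
            return False
        self._holes[addr] = now + self._ttl
        return True

    def is_allowed(self, ip: str, now: Optional[float] = None) -> bool:
        """What the MTA or firewall asks before accepting AUTH from `ip`."""
        now = time.time() if now is None else now
        addr = self._norm(ip)
        expiry = self._holes.get(addr) if addr else None
        if expiry is None:
            return False
        if expiry <= now:                      # expired: drop it lazily
            del self._holes[addr]
            return False
        return True

    def active(self, now: Optional[float] = None) -> List[str]:
        """Currently open holes, e.g. to push into a firewall address set."""
        now = time.time() if now is None else now
        return sorted(ip for ip, exp in self._holes.items() if exp > now)


class PunchHandler(BaseHTTPRequestHandler):
    """GET /hereIam?token=<secret> opens a hole for the connecting address."""

    puncher = HolePuncher(PUNCH_SECRET)

    def do_GET(self) -> None:
        url = urlparse(self.path)
        if url.path != "/hereIam":
            self.send_error(404)
            return
        token = parse_qs(url.query).get("token", [""])[0]
        # Trust the socket peer, not X-Forwarded-For (unless a trusted proxy
        # sets it): otherwise the token holder could open a hole for any IP.
        client_ip = self.client_address[0]
        if self.puncher.punch(client_ip, token):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"hole open for {client_ip}\n".encode())
        else:
            self.send_error(403)


if __name__ == "__main__":
    # Run only behind TLS (e.g. a reverse proxy) so the token is never sent in clear.
    HTTPServer(("0.0.0.0", 8443), PunchHandler).serve_forever()
```

From the hotel network the user fetches https://example.com/hereIam?token=... once; the MTA side can consult is_allowed() before honouring AUTH, or periodically push active() into a firewall address set. The token is a bearer secret, so it belongs behind TLS and a rate limit, and the lazy expiry means a forgotten hole closes by itself after the TTL.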


Re: [mailop] SMTP AUTH harassment

2021-07-23 Thread yuv via mailop
On Sun, 2021-07-18 at 13:56 -0400, Bill Cole via mailop wrote:
> On 2021-07-18 at 06:43:51 UTC-0400 (Sun, 18 Jul 2021 12:43:51 +0200)
> Slavko via mailop 
> is rumored to have said:
> 
> [...]
> 
> > The only usable way seems to be GeoIP blocking countries, but i
> > afraid
> > that it is wrong way.
> 
> Why?
> 
> If you have no users who need to authenticate from a particular
> network, 
> there's no need to allow access from that network. If knowing where
> a 
> network is based helps you make an accurate estimation of whether
> access 
> from that network is needed, what's wrong with that?

IMHO this should be the general design principle of every protocol,
every server, and every router going forward.  I just have not been
bothered enough so far and have simply steered clear of obvious
creepware devices:  I do not want an LG TV to report my viewing habits,
a Samsung washer/dryer to report my laundry habits, and some shady
dataminer inferring that if I stopped watching porn and am doing more
laundry on the delicate cycle I got a girlfriend and they can now spam
me with Valentine's Day offers instead of XXX.

For SMTP, there is the added complexity that sometimes I have an
obligation to receive emails.  I was recently a side-show on a Federal
Court case in which the judge allowed service by email.  To a few
hundred parties, many with gmail/hotmail and the like.  The behavior of
the big mail servers outcompetes some of the most notorious defendants
absconding service.  As long as SMTP is plagued with these
deliverability issues (and with the even worse problem of spam), it is
good for internal email only.  The guy who predicted the pandemic does
not always get it right:
https://www.nytimes.com/2004/01/26/business/gates-predicts-that-spam-will-go-away.html

In that case, one could think of that statement as willful blindness,
since spam is in the eyes of the beholder, and spam is good business
for the company he represented back then, it seems.  
 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] m-365 still works like a spammer !

2021-07-23 Thread yuv via mailop
On Fri, 2021-07-23 at 21:44 +0200, Thomas Walter via mailop wrote:

> Regarding RFC974
> If the list of MX RRs is not empty, the mailer SHOULD try to
> deliver
> the message to the MXs in order (lowest preference value tried
> first).  The mailer IS REQUIRED to attempt delivery to the lowest
> valued MX.  Implementors are ENCOURAGED to write mailers so that
> they
> try the MXs in order until one of the MXs accepts the message, or
> all
> the MXs have been tried.
> 
> It's been a while since I looked at this, but isn't "SHOULD" a 
> recommendation? I understand this collides with the next "IS
> REQUIRED", 
> but...?

A general principle of statutory interpretation that applies well
(though not mandatory AFAIK) to the interpretation of standards is to
always read parts of the text in harmony with its whole.  Not in
collision.

Easy in this case: the highlighted SHOULD is not a direction.  It is a
description of the potential outcome that would/could/*should* happen
(outcome) if the mailer will/can/shall do what is directed.
 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer


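The MX-ordering rule discussed above, as an added example that is not part of the original post: records are sorted by preference, equal preferences are shuffled, and delivery is attempted down that list until a host accepts. It also covers two cases the quoted RFC 974 text predates, the implicit MX when a domain has no MX record (RFC 5321) and the null MX (RFC 7505). Stopping on a 5xx reply instead of continuing to a backup MX follows common MTA practice and is an assumption, not the RFC 974 wording; every host and reply in the code is constructed.

```python
"""Added example (not from the original post): order MX records for delivery
the way RFC 974 / RFC 5321 describe and try them until one accepts.
Hosts and SMTP replies are constructed; treating a 5xx reply as final (no
fallback to a backup MX) is an assumption that follows common MTA practice,
not the RFC 974 text quoted in the thread."""
import random
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MXRecord = Tuple[int, str]   # (preference, exchange host)


def delivery_order(domain: str, mx_rrs: Iterable[MXRecord],
                   rng: Optional[random.Random] = None) -> List[str]:
    """Exchange hosts in the order a mailer must try them.

    - lowest preference first: RFC 974 REQUIRES the lowest-valued MX be tried
    - equal preferences are shuffled to spread load (RFC 5321, section 5.1)
    - no MX at all: implicit MX, the domain's own address record (RFC 5321)
    - a lone "null MX" (preference 0, host ".") means the domain accepts no
      mail at all (RFC 7505): return an empty list
    """
    rng = random.Random() if rng is None else rng
    records = [(int(pref), host.rstrip(".").lower()) for pref, host in mx_rrs]
    if not records:
        return [domain.rstrip(".").lower()]
    if len(records) == 1 and records[0] == (0, ""):
        return []
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order: List[str] = []
    for pref in sorted(by_pref):
        group = by_pref[pref]
        rng.shuffle(group)          # equal preference: random order, not RR order
        order.extend(group)
    return order


def deliver(domain: str, mx_rrs: Iterable[MXRecord],
            attempt: Callable[[str], str],
            rng: Optional[random.Random] = None
            ) -> Tuple[str, Optional[str], List[str]]:
    """Try each MX in order; `attempt(host)` returns the SMTP reply ("250 ...").

    A caller maps a refused or timed-out connection to a 4xx string.
    Returns (status, host, log) with status "delivered", "deferred" (every
    host gave 4xx: retry later) or "bounced".
    """
    log: List[str] = []
    hosts = delivery_order(domain, mx_rrs, rng)
    if not hosts:
        return "bounced", None, ["null MX: domain does not accept mail"]
    for host in hosts:
        reply = attempt(host)
        log.append(f"{host}: {reply}")
        if reply.startswith("2"):
            return "delivered", host, log
        if reply.startswith("5"):
            # assumption: a permanent rejection is final for this message;
            # handing it to a backup MX would only get it bounced later
            return "bounced", host, log
        # 4xx: RFC 974 says keep going down the list until one accepts
    return "deferred", None, log
```

The SHOULD in the quoted paragraph is honoured by the loop, and the IS REQUIRED by the sort: whatever happens later, the first attempt always goes to a lowest-preference host.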


Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-04 Thread yuv via mailop
On Fri, 2021-06-04 at 11:16 +0200, Jaroslaw Rafa via mailop wrote:
> Sometimes, just out of curiosity, I'm checking MX-es for eg. Internet
> shops in which I shop or other entities I communicate with. Most of
> them have e-mail hosted by their hosting companies (at least MX
> points to the hosting ISP server), as part of the hosting package
> probably.
> 
> So I guess there are still many that are neither Microsoft nor
> Google.

I am sure you are guessing right.  Do you also check their SPF records?

Here in Canada, internet shops are being taken over by Shopify.  I am
not saying that big service providers like Microsoft, Google, Shopify,
etc. are inherently bad.  Economies of scale predict that such large
outfits can be very competitive.

What I am saying is that where network effects are important, or as in
the case of internet email, critical, these large outfits have an
incentive to use their scale for anti-competitive behavior, such as
arbitrarily rejecting mail from competitor's services.  Nothing
prevents you or me from developing an online retail solution and
competing with Shopify.  But if we try to operate a mail server and can't
deliver emails to a large number of potential recipients, no one will
contract our services and we will be prevented from making a run on
Gmail/Outlook.

I am not saying Microsoft is doing that -- there is ample evidence that
its filtering service is going ballistic against mail coming from its
own cloud.  I am saying that the unintended consequences of Microsoft's
filtering are difficult to distinguish from intended anti-competitive
behavior.

What is more important is that intentional or not, this behavior is
detrimental to internet email and has to stop before internet email
becomes even more irrelevant.  How many shops and other services have
you visited that have downgraded email from absolutely necessary to
secondary, e.g. by replacing email with phone/SMS for login and
messaging?

-- 
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-03 Thread yuv via mailop
On Thu, 2021-06-03 at 12:20 -0400, Bill Cole via mailop wrote:
> On 2021-06-01 at 21:46:43 UTC-0400 (Tue, 01 Jun 2021 21:46:43 -0400)
> yuv via mailop 
> is rumored to have said:
> 
> > I do like the fact that if someone puts
> > a letter with my address in a post office box anywhere in the
> > world, 
> > it
> > makes its way to my snail box within a reliable service standard.
> 
> [...]
> The direct corollary to that factoid is that all email should
> therefore be run by government entities with nationwide monopolies.

No.  Internet email suffers indeed a governance problem that results in
interoperability or deliverability difficulties, but government
monopolies are not the solution.  Government's role is to set the rules
and police them, not to provide the service that can be competitively
provided by private enterprise.  The corollary you envision is the
phone network of the Seventies.  Today, in advanced countries, the
phone network is a more or less competitive market, that unlike
internet email is *regulated* by government and *co-ordinated* at the
ITU-T, a UN agency.  I am not proposing that exact model (a license is
required to operate a telecom and I rather see less red tape than more)
but I am proposing that standards be enforced, and extended to include
a sufficient level of deliverability.

Today, "standards" are imposed by the big players, and they do so very
much in the bad Microsoft way of the nineties: Embrace, Extend, and
Extinguish.  Internet email may not be extinguished any time soon, but
it is becoming less and less relevant, replaced by SMS/MMS and other
proprietary messaging platforms (iMessage, Whatsapp, Telegram, etc.)
that do not suffer the governance problems that come with the
cacophonic fragmentation of internet email space where sender
identification is flaky and filtering is not only not standardized, but
also spurious to a point of unreliability.


> I do not expect this to garner much support by anyone currently
> running any sort of commercial mail service on either end.

Of course not.  There is more money to be made in a world of
deliverability issues and in the long term using deliverability as a
way to squeeze out of the market the smaller players and aim for an
oligopoly or even a monopoly, resulting in higher prices and less
innovation.

What volume of mailboxes is handled by the three biggest service
providers in your country?  Not talking free consumers services.  It
has been a long time since I have dealt with another business whose
mailboxes were not handled by either Microsoft or Google.  Choose your
poison.

Internet email in its pure form was/is a sore pain for profitability:
there is an unlimited number of domains available (unlike the limited
and controlled range of phone numbers or IP addresses) and barriers to
entry were very low.  Let's make them high by complicating things and
we can make more money /s.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] [EXTERNAL] Re: protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-03 Thread yuv via mailop
On Wed, 2021-06-02 at 04:15 +, Michael Wise via mailop wrote:
> That would shut down email as a viable communications mechanism
> almost immediately.

Substitute subnets for countries.  Is that not what your employer is
doing, blocking entire subnets?  The only difference is that the rules
are made by your employer, not by government.

On a more practical matter, maybe you can help me fix Hotmail
deliverability? for a few months I have been receiving the reply
snipped below.  I have been using that IP address as a very low volume
SMTP sender for about a decade.  The attempt was to message a Hotmail
address that I have been corresponding with for even longer.  I have
asked my ISP (Digital Ocean) to no avail.  I have not been able to make
sense of the information at the URL provided by Microsoft, specifically
map it against the diagnostic code in the snippet.

Thanks in advance for your insights.


--- START SNIPPET ---

host hotmail-com.olc.protection.outlook.com[104.47.14.33] said: 550 5.7.1
Unfortunately, messages from [XXX.XXX.XXX.XXX] weren't sent. Please contact
your Internet service provider since part of their network is on our block
list (S3140). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[VI1EUR04FT003.eop-eur04.prod.protection.outlook.com] (in reply to MAIL
FROM command)



> 
> Aloha,
> Michael.
> 
> -Original Message-
> From: mailop  On Behalf Of yuv via mailop
> Sent: Tuesday, June 1, 2021 9:10 PM
> To: mailop@mailop.org
> Subject: [EXTERNAL] Re: [mailop] protection.outlook.com refusing to
> accept mail with misleading temp error message
> 
> On Tue, 2021-06-01 at 23:55 -0400, John Levine via mailop wrote:
> > > All what recipients AND mailers want is a reliable email service,
> > > 
> > You really REALLY do not want your mail provider to deliver every
> > message.
> 
> Agree.  What I do want (but probably not even Santa can give me) is
> to
> make ISPs liable for every bit that emanates from their network the
> same way a land owner is liable for the pollution emanating from
> their
> land, and to block out completely countries that do not enforce such
> stringent standard.
> 
> 
> > Spammers really do ruin everything.
> 
> Slackers do too, and our governments have been giving too much slack
> to
> the industry who lobbied so successfully for a hands-off approach to
> encourage innovation.  That industry is no longer in its infancy and
> self-regulation has failed.




Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-01 Thread yuv via mailop
On Tue, 2021-06-01 at 23:55 -0400, John Levine via mailop wrote:
> > All what recipients AND mailers want is a reliable email service,
> > 
> You really REALLY do not want your mail provider to deliver every
> message.

Agree.  What I do want (but probably not even Santa can give me) is to
make ISPs liable for every bit that emanates from their network the
same way a land owner is liable for the pollution emanating from their
land, and to block out completely countries that do not enforce such
stringent standard.


> Spammers really do ruin everything.

Slackers do too, and our governments have been giving too much slack to
the industry who lobbied so successfully for a hands-off approach to
encourage innovation.  That industry is no longer in its infancy and
self-regulation has failed.
 
--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer
https://moneylaw.ca
Tel: 519.488.1783 (does not receive MMS)
Tel: 1.844.234.5389
Fax: 1.888.900.5709
2201-323 Colborne Street
London, ON N6B 3N8



Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-01 Thread yuv via mailop
On Tue, 2021-06-01 at 21:22 -0400, John Levine via mailop wrote:
> if the recipients of the mail don't complain when they
> don't get it, it's hard for the mail system operator to feel very
> motivated

The recipients don't even know they have a reason to complain.  The
motivation *should* come from service standards, RFCs, and
professionalism.  Not from complaints.


> It's not just bulk mailers who overestimate how much their recipients
> want their mail.

All that recipients AND mailers want is a reliable email service, like
snail mail.  I don't like the invoices, solicitations, and other things
that land in my snail box, but I do like the fact that if someone puts
a letter with my address in a post office box anywhere in the world, it
makes its way to my snail box within a reliable service standard.

The result of this attitude is that users are pushed to alternatives. 
iMessages, Telegram, SMS, you name it.  It is still an electronic
signal traveling through the wires, but the intermediary has much more
power over the users than in a federated internet email system.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer




Re: [mailop] protection.outlook.com refusing to accept mail with misleading temp error message

2021-06-01 Thread yuv via mailop
On Tue, 2021-06-01 at 15:39 -0400, John Levine via mailop wrote:
> It appears that Johann Klasek via mailop <
> klasek+mai...@zid.tuwien.ac.at> said:
> > the aim is, that everyone on the recipient site
> > is obligated to provide best possible reachability.
> 
> No, it's to deliver the mail that the users want. One point that bulk
> mailers often miss is that, while the recipients at large providers
> do not object to getting the bulk mail, they also do not really want
> it.

I am in no way a bulk mailer.  My server sends only legal documents and
invoices, all as PDF attachments and with no HTML or other eye candy or
trackware.  And yet Microsoft's StupidWhatever(TM) eats the mail
without notice to either recipient or sender.  How can the recipients
know that this is what they want?

On Tue, 2021-06-01 at 21:19 +0200, Johann Klasek via mailop wrote:
> On Tue, Jun 01, 2021 at 02:48:23PM -0400, John Levine via mailop
> wrote:
> > 
> > You should definitely demand a full refund of all the money you've
> > paid Microsoft to deliver your mail.
> > Oh, wait, ...
> 
> Sorry, I can't hear this capitalistic sarcasm anymore

That reply has nothing to do with capitalism, and even as sarcasm it is
stale.

The capitalistic answer is to make the provider responsible / liable
for the damages caused by its non-reachability.

It is plain wrong to substitute the provider's StupidWhatever(TM) whims
for the individual recipient's decision as to what is spam and how to deal
with it.  The individual recipient is the only person entitled to have
whims and to ignore incoming mail, at his own responsibility.

--
Yuval Levy, JD, MBA, CFA
Ontario-licensed lawyer

