Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
Hi Eric

> So all I need to do to shut down a competitor is sign up for their
> mailing list, then issue a complaint to their ESP?

It's not that easy :-). If you signed up, your competitor can provide
proof (time, IP address, received verification email) that you signed
up, to you and to the ESP. So you agreed to receive those emails.

Even if that proof is fake (made up by a fraudulent address broker) you
could not blame the ESP. You could probably blame the naive buyer of
this data, and you can try to sue the address broker if he refuses to
delete your data.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G        Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29       Tel  +41 61 826 93 00
CH-4133 Pratteln          Fax  +41 61 826 93 01
Schweiz                   Web  http://www.imp.ch
______________________________________________________

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
Hi Jay

> ESP to victim: That mail was sent on behalf of ABC Company, and you
> can contact them [here]. We don't tolerate spammers, and our customer 
> contracts require openness so these issues can be resolved. Attached
> is a PDF of their signed statement where they certify that they have
> your permission and agree that we may release their identity on
> demand.

This is what I would have expected from Mailchimp. This is what I got
from other ESPs.

Unfortunately in past cases Mailchimp replied more according to your
scenario 1.

> Why would a legitimate ESP insist on hiding the identity of its 
> customers from their victims? Isn't the point of bona-fide 
> permission-based bulk mail to build that relationship with the ESP a 
> transparent background entity? What legitimate company sends bulk 
> permission-based mail anonymously?

Yes, why? This is also what I wonder. If they hide and protect their
spamming customers, they get blocked. They probably lose
legitimate customers.

-Benoît Panizzon-


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
Hi Laura

> > There is no need to involve a lawyer.
> 
> There is if you’re asking a company to release customer information
> to you. Which is what your request of Mailchimp is. 

Could you please provide the legal background for your statement?

I have been in contact with the legal advisers of OFCOM Switzerland and
the Federal Data Protection and Information Commissioner (FDPIC). They
confirmed to me that any individual can request such information from
a company without the need to get it via a lawyer (which would generate
unnecessary costs).

> > For this you need the identity of the sender first. So if you try to
> > file a complaint without knowing the identity of the sender, the
> > police will tell you to first make use of the applicable laws and
> > to contact the ISP of the sender to provide the identity of the
> > sender.
> 
> That’s what you need the lawyer for - to get the ISP of the sender to
> release their customer information. 

I have been told otherwise, which I am sure you can quickly verify by
sending an email to OFCOM or the FDPIC requesting advice on the legal
procedure to follow.

I'm pretty sure that this works similarly for most other countries, as
such laws tend to be coordinated internationally.

I'm not so sure about the US, and this is what I am trying to find out.

-Benoît Panizzon-


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Eric Henson
So all I need to do to shut down a competitor is sign up for their mailing 
list, then issue a complaint to their ESP?




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Laura Atkins

> On Jun 13, 2016, at 9:59 AM, Jay Hennigan  wrote:
> 
> On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote:
>> Now you’re arguing legal contracts here - that vendor has a legal contract 
>> with whoever this spammer is.  While they can terminate the account in 
>> question, they certainly can’t expose any customer data to you.
> 
> In the US, they aren't under legal obligation to do so, which seems to vary 
> from some laws elsewhere.
> 
> However, if the ESP is claiming to be white-hat and only send mail where 
> permission exists, one would think that they would share it freely and 
> include a clause in their customer terms and conditions that their customer's 
> identity would be released to a recipient on request.

Scenario 3:

Victim to ESP: I got this spam from your IP and have no idea why. It touts some 
product, but all of the links are tracking bugs that point back to you. Where 
did you get my address and on whose behalf did you send it?

ESP to victim: We believe you and we have disconnected the customer. We’re 
unable to share any other information with you.

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  








Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Jay Hennigan

On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote:

> Now you’re arguing legal contracts here - that vendor has a legal contract with 
> whoever this spammer is.  While they can terminate the account in question, 
> they certainly can’t expose any customer data to you.


In the US, they aren't under legal obligation to do so, which seems to 
vary from some laws elsewhere.


However, if the ESP is claiming to be white-hat and only send mail where 
permission exists, one would think that they would share it freely and 
include a clause in their customer terms and conditions that their 
customer's identity would be released to a recipient on request.


Scenario 1:

Victim to ESP: I got this spam from your IP and have no idea why. It 
touts some product, but all of the links are tracking bugs that point 
back to you. Where did you get my address and on whose behalf did you 
send it?


ESP to victim: None of your business, but our customer said that they 
have your permission and we trust them more than we trust you. Besides, 
they are the one paying us and you're not. Shut up and eat your spam.


Victim to ESP: Well I don't think they do have permission, and I'd like 
to ask them to stop contacting me. Seeing as you've hidden the actual 
sender via tracked links that just point back to you, I have no way of 
verifying if it's legitimate.


ESP to victim: We're not telling. So sue me. If you ask really nicely 
we'll listwash you, but just for this one customer and we're not telling 
you who it is.


Scenario 2:

Victim to ESP: I got this spam from your IP and have no idea why. It 
touts some product, but all of the links are tracking bugs that point 
back to you. Where did you get my address and on whose behalf did you 
send it?


ESP to victim: That mail was sent on behalf of ABC Company, and you can 
contact them [here]. We don't tolerate spammers, and our customer 
contracts require openness so these issues can be resolved. Attached is 
a PDF of their signed statement where they certify that they have your 
permission and agree that we may release their identity on demand.


  ***

Why would a legitimate ESP insist on hiding the identity of its 
customers from their victims? Isn't the point of bona-fide 
permission-based bulk mail to build that relationship with the ESP a 
transparent background entity? What legitimate company sends bulk 
permission-based mail anonymously?


IMNSHO, if you send bulk promotional mail, and it generates complaints, 
and you shield the identity of the sender from the recipient, you aren't 
an ESP. You're a spammer-for-hire.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Laura Atkins

> On Jun 13, 2016, at 12:14 AM, Benoit Panizzon  wrote:
> 
> Hi Laura
> 
>> Again, were you approaching this as an individual or was your lawyer
>> involved?
> 
> There is no need to involve a lawyer.

There is if you’re asking a company to release customer information to you. 
Which is what your request of Mailchimp is. 

> For this you need the identity of the sender first. So if you try to
> file a complaint without knowing the identity of the sender, the police
> will tell you to first make use of the applicable laws and to contact
> the ISP of the sender to provide the identity of the sender.

That’s what you need the lawyer for - to get the ISP of the sender to release 
their customer information. 

laura 



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread David Hofstee
If you want to create a digital opt-in that is transferable between ESPs et 
al, you need:

the digital opt-in to tell you:
- who the recipient is
- what the allowed sender-domain or sender-email address is that you want to 
permit sending emails to you (rfc5322-to)
- when the opt-in was created
- how long the opt-in is valid (so that an opt-in can vanish if you don't use 
it! Very important.)
- where/how to verify the digital signature

the sender must:
- use DMARC (to also avoid criminals being able to steal the opt-in). 

the ESP must be able to
- verify it online (possibly before or during sending an email)
- provide the opt-in with the mail being sent
- refresh it automatically (e.g. be able to request a refresh after sending an 
email)
- if a customer leaves, provide the customer with fresh digital opt-ins. 

for mail hosting orgs, it must be able to
- integrate it in current mta setups
- have a user-interface to guide this process for the end-user
- be able to work with a mixed-system (mails with and without digital opt-in)

the recipient-domain should/must:
- have some sort of policy to advise that senders may (or must) use digital 
opt-in. Useful for changing to such a system. 
- tell where/how to verify the digital signature

Kind regards,


David Hofstee

Deliverability Management
MailPlus B.V. Netherlands (ESP)

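The transferable digital opt-in David Hofstee lists above, worked through as an added example that is not code from the mailop thread, from MailPlus or from any ESP: the recipient's mail host issues a token carrying recipient, permitted sender domain, creation and expiry times, a key id and the verify URL, and checks it online (David's "verify it online" item), which is why a keyed HMAC rather than a public-key signature suffices here. Assumed by me: the field names and token layout, the demo keys, the https://mail.example.net/optin/verify URL, and that the DMARC result arrives as a boolean; retiring a key discards its secret, so the retired-key case also shows why the rotated-out DKIM keys Ted Cooper describes later in the thread leave old signatures uncheckable unless the opt-in is refreshed first.

```python
"""Transferable digital opt-in token built from David Hofstee's field list.
Added example; the token layout, field names, demo keys and URL are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

VERIFY_URL = "https://mail.example.net/optin/verify"  # assumed "where to verify"
# Constructed demo keys, held only by the recipient's mail host, which both
# issues tokens and verifies them online. Only the key id travels in the token.
KEYS = {
    "k2016-05": b"constructed-demo-key-may",
    "k2016-06": b"constructed-demo-key-june",
}
RETIRED_KEYS = set()


def b64enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_bytes(payload: dict) -> bytes:
    # Sorted keys, no whitespace: issuer and verifier must MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_optin(recipient, sender_domain, key_id, now, valid_seconds):
    """Issue "<payload>.<mac>" saying who opted in, to which sender domain,
    when, for how long, and where the token can be checked."""
    payload = {
        "rcpt": recipient.lower(),             # who the recipient is
        "sender": sender_domain.lower(),       # permitted RFC 5322 From domain
        "iat": int(now),                       # when the opt-in was created
        "exp": int(now) + int(valid_seconds),  # unused opt-ins vanish after this
        "verify": VERIFY_URL,                  # where/how to verify
        "kid": key_id,
        "nonce": b64enc(secrets.token_bytes(8)),
    }
    body = canonical_bytes(payload)
    mac = hmac.new(KEYS[key_id], body, hashlib.sha256).digest()
    return b64enc(body) + "." + b64enc(mac)


def verify_optin(token, from_domain, dmarc_pass, now):
    """What the verify endpoint does for a message the ESP is about to send.
    Returns (ok, reason, payload); each failure names the check that failed."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = b64dec(body_b64), b64dec(mac_b64)
        payload = json.loads(body)
        if not isinstance(payload, dict):
            raise ValueError("payload is not an object")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    kid = payload.get("kid")
    if kid in RETIRED_KEYS or kid not in KEYS:
        # Same as a rotated-out DKIM key: nothing left to check the MAC against.
        return False, "unknown-or-retired-key", payload
    expected = hmac.new(KEYS[kid], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad-signature", payload
    if now >= payload.get("exp", 0):
        return False, "expired", payload
    if not dmarc_pass:
        # Without DMARC on the sender, a copied token could be used under a forged From.
        return False, "sender-not-authenticated", payload
    if from_domain.lower() != payload.get("sender"):
        return False, "sender-domain-mismatch", payload
    return True, "ok", payload


def refresh_optin(token, from_domain, dmarc_pass, now, valid_seconds, key_id):
    """After a successful send, hand back a fresh token under the current key
    (David's "refresh it automatically"), or None if the old one fails."""
    ok, _, payload = verify_optin(token, from_domain, dmarc_pass, now)
    if not ok:
        return None
    return issue_optin(payload["rcpt"], payload["sender"], key_id, now, valid_seconds)


def retire_key(key_id):
    """Rotate a key out and discard its secret; tokens under it become uncheckable."""
    KEYS.pop(key_id, None)
    RETIRED_KEYS.add(key_id)


def tampered(token, **changes):
    """Re-encode the payload with fields changed but the old MAC kept; shows the MAC check rejects it."""
    body_b64, mac_b64 = token.split(".")
    payload = json.loads(b64dec(body_b64))
    payload.update(changes)
    return b64enc(canonical_bytes(payload)) + "." + mac_b64
```

In use, the token would travel with each outgoing message and the ESP would submit it to the verify URL before sending, refreshing it on success so it outlives key rotation.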


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Suresh Ramasubramanian
Now you’re arguing legal contracts here - that vendor has a legal contract with 
whoever this spammer is.  While they can terminate the account in question, 
they certainly can’t expose any customer data to you.

You could of course contact local law enforcement and have them subpoena the 
data.  You will never guess how long it takes to execute such a cross border 
subpoena, as the buzzfeed headlines say.

> On 13-Jun-2016, at 12:59 PM, Benoit Panizzon  wrote:
> 
> By doing a purchase, you get into a legal contract with that customer
> you don't want to comply with, but by which you get information which
> you would not have got in another way. This could be legally turned
> against you.




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Laura

> Again, were you approaching this as an individual or was your lawyer
> involved?

There is no need to involve a lawyer.

You don't need one. You contact the sender and request proof of
opt-in. If he does not comply, you file a complaint with the SECO (or
you could try to file one with the police).

For this you need the identity of the sender first. So if you try to
file a complaint without knowing the identity of the sender, the police
will tell you to first make use of the applicable laws and to contact
the ISP of the sender to provide the identity of the sender.

In most cases, the issue can be resolved quite fast when the recipient
contacts the sender.

Either the sender can provide proof of opt-in or of a previous
business relationship, and everything is fine. (In Switzerland it is
unfortunately possible to buy customer data from bankrupt companies
during the insolvency process, so the 'past business' could be with a
company that has nothing directly to do with the sender, but from which
the sender bought this data.)

Or the sender provides a proof which can be rebutted by the recipient.
Mostly the issue is then settled when the sender apologizes and
provides more information on where he got the data from. Or the
sender then himself takes legal action against the company or person
who provided the data.

-Benoît Panizzon-


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Tim

> Rule #1: Spammers lie. What sort of "proof of opt-in" could they
> provide that can't be forged? Also, it does not follow from that
> requirement that senders must be "identifiable." That may be a
> separate legal requirement, but it doesn't logically follow from the
> opt-in proof requirement.

As a sender of advertising emails is required to provide proof of
opt-in to the recipient of those emails, the recipient needs to be
able to identify that sender to contact him and request that proof.

Otherwise this legal requirement would not make sense.

Spammers don't always lie. Some are naive and buy 'guaranteed opt-in'
email addresses from liars. Some just don't do opt-in and fall victim to
joe-jobs flooding their subscription tools with collected email
addresses. I have also come across cases of contest cards that were
filled in with a just plain wrong email address.

But yes, usually if the spammer tries to hide his identity, he knows
exactly what he is doing and why.

> I also do not see how this matters when it comes to blacklist
> operations. "Tell me who your customer is so legal action can be
> taken against them" is what the law you cite seems to amount to. You
> are perfectly to block or blocklist anyone you want no matter what
> the law says.

In the case of Mailchimp, the problem is that some of the users of our
blacklist would like to get email from them, because they subscribed to
legitimate senders using Mailchimp. Some of our users complain that we
don't completely blacklist them, because they have customers who
repeatedly 'anonymously' send spam and they seem to protect their
spamming customers instead of helping the spam victims.

-Benoît Panizzon-


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-11 Thread John Levine
>> And why pull the public one if you do?
>
>That's how you invalidate the old key, mitigating the stolen key problem.
>The point of cycling keys is to invalidate old ones.

Also, by design, DKIM is intended for validating mail in transit, not
long term archives.  For that we have S/MIME and PGP.

R's,
John




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-11 Thread Brandon Long via mailop
Why rotate keys that often?

And why pull the public one if you do?

Brandon



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop

Keep that one sign-up message.
It's a very small per-user piece of data, and it would certainly be proof 
enough and to spare for me.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 09:29, Michael Wise via mailop wrote:
> 
> ... when the server receives it, it gets authenticated.
> Or did you forget this?

That doesn't help when attempting to provide "proof" of signup at some
future date - it will simply be a message with a DKIM sig that can no
longer be confirmed. I don't store old key information and I don't think
anyone else does. I'm not going to trust a 3rd party to say "it was
signed when I got it! I swear!" - it may as well be made up.





Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop

... when the server receives it, it gets authenticated.
Or did you forget this?

Aloha,
Michael.


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 05:02, Michael Wise via mailop wrote:
> Well, the From: domain would be a good start.
> 
> It would certainly cut down on the trivial forgeries, and could easily
> be transferred from the web to email with a single mailto: link.

Any signed DKIM message can only be authenticated while the key remains
in DNS - I cycle mine once a month, and pull the key after that. Once it
is no longer available, the signature may as well be made up.





Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop

Well, the From: domain would be a good start.
It would certainly cut down on the trivial forgeries, and could easily be 
transferred from the web to email with a single mailto: link.

Aloha,
Michael.

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Tim Starr
Sent: Friday, June 10, 2016 11:55 AM
To: mailop@mailop.org
Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

Signed by whom? First off, this would require that sign-ups be transferred from 
web to email. Secondly, I can see how it could easily be forged. All I'd have 
to do is set up a mail server to send DKIM-signed email for each "opt-in" 
request, each with a different DKIM domain out of a set of pre-registered 
rotating domains. Bingo! "proof" of opt-in. Spammers have been doing this for 
years w/ IP-based date/time/IP-formatted opt-in proof requests.

-Tim

On Fri, Jun 10, 2016 at 12:32 PM, Michael Wise <michael.w...@microsoft.com> wrote:
A DKIM-signed submission request?
With IP, time stamp, and such like would be pretty undeniable intent to 
subscribe, IMHO.
Or provide plenty of fodder for the sysadmin of the domain in question to track 
down the imposter.

Aloha,
Michael.

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Tim Starr
Sent: Friday, June 10, 2016 11:14 AM
To: mailop@mailop.org
Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide that 
can't be forged? Also, it does not follow from that requirement that senders 
must be "identifiable." That may be a separate legal requirement, but it 
doesn't logically follow from the opt-in proof requirement.

I also do not see how this matters when it comes to blacklist operations. "Tell 
me who your customer is so legal action can be taken against them" is what the 
law you cite seems to amount to. You are perfectly to block or blocklist anyone 
you want no matter what the law says.

Tim Starr

On Fri, Jun 10, 2016 at 2:50 AM, Benoit Panizzon <benoit.paniz...@imp.ch> wrote:
Hi Suresh

> They aren’t under any obligation to reveal customer identity to you
> and would potentially face legal liability for doing so.

This is exactly the problem.

Privacy laws in Switzerland (and most other countries I know) state
that the sender must provide proof of opt-in.

Therefore, the sender must be identifiable. If the sender is not
identifiable, the ISP of the sender must provide the identity of the
sender.

So an ISP does not face any legal liability for providing the identity
of the sender, as this is a legal requirement and the ISP acts according
to the law.

There are court cases confirming this procedure.

If this procedure and priority of privacy requirements is not observed,
a spammer can never be prosecuted or blocked. The spammer can just
pretend that all his addresses are opt-in and that he acts legally, but
never has to prove it. Therefore Mailchimp cannot block him, or he can
request to be unblocked because he claims towards Mailchimp that the
spam reports are wrong and he has proof of opt-in from the recipients,
which he never has to show anyone.

The spammer could probably even prosecute Mailchimp for blocking him or
canceling his services.

The users of our blacklist request that we block Mailchimp for not
respecting privacy laws and not providing the legal identity of the
spammers so they can provide a proof of opt-in or be made liable for not
respecting the mass advertising law.

So, do you have any suggestions on how to solve this issue?

Legal References:

Art. 8 Right to information
https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8

Art. 82 Communication of data to identify nuisance calls and unfair
mass advertising
https://www.admin.ch/opc/en/classified-compila

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
Signed by whom? First off, this would require that sign-ups be transferred
from web to email. Secondly, I can see how it could easily be forged. All
I'd have to do is set up a mail server to send DKIM-signed email for each
"opt-in" request, each with a different DKIM domain out of a set of
pre-registered rotating domains. Bingo! "proof" of opt-in. Spammers have
been doing this for years w/ IP-based date/time/IP-formatted opt-in proof
requests.

-Tim

On Fri, Jun 10, 2016 at 12:32 PM, Michael Wise <michael.w...@microsoft.com>
wrote:

> A DKIM-signed submission request?
>
> With IP, time stamp, and such like would be pretty undeniable intent to
> subscribe, IMHO.
>
> Or provide plenty of fodder for the sysadmin of the domain in question to
> track down the imposter.
>
>
>
> Aloha,
>
> Michael.
>
> --
>
> *Michael J Wise* | Microsoft | Spam Analysis | "Your Spam Specimen Has
> Been Processed." | Got the Junk Mail Reporting Tool
> <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
>
>
>
> *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Tim Starr
> *Sent:* Friday, June 10, 2016 11:14 AM
> *To:* mailop@mailop.org
> *Subject:* Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy
> Laws
>
>
>
> Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide
> that can't be forged? Also, it does not follow from that requirement that
> senders must be "identifiable." That may be a separate legal requirement,
> but it doesn't logically follow from the opt-in proof requirement.
>
>
>
> I also do not see how this matters when it comes to blacklist operations.
> "Tell me who your customer is so legal action can be taken against them" is
> what the law you cite seems to amount to. You are perfectly to block or
> blocklist anyone you want no matter what the law says.
>
>
>
> Tim Starr
>
>
>
> On Fri, Jun 10, 2016 at 2:50 AM, Benoit Panizzon <benoit.paniz...@imp.ch>
> wrote:
>
> Hi Suresh
>
> > They aren’t under any obligation to reveal customer identity to you
> > and would potentially face legal liability for doing so.
>
> This is exactly the problem.
>
> Privacy Laws in Switzerland (and most other countries I know) state
> that the sender must provide proof of opt-in.
>
> Therefore, the sender must be identifiable. If the sender is not
> identifiable, the ISP of the sender must provide the identity of the
> sender.
>
> So an ISP does not face any legal liability on providing the identity
> of the sender, as this is a legal requirement and the ISP acts according
> to the law.
>
> There are court cases confirming this procedure.
>
> If this procedure and priority of privacy requirements is not observed,
> a spammer can never be prosecuted or blocked. The spammer can just
> pretend that all his addresses are opt-in and that he acts legally but
> never has to prove it. Therefore Mailchimp cannot block him, or he can
> request to be unblocked because he claims towards Mailchimp that the
> spam reports are wrong and he has proof of opt-in from the recipients,
> which he never has to show anyone.
>
> The spammer could probably even prosecute Mailchimp for blocking him or
> canceling his services.
>
> The users of our Blacklist request that we block Mailchimp for not
> respecting privacy laws and not providing the legal identity of the
> spammers so they can provide a proof of opt-in or be made liable for not
> respecting the mass advertising law.
>
> So, do you have any suggestions on how to solve this issue?
>
> Legal References:
>
> Art. 8 Right to information
> https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8
>
> Art. 82 Communication of data to identify nuisance calls and unfair
> mass advertising
> https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82
>
> Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
> translated by admin.ch

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
A DKIM-signed submission request?
With IP, time stamp, and such like would be pretty undeniable intent to 
subscribe, IMHO.
Or provide plenty of fodder for the sysadmin of the domain in question to track 
down the imposter.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Tim Starr
Sent: Friday, June 10, 2016 11:14 AM
To: mailop@mailop.org
Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide that 
can't be forged? Also, it does not follow from that requirement that senders 
must be "identifiable." That may be a separate legal requirement, but it 
doesn't logically follow from the opt-in proof requirement.

I also do not see how this matters when it comes to blacklist operations. "Tell 
me who your customer is so legal action can be taken against them" is what the 
law you cite seems to amount to. You are perfectly to block or blocklist anyone 
you want no matter what the law says.

Tim Starr

On Fri, Jun 10, 2016 at 2:50 AM, Benoit Panizzon 
<benoit.paniz...@imp.ch<mailto:benoit.paniz...@imp.ch>> wrote:
Hi Suresh

> They aren’t under any obligation to reveal customer identity to you
> and would potentially face legal liability for doing so.

This is exactly the problem.

Privacy Laws in Switzerland (and most other countries I know) state
that the sender must provide proof of opt-in.

Therefore, the sender must be identifiable. If the sender is not
identifiable, the ISP of the sender must provide the identity of the
sender.

So an ISP does not face any legal liability on providing the identity
of the sender, as this is a legal requirement and the ISP acts according
to the law.

There are court cases confirming this procedure.

If this procedure and priority of privacy requirements is not observed,
a spammer can never be prosecuted or blocked. The spammer can just
pretend that all his addresses are opt-in and that he acts legally but
never has to prove it. Therefore Mailchimp cannot block him, or he can
request to be unblocked because he claims towards Mailchimp that the
spam reports are wrong and he has proof of opt-in from the recipients,
which he never has to show anyone.

The spammer could probably even prosecute Mailchimp for blocking him or
canceling his services.

The users of our Blacklist request that we block Mailchimp for not
respecting privacy laws and not providing the legal identity of the
spammers so they can provide a proof of opt-in or be made liable for not
respecting the mass advertising law.

So, do you have any suggestions on how to solve this issue?

Legal References:

Art. 8 Right to information
https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8

Art. 82 Communication of data to identify nuisance calls and unfair
mass advertising
https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82

Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
translated by admin.ch)
https://www.admin.ch/opc/de/classified-compilation/19860391/index.html

-Benoît Panizzon-
--
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 Pratteln    Fax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michelle Sullivan

Benoit Panizzon wrote:

> So the Mailchimp Abuse Desk was asked, with reference to the according
> legal articles and proof that the email was sent by their customer, to
> please disclose the identity of the customer sending those emails.
>
> Mailchimp always answers that they are a US company and are only
> obliged to US law where providing an opt-out link is good enough and
> disclosure of the identity of their customer is not possible under US
> law. Also they cannot block a customer because of spamming if the
> customer provides an opt-out mechanism, which is all that US laws
> require.

You know this amuses me and I wonder if the EU law is in any way similar 
to the AU law which you didn't mention...


In AU law it specifically states that a company is considered within the 
AU jurisdiction and therefore subject to AU Law (the Spam Act 2003) if 
it delivers email to Australian domains and/or Australian Hosted 
domains/mailboxes.  I wonder how Mailchimp would answer that...  I 
wonder how it holds up in the real world?


Regards,

--
Michelle Sullivan
http://www.mhix.org/


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Steve Atkins

> On Jun 10, 2016, at 10:30 AM, John Levine  wrote:
> 
>> With regard to Mailchimp, as a non-customer observer it seems to me that 
>> pre-Mandrill was excellent, post-Mandrill not as much.
> 
> Mandrill is automated, which makes vetting the customers a lot harder.
> 
> They are painfully aware of that, not sure what they're currently
> doing about it.

They shut down Mandrill as a standalone service at the end of April; it's now
an addon to MailChimp service (i.e. they're doing the same sort of thing
as other full ESPs do by providing transactional as an additional service,
rather than competing with sendgrids and sparkposts of the world).

Reading between the lines this seems to have been triggered by the
abuse of mandrill, and (from my perspective) spam from there has pretty
much vanished.

Cheers,
  Steve




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide
that can't be forged? Also, it does not follow from that requirement that
senders must be "identifiable." That may be a separate legal requirement,
but it doesn't logically follow from the opt-in proof requirement.

I also do not see how this matters when it comes to blacklist operations.
"Tell me who your customer is so legal action can be taken against them" is
what the law you cite seems to amount to. You are perfectly to block or
blocklist anyone you want no matter what the law says.

Tim Starr

On Fri, Jun 10, 2016 at 2:50 AM, Benoit Panizzon 
wrote:

> Hi Suresh
>
> > They aren’t under any obligation to reveal customer identity to you
> > and would potentially face legal liability for doing so.
>
> This is exactly the problem.
>
> Privacy Laws in Switzerland (and most other countries I know) state
> that the sender must provide proof of opt-in.
>
> Therefore, the sender must be identifiable. If the sender is not
> identifiable, the ISP of the sender must provide the identity of the
> sender.
>
> So an ISP does not face any legal liability on providing the identity
> of the sender, as this is a legal requirement and the ISP acts according
> to the law.
>
> There are court cases confirming this procedure.
>
> If this procedure and priority of privacy requirements is not observed,
> a spammer can never be prosecuted or blocked. The spammer can just
> pretend that all his addresses are opt-in and that he acts legally but
> never has to prove it. Therefore Mailchimp cannot block him, or he can
> request to be unblocked because he claims towards Mailchimp that the
> spam reports are wrong and he has proof of opt-in from the recipients,
> which he never has to show anyone.
>
> The spammer could probably even prosecute Mailchimp for blocking him or
> canceling his services.
>
> The users of our Blacklist request that we block Mailchimp for not
> respecting privacy laws and not providing the legal identity of the
> spammers so they can provide a proof of opt-in or be made liable for not
> respecting the mass advertising law.
>
> So, do you have any suggestions on how to solve this issue?
>
> Legal References:
>
> Art. 8 Right to information
> https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8
>
> Art. 82 Communication of data to identify nuisance calls and unfair
> mass advertising
> https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82
>
> Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
> translated by admin.ch)
> https://www.admin.ch/opc/de/classified-compilation/19860391/index.html
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G-Leiter Commerce Kunden
> __
>
> Zurlindenstrasse 29 Tel  +41 61 826 93 00
> CH-4133 Pratteln    Fax  +41 61 826 93 01
> Schweiz Web  http://www.imp.ch
> __
>


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins

> On Jun 10, 2016, at 10:30 AM, John Levine  wrote:
> 
>> With regard to Mailchimp, as a non-customer observer it seems to me that 
>> pre-Mandrill was excellent, post-Mandrill not as much.
> 
> Mandrill is automated, which makes vetting the customers a lot harder.
> 
> They are painfully aware of that, not sure what they're currently
> doing about it.

They’re doing stuff. Closing down the free option was a part of their fix. 
They’ve made a few other changes as well. When I was there last month to give a 
talk to their employees I had a long chat with some of the policy folks. 

A lot of Mailchimp’s automated monitoring and pre-emptive handling is based on 
the email address lists uploaded. That didn’t map well onto the Mandrill model, 
where they don’t have pre-loaded lists. Overall, I think they’re getting a 
handle on it. 

But I really don’t expect any ESP to provide information to people just because 
they ask for it, no matter what the jurisdiction is. If you want a local 
provision enforced, then get a court order and have it enforced. Saying “you 
have to do this because my laws say you do” and expecting them to do it, is 
naive at best. There are privacy issues involved here, and I don’t have any 
problem with a US company not releasing customer information to a foreign 
national just because the foreign national says they have to by law.

laura 


-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell

> 
> International law?  There's no international spam law.  I know people
> who spend full time trying to piece together spam cases using whatever
> law applies in whatever places bits of the spamming happens.
> 
> As others have noted, US companies are not subject to Swiss law, just
> as Swiss companies are not subject to US law.

Of course there isn't *universal* law - by "international" law I meant "not US" 
law.

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, Institute for Social Internet Public Policy
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Asilomar Microcomputer Workshop Committee
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>I agree.  But that doesn't mean he can't get a satisfactory answer about the 
>international law aspect.  And by satisfactory I
>mean one that makes sense, not necessarily one that he is going to like. ;-)

International law?  There's no international spam law.  I know people
who spend full time trying to piece together spam cases using whatever
law applies in whatever places bits of the spamming happens.

As others have noted, US companies are not subject to Swiss law, just
as Swiss companies are not subject to US law.

R's,
John



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>With regard to Mailchimp, as a non-customer observer it seems to me that 
>pre-Mandrill was excellent, post-Mandrill not as much.

Mandrill is automated, which makes vetting the customers a lot harder.

They are painfully aware of that, not sure what they're currently
doing about it.




Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Jay Hennigan

On 6/10/16 8:31 AM, Suresh Ramasubramanian wrote:

> I would guess they're happy to can their customer but they are refusing to tell 
> Benoit who the customer is.  Which sounds fair to me.


May be fair, may be not depending on the proactive/reactive weight.

In other words, weight given to preventing pests from infestation vs. 
exterminating them once they've established a presence.


With regard to Mailchimp, as a non-customer observer it seems to me that 
pre-Mandrill was excellent, post-Mandrill not as much.


--
--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell

> Venturing an opinion on how much jurisdiction a law enforcement or regulatory 
> Organization is prepared to assert in a cross border scenario isn't going to 
> fly too far 
> 
> Did you try to identify the spammer with a dummy purchase If he is doing 
> something illegal?
> 
> --srs
> 
>> On 10-Jun-2016, at 9:09 PM, Anne Mitchell  wrote:
>> 
>> I agree.  But that doesn't mean he can't get a satisfactory answer about the 
>> international law aspect.  And by satisfactory I mean one that makes sense, 
>> not necessarily one that he is going to like. ;-)

Ok, just to be clear, I'm not the one with the spammer (I was just offering to 
try to get info for Benoit from MC).

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation and Inbox Deliverability Certification Program 
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

"Email marketing is the one place where it's better to ask permission than 
forgiveness." - Me

Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Asilomar Microcomputer Workshop Committee
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell





Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
Venturing an opinion on how much jurisdiction a law enforcement or regulatory 
Organization is prepared to assert in a cross border scenario isn't going to 
fly too far 

Did you try to identify the spammer with a dummy purchase If he is doing 
something illegal?

--srs

> On 10-Jun-2016, at 9:09 PM, Anne Mitchell  wrote:
> 
> I agree.  But that doesn't mean he can't get a satisfactory answer about the 
> international law aspect.  And by satisfactory I mean one that makes sense, 
> not necessarily one that he is going to like. ;-)



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
I would guess they're happy to can their customer but they are refusing to tell 
Benoit who the customer is.  Which sounds fair to me.

--srs

> On 10-Jun-2016, at 8:44 PM, Anne Mitchell  wrote:
> 
> Benoit, please contact me offlist, and I will see about getting you to the 
> right person (MC is a certification customer of ours, and I can confirm what 
> Suresh says - they are *very* responsive to spam complaints, but yes, yours 
> isn't really of that nature, at least not in a straight-forward sort of way 
> that their abuse department is used to).
> 
> Anne
> 
> Anne P. Mitchell, 
> Attorney at Law
> CEO/President, 
> SuretyMail Email Reputation and Inbox Deliverability Certification Program 
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
> 
> "Email marketing is the one place where it's better to ask permission than 
> forgiveness." - Me
> 
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Member, California Bar Cyberspace Law Committee
> Member, Colorado Cybersecurity Consortium
> Member, Asilomar Microcomputer Workshop Committee
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop
> amitch...@isipp.com | @AnnePMitchell
> Facebook/AnnePMitchell  | LinkedIn/in/annemitchell
> 
> 
> 
>> Hi List
>> 
>> I wonder how other Email Ops, especially in Europe, handle Mailchimp and
>> Mandrill App.
>> 
>> They are a constant issue with the Swinog Blacklists.
>> 
>> The problem boils down with differences in the privacy laws of US vs EU.
>> 
>> In Switzerland (and probably most EU countries too), a company who
>> sends advertising emails must first get the agreement of the recipient
>> to receive those emails or must be able to prove that the recipient is
>> a customer who in the past ordered services of the sender.
>> 
>> Therefore the recipient must be able to identify and contact the sender.
>> 
>> If the sender is hiding behind anonymously registered domains etc. the
>> ISP must identify his customer upon request. Court cases have confirmed
>> that the interest of the recipient to get the identity of the sender is
>> more important than the interest of the sender to have his identity
>> protected by his ISP.
>> 
>> I came across several cases of anonymous 'spam' emails sent via
>> Mailchimp. Obviously by Swiss or European spammers targeting Swiss
>> email addresses they bought or harvested illegally.
>> 
>> Anonymous Spam means:
>> 
>> * Domain registered by anonymous proxy.
>> * No Imprint on Website.
>> * No further contact information on the email except the website.
>> * Order Form on Website, Payment anonymously via Paypal.
>> 
>> So the Mailchimp Abuse Desk was asked, with reference to the according
>> legal articles and proof that the email was sent by their customer, to
>> please disclose the identity of the customer sending those emails.
>> 
>> Mailchimp always answers that they are a US company and are only
>> obliged to US law where providing an opt-out link is good enough and
>> disclosure of the identity of their customer is not possible under US
>> law. Also they cannot block a customer because of spamming if the
>> customer provides an opt-out mechanism, which is all that US laws
>> require.
>> 
>> I was without success trying to find a solution to this issue with the
>> Mailchimp Abuse Desk.
>> 
>> Well this is a big blinking sign telling 'SAFE HARBOUR' to all spammers
>> out there, as they do not have to fear any legal prosecution, as they
>> are very hard to identify. This is also why Mailchimp keeps being
>> abused over and over again by spammers and is often being blacklisted
>> because their customers send emails to SWINOG Blacklist spamtraps. Of
>> course their delivery agents then contact us, but usually we don't find
>> a solution, because they stay with the statement that their customer
>> did nothing wrong and SWINOG is wrong by blocking such emails.
>> 
>> What are your observations/experiences with Mailchimp regarding this
>> kind of legal issue?
>> 
>> Is there any chance that they would accept applying European laws when
>> their customers are from countries in Europe and targeting European
>> recipients?
>> Or any chance they would alter their anti-spam and privacy policy to be
>> less spammer friendly?
>> 
>> Kind regards
>> 
>> -Benoît Panizzon-
>> I m p r o W a r e   A G-Leiter Commerce Kunden
>> __
>> 
>> Zurlindenstrasse 29 Tel  +41 61 826 93 00
>> CH-4133 Pratteln    Fax  +41 61 826 93 01
>> Schweiz Web  http://www.imp.ch
>> __
>> 

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins

> On Jun 10, 2016, at 1:09 AM, Benoit Panizzon  wrote:
> 
> I have seen similar cases on many occasions.
> 
> But what disturbed me most here, is the lack of legal cooperation from
> Mailchimp. It was obvious that the sender was located in either
> Switzerland or Italy. The spamvertized website was in perfect German,
> with prices in Swiss Francs, advertising products from Italy.
> Recipients were probably only email addresses under the .ch TLD.

They ignored a legal request? 

Or they ignored a personal request for them to violate their own privacy policy 
and terms and conditions?

The two things are very, very different. 

I’ve got to side with Mailchimp here, they’re a US company and they follow US 
law.

> So it would, under Swiss law and probably most other countries in
> Europe, have been the duty of Mailchimp to disclose his identity.
> 
> Mailchimp refused with reference to US law. And yes, the case was
> forwarded to the legal department of Mailchimp.

Again, were you approaching this as an individual or was your lawyer involved?

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Matthias

> > Therefore, the sender must be identifiable. If the sender is not
> > identifiable, the ISP of the sender must provide the identity of the
> > sender.
> 
> On what legal theory is this based on? 

I am not a lawyer, but in my job I had some contacts with OFCOM, SECO,
Lauterkeitskommission etc. about similar issues.

So this is derived from the information I got from them.

> > Art. 8 Right to information
> > https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8
> > 
> 
> The best course of action you may find here is to define the provider
> as the „controller of a data file“, if he will not identify the
> actual controller to you. At most, you will get the information about
> when your email address was added to the providers’ database. 

This article concerns the controller of the data file (the email
addresses database), so the customer of Mailchimp, not Mailchimp
themselves. So there must be a way to contact the customer of Mailchimp.

> > Art. 82 Communication of data to identify nuisance calls and unfair
> > mass advertising
> > https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82
> > 
> 
> This only applies to telecommunications services providers as defined
> in ordinance (and the telecommunications law). OFCOM has a list of all
> registered telecommunications services providers. It does *not* apply
> to anybody else. Yes, this is a gigantic loophole, and I spoke out
> against it during the consultation process.  But you can’t just make
> up stuff.

No, according to information I got from the OFCOM legal department, this
applies to any service provider who sourced the communication in
question.

In case of telephone calls, this applies to the TSP who originated the
call and all others in between, should the originating TSP not be
identifiable because the CallerID has been faked.

In case of IP Communication this applies to the ISP in control of the
source IP of said communication.

Could you please state where you got your information from?

> > Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
> > translated by admin.ch)
> > https://www.admin.ch/opc/de/classified-compilation/19860391/index.html
> > 
> 
> The unfair competition law (Art 3 lit o and s) is nice, but hardly
> relevant. A single spam(mer) will usually not pass the threshold of
> „to threaten the economic well-being“. Yes, another gigantic
> loophole. 

The list under Art 3 is, as I understand, a list of cases where the
circumstance of "unfair competition" is given.

In the case of advertisement emails sent without consent of the recipient
and without proof of a previous business relationship, I think Art 3 lit
o is fulfilled.

> Even leaving jurisdiction issues aside, you will have a hard time to
> legally force a provider to reveal the identity of the spammer. I’m
> sorry that I don’t have better news.

Within Switzerland, I got some success. Sometimes I have to tell the
service providers to consult OFCOM or the 'Lauterkeitskommission' and
then I get the data requested.

With TSPs in Germany and some international telephone carriers I also
have some success tracking abusive calls back to the source.

With ISPs in Germany and France I got some success getting the identity
of repeat spammers. Well, they mostly didn't try to hide too hard and
were just cases of 'I bought your address from eBay and the seller
told me they are guaranteed opt-in'. In some cases this gave the ISP a
reason to disconnect their customer without fearing him taking legal
action against them, because their customer acted against their
anti-spam policy.

But right, eBay also refuses to tell who their customers are.

Still I feel massmailing companies like Mailchimp could do more to
prevent spam. Like just the small alterations to their policy.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 Pratteln    Fax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__



Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Matthias Leisi
Benoit,

> Therefore, the sender must be identifiable. If the sender is not
> identifiable, the ISP of the sender must provide the identity of the
> sender.

On what legal theory is this based on? 

> Art. 8 Right to information
> https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8 
> 

The best course of action you may find here is to define the provider as the 
„controller of a data file“, if he will not identify the actual controller to 
you. At most, you will get the information about when your email address was 
added to the providers’ database. 

> Art. 82 Communication of data to identify nuisance calls and unfair
> mass advertising
> https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82 
> 

This only applies to telecommunications services providers as defined in 
ordinance (and the telecommunications law). OFCOM has a list of all registered 
telecommunications services providers. It does *not* apply to anybody else. Yes, 
this is a gigantic loophole, and I spoke out against it during the consultation 
process.  But you can’t just make up stuff.

> Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
> translated by admin.ch)
> https://www.admin.ch/opc/de/classified-compilation/19860391/index.html 
> 

The unfair competition law (Art 3 lit o and s) is nice, but hardly relevant. A 
single spam(mer) will usually not pass the threshold of „to threaten the 
economic well-being“. Yes, another gigantic loophole. 

Even leaving jurisdiction issues aside, you will have a hard time legally
forcing a provider to reveal the identity of the spammer. I’m sorry that I don’t
have better news.

— Matthias


Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh

> As I doubt that mailchimp operates under Swiss jurisdiction- and they
> probably have a customer contract that stipulates US jurisdiction ..
> you'd have to rely on them suspending the spammer.

I am aware of that. But the way Mailchimp operates now, it is a spammer
heaven.

I don't know the legal situation in the US, but the Swiss (and European)
one makes some sense; the US one, as I understand it at the moment,
does not. I hope you agree.

I know there is a CAN-SPAM Act, but I have no clue how this can be
applied if the sender and recipients are in Switzerland.

I know the users of Mailchimp break Swiss laws and, by not being
identifiable, avoid getting complaints from the recipients and even
legal prosecution. I know that trying to get a legal complaint from
Switzerland to the US is nearly impossible. The police in Switzerland
drop the case with explanations like 'we have been trying in the past
but our colleagues in the US don't even react to our requests, so it's
pointless trying again and would cost us too much effort. Please come
again if you are affected by more serious crimes.'

Therefore the SWINOG Blacklist listed Mailchimp repeatedly to protect
its users from spam sent via Mailchimp.
 
> I can't and won't speak for them but I have known them to actively
> suspend spammers 

Yes, they do. And then the spammers get unblocked and keep going.
A spammer heaven, as said.

OK, I just noticed I've mistaken you for Joey Rothledge from the
MailChimp delivery team.

It would be nice to get a comment from him on that issue.

I just feel that adapting their policy in the way I suggested, which
would not affect legitimate users, would make it very much harder for
spammers to use their services.

All would benefit from this:

* Recipients would get less spam via Mailchimp.
* Legitimate users of Mailchimp would get less trouble with blocked
  emails.
* The Mailchimp Abuse Desk would get less work with blacklisting and abuse
  issues.
* Less success for spammers!

-Benoît Panizzon-

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh

> They aren’t under any obligation to reveal customer identity to you
> and would potentially face legal liability for doing so.

This is exactly the problem.

Privacy laws in Switzerland (and most other countries I know) state
that the sender must provide proof of opt-in.

Therefore, the sender must be identifiable. If the sender is not
identifiable, the ISP of the sender must provide the identity of the
sender.

So an ISP does not face any legal liability in providing the identity
of the sender, as this is a legal requirement and the ISP acts according
to the law.

There are court cases confirming this procedure.

If this procedure and priority of privacy requirements is not observed,
a spammer can never be prosecuted or blocked. The spammer can just
pretend that all his addresses are opt-in and that he acts legally, but
never has to prove it. Therefore Mailchimp cannot block him, or he can
request to be unblocked because he claims towards Mailchimp that the
spam reports are wrong and he has proof of opt-in from the recipients,
which he never has to show anyone.

The spammer could probably even prosecute Mailchimp for blocking him or
cancelling his services.

The users of our Blacklist request that we block Mailchimp for not
respecting privacy laws and not providing the legal identity of the
spammers so they can provide proof of opt-in or be made liable for not
respecting the mass advertising law.

So, do you have any suggestions on how to solve this issue?

Legal References:

Art. 8 Right to information
https://www.admin.ch/opc/en/classified-compilation/19920153/index.html#a8

Art. 82 Communication of data to identify nuisance calls and unfair
mass advertising
https://www.admin.ch/opc/en/classified-compilation/20063267/index.html#a82

Bundesgesetz gegen den unlauteren Wettbewerb (unfortunately not
translated by admin.ch)
https://www.admin.ch/opc/de/classified-compilation/19860391/index.html

-Benoît Panizzon-

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
There seems to be a miscommunication - I personally have seen Mailchimp / 
Mandrill suspend a large number of spamming customers.

However your request - which asks to identify a customer - would probably get 
routed to the legal department rather than a competent abuse team and that 
might explain the mixed messages you are seeing.

regards
suresh

> On 10-Jun-2016, at 12:41 PM, Benoit Panizzon wrote:
> 
> Mailchimp always answers that they are a US company and are only
> obliged to US law, where providing an opt-out link is good enough and
> disclosure of the identity of their customer is not possible under US
> law. Also they cannot block a customer because of spamming if the
> customer provides an opt-out mechanism, which is all that US laws
> require.



[mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi List

I wonder how other Email Ops, especially in Europe, handle Mailchimp and
Mandrill App.

They are a constant issue with the Swinog Blacklists.

The problem boils down to differences in the privacy laws of the US vs the EU.

In Switzerland (and probably most EU countries too), a company who
sends advertising emails must first get the agreement of the recipient
to receive those emails, or must be able to prove that the recipient is
a customer who in the past ordered services from the sender.

Therefore the recipient must be able to identify and contact the sender.

If the sender is hiding behind anonymously registered domains etc., the
ISP must identify his customer upon request. Court cases have confirmed
that the interest of the recipient in getting the identity of the sender
is more important than the interest of the sender in having his identity
protected by his ISP.

I came across several cases of anonymous 'spam' emails sent via
Mailchimp, obviously by Swiss or European spammers targeting Swiss
email addresses they bought or harvested illegally.

Anonymous Spam means:

* Domain registered by anonymous proxy.
* No Imprint on Website.
* No further contact information on the email except the website.
* Order Form on Website, Payment anonymously via Paypal.

So the Mailchimp Abuse Desk was asked, with reference to the corresponding
legal articles and proof that the email was sent by their customer, to
please disclose the identity of the customer sending those emails.

Mailchimp always answers that they are a US company and are only
obliged to US law, where providing an opt-out link is good enough and
disclosure of the identity of their customer is not possible under US
law. Also they cannot block a customer because of spamming if the
customer provides an opt-out mechanism, which is all that US laws
require.

I tried without success to find a solution to this issue with the
Mailchimp Abuse Desk.

Well, this is a big blinking sign telling 'SAFE HARBOUR' to all spammers
out there, as they do not have to fear any legal prosecution, as they
are very hard to identify. This is also why Mailchimp keeps being
abused over and over again by spammers and is often being blacklisted
because their customers send emails to SWINOG Blacklist spamtraps. Of
course their delivery agents then contact us, but usually we don't find
a solution, because they stay with the statement that their customer
did nothing wrong and SWINOG is wrong to block such emails.

What are your observations/experiences with Mailchimp regarding this
kind of legal issue?

Is there any chance that they would accept applying European laws when
their customers are from countries in Europe and targeting European
recipients?
Or any chance they would alter their anti-spam and privacy policy to be
less spammer-friendly?

Kind regards

-Benoît Panizzon-