Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
The additional introductory text sent also makes things fairly clear too ... and it's also on the list pages, and was well covered on the lists long ago.
When a system gets nominated for inclusion on a DNSBL for failing to confirm the user's desire to subscribe, it'll be from someone who simply didn't read those advisories -- or read them but then forgot, or read them but got pissy and didn't care.
Then, the DNSBL will do some verification like what the reporting user suggested. ('I subscribed to balug-talk, and without confirmation ended up on balug-announce.') Et voila, your IP is listed in the DNSBL, and potentially also in trouble with its hosting provider.
https://www.spamhaus.org/faq/section/Marketing%20FAQs#15
Q: What is "confirmed opt-in" (COI)?
A: Confirmed opt-in (COI) is a process by which a mailing list owner verifies that an opt-in request did in fact come from the owner of the email address and was therefore not spoofed, forged, typo'd or otherwise fraudulently subscribed. The essence of COI is that the subscriber MUST respond affirmatively to the initial message sent to their e-mail address or else they are NOT added to the list. COI ensures that all addresses are added to the list legitimately and only with the owner's permission. Note that simply sending a "welcome" message where the e-mail address owner is subscribed unless they take specific action in order to stop the mail is a form of "opt out" and does not fulfill the "opt in" standard required by Spamhaus' users.
For the user subscribing to a mailing list, COI is as simple as replying to an automated confirmation e-mail or clicking a link in an automated confirmation e-mail. In professional list management software, COI utilizes a unique token (sort of like a single-use password) passed from the list software to the would-be subscriber, and the subscriber returns the token to confirm their permission. Such "closed-loop confirmation" has been Best Current Practice in mailing list management software since about 1996. Software handles all the token transactions and maintains logs to document each and every subscription.
https://www.spamhaus.org/whitepapers/mailinglists/
Unconfirmed Opt-In [...] In the event of a "spam" accusation:
The Bulk Email Sender has no verifiable proof that the recipient consented to be placed on the bulk mailing list and is therefore liable for having sent Unsolicited Bulk Email a/k/a Spam. Action can be taken against the Sender. The sending of Unsolicited Bulk Email is against all ISP Terms of Service worldwide, is illegal in many countries, and is against Spamhaus SBL policy.
https://www.scconsult.com/bill/dnsblhelp.html
How to control spam without blacklists getting involved [...]
o Use meticulous list management practices. [...]
o Do not add an address to any list until you have proof that someone who reads the mail sent to that address wants to have the address added to the list. [...]
The core principles behind good mailing list management are:
o Mailings should be fully consensual
o No one should ever have to unsubscribe from mailings to which they did not knowingly subscribe.
o List owners should always know for sure whether an address owner actually wishes to be subscribed or not.
You feel we comply with those three principles through advisories. The problem is that it's very easy for any user to create a case that we don't -- for lack of the confirmation step as to balug-announce. And then your IP is on the list of spam hosts.
_Or_, even without a complaint from a BALUG participant, one such DNSBL happens to test BALUG mailing lists with one of its spam trap email addresses:
https://sendgrid.com/blog/avoiding-email-blacklists/
How Do Email Blacklists Work?
Most blacklists use networks of spam trap email addresses [link] to identify IP addresses and domains that send unwanted commercial email. Spam traps are email addresses that the operator believes should not be receiving email from marketers, or any other source for that matter. [...]
Reducing Your Risk
There are several things that can be done to reduce this exposure:
Confirmed opt-in: Before adding a new recipient address to your active mailing list(s), send a confirmation email.
I suppose the only way one could never get exposed to that text would be if the subscription was done entirely via email - then it may be a fair bit more of a surprise.
That's not the point, Michael. The point is that mailing list hosts that don't confirm opt-in tend to get put on DNSBLs and considered to exhibit spammer behaviour, and in some cases get in trouble with their hosting. No amount of saying 'But our documentation _warns_ we do this' will change that.
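
The closed-loop confirmation described in the Spamhaus FAQ quoted above, as an added Python example; it is not part of the original message and not the code of any real list manager. The class, its method names and the address are hypothetical, and the list names are taken from the thread only to show that a token confirms one list and no other.

```python
import hashlib, secrets, time

class ConfirmedOptIn:
    """Closed-loop confirmation: an address joins a list only after its
    owner returns the single-use token that was mailed to that address."""

    def __init__(self, ttl_seconds=3 * 24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}      # sha256(token) -> (address, list_name, expiry)
        self.subscribers = {}  # list_name -> set of confirmed addresses
        self.log = []          # (timestamp, event, address, list_name)

    def _record(self, event, address, list_name):
        self.log.append((self.clock(), event, address, list_name))

    def request(self, address, list_name):
        """Record a pending request; return the token to mail to `address`."""
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so the pending table cannot confirm anyone.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (address.lower(), list_name, self.clock() + self.ttl)
        self._record("requested", address.lower(), list_name)
        return token

    def confirm(self, token):
        """Subscribe only if the token is known, unexpired and unused."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        address, list_name, expiry = entry
        if self.clock() > expiry:
            self._record("expired", address, list_name)
            return None
        self.subscribers.setdefault(list_name, set()).add(address)
        self._record("confirmed", address, list_name)
        return address, list_name

def demo():
    """Constructed scenario: two requests, only one of them confirmed."""
    now = [1000.0]
    coi = ConfirmedOptIn(ttl_seconds=60, clock=lambda: now[0])
    t_talk = coi.request("user@example.org", "balug-talk")
    t_ann = coi.request("user@example.org", "balug-announce")
    first = coi.confirm(t_talk)   # owner answers for balug-talk only
    replay = coi.confirm(t_talk)  # same token again: rejected
    now[0] += 61
    late = coi.confirm(t_ann)     # never answered in time: rejected
    return coi, first, replay, late
```

The `log` list is the per-subscription record the FAQ refers to: each confirmed address has a matching "requested" and "confirmed" entry that can be produced if a listing is disputed.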