[BALUG-Admin] "automatically" subscribe to BALUG-Announce if ... - various descriptive updates, etc.

Rick Moen rick@linuxmafia.com
Thu Aug 17 03:19:06 PDT 2017


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> The additional introductory text sent also makes things fairly clear
> too ... and it's also on the list pages, and was well covered on the
> lists long ago.

When a system gets nominated for inclusion on a DNSBL for failing to
confirm the user's desire to subscribe, it'll be from someone who simply
didn't read those advisories -- or read them but then forgot, or read
them but got pissy and didn't care.

Then, the DNSBL will do some verification like what the reporting user
suggested.  ('I subscribed to balug-talk, and without confirmation ended
up on balug-announce.')  Et voila, your IP is listed in the DNSBL, and
potentially also in trouble with its hosting provider.

https://www.spamhaus.org/faq/section/Marketing%20FAQs#15

   Q: What is "confirmed opt-in" (COI)?

   A: Confirmed opt-in (COI) is a process by which a mailing list owner
   verifies that an opt-in request did in fact come from the owner of the
   email address and was therefore not spoofed, forged, typo'd or otherwise
   fraudulently subscribed. The essence of COI is that the subscriber MUST
   respond affirmatively to the initial message sent to their e-mail
   address or else they are NOT added to the list. COI ensures that all
   addresses are added to the list legitimately and only with the owner's
   permission. Note that simply sending a "welcome" message where the
   e-mail address owner is subscribed unless they take specific action in
   order to stop the mail is a form of "opt out" and does not fulfill the
   "opt in" standard required by Spamhaus' users.

   For the user subscribing to a mailing list, COI is as simple as replying
   to an automated confirmation e-mail or clicking a link in an automated
   confirmation e-mail. In professional list management software, COI
   utilizes a unique token (sort of like a single-use password) passed from
   the list software to the would-be subscriber, and the subscriber returns
   the token to confirm their permission. Such "closed-loop confirmation"
   has been Best Current Practice in mailing list management software since
   about 1996. Software handles all the token transactions and maintains
   logs to document each and every subscription.

https://www.spamhaus.org/whitepapers/mailinglists/

   Unconfirmed Opt-In
   [...]
   In the event of a "spam" accusation:

   The Bulk Email Sender has no verifiable proof that the recipient
   consented to be placed on the bulk mailing list and is therefore liable
   for having sent Unsolicited Bulk Email a/k/a Spam. Action can be taken
   against the Sender. The sending of Unsolicited Bulk Email is against all
   ISP Terms of Service worldwide, is illegal in many countries, and is
   against Spamhaus SBL policy.



https://www.scconsult.com/bill/dnsblhelp.html

   How to control spam without blacklists getting involved
   [...]

   o Use meticulous list management practices.
   [...]
     o  Do not add an address to any list until you have proof that
        someone who reads the mail sent to that address wants to 
        have the address added to the list.
        [...]

   The core principles behind good mailing list management are:

   o Mailings should be fully consensual
   o No one should ever have to unsubscribe from mailings to which they did
     not knowingly subscribe.
   o List owners should always know for sure whether an address owner
     actually wishes to be subscribed or not.

You feel we comply with those three principles through advisories.  The
problem is that it's very easy for any user to create a case that we
don't -- for lack of the confirmation step as to balug-announce.  And
then your IP is on the list of spam hosts.

_Or_, even without a complaint from a BALUG participant, one such DNSBL 
happens to test BALUG mailing lists with one of its spam trap email
addresses:

https://sendgrid.com/blog/avoiding-email-blacklists/

   How Do Email Blacklists Work?

   Most blacklists use networks of spam trap email addresses [link] to 
   identify IP addresses and domains that send unwanted commercial email. 
   Spam traps are email addresses that the operator believes should not 
   be receiving email from marketers, or any other source for that matter.
   [...]

   Reducing Your Risk

   There are several things that can be done to reduce this exposure:

   Confirmed opt-in: Before adding a new recipient address to your active
   mailing list(s), send a confirmation email.



> I suppose the only way one could never get exposed
> to that text would be if the subscription was done entirely via
> email - then it may be a fair bit more of a surprise.

That's not the point, Michael.  The point is that mailing list hosts
that don't confirm opt-in tend to get put on DNSBLs and considered to 
exhibit spammer behaviour, and in some cases get in trouble with their
hosting.   No amount of saying 'But our documentation _warns_ we do
this' will change that.





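The closed-loop token mechanism the Spamhaus FAQ quoted above describes, shown as an added worked example. This is not code from this post, from BALUG, or from Mailman; the class and method names (SubscriptionManager, request_subscription, confirm, proof_of_consent), the list names used in the demo and the subscriber address are assumptions made here for illustration. Subscribing to one list never touches another, the token is single-use and expires, and every event is logged so the list owner can later show that a given address consented.

```python
"""Confirmed opt-in (closed-loop) subscription handling.

Added example, not BALUG's or Mailman's code.  Class/method names are
assumptions made for illustration; addresses and list names are constructed.
"""
import secrets
import time


class SubscriptionManager:
    """Holds pending opt-in requests and adds an address to a list only when
    the single-use token mailed to that address comes back in time."""

    def __init__(self, ttl_seconds: int = 3 * 86400, clock=time.time):
        self.ttl = ttl_seconds     # how long a confirmation token stays valid
        self.clock = clock         # injectable so tests can move time forward
        self.pending = {}          # token -> (address, listname, issued_at)
        self.subscribers = {}      # listname -> set of confirmed addresses
        self.audit_log = []        # one record per event: the proof of consent

    def _record(self, event, address, listname, **extra):
        entry = {"time": self.clock(), "event": event,
                 "address": address, "list": listname}
        entry.update(extra)
        self.audit_log.append(entry)

    def request_subscription(self, address: str, listname: str) -> str:
        """Step 1: a subscribe request arrives.  Nothing is subscribed yet.
        An unguessable token is issued, bound to exactly this address+list."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = (address, listname, self.clock())
        self._record("request", address, listname)
        # In a real system the token is sent only in the mail to `address`.
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the token comes back (reply or link click).  pop() makes it
        single-use; an unknown, replayed or expired token subscribes nobody."""
        entry = self.pending.pop(token, None)
        if entry is None:
            self._record("confirm-rejected", None, None,
                         reason="unknown-or-already-used-token")
            return False
        address, listname, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            self._record("confirm-rejected", address, listname, reason="expired")
            return False
        self.subscribers.setdefault(listname, set()).add(address)
        self._record("confirmed", address, listname)
        return True

    def is_subscribed(self, address: str, listname: str) -> bool:
        return address in self.subscribers.get(listname, set())

    def proof_of_consent(self, address: str, listname: str) -> list:
        """The log records a DNSBL or hosting provider would ask to see."""
        return [e for e in self.audit_log
                if e["event"] == "confirmed"
                and e["address"] == address and e["list"] == listname]


if __name__ == "__main__":
    mgr = SubscriptionManager()
    addr = "alice@example.com"  # constructed address
    tok = mgr.request_subscription(addr, "balug-talk")
    print("pending, subscribed yet?", mgr.is_subscribed(addr, "balug-talk"))
    print("confirm:", mgr.confirm(tok))
    print("balug-talk:", mgr.is_subscribed(addr, "balug-talk"))
    # The token bought consent for balug-talk only; another list needs its own loop.
    print("balug-announce:", mgr.is_subscribed(addr, "balug-announce"))
    print("replayed token accepted?", mgr.confirm(tok))
```

The "welcome message, unsubscribe if you object" pattern the FAQ calls opt-out would be the same code with the `add()` moved into `request_subscription`; the whole point of the loop is that the add happens only in `confirm`, and only for the list the token was issued for.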