[BALUG-Admin] "automatically" subscribe to BALUG-Announce if ... - various descriptive updates, etc.

Michael Paoli Michael.Paoli@cal.berkeley.edu
Thu Aug 17 04:08:16 PDT 2017


Good points as always.

Despite opting in and/or double/confirmed opting in, etc., some folks will
sometimes be idiots or forget or whatever and claim something is spam,
when it's not.  I've certainly seen that on much larger mailing lists,
e.g. >>1,000,000 subscribers.  And yes, such does happen, and then
have to deal with some blacklist or ISP or the like - but generally
fairly easy and relatively quick to get squared away - though it's
still a bit of a nuisance.  But even umbrella list configurations
have some of those same hazards.

To cover it yet a bit more fully :-) ... could also tweak the text
in the confirmation email, and on the confirmation web page.  That'd
cover it yet more fully.  And yes, some folks will still be idiots,
and not read what they're doing or agreeing to.

Likewise could also add the information to the BALUG-Announce
unsubscribe information.

Nearly 10 years the policy has been in place, over 800 subscribers,
and thus far hasn't been an issue.  >>1,000,000 subscribers, and
even perfectly run, there will be some problematic subscribers.

> From: "Rick Moen" <rick@linuxmafia.com>
> Subject: Re: [BALUG-Admin] "automatically" subscribe to  
> BALUG-Announce if ... - various	descriptive updates, etc.
> Date: Thu, 17 Aug 2017 03:19:06 -0700

> Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
>
>> The additional introductory text sent also makes things fairly clear
>> too ... and it's also on the list pages, and was well covered on the
>> lists long ago.
>
> When a system gets nominated for inclusion on a DNSBL for failing to
> confirm the user's desire to subscribe, it'll be from someone who simply
> didn't read those advisories -- or read them but then forgot, or read
> them but got pissy and didn't care.
>
> Then, the DNSBL will do some verification like what the reporting user
> suggested.  ('I subscribed to balug-talk, and without confirmation ended
> up on balug-announce.')  Et voila, your IP is listed in the DNSBL, and
> potentially also in trouble with its hosting provider.
>
> https://www.spamhaus.org/faq/section/Marketing%20FAQs#15
>
>    Q: What is "confirmed opt-in" (COI)?
>
>    A: Confirmed opt-in (COI) is a process by which a mailing list owner
>    verifies that an opt-in request did in fact come from the owner of the
>    email address and was therefore not spoofed, forged, typo'd or otherwise
>    fraudulently subscribed. The essence of COI is that the subscriber MUST
>    respond affirmatively to the initial message sent to their e-mail
>    address or else they are NOT added to the list. COI ensures that all
>    addresses are added to the list legitimately and only with the owner's
>    permission. Note that simply sending a "welcome" message where the
>    e-mail address owner is subscribed unless they take specific action in
>    order to stop the mail is a form of "opt out" and does not fulfill the
>    "opt in" standard required by Spamhaus' users.
>
>    For the user subscribing to a mailing list, COI is as simple as replying
>    to an automated confirmation e-mail or clicking a link in an automated
>    confirmation e-mail. In professional list management software, COI
>    utilizes a unique token (sort of like a single-use password) passed from
>    the list software to the would-be subscriber, and the subscriber returns
>    the token to confirm their permission. Such "closed-loop confirmation"
>    has been Best Current Practice in mailing list management software since
>    about 1996. Software handles all the token transactions and maintains
>    logs to document each and every subscription.
>
> https://www.spamhaus.org/whitepapers/mailinglists/
>
>    Unconfirmed Opt-In
>    [...]
>    In the event of a "spam" accusation:
>
>    The Bulk Email Sender has no verifiable proof that the recipient
>    consented to be placed on the bulk mailing list and is therefore liable
>    for having sent Unsolicited Bulk Email a/k/a Spam. Action can be taken
>    against the Sender. The sending of Unsolicited Bulk Email is against all
>    ISP Terms of Service worldwide, is illegal in many countries, and is
>    against Spamhaus SBL policy.
>
>
>
> https://www.scconsult.com/bill/dnsblhelp.html
>
>    How to control spam without blacklists getting involved
>    [...]
>
>    o Use meticulous list management practices.
>    [...]
>      o  Do not add an address to any list until you have proof that
>         someone who reads the mail sent to that address wants to
>         have the address added to the list.
>         [...]
>
>    The core principles behind good mailing list management are:
>
>    o Mailings should be fully consensual
>    o No one should ever have to unsubscribe from mailings to which they did
>      not knowingly subscribe.
>    o List owners should always know for sure whether an address owner
>      actually wishes to be subscribed or not.
>
> You feel we comply with those three principles through advisories.  The
> problem is that it's very easy for any user to create a case that we
> don't -- for lack of the confirmation step as to balug-announce.  And
> then your IP is on the list of spam hosts.
>
> _Or_, even without a complaint from a BALUG participant, one such DNSBL
> happens to test BALUG mailing lists with one of its spam trap email
> addresses:
>
> https://sendgrid.com/blog/avoiding-email-blacklists/
>
>    How Do Email Blacklists Work?
>
>    Most blacklists use networks of spam trap email addresses [link] to
>    identify IP addresses and domains that send unwanted commercial email.
>    Spam traps are email addresses that the operator believes should not
>    be receiving email from marketers, or any other source for that matter.
>    [...]
>
>    Reducing Your Risk
>
>    There are several things that can be done to reduce this exposure:
>
>    Confirmed opt-in: Before adding a new recipient address to your active
>    mailing list(s),send a confirmation email.
>
>
>
>> I suppose the only way one could never get exposed
>> to that text would be if the subscription was done entirely via
>> email - they it may be fair bit more of a surprise.
>
> That's not the point, Michael.  The point is that mailing list hosts
> that don't confirm opt-in tend to get put on DNSBLs and considered to
> exhibit spammer behaviour, and in some cases get in trouble with their
> hosting.   No amount of saying 'But our documentation _warns_ we do
> this' will change that.





More information about the BALUG-Admin mailing list