On Wed 18/May/2022 03:01:49 +0200 Dave Crocker via mailop wrote:
On 5/17/2022 4:40 PM, Anne Mitchell via mailop wrote:
"why we can't do that", culminating in "the Commission concludes that, under
present conditions, a National Do Not Email Registry in any form would not
have any beneficial impact on the spam problem. It is clear, based on
spammers’ abilities to exploit the structure of the email system, that the
development of a practical and effective means of authentication is a
necessary tool to fight spam.
Note that, in spite of DMARC, we still do not have per-user authentication.
The FTC report required *domain-level* authentication. They wrote:
Even though domain-level authentication cannot necessarily
authenticate the particular person who sent an email, it
does authenticate the domain from which the email originated.
Law enforcement can then contact the domain to obtain
information that could identify the individual sender of the
email.
They were assuming that the ISP would at least have true payment records, that
would provide useful investigative leads, in case name and address were false.
More importantly, IMO, mechanisms like this really only apply to legitimate
businesses that might be a bit too aggressive.
Their proposed solution was an email address registry used for scrubbing lists
that legitimate business supplied in hashed form. That technique requires
users to register all the possibly deliverable address+extension forms.
Couldn't the Do Not Email Registry also be domain-based?...
While it is possible it would mitigate some of their aggression, the bigger
problem, IMO, are the folk who operate in a criminal style, ignoring rules.
Or, conversely, the domains that still don't sign their email traffic.
Best
Ale
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
