Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Dave Warren

On 2015-02-12 23:33, Michael Wise wrote:

> Or better yet, strip the DKIM record and resign it with your own key.
>
> Bottom line, end of the matter is, your list, your responsibility. The
> traffic needs to be seen as coming from you, but with enough details
> to identify the original author for auditing and forensics.


That will cause DMARC to throw an alignment failure, which won't 
alleviate the problem. However, you could add a key, multiple DKIM keys 
are permissible, and it would show that the message was signed by the 
original sender, as well as signed by the list too.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



___
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop


Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread ben
That is what the RFC822 Sender header is for. The fact that DMARC bases its 
“validation” on the From header instead of the Sender header is a flaw in DMARC 
and why DMARC shouldn’t be used until this is fixed. 


The RFC4407 Purported Responsible Address rules are correct and should be used, 
and displayed to the user if they differ from the “From” address.




The distinction between the author of the message and the sender has existed 
since letters were written and was embedded in email from the very beginning. 
The fact that DMARC cannot cope with this is insane.



(DMARC is an attempt to fix broken MUAs which don’t display the Sender header. 
But the proper fix is in the MUAs. What’s more insane is the big promoters and 
users of DMARC control the MUA as well in many cases - yahoo webmail, gmail 
app. The most popular business MUA, Outlook, handles this correctly and always 
has done.)





Cheers,
Ben Liddicott





From: Dave Warren
Sent: Friday, 13 February 2015 08:12
To: Mailop





On 2015-02-12 23:33, Michael Wise wrote:
> Or better yet, strip the DKIM record and resign it with your own key.
>
> Bottom line, end of the matter is, your list, your responsibility. The 
> traffic needs to be seen as coming from you, but with enough details 
> to identify the original author for auditing and forensics.

That will cause DMARC to throw an alignment failure, which won't 
alleviate the problem. However, you could add a key, multiple DKIM keys 
are permissible, and it would show that the message was signed by the 
original sender, as well as signed by the list too.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren





Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Steve Atkins

On Feb 12, 2015, at 9:31 PM, Dave Warren  wrote:

> On 2015-02-12 16:35, Michael Orlitzky wrote:
>> On 02/12/2015 01:26 PM, Michael Wise wrote:
>>> You need to rewrite the From: Header.
>>> 
>> To elaborate: if you send a message claiming to be From: u...@aol.com,
>> it's going to be rejected by anyone who checks their DMARC policy.
>> Because you aren't AOL. Rewrite the header so it says "From:
>> your-listserv on behalf of u...@aol.com ". Then the
>> recipient won't care about AOL's DMARC policy.
> 
> Or if the message is DKIM signed with a restrictive DMARC policy, just don't 
> modify the message. If you're not modifying the subject or adding a footer or 
> whatever, a message can successfully pass through a mailing list with DKIM 
> signature intact.
> 
> This isn't necessarily compatible with all mailing lists though, for obvious 
> reasons.
> 
> Such is life. Personally, I have no problem mangling or blocking messages 
> from users using a domain with a restrictive DMARC policy as needed.

Mangling encourages bad behaviour. Blocking discourages it.

Cheers,
  Steve
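
The DMARC outcomes argued over in this message and in Dave Warren's earlier reply about re-signing, worked through as an added example that is not part of any post in the thread. The domains, the `POLICIES` table and the `list_relay` helper are constructed assumptions; DKIM and SPF results are modelled rather than verified.

```python
"""DMARC identifier alignment as a receiver sees it after a list relays a message.

Added example with constructed domains. DKIM/SPF verification results are
modelled, not computed, and POLICIES stands in for _dmarc DNS lookups.
"""
from email.utils import formataddr, parseaddr
from typing import Dict, List, Optional, Tuple

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "example"}
# Constructed published policies, keyed by organizational domain.
POLICIES = {"author.example": "reject", "example.org": "none"}

LIST_ADDR = "discuss@lists.example.org"   # hypothetical list posting address
LIST_DOMAIN = "lists.example.org"         # list's DKIM d= and bounce domain


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def header_domain(from_header: str) -> str:
    """Domain of the address in an RFC 5322 From header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def dmarc_check(from_header: str, spf_domain: Optional[str],
                dkim_domains: List[str]) -> Tuple[str, str, List[str]]:
    """Relaxed alignment: pass if any verified identifier shares the From org domain.

    Returns (result, policy published for the From domain, aligned identifiers).
    """
    from_org = org_domain(header_domain(from_header))
    via = [f"dkim:{d}" for d in dkim_domains if org_domain(d) == from_org]
    if spf_domain and org_domain(spf_domain) == from_org:
        via.append(f"spf:{spf_domain}")
    return ("pass" if via else "fail", POLICIES.get(from_org, "none"), via)


def list_relay(author_from: str, modified: bool, rewrite_from: bool,
               keep_author_sig: bool = True) -> Tuple[str, str, List[str]]:
    """Model what arrives at the subscriber's receiver.

    Assumptions: the author's signature still verifies only if the list kept it
    and changed nothing it covers (From is always covered); the list always adds
    its own signature and uses its own bounce address, so SPF passes for the list.
    """
    dkim_pass = []
    if keep_author_sig and not modified and not rewrite_from:
        dkim_pass.append(header_domain(author_from))
    dkim_pass.append(LIST_DOMAIN)
    from_header = author_from
    if rewrite_from:
        name, _addr = parseaddr(author_from)
        from_header = formataddr((f"{name} via discuss", LIST_ADDR))
    return from_header, LIST_DOMAIN, dkim_pass


def run_scenarios() -> Dict[str, Tuple[str, str, List[str]]]:
    author = "Alice <alice@author.example>"   # constructed author under p=reject
    cases = {
        "unmodified, author + list signatures":
            dict(modified=False, rewrite_from=False),
        "author signature stripped, list re-signs":
            dict(modified=False, rewrite_from=False, keep_author_sig=False),
        "subject tag/footer added, list signs":
            dict(modified=True, rewrite_from=False),
        "From rewritten to list, list signs":
            dict(modified=True, rewrite_from=True),
    }
    return {name: dmarc_check(*list_relay(author, **kw))
            for name, kw in cases.items()}


if __name__ == "__main__":
    for name, (result, policy, via) in run_scenarios().items():
        print(f"{name:45} dmarc={result:4} p={policy:6} aligned={via}")
```

Only the first and last cases pass: the list's own signature never aligns with the author's From domain, so it helps only once the From header carries the list's domain.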




Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Al Iverson
On Fri, Feb 13, 2015 at 7:46 AM, Steve Atkins  wrote:

>> Such is life. Personally, I have no problem mangling or blocking messages 
>> from users using a domain with a restrictive DMARC policy as needed.
>
> Mangling encourages bad behaviour. Blocking discourages it.

Blocking, aka rejecting participation from legitimate users because of
their domain, might be easy for hobbyists to stomach, but is not
always the best path for an existing group or enterprise. It leaves
the affected end users feeling hurt and caught in the middle in a
scenario they can't easily change. (They certainly can't force AOL to
change DMARC policy and they may have legitimate reasons as to why
they don't wish to change mail providers.)

It doesn't seem to me to be a reasonable solution for everyone. That
may be why Yahoo Groups and Google Groups both chose to implement
header changes -- instead of telling subscribers to go away.

For folks looking for a point of view other than "just lock those
users out," I'd suggest checking out some of my suggestions. Looks to
me that these align with the paths taken by Yahoo and Google (and
maybe Mailman, too).

http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html

And if you're looking for more in depth on DMARC policy issues like
this overall, I'd suggest looking here:

http://www.spamresource.com/search/label/dmarc

Cheers,
Al


-- 
Al Iverson | Minneapolis, MN | (312) 725-0130
aliverson.com | spamresource.com | @aliverson



Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Xavier Beaudouin
Hi,

> Blocking, aka rejecting participation from legitimate users because of
> their domain, might be easy for hobbyists to stomach, but is not
> always the best path for an existing group or enterprise. It leaves
> the affected end users feeling hurt and caught in the middle in a
> scenario they can't easily change. (They certainly can't force AOL to
> change DMARC policy and they may have legitimate reasons as to why
> they don't wish to change mail providers.)

I totally agree even if some "corporate" mail servers are badly configured 
and maybe that mail operator work is really not a good understand work
for most companies.

Anyway, as usual, big mail companies make the "law" on this place, and
maybe this will allow work for real postmasters... :(

Xavier



Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Steve Atkins

On Feb 13, 2015, at 8:13 AM, Al Iverson  wrote:

> On Fri, Feb 13, 2015 at 7:46 AM, Steve Atkins  wrote:
> 
>>> Such is life. Personally, I have no problem mangling or blocking messages 
>>> from users using a domain with a restrictive DMARC policy as needed.
>> 
>> Mangling encourages bad behaviour. Blocking discourages it.
> 
> Blocking, aka rejecting participation from legitimate users because of
> their domain, might be easy for hobbyists to stomach, but is not
> always the best path for an existing group or enterprise. It leaves
> the affected end users feeling hurt and caught in the middle in a
> scenario they can't easily change. (They certainly can't force AOL to
> change DMARC policy and they may have legitimate reasons as to why
> they don't wish to change mail providers.)

I agree completely.

Sometimes your requirements mean that you have to encourage
bad behaviour. But it's good to be clear that that's what you're doing,
and that you're making discussion lists less usable (forever) for
everyone other than AOL and Yahoo users in the process.

Cheers,
  Steve




Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Michael Wise
/golf_clap ☺

Especially the bit about, “nearly useless”.
It is distressing that almost everyone pays more attention to how the sender 
describes themselves in a comment than the easily forge-able 822 From: address, 
and the trivially spoofable 821 MAIL FROM address, and that all of this traffic 
so easily side-steps SPF, DKIM and DMARC authentication by means of a 
throw-away domain with all the trimmings that doesn’t even need to bear any 
resemblance to the target domain being froggered.

We really need a solution for mail validation that goes all the way from ISO 1 
thru 7.

So many people figure it can just be addressed at one layer, but you need to 
build a case at each step, and finally present the user with a thumbs-up or 
down at the presentation layer, but … surprisingly, stunningly little done to 
address the WHOLE problem.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Brandon Long
Sent: Friday, February 13, 2015 11:53 AM
To: Steve Atkins
Cc: mailop
Subject: Re: [mailop] help with running a listserv and DMARC



On Fri, Feb 13, 2015 at 10:51 AM, Steve Atkins <st...@blighty.com> wrote:

On Feb 13, 2015, at 8:13 AM, Al Iverson <aiver...@spamresource.com> wrote:

> On Fri, Feb 13, 2015 at 7:46 AM, Steve Atkins <st...@blighty.com> wrote:
>
>>> Such is life. Personally, I have no problem mangling or blocking messages 
>>> from users using a domain with a restrictive DMARC policy as needed.
>>
>> Mangling encourages bad behaviour. Blocking discourages it.
>
> Blocking, aka rejecting participation from legitimate users because of
> their domain, might be easy for hobbyists to stomach, but is not
> always the best path for an existing group or enterprise. It leaves
> the affected end users feeling hurt and caught in the middle in a
> scenario they can't easily change. (They certainly can't force AOL to
> change DMARC policy and they may have legitimate reasons as to why
> they don't wish to change mail providers.)

I agree completely.

Sometimes your requirements mean that you have to encourage
bad behaviour. But it's good to be clear that that's what you're doing,
and that you're making discussion lists less usable (forever) for
everyone other than AOL and Yahoo users in the process.

Probably because fewer people by several orders of magnitude use discussion 
lists than are affected by the phishing problems that DMARC and the AOL/Yahoo 
MSPs are trying to solve.

And probably another couple orders of magnitude care about the fact that the 
From header is now munged or what the PRA is.

And phishing has real world financial consequences far in excess of whatever 
the cost of munging the from header might be.  Not to mention real world 
spamming consequences probably far exceeding mailing list traffic as well.

And Gmail does show the Sender information, though only when we think it's 
necessary.  And user studies have shown it's nearly useless to the majority of 
users when it comes to preventing phishing.

That said, of course any postmaster/listmaster is allowed to run their systems 
however they wish.

Brandon


Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Steve Atkins

On Feb 13, 2015, at 11:53 AM, Brandon Long  wrote:

> 
> 
> On Fri, Feb 13, 2015 at 10:51 AM, Steve Atkins  wrote:
> 
>> 
>> Sometimes your requirements mean that you have to encourage
>> bad behaviour. But it's good to be clear that that's what you're doing,
>> and that you're making discussion lists less usable (forever) for
>> everyone other than AOL and Yahoo users in the process.
>> 
> Probably because fewer people by several orders of magnitude use discussion 
> lists than are affected by the phishing problems that DMARC and the AOL/Yahoo 
> MSPs are trying to solve.
> 
> And probably another couple orders of magnitude care about the fact that the 
> From header is now munged or what the PRA is.
> 
> And phishing has real world financial consequences far in excess of whatever 
> the cost of munging the from header might be.  Not to mention real world 
> spamming consequences probably far exceeding mailing list traffic as well.
> 
> And Gmail does show the Sender information, though only when we think it's 
> necessary.  And user studies have shown it's nearly useless to the majority of 
> users when it comes to preventing phishing.
> 

Sure. DMARC protects a field that most people don't care about or, in some 
cases even see. I'm not surprised that it's nearly useless to the majority of 
users in preventing phishing. While the number of people who participate in 
mailing lists and care about who the other recipients are may be fairly small, 
the benefits of DMARC deployment to end users seem to be - for many use cases - 
pretty small too (unless you consider the abstract "brand protection" where you 
don't let others play with your toys, at least not in the 822.From a benefit).

(Those small number who do participate in mailing lists are being trained to 
ignore the 822.From when working out who a piece of email is from, of course.)

Any reduction in volume of phishing mail seems to have been extremely 
temporary, and I doubt it's made any impact on how effective phishing mail is 
either. I've not seen any compelling research that argues either way on that, 
though, so ICBW.

> That said, of course any postmaster/listmaster is allowed to run their 
> systems however they wish.

Of course. Their decisions do affect everyone else, though.

Cheers,
  Steve


Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Steve Atkins

On Feb 13, 2015, at 12:48 PM, Brandon Long  wrote:

> On Fri, Feb 13, 2015 at 12:33 PM, Steve Atkins  wrote:
> 
>> 
>> Sure. DMARC protects a field that most people don't care about or, in some 
>> cases even see. I'm not surprised that it's nearly useless to the majority 
>> of users in preventing phishing. While the number of people who participate 
>> in mailing lists and care about who the other recipients are may be fairly 
>> small, the benefits of DMARC deployment to end users seem to be - for many 
>> use cases - pretty small too (unless you consider the abstract "brand 
>> protection" where you don't let others play with your toys, at least not in 
>> the 822.From a benefit).
> 
> Supposedly, it helps you be harsher on the contents of the message and what 
> not as you know what "good" looks like with strong conviction... at least, 
> that's what our spam/abuse folks tell me.  Like everything else, it's only one 
> piece of the puzzle.

I'm sure that's so. But you need quite a lot of additional data to be able to 
say not only "this email came from the domain in the 822.From" but also "this 
email is likely to be wanted / legitimate". It's a big step from one to the 
other.

How different would that conclusion be if it were based on DKIM+SPF+that data 
instead of DKIM+SPF+DMARC+that data?

(I mean use of DMARC p=reject here. Using DMARC just for reporting in order to 
clean up and understand your use of email is a completely different thing that 
seems like a good idea, and I'm sure it makes legitimate senders' mail streams 
easier to understand correctly by the sort of approaches Gmail and friends use 
to observe them).

> Also, there is a definite benefit in terms of actually letting through good 
> mail, though that largely applies more to the transactional mail that DMARC 
> started with.

That too. It's not really DMARC so much as DKIM / SPF, though.
 
>> (Those small number who do participate in mailing lists are being trained to 
>> ignore the 822.From when working out who a piece of email is from, of 
>> course.)
>> 
>> Any reduction in volume of phishing mail seems to have been extremely 
>> temporary, and I doubt it's made any impact on how effective phishing mail 
>> is either. I've not seen any compelling research that argues either way on 
>> that, though, so ICBW.
> 
> Obviously this doesn't speak to how temporary it was, but to hear the 
> Yahoo/AOL folks tell it, there was an immediate drop-off in very visible 
> effects (ie, they were having a large support volume issue due to people 
> actually calling them about this) and it hasn't come back. 

Oh, sure. But that was their customers panicking about mail "from" them being 
sent to their friends and mail "from" their friends being sent to them, after 
they had those big address book compromises, AIUI.

Definitely a customer support cost - one they mitigated by pushing the cost on 
to others - but not really anything to do with how effective it was against 
actual phishing.

Cheers,
  Steve




Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Michael Wise

Being able to render a judgment on the validity of the 822 From is too far away 
from the real question, and gets back to my point about a whole stack approach. 
The issue isn't the 822 From, or even the 821 MAIL FROM, but ... did this email 
come from whom the classical "Elderly Parents Reading Email" (let alone the 
"Reasonable Man") would *presume* that it came from?

At this point, there is no current technology that can connect all the dots 
necessary.
People give classes on reading headers and WHOIS lookups ... it's all pointless 
and falls on deaf ears even if they do have hearing aids ...

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Steve Atkins
Sent: Friday, February 13, 2015 1:02 PM
To: mailop
Subject: Re: [mailop] help with running a listserv and DMARC


On Feb 13, 2015, at 12:48 PM, Brandon Long  wrote:

> On Fri, Feb 13, 2015 at 12:33 PM, Steve Atkins  wrote:
> 
>> 
>> Sure. DMARC protects a field that most people don't care about or, in some 
>> cases even see. I'm not surprised that it's nearly useless to the majority 
>> of users in preventing phishing. While the number of people who participate 
>> in mailing lists and care about who the other recipients are may be fairly 
>> small, the benefits of DMARC deployment to end users seem to be - for many 
>> use cases - pretty small too (unless you consider the abstract "brand 
>> protection" where you don't let others play with your toys, at least not in 
>> the 822.From a benefit).
> 
> Supposedly, it helps you be harsher on the contents of the message and what 
> not as you know what "good" looks like with strong conviction... at least, 
> that's what our spam/abuse folks tell me.  Like everything else, it's only one 
> piece of the puzzle.

I'm sure that's so. But you need quite a lot of additional data to be able to 
say not only "this email came from the domain in the 822.From" but also "this 
email is likely to be wanted / legitimate". It's a big step from one to the 
other.

How different would that conclusion be if it were based on DKIM+SPF+that data 
instead of DKIM+SPF+DMARC+that data?

(I mean use of DMARC p=reject here. Using DMARC just for reporting in order to 
clean up and understand your use of email is a completely different thing that 
seems like a good idea, and I'm sure it makes legitimate senders' mail streams 
easier to understand correctly by the sort of approaches Gmail and friends use 
to observe them).

> Also, there is a definite benefit in terms of actually letting through good 
> mail, though that largely applies more to the transactional mail that DMARC 
> started with.

That too. It's not really DMARC so much as DKIM / SPF, though.
 
>> (Those small number who do participate in mailing lists are being trained to 
>> ignore the 822.From when working out who a piece of email is from, of 
>> course.)
>> 
>> Any reduction in volume of phishing mail seems to have been extremely 
>> temporary, and I doubt it's made any impact on how effective phishing mail 
>> is either. I've not seen any compelling research that argues either way on 
>> that, though, so ICBW.
> 
> Obviously this doesn't speak to how temporary it was, but to hear the 
> Yahoo/AOL folks tell it, there was an immediate drop-off in very visible 
> effects (ie, they were having a large support volume issue due to people 
> actually calling them about this) and it hasn't come back. 

Oh, sure. But that was their customers panicking about mail "from" them being 
sent to their friends and mail "from" their friends being sent to them, after 
they had those big address book compromises, AIUI.

Definitely a customer support cost - one they mitigated by pushing the cost on 
to others - but not really anything to do with how effective it was against 
actual phishing.

Cheers,
  Steve




Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Franck Martin
DMARC is just the shiny top of the iceberg, that gets people motivated to do 
something.

then you learn more, and then it is just a ploy to add more domain 
authentication to emails (SPF/DKIM/TLS), because there is a benefit to do so 
(get the DMARC reports) and it helps find infrastructure that could behave 
better with DKIM with people motivated to make a change.

then, with this momentum, you shift from IP reputation to domain reputation, 
and check that the domains in envelope from, from header, reply-to, sender,… 
are legit, exist, accept emails and are not on some form of blocklists…

and then also you start to accept less and less malformed emails, because 
Postel did not say to accept anything, but to be lenient when it is not clear 
what you should accept.

Will it make rainbows? no. Will it help? I hope so, even if it is not that 
much… it is still something.




[mailop] AOL SCOMP messages

2015-02-13 Thread Geoff Mulligan
Thank you to everyone that provided ideas on how I should deal with aol, 
yahoo and such with my listserv.


I've modified my software to do some header munging and I'll see how 
that works.


I'm still confused though on how I'm supposed to deal with SCOMP 
messages from AOL.


Since I'm not and never have been nor will ever be an AOL user I don't 
know how these SCOMP messages are generated.


Is it automated or are my subscribers "indicating" that messages coming 
from my mail list are SPAM?


Thanks,
Geoff




Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Michael Wise
They are in response to someone with an AOL mailbox clicking on an email sent 
from your IP and then on the, "Report Spam" button.

You should look at the traffic and either ... ignore it if it's a one-off, 
block the sender, or unsub the recipient.
It's a bit of a time figuring out which is the best approach at any given time, 
but those are pretty much your choices.

Oh, and ... if you can't figure out who the recipient is (because it's probably 
redacted), that's where putting a tag in the .Signature may become necessary at 
some point.

Two things I would recommend most highly, not just for AOL recipients but 
others as well.

1) emphasize the desirability of adding the mailing list address to Safe 
Senders, preferably at the top of the email.
2) emphasize how easy it is to unsubscribe, also at the TOP of the email.

Having your recipient Safe Sender the traffic has ... how shall I say this? 
Non-obvious hidden benefits with some sites.
And if a recipient doesn't want your traffic, the sooner you get them off your 
list, the better.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Geoff Mulligan
Sent: Friday, February 13, 2015 2:11 PM
To: mailop@mailop.org
Subject: [mailop] AOL SCOMP messages

Thank you to everyone that provided ideas on how I should deal with aol, 
yahoo and such with my listserv.

I've modified my software to do some header munging and I'll see how 
that works.

I'm still confused though on how I'm supposed to deal with SCOMP 
messages from AOL.

Since I'm not and never have been nor will ever be an AOL user I don't 
know how these SCOMP messages are generated.

Is it automated or are my subscribers "indicating" that messages coming 
from my mail list are SPAM?

 Thanks,
 Geoff




Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Michael Wise
It's a part of the jigsaw puzzle, surely.
But to make the pretty picture, many pieces are required, and at the end of the 
day, all the pieces must lock together.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Franck Martin
Sent: Friday, February 13, 2015 2:08 PM
To: Steve Atkins
Cc: Brandon Long; mailop
Subject: Re: [mailop] help with running a listserv and DMARC

DMARC is just the shiny top of the iceberg, that gets people motivated to do 
something.

then you learn more, and then it is just a ploy to add more domain 
authentication to emails (SPF/DKIM/TLS), because there is a benefit to do so 
(get the DMARC reports) and it helps find infrastructure that could behave 
better with DKIM with people motivated to make a change.

then, with this momentum, you shift from IP reputation to domain reputation, 
and check that the domains in envelope from, from header, reply-to, sender,… 
are legit, exist, accept emails and are not on some form of blocklists…

and then also you start to accept less and less malformed emails, because 
Postel did not say to accept anything, but to be lenient when it is not clear 
what you should accept.

Will it make rainbows? no. Will it help? I hope so, even if it is not that 
much… it is still something.



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Jay Hennigan
On 2/13/15 14:11, Geoff Mulligan wrote:
> Thank you to everyone that provided ideas on how I should deal with aol,
> yahoo and such with my listserv.
> 
> I've modified my software to do some header munging and I'll see how
> that works.
> 
> I'm still confused though on how I'm supposed to deal with SCOMP
> messages from AOL.
> 
> Since I'm not and never have been nor will ever be an AOL user I don't
> know how these SCOMP messages are generated.

The SCOMP messages are part of your feedback loop from AOL. This is not
directly related to the DMARC brokenness that they and Y! introduced a
few months ago.

Whenever an AOL user clicks the "Report as spam" button on email, a copy
of the email is sent to the address that you configured for your
feedback loop, addressed from SCOMP@AOL.

The purpose of this is to give you an early warning of any spammers
inhabiting your IP space, so that you can take action.

However

Either the AOL user interface is confusing and the "Delete" and "Report
as spam" buttons are easily confused, or the reading comprehension and
intelligence of AOL users as a group is minuscule, or both.

We see LOTS of reported spam from AOL users that is clearly
transactional and often rather personal in nature, clearly not spam.

> Is it automated or are my subscribers "indicating" that messages coming
> from my mail list are SPAM?

It is triggered by the recipient flagging that particular message as spam.

I would suspect that these reports are also likely tied to an internal
AOL algorithm that will filter or reject email should some threshold be
exceeded likely based on source IP, content, etc. So far to the best of
my knowledge we haven't run into this despite numerous SCOMP reports
(close to 100% user error based on reading the reports).

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Mike A
On Fri, Feb 13, 2015 at 02:39:36PM -0800, Jay Hennigan wrote:
> On 2/13/15 14:11, Geoff Mulligan wrote:
> > Thank you to everyone that provided ideas on how I should deal with aol,
> > yahoo and such with my listserv.
> > 
> > I've modified my software to do some header munging and I'll see how
> > that works.
> > 
> > I'm still confused though on how I'm supposed to deal with SCOMP
> > messages from AOL.
> > 
> > Since I'm not and never have been nor will ever be an AOL user I don't
> > know how these SCOMP messages are generated.
> 
> The SCOMP messages are part of your feedback loop from AOL. This is not
> directly related to the DMARC brokenness that they and Y! introduced a
> few months ago.
> 
> Whenever an AOL user clicks the "Report as spam" button on email, a copy
> of the email is sent to the address that you configured for your
> feedback loop, addressed from SCOMP@AOL.
> 
> The purpose of this is to give you an early warning of any spammers
> inhabiting your IP space, so that you can take action.
> 
> However
> 
> Either the AOL user interface is confusing and the "Delete" and "Report
> as spam" buttons are easily confused, or the reading comprehension and
> intelligence of AOL users as a group is minuscule, or both.
> 
> We see LOTS of reported spam from AOL users that is clearly
> transactional and often rather personal in nature, clearly not spam.

I work for a state government; AOL users frequently flag as spam the
following from our various state agencies: 

o   drivers license expiration notices
o   lottery winning number reports
o   realtor™ license expiration notices
o   tax payment receipts
o   pikepass account statements
o   vendor application approval notices 
o   inspection reports
o   phone lists
o   notices of proposed rulemaking
o   hunter education cards 

and many other things which the recipient requested. Most of them, especially
the notices and statements, are things that the recipient will have wanted at
some time, and some are things that the recipient *definitely* will want. We
see hundreds of these in a week, sometimes thousands. 

I can only conclude that the "Delete" and "Report as spam" buttons are close
together and tiny, or that they are easily confused, or that many AOL users
are easily confused, or that many AOL users just see the "Report as spam"
button as a way to disappear the mail. 

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Franck Martin

On Feb 13, 2015, at 3:03 PM, Mike A  wrote:

> On Fri, Feb 13, 2015 at 02:39:36PM -0800, Jay Hennigan wrote:
>> On 2/13/15 14:11, Geoff Mulligan wrote:
>>> Thank you to everyone that provided ideas on how I should deal with aol,
>>> yahoo and such with my listserv.
>>> 
>>> I've modified my software to do some header munging and I'll see how
>>> that works.
>>> 
>>> I'm still confused though on how I'm supposed to deal with SCOMP
>>> messages from AOL.
>>> 
> >>> Since I'm not and never have been nor will ever be an AOL user I don't
>>> know how these SCOMP messages are generated.
>> 
>> The SCOMP messages are part of your feedback loop from AOL. This is not
>> directly related to the DMARC brokenness that they and Y! introduced a
>> few months ago.
>> 
>> Whenever an AOL user clicks the "Report as spam" button on email, a copy
>> of the email is sent to the address that you configured for your
>> feedback loop, addressed from SCOMP@AOL.
>> 
>> The purpose of this is to give you an early warning of any spammers
>> inhabiting your IP space, so that you can take action.
>> 
>> However
>> 
>> Either the AOL user interface is confusing and the "Delete" and "Report
>> as spam" buttons are easily confused, or the reading comprehension and
> >> intelligence of AOL users as a group is minuscule, or both.
>> 
>> We see LOTS of reported spam from AOL users that is clearly
>> transactional and often rather personal in nature, clearly not spam.
> 
> I work for a state government; AOL users frequently flag as spam the
> following from our various state agencies: 
> 
> o   drivers license expiration notices
> o   lottery winning number reports
> o   realtor™ license expiration notices
> o   tax payment receipts
> o   pikepass account statements
> o   vendor application approval notices 
> o   inspection reports
> o   phone lists
> o   notices of proposed rulemaking
> o   hunter education cards 
> 
> and many other things which the recipient requested. Most of them, especially
> the notices and statements, are things that the recipient will have wanted at
> some time, and some are things that the recipient *definitely* will want. We
> see hundreds of these in a week, sometimes thousands. 
> 
> I can only conclude that the "Delete" and "Report as spam" buttons are close
> together and tiny, or that they are easily confused, or that many AOL users
> are easily confused, or that many AOL users just see the "Report as spam"
> button as a way to disappear the mail. 
> 
Or that AOL users cannot make the difference between the emails you send and 
the email you don’t send?…

Also, are you sure they gave you their correct email address?… You cannot 
imagine the real email I receive at my gmail address from people trying to 
contact my homonyms...





Re: [mailop] help with running a listserv and DMARC

2015-02-13 Thread Michael Peddemors

On 15-02-13 02:08 PM, Franck Martin wrote:

> DMARC is just the shiny top of the iceberg, that gets people motivated to do 
> something.
>
> then you learn more, and then it is just a ploy to add more domain 
> authentication to emails (SPF/DKIM/TLS), because there is a benefit to do so 
> (get the DMARC reports) and it helps find infrastructure that could behave 
> better with DKIM with people motivated to make a change.
>
> then, with this momentum, you shift from IP reputation to domain reputation, 
> and check that the domains in envelope from, from header, reply-to, sender,… 
> are legit, exists, accept emails and are not on some form of blocklists…
>
> and then also you start to accept less and less malformed emails, because 
> Postel did not say to accept anything, but to be lenient when it is not clear 
> what you should accept.



And it just keeps adding burdens, and network traffic..
And then spam and phishing get confused, and 'best approach' starts 
tripping over each other..And no one can do it properly..


To be truthful? (sheepish grin) So far, all we use DMARC/DKIM for is as 
part of our spam detector filters.. to identify known patterns that are 
associated with certain spammers .. Eg, always signs with DKIM.. Likes 
using V1.. Never uses DMARC


IP Reputation is still the most powerful tool, with the lowest 
footprint.. The onus should be passed on to the sender.. not the 
receiver.. Sending servers should make sure nothing goes out their MTA 
unless the domain is something they are responsible for..


Mailing Lists should send out using the domain of the sender who 
instigated the mailing, not the mailing list operator..


(I see even banks using 3rd parties to send email out, from a domain 
totally unrelated.. @3rdpartybulkmailer.com is bound to have problems, 
when both good guys and bad guys use the same service)


And I get 'hey, is this really from this company I do business with?' 
all the time...


And then SPF is probably the next lightest.. Any domain that is really 
worried about someone forging their domain should have an SPF record of 
course, and not those sloppy ones that say 'maybe' our mail doesn't come 
from somewhere else..


99% of our spam protection happens directly in the edge SMTP layer, and 
all the other fancy 'anti-phishing' will get relegated to filtering...


For us, we would rather see the companies that are pushing so hard for 
DMARC/DKIM do a little better job on what's leaving their mail servers :)


Still a little hard to put the big guys on reputation lists.. ;)

And of course, the hosting companies are soon going to have to start 
thinking about this, while renting to spammers might be a nice way to 
justify more IP space, or make them a little fast money, soon it won't 
matter how they sign emails.


It is amazing how much damage a single /29 can do in just a few hours, 
across the whole internet.. renting by hour, and allowing them to 
consume as much bandwidth as needed, isn't going to get you any friends 
in the spam protection space..


Enough, now I am just ranting..

PS..

Yeah, your subscribers are probably marking it as spam ;)

(Always surprises me the times someone tries to report an uncaught spam 
accidentally.. for emails they want... or did subscribe to)






--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Mark Keymer
There might be some of that. However, I have seen conversations (nested 
RE:'s) come back in our feedback loop.


And I have thought MANY times that some of these people simply use the 
"Report as spam" vs "delete". Maybe it removes them faster? I have never 
used AOL but maybe they need to work on their interface?


Sincerely,

Mark Keymer

On 2/13/2015 3:26 PM, Franck Martin wrote:
> Or that AOL users cannot make the difference between the emails you 
> send and the email you don’t send?…
>
> Also, are you sure they gave you their correct email address?… You 
> cannot imagine the real email I receive at my gmail address from 
> people trying to contact my homonyms...


Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Eric Tykwinski
Great story,  we did email for a local school district.  Little Johnny would 
come home from school and check email first so that he could mark his teacher's 
disciplinary messages as spam before Mom and Dad came home.  We would just 
forward off the reports to the Sys Admin to deal with, the amount was so low 
that it never affected them, but I think it's a good example of how the system 
fails without some human oversight.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Feb 13, 2015, at 7:07 PM, Mark Keymer  wrote:
> 
> There might be some of that. However, I have seen conversations (nested 
> RE:'s) come back in our feedback loop.
> 
> And I have thought MANY times that some of these people simply use the 
> "Report as spam" vs "delete". Maybe it removes them faster? I have never used 
> AOL but maybe they need to work on their interface?
> 
> Sincerely,
> Mark Keymer
> 
> On 2/13/2015 3:26 PM, Franck Martin wrote:
>> Or that AOL users cannot make the difference between the emails you send and 
>> the email you don’t send?…
>> 
>> Also, are you sure they gave you their correct email address?… You cannot 
>> imagine the real email I receive at my gmail address from people trying to 
>> contact my homonyms...


Re: [mailop] AOL SCOMP messages

2015-02-13 Thread W Kern


I have been told but have not verified that if the AOL user leaves the 
email in spam box and then empties the spam box without moving good 
email into the normal inbox, then all email in the spam box is thus 
treated as SPAM and reported as such.


This actually explains those situations where we get  6-8 SCOMPS at the 
same time consisting of consecutive weeks of a weekly newsletter (that 
the customer subscribed to).


-William Kern

On 2/13/2015 4:07 PM, Mark Keymer wrote:
> There might be some of that. However, I have seen conversations 
> (nested RE:'s) come back in our feedback loop.
>
> And I have thought MANY times that some of these people simply use the 
> "Report as spam" vs "delete". Maybe it removes them faster? I have 
> never used AOL but maybe they need to work on their interface?
>
> Sincerely,
> Mark Keymer
>
> On 2/13/2015 3:26 PM, Franck Martin wrote:
>> Or that AOL users cannot make the difference between the emails you 
>> send and the email you don’t send?…
>>
>> Also, are you sure they gave you their correct email address?… You 
>> cannot imagine the real email I receive at my gmail address from 
>> people trying to contact my homonyms...


Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Dave Warren

On 2015-02-13 15:26, Franck Martin wrote:


> On Feb 13, 2015, at 3:03 PM, Mike A wrote:
>
>> On Fri, Feb 13, 2015 at 02:39:36PM -0800, Jay Hennigan wrote:
>>> On 2/13/15 14:11, Geoff Mulligan wrote:
>>>> Thank you to everyone that provided ideas on how I should deal with aol,
>>>> yahoo and such with my listserv.
>>>>
>>>> I've modified my software to do some header munging and I'll see how
>>>> that works.
>>>>
>>>> I'm still confused though on how I'm supposed to deal with SCOMP
>>>> messages from AOL.
>>>>
>>>> Since I'm not and never have been nor will ever be an AOL user I don't
>>>> know how these SCOMP messages are generated.
>>>
>>> The SCOMP messages are part of your feedback loop from AOL. This is not
>>> directly related to the DMARC brokenness that they and Y! introduced a
>>> few months ago.
>>>
>>> Whenever an AOL user clicks the "Report as spam" button on email, a copy
>>> of the email is sent to the address that you configured for your
>>> feedback loop, addressed from SCOMP@AOL.
>>>
>>> The purpose of this is to give you an early warning of any spammers
>>> inhabiting your IP space, so that you can take action.
>>>
>>> However
>>>
>>> Either the AOL user interface is confusing and the "Delete" and "Report
>>> as spam" buttons are easily confused, or the reading comprehension and
>>> intelligence of AOL users as a group is minuscule, or both.
>>>
>>> We see LOTS of reported spam from AOL users that is clearly
>>> transactional and often rather personal in nature, clearly not spam.
>>
>> I work for a state government; AOL users frequently flag as spam the
>> following from our various state agencies:
>>
>> o   drivers license expiration notices
>> o   lottery winning number reports
>> o   realtor™ license expiration notices
>> o   tax payment receipts
>> o   pikepass account statements
>> o   vendor application approval notices
>> o   inspection reports
>> o   phone lists
>> o   notices of proposed rulemaking
>> o   hunter education cards
>>
>> and many other things which the recipient requested. Most of them, especially
>> the notices and statements, are things that the recipient will have wanted at
>> some time, and some are things that the recipient *definitely* will want. We
>> see hundreds of these in a week, sometimes thousands.
>>
>> I can only conclude that the "Delete" and "Report as spam" buttons are close
>> together and tiny, or that they are easily confused, or that many AOL users
>> are easily confused, or that many AOL users just see the "Report as spam"
>> button as a way to disappear the mail.
>
> Or that AOL users cannot make the difference between the emails you 
> send and the email you don't send?...
>
> Also, are you sure they gave you their correct email address?... You 
> cannot imagine the real email I receive at my gmail address from 
> people trying to contact my homonyms...





It may also just be only a certain "type" of user still uses AOL at this 
point.


I have one particular user on my server who generates more SCOMP 
messages than every other user combined. One of these AOL users 
regularly emails my client requests for quotes, then reports the 
requested quote as spam. The AOL user is a real customer, and regularly 
accepts the quote and does business with my user, so there's nothing 
nefarious or suspicious here, no one is trying to fly under the radar, etc.


For whatever reason my client seems to have a bunch of AOL using 
friends, they regularly mark her personal mail as spam, often in obvious 
mailbox cleanups (when I get dozens of SCOMPs at once for mail that is 
weeks/months old) -- Haven't seen one of these in a few months though, 
so maybe AOL finally stopped sending them for old junk?


Upon regular review of AOL's SCOMPs, nothing is really broken, except 
for some combination of the AOL interface and userbase.


On the other hand, when I've had actual compromised accounts that start 
spamming, AOL's SCOMPs have always been the first external report, so I 
actually find them quite useful. Only once did they notice a problem 
before I did (or my systems) found and plugged the hole, but still, it's 
nice to have the feedback. Other feedback loops seem far less useful to 
me, most sent more messages in the verification/signup phase than have 
sent actual ARF reports. Maybe I just don't send enough spam to get 
value out of the other FBLs out there?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread W Kern


> On the other hand, when I've had actual compromised accounts that 
> start spamming, AOL's SCOMPs have always been the first external 
> report, so I actually find them quite useful. Only once did they 
> notice a problem before I did (or my systems) found and plugged the 
> hole, but still, it's nice to have the feedback. Other feedback loops 
> seem far less useful to me, most sent more messages in the 
> verification/signup phase than have sent actual ARF reports. Maybe I 
> just don't send enough spam to get value out of the other FBLs out there?




Yes, AOL SCOMPs are invaluable for that.  Unfortunately, we have seen 
situations where the SCOMP WAS our notification because rather than 
being obvious and sending out spam/malware full blast, the spammer was 
being sly and throttling the output to a couple a second, where it 
blended in with real email.






Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Michael Wise

Exactly.

We only really take AOL SCOMP reports at face value when there is a cluster of 
them; enough to lift the complaint above the noise down in the dust. It's very 
noisy, but has a tendency to be a canary in the coal mine to be sure.

Aloha,
Michael.
--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting 
Tool ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Dave Warren
Sent: Friday, February 13, 2015 4:24 PM
To: mailop@mailop.org
Subject: Re: [mailop] AOL SCOMP messages

On 2015-02-13 15:26, Franck Martin wrote:

On Feb 13, 2015, at 3:03 PM, Mike A 
mailto:mi...@mikea.ath.cx>> wrote:


On Fri, Feb 13, 2015 at 02:39:36PM -0800, Jay Hennigan wrote:

On 2/13/15 14:11, Geoff Mulligan wrote:

Thank you to everyone that provided ideas on how I should deal with aol,
yahoo and such with my listserv.

I've modified my software to do some header munging and I'll see how
that works.

I'm still confused though on how I'm supposed to deal with SCOMP
messages from AOL.

Since I'm not and never have been nor will ever be an AOL user I don't
know how these SCOMP messages are generated.

The SCOMP messages are part of your feedback loop from AOL. This is not
directly related to the DMARC brokenness that they and Y! introduced a
few months ago.

Whenever an AOL user clicks the "Report as spam" button on email, a copy
of the email is sent to the address that you configured for your
feedback loop, addressed from SCOMP@AOL.

The purpose of this is to give you an early warning of any spammers
inhabiting your IP space, so that you can take action.

However

Either the AOL user interface is confusing and the "Delete" and "Report
as spam" buttons are easily confused, or the reading comprehension and
intelligence of AOL users as a group is minuscule, or both.

We see LOTS of reported spam from AOL users that is clearly
transactional and often rather personal in nature, clearly not spam.

I work for a state government; AOL users frequently flag as spam the
following from our various state agencies:

o   drivers license expiration notices
o   lottery winning number reports
o   realtor™ license expiration notices
o   tax payment receipts
o   pikepass account statements
o   vendor application approval notices
o   inspection reports
o   phone lists
o   notices of proposed rulemaking
o   hunter education cards

and many other things which the recipient requested. Most of them, especially
the notices and statements, are things that the recipient will have wanted at
some time, and some are things that the recipient *definitely* will want. We
see hundreds of these in a week, sometimes thousands.

I can only conclude that the "Delete" and "Report as spam" buttons are close
together and tiny, or that they are easily confused, or that many AOL users
are easily confused, or that many AOL users just see the "Report as spam"
button as a way to disappear the mail.
Or that AOL users cannot make the difference between the emails you send and 
the email you don't send?...

Also, are you sure they gave you their correct email address?... You cannot 
imagine the real email I receive at my gmail address from people trying to 
contact my homonyms...



It may also just be only a certain "type" of user still uses AOL at this point.

I have one particular user on my server who generates more SCOMP messages than 
every other user combined. One of these AOL users regularly emails my client 
requests for quotes, then reports the requested quote as spam. The AOL user is 
a real customer, and regularly accepts the quote and does business with my user, 
so there's nothing nefarious or suspicious here, no one is trying to fly under 
the radar, etc.

For whatever reason my client seems to have a bunch of AOL using friends, they 
regularly mark her personal mail as spam, often in obvious mailbox cleanups 
(when I get dozens of SCOMPs at once for mail that is weeks/months old) -- 
Haven't seen one of these in a few months though, so maybe AOL finally stopped 
sending them for old junk?

Upon regular review of AOL's SCOMPs, nothing is really broken, except for some 
combination of the AOL interface and userbase.

On the other hand, when I've had actual compromised accounts that start 
spamming, AOL's SCOMPs have always been the first external report, so I 
actually find them quite useful. Only once did they notice a problem before I 
did (or my systems) found and plugged the hole, but still, it's nice to have 
the feedback. Other feedback loops seem far less useful to me, most sent more 
messages in the verification/signup phase than have sent actual ARF reports. 
Maybe I just don't send enough spam to get value out of the other FBLs out 
there?



--

Dave Warren

http://www.hireahit.com/

http://ca.linkedin.com/in/davejwarren



Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Eric Tykwinski
This is where I wish there was some standardization of bounce messages.  If 
email server operators could receive reports of X number of bounces reliably it 
may cut down on the number of compromised accounts considerably, by scripting 
some sort of shutdown of the account.

At the current state it seems like Exim, Exchange, SmarterTools, sendmail, et 
al all have their own format which makes this error prone to say the least.  
SmarterTools is trying bounce.io to inform the end-client, but as I’m sure you 
are all aware that they will just delete and continue like it’s just more spam.

> On Feb 13, 2015, at 7:36 PM, W Kern  wrote:
> 
> 
>> On the other hand, when I've had actual compromised accounts that start 
>> spamming, AOL's SCOMPs have always been the first external report, so I 
>> actually find them quite useful. Only once did they notice a problem before 
>> I did (or my systems) found and plugged the hole, but still, it's nice to 
>> have the feedback. Other feedback loops seem far less useful to me, most 
>> sent more messages in the verification/signup phase than have sent actual 
>> ARF reports. Maybe I just don't send enough spam to get value out of the 
>> other FBLs out there?
>> 
> 
> Yes, AOL SCOMPs are invaluable for that.  Unfortunately, we have seen 
> situations where the SCOMP WAS our notification because rather than being 
> obvious and sending out spam/malware full blast, the spammer was being sly 
> and throttling the output to a couple a second, where it blended in with real 
> email.
> 
> 
> 



___
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
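
The triage described in the posts above (act on a cluster of complaints, discount bursts of reports about weeks-old mail, and script the response) is sketched here as an added example; it is not code from anyone on this thread. It parses ARF (RFC 5965) reports. The sample reports are constructed, the thresholds are illustrative, and treating the embedded message's From address as the local sending account is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parseaddr, parsedate_to_datetime

# Constructed ARF report in the RFC 5965 layout, not captured SCOMP traffic.
TEMPLATE = """\
From: fbl@receiver.example
Date: {reported}
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an email abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1

--b1
Content-Type: message/rfc822

From: {account}
Date: {sent}

body
--b1--
"""

def parse_arf(raw):
    """Parse one ARF report; return None when it is not a usable one."""
    msg = message_from_string(raw)
    if not (msg.is_multipart() and msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "feedback-report"):
        return None
    fields = original = None
    try:
        for part in msg.get_payload():
            ctype = part.get_content_type()
            if ctype == "message/feedback-report":
                fields = part.get_payload(0)  # fields parse as a nested header block
            elif ctype == "message/rfc822":
                original = part.get_payload(0)
            elif ctype == "text/rfc822-headers":  # headers-only variant
                original = message_from_string(part.get_payload())
        kind = fields.get("Feedback-Type", "").strip().lower()
        reported = parsedate_to_datetime(msg["Date"])
        age = reported - parsedate_to_datetime(original["Date"])
    except (AttributeError, IndexError, TypeError, ValueError):
        return None  # a required part or Date header is missing or malformed
    return {"type": kind, "account": parseaddr(original.get("From", ""))[1].lower(),
            "reported": reported, "age": age}

def triage(raw_reports, threshold=3, window=timedelta(hours=1), stale=timedelta(days=7)):
    """Return (accounts with a cluster of fresh complaints, clean-up counts)."""
    fresh, cleanup = defaultdict(list), defaultdict(int)
    for report in map(parse_arf, raw_reports):
        if report is None or report["type"] != "abuse":
            continue
        if report["age"] > stale:  # old mail reported late: mailbox clean-up
            cleanup[report["account"]] += 1
        else:
            fresh[report["account"]].append(report["reported"])
    flagged = {}
    for account, times in fresh.items():
        times.sort()
        lo = best = 0
        for hi, when in enumerate(times):  # largest count inside any window
            while when - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged, dict(cleanup)

def sample_reports():
    """Constructed input: a clean-up burst, a fresh cluster, a stray report."""
    t0, td = datetime(2015, 2, 13, 16, 0, tzinfo=timezone.utc), timedelta
    rows = [("newsletter@lists.example", t0 - td(weeks=w), t0) for w in range(2, 8)]
    rows += [("jdoe@example.net", t0 - td(hours=2), t0 + td(minutes=m))
             for m in (0, 10, 25, 40)]
    rows.append(("quotes@example.net", t0 - td(hours=5), t0))
    return [TEMPLATE.format(account=a, sent=format_datetime(s),
                            reported=format_datetime(r)) for a, s, r in rows]
```

Calling `triage(sample_reports())` flags only the account with four same-day complaints inside one hour; the six reports about weeks-old newsletter issues are counted separately as clean-up noise, and the single stray report stays below the threshold.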


Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Hal Murray

> 2) emphasize how easy it is to unsubscribe, also at the TOP of the email. 

I agree that people who sign up for a mailing list should unsubscribe when 
they change their mind, but there are a lot of senders who add people to 
lists without asking or even mentioning that the list exists.


> 1) emphasize the desirability of adding the mailing list address to Safe
> Senders, preferably at the top of the email.

I'm still surprised that the bulk senders and the big receivers haven't 
worked out some setup for the receiver to piggyback on the confirmed-opt-in 
exchange.  That might even encourage senders to actually confirm that people 
want their stuff and that they have reached the right person.

Is there any header that indicates that the sender thinks a message is 
transactional?  Have spammers started forging it?  Is there any registry of 
known legitimate transactional senders?



-- 
These are my opinions.  I hate spam.






Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Michael Wise

Yes, and we call people who add other people to lists without their explicit 
permission, "Spammers". :)
How you acquire permission, or better yet prove it after the fact ... questions 
for another day.

Aloha,
Michael.
-- 
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been 
Processed." | Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Hal Murray
Sent: Friday, February 13, 2015 4:58 PM
To: mailop@mailop.org
Cc: Hal Murray
Subject: Re: [mailop] AOL SCOMP messages


> 2) emphasize how easy it is to unsubscribe, also at the TOP of the email. 

I agree that people who sign up for a mailing list should unsubscribe when 
they change their mind, but there are a lot of senders who add people to 
lists without asking or even mentioning that the list exists.


> 1) emphasize the desirability of adding the mailing list address to Safe
> Senders, preferably at the top of the email.

I'm still surprised that the bulk senders and the big receivers haven't 
worked out some setup for the receiver to piggyback on the confirmed-opt-in 
exchange.  That might even encourage senders to actually confirm that people 
want their stuff and that they have reached the right person.

Is there any header that indicates that the sender thinks a message is 
transactional?  Have spammers started forging it?  Is there any registry of 
known legitimate transactional senders?



-- 
These are my opinions.  I hate spam.






Re: [mailop] AOL SCOMP messages

2015-02-13 Thread Hugo Slabbert
>> 2) emphasize how easy it is to unsubscribe, also at the TOP of the email. 
> 
> I agree that people who sign up for a mailing list should unsubscribe when 
> they change their mind, but there are a lot of senders who add people to 
> lists without asking or even mentioning that the list exists.

In the latter case the message would be unsolicited and spam by my count. If 
we're talking about a proper mailing list, then this should not be 
possible/allowed as the user would need to have been added without a 
confirmation / address verification mechanism, and the mailing list operator 
deserves to get spanked for not enforcing proper sign-up verification. If we're 
talking about something like a newsletter mailout, then that's just bad form on 
the sender's part and they also deserve to get spanked for it. 

- Original Message -
From: Hal Murray 
Sent: 2015-02-13 - 16:57
To: mailop@mailop.org
Subject: Re: [mailop] AOL SCOMP messages

> 
>> 2) emphasize how easy it is to unsubscribe, also at the TOP of the email. 
> 
> I agree that people who sign up for a mailing list should unsubscribe when 
> they change their mind, but there are a lot of senders who add people to 
> lists without asking or even mentioning that the list exists.
> 
> 
>> 1) emphasize the desirability of adding the mailing list address to Safe
>> Senders, preferably at the top of the email.
> 
> I'm still surprised that the bulk senders and the big receivers haven't 
> worked out some setup for the receiver to piggyback on the confirmed-opt-in 
> exchange.  That might even encourage senders to actually confirm that people 
> want their stuff and that they have reached the right person.
> 
> Is there any header that indicates that the sender thinks a message is 
> transactional?  Have spammers started forging it?  Is there any registry of 
> known legitimate transactional senders?
> 
> 
> 
> -- 
> These are my opinions.  I hate spam.
> 
> 
> 
> 