Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Al Iverson
On Tue, Jun 14, 2016 at 1:55 AM, Benoit Panizzon wrote: > Hi Laura > >> > There is no need to involve a lawyer. >> >> There is if you’re asking a company to release customer information >> to you. Which is what your request of Mailchimp is. > > Could you please provide legal background to your sta

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Michelle Sullivan
Paul Smith wrote: On 13/06/2016 19:31, Jay Hennigan wrote: What legitimate reason would an ESP have to shield the identity of a permission-based sender from its recipients? What legitimate sender uses an ESP to send permission-based mail anonymously? The problem is that there are privacy l

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Paul Smith
On 13/06/2016 19:31, Jay Hennigan wrote: What legitimate reason would an ESP have to shield the identity of a permission-based sender from its recipients? What legitimate sender uses an ESP to send permission-based mail anonymously? The problem is that there are privacy laws (eg data protec

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
Hi Eric > So all I need to do to shut down a competitor is sign up for their > mailing list, then issue a complaint to their ESP? It's not that easy :-). If you signed up, your competitor can provide a proof (Time, IP-Address, received verification email) you signed up to you and the ESP. So you

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Mathias Ullrich
I do think, if there is a permission based sender, then there will be a full imprint in the email (or at least a link to one), so that the recipient knows the sender. At our company, we enforce an imprint in every mail. I don't think Benoit is talking about a legitimate sender. Cheers, Mathia

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
Hi Jay > ESP to victim: That mail was sent on behalf of ABC Company, and you > can contact them [here]. We don't tolerate spammers, and our customer > contracts require openness so these issues can be resolved. Attached > is a PDF of their signed statement where they certify that they have > your

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-14 Thread Benoit Panizzon
> Victim to ESP: I got this spam from your IP and have no idea why. It > touts some product, but all of the links are tracking bugs that point > back to you. Where did you get my address and on whose behalf did you > send it? > > ESP to victim: We believe you and we have disconnected the customer.

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Laura > > There is no need to involve a lawyer. > > There is if you’re asking a company to release customer information > to you. Which is what your request of Mailchimp is. Could you please provide legal background to your statement? I have been in contact with the legal advisers of OFCOM

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Jay Hennigan
On 6/13/16 10:08 AM, Laura Atkins wrote: Scenario 3: Victim to ESP: I got this spam from your IP and have no idea why. It touts some product, but all of the links are tracking bugs that point back to you. Where did you get my address and on whose behalf did you send it? ESP to victim: We bel

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Steve Atkins
day, June 13, 2016 12:08 PM > To: mailop > Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws > > >> On Jun 13, 2016, at 9:59 AM, Jay Hennigan wrote: >> >> On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote: >>> Now you’re arguing le

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Eric Henson
] Mailchimp / Mandrill App: European VS US Privacy Laws > On Jun 13, 2016, at 9:59 AM, Jay Hennigan wrote: > > On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote: >> Now you’re arguing legal contracts here - that vendor has a legal contract >> with whoever this spammer is. While t

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Laura Atkins
> On Jun 13, 2016, at 9:59 AM, Jay Hennigan wrote: > > On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote: >> Now you’re arguing legal contracts here - that vendor has a legal contract >> with whoever this spammer is. While they can terminate the account in >> question, they certainly can’t ex

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Jay Hennigan
On 6/13/16 12:45 AM, Suresh Ramasubramanian wrote: Now you’re arguing legal contracts here - that vendor has a legal contract with whoever this spammer is. While they can terminate the account in question, they certainly can’t expose any customer data to you. In the US, they aren't under leg

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Laura Atkins
> On Jun 13, 2016, at 12:14 AM, Benoit Panizzon wrote: > > Hi Laura > >> Again, were you approaching this as an individual or was your lawyer >> involved? > > There is no need to involve a lawyer. There is if you’re asking a company to release customer information to you. Which is what your

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread David Hofstee
rzonden: Zaterdag 11 juni 2016 03:11:12 Onderwerp: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws Keep that one sign-up message. It's a very small per-user piece of data, and it would certainly be proof enough and to spare for me. Aloha, Michael. -- Michael J Wise | Mic

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Mathias Ullrich
Hey there, to answer Michelle's question: yes, if you are sending emails to a European citizen, the European law applies, or to be more specific, the law of the recipient's country. Meaning, if somebody sends mail to me, German law applies. It should be the same in Canada as well, should it not

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Suresh Ramasubramanian
Now you’re arguing legal contracts here - that vendor has a legal contract with whoever this spammer is. While they can terminate the account in question, they certainly can’t expose any customer data to you. You could of course contact local law enforcement and have them subpoena the data. Y

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Suresh > Did you try to identify the spammer with a dummy purchase If he is > doing something illegal? In my opinion, this is very dangerous and could get back on you. By doing a purchase, you get into a legal contract with that customer you don't want to comply with, but by which you get inf

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Laura > Again, were you approaching this as an individual or was your lawyer > involved? There is no need to involve a lawyer. You don't need one. You contact the sender and request the proof of opt-in. If he does not comply, you file a complaint with the SECO (or you could try to fill one wi

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-13 Thread Benoit Panizzon
Hi Tim > Rule #1: Spammers lie. What sort of "proof of opt-in" could they > provide that can't be forged? Also, it does not follow from that > requirement that senders must be "identifiable." That may be a > separate legal requirement, but it doesn't logically follow from the > opt-in proof requir

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-11 Thread John Levine
>> And why pull the public one if you do? > >That's how you invalidate the old key, mitigating the stolen key problem. >The point of cycling keys is to invalidate old ones. Also, by design, DKIM is intended for validating mail in transit, not long term archives. For that we have S/MIME and PGP.

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-11 Thread Steve Atkins
> On Jun 11, 2016, at 2:38 PM, Brandon Long via mailop > wrote: > > Why rotate keys that often? > Because the main attack against DKIM signatures is (ex?) staff walking off with the key pairs. It's not a _big_ risk, in most cases, I don't think, but it's the main one if you're using keys of

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-11 Thread Brandon Long via mailop
Why rotate keys that often? And why pull the public one if you do? Brandon On Jun 10, 2016 3:59 PM, "Ted Cooper" wrote: > On 11/06/16 05:02, Michael Wise via mailop wrote: > > Well, the From: domain would be a good start. > > > > It would certainly cut down on the trivial forgeries, and could

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
-Original Message- From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Ted Cooper Sent: Friday, June 10, 2016 5:17 PM To: mailop@mailop.org Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws On 11/06/16 09:29, Michael Wise via mailop wrote: > > ... whe

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 09:29, Michael Wise via mailop wrote: > > ... when the server receives it, it gets authenticated. > Or did you forget this? That doesn't help when attempting to provide "proof" of signup at some future date - it will simply be a message with a DKIM sig that can no longer be confirmed.

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
ailop-boun...@mailop.org] On Behalf Of Ted Cooper Sent: Friday, June 10, 2016 3:53 PM To: mailop@mailop.org Subject: Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws On 11/06/16 05:02, Michael Wise via mailop wrote: > Well, the From: domain would be a good start. > > It would certai

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Ted Cooper
On 11/06/16 05:02, Michael Wise via mailop wrote: > Well, the From: domain would be a good start. > > It would certainly cut down on the trivial forgeries, and could easily > be transferred from the web to email with a single mailto: link. Any signed DKIM message can only be authenticated while t

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
" | Got the Junk Mail Reporting Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ? From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Tim Starr Sent: Friday, June 10, 2016 11:55 AM To: mailop@mailop.org Subject: Re: [mailop] Mailchimp / Mandrill App: European VS

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
am Analysis | "Your Spam Specimen Has > Been Processed." | Got the Junk Mail Reporting Tool > <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ? > > > > *From:* mailop [mailto:mailop-boun...@mailop.org] *On Behalf Of *Tim Starr > *Sent:* Friday, Ju

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michael Wise via mailop
ailop] Mailchimp / Mandrill App: European VS US Privacy Laws Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide that can't be forged? Also, it does not follow from that requirement that senders must be "identifiable." That may be a separate legal requ

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Michelle Sullivan
Benoit Panizzon wrote: So the Mailchimp Abuse Desk was asked, with reference to the according legal articles and proof that the email was sent by their customer, to please disclose the identity of the customer sending those emails. Mailchimp always answers, that they are a US company and are onl

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Steve Atkins
> On Jun 10, 2016, at 10:30 AM, John Levine wrote: > >> With regard to Mailchimp, as a non-customer observer it seems to me that >> pre-Mandrill was excellent, post-Mandrill not as much. > > Mandrill is automated, which makes vetting the customers a lot harder. > > They are painfully aware of

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Tim Starr
Rule #1: Spammers lie. What sort of "proof of opt-in" could they provide that can't be forged? Also, it does not follow from that requirement that senders must be "identifiable." That may be a separate legal requirement, but it doesn't logically follow from the opt-in proof requirement. I also do

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 10:30 AM, John Levine wrote: > >> With regard to Mailchimp, as a non-customer observer it seems to me that >> pre-Mandrill was excellent, post-Mandrill not as much. > > Mandrill is automated, which makes vetting the customers a lot harder. > > They are painfully aware of

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> > International law? There's no international spam law. I know people > who spend full time trying to piece together spam cases using whatever > law applies in whatever places bits of the spamming happens. > > As others have noted, US companies are not subject to Swiss law, just > as Swiss c

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>I agree. But that doesn't mean he can't get a satisfactory answer about the >international law aspect. And by satisfactory I >mean one that makes sense, not necessarily one that he is going to like. ;-) International law? There's no international spam law. I know people who spend full time t

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread John Levine
>With regard to Mailchimp, as a non-customer observer it seems to me that >pre-Mandrill was excellent, post-Mandrill not as much. Mandrill is automated, which makes vetting the customers a lot harder. They are painfully aware of that, not sure what they're currently doing about it.

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Jay Hennigan
On 6/10/16 8:31 AM, Suresh Ramasubramanian wrote: I would guess they're happy to can their customer but they are refusing to tell Benoit who the customer is. Which sounds fair to me. May be fair, may be not depending on the proactive/reactive weight. In other words, weight given to preventin

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> Venturing an opinion on how much jurisdiction a law enforcement or regulatory > Organization is prepared to assert in a cross border scenario isn't going to > fly too far > > Did you try to identify the spammer with a dummy purchase If he is doing > something illegal? > > --srs > >> On 10

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
Venturing an opinion on how much jurisdiction a law enforcement or regulatory Organization is prepared to assert in a cross border scenario isn't going to fly too far Did you try to identify the spammer with a dummy purchase If he is doing something illegal? --srs > On 10-Jun-2016, at 9:09 P

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
> I would guess they're happy to can their customer but they are refusing to > tell Benoit who the customer is. Which sounds fair to me. I agree. But that doesn't mean he can't get a satisfactory answer about the international law aspect. And by satisfactory I mean one that makes sense, not

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
I would guess they're happy to can their customer but they are refusing to tell Benoit who the customer is. Which sounds fair to me. --srs > On 10-Jun-2016, at 8:44 PM, Anne Mitchell wrote: > > Benoit, please contact me offlist, and I will see about getting you to the > right person (MC is a

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Anne Mitchell
Benoit, please contact me offlist, and I will see about getting you to the right person (MC is a certification customer of ours, and I can confirm what Suresh says - they are *very* responsive to spam complaints, but yes, yours isn't really of that nature, at least not in a straight-forward sort

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Laura Atkins
> On Jun 10, 2016, at 1:09 AM, Benoit Panizzon wrote: > > I have seen similar cases on many occasions. > > But what disturbed me most here, is the lack of legal cooperation from > mailchimp. It was obvious, that the sender was located in either > Switzerland or italy. The spamvertized website w

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Matthias > > Therefore, the sender must be identifiable. If the sender is not > > identifiable, the ISP of the sender must provide the identity of the > > sender. > > On what legal theory is this based on? I am not a lawyer, but in my job I had some contacts with OFCOM, SECO, Lauterkeitskomm

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Matthias Leisi
Benoit, > Therefore, the sender must be identifiable. If the sender is not > identifiable, the ISP of the sender must provide the identity of the > sender. On what legal theory is this based on? > Art. 8 Right to information > https://www.admin.ch/opc/en/classified-compilation/19920153/index.ht

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > As I doubt that mailchimp operates under Swiss jurisdiction- and they > probably have a customer contract that stipulates US jurisdiction .. > you'd have to rely on them suspending the spammer. I am aware of that. But the way mailchimp operates now, is as a spammer heaven. I don't kno

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > They aren’t under any obligation to reveal customer identity to you > and would potentially face legal liability for doing so. This is exactly the problem. Privacy Laws in Switzerland (and most other countries I know) state, that the sender must provide proof of opt-in. Therefore,

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
As I doubt that mailchimp operates under Swiss jurisdiction- and they probably have a customer contract that stipulates US jurisdiction .. you'd have to rely on them suspending the spammer. I can't and won't speak for them but I have known them to actively suspend spammers --srs > On 10-Jun

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
Personally - no, I don’t operate a blocklist but I have operated spam filters on rather large ISPs. I’d say - if the spammers in question are suspended I doubt that you’d see any need to block them. They aren’t under any obligation to reveal customer identity to you and would potentially face

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi Suresh > There seems to be a miscommunication - I personally have seen > Mailchimp / Mandrill suspend a large number of spamming customers. Yes, the Mailchimp Customer I remember most, because one of my personal email addresses was targeted, was suspended, but probably re-subscribed under a s

Re: [mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Suresh Ramasubramanian
There seems to be a miscommunication - I personally have seen Mailchimp / Mandrill suspend a large number of spamming customers. However your request - which asks to identify a customer - would probably get routed to the legal department rather than a competent abuse team and that might explain

[mailop] Mailchimp / Mandrill App: European VS US Privacy Laws

2016-06-10 Thread Benoit Panizzon
Hi List I wonder how other Email Ops, especially in Europe, handle Mailchimp and Mandrill App. They are a constant issue with the Swinog Blacklists. The problem boils down to differences in the privacy laws of US vs EU. In Switzerland (and probably most EU countries too), a company who sends