Unfortunately, distributed lists of hashes of e-mails don't work for secrecy.
Spammers have lists of millions of email addresses. They can just compare
the hashes against them and turn the list of hashes into a list of real
addresses. At least for those on the lists. Which is most of us. If you
get spam, you're on these lists. If you don't get spam, you don't have
much reason to get on the opt-out list.

In fact, anything that will "clean" a list of opted-out people is a way to,
using the 50 million email address spammer's database, get almost all the
list of people who opted out.

Now the question is, do you need secrecy of the names? It certainly would
be nice, since you should ideally not have to declare your address in public
in order to get your privacy! But there is no great solution here.

In fact, the only solution I have come up with requires us to all get new
E-mail addresses. This would be a pattern, such as a reserved word lower
level domain part. Thus ***@ns.elan.net (with "ns" in it) would be
an address declared to have opted out.

That's not very exciting but I am open to other solutions for an opt out list.

The other reason it's necessary is that email addresses are not unique.
Many people own whole domains and get all mail to *@domain.com. All
sendmail users get all mail to username+*@domain.com. All qmail users
get all mail to username-*@domain.com. There are many other examples.

Also, user%***@otherdomain.com is a valid e-mail for you if otherdomain
relays. There are an infinite number of variations.

That leaves us with option 3, which can deal with that. Problem is (legit)
relaying. This requires every MX server to know the policy of every user it
MXs for.


I think it sucks, but a reserved word domain is the only solution I have been
able to come up with. Thus plus is that while we all have to get new emails
if you want such a system, it's pretty easy to guess the new address from the
old one.


However, in the end, opt-out and opt-in laws are pretty demonstrably fruitless.
We have 25 laws already, and leaving aside their highly debatable
constitutionality, that they are entirely ineffective does not seem subject
to debate any more.

There are psuedo standards (Maybe there's an RFC? I haven't checked.
Probably.) such as the one followed by this list:

List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,
<mailto:asrg-***@ietf.org?subject=unsubscribe>

I should note that there seems to be some variation in the format of
that field (I had to write a parser for it last month).

I'm not sure where mail-based opt-out systems fall in what you are
putting together.

The other two semi-standards are the listname-***@example.com
(with subject unsubscribe) and listname-***@example.com.

Here are my updated notes on Opt-Out:

I. Use of Opt-Out
1. How far is opt out applied
a. To do global opt-out for all commercial email services
b. To do opt-out for some special email-list or particular types of email
2. Timing reference for opting out
a. For existing ones that already send you email and participate in
the system.
b. For future ones that may want to send you email
c. For certain period of time (when you're on vacacation)
and can not receive as much email

I could not yet formulate what is to be said in this section, please help!

II. How opt-out is delivered

1. Distributed lists which use some type of encryption to allow validation
of particular address but not see enter list.
Pros:
a. Opt-out lists can be easily cleaned up before the transmission
b. Distribution of lists can be controlled by tightly controlled
Cons:
a. Serious issues that the encryption technology maybe broken
later on and as such allow to get clear list of all opted-out
email addresses
b. Distribution lists can easily go sub-distributed and go beyoned
authenticated base and thereafter abused
c. Patents relating to the encryption technologies exists
d. Concerns about who and how will make opt-out lists and distribute
them
e. Concerns that opt-out lists will instead be used to verify if
email address in spammer database is real

2. Opt-out server. Here special service/server is made available to
legit bulk-mailers. Anybody wishing to check if the address is
opt-out or not can connect to that server and check
Variations:
2a. One unified service is made available by the goverment or icann, etc
2b. A number of special opt-out servers exist in parallel which

are used/run by different groups of commercial mailers
Pros:
a. Opt-out lists can be cleaned up before the transmission begins
b. Distribution of lists can be controlled by tightly controlled
the authentication means can be well controlled to not allow
distribution certain allowed list of entities
Cons:
a. Special opt-out verification protocol may have to be developed
b. Concerns about who and how will run opt-out service
c. Concerns that opt-out service will instead be used to verify if
email address in spammer database is real

3. Opt-out system maintained together with mail servers on per-domain basis.
Variations:
3a. Service made available as part of mail server, new command added
to SMTP to check opt-out preference of user on email server
3b. Service made available as part of mail transmission and is more
tightly integrated with actually sending email, i.e. email being
sent contains some preference for opt-out check and email server
can based on that return email back with proper error code
Note: to a degree this is what some filters already do ...
3c. Service made available through separate protocol to be run by ISP
on per-domain basis.
Pros:
a. An opt-out is controlled by mail server operator and not any
questinable central agency.
b. Depending on how system is implemented it maybe a lot harder to
actually gather list of valid email addresses (mail server
operator may choose to answer opted-out for any email address
that does not exist, for example)
Cons:
a. A new protocol (or extensions to SMTP) need to be developed
b. It maybe a lot harder to clean up lists before emailing
(maybe this this also good thing?)
c. If implemented as in 3a all MX servers (even backups) may need
to answer yes on question of opt-out, this created
implementation problems and seems unnecessary

4. Modification of Email address to show opt-out choice.
Variations:
4a. General opt-out choice recognized by everybody, which may
actually be some variation of mail service domain/subdomain
4b. Opt-in choice specific to particular situation or mailing list
example - email+***@domain.com
Pros:
a. Very easy to implement and does not require new technology, 4b
is already actively used by many
b. Address itself shows optout choice, so spammers can not do
email address cleanup for purposes of finding valid address
Note: this is also a Con!
c. Opt-out choice is controlled by each individual user and not by
external entity (be it central agency or mail service provider)
Cons:
a. This generally requires us to use different email address then
what we already do, often even more then one. It does not address
issues with existing currently use email addresses (see
section I on what we want to do), this is a BIG Con.
b. Use of "special" email address may also be taken by spammers as
verification that email address is valid!

III. Enforcement of Opt-Out
Note: #1 and #2 below may well be done in parallel
1. Done by goverment by legislation to have all commercial email marketers
participate in some system or abide by specific protocol standards
Enforcement is afterwards left to courts
Pros:
a. There would be clear guidelines for commercial email senders to
follow and if they do not they will pay an actual price for it
b. Its a lot more likely commercial businesses will follow the law
Cons:
a. This maybe problematic when considering email as global system
and not specific to US or EU laws
b. It takes some time for laws to be passed and then be verified
in courts to be workable
2. Enforcement is left to ISP/mail server operators through use of
filters if email is found to be from commercial email marketer
that is known to mail server operator
Pros:
a. Filtering is already well adapted technology
b. When email is found to have violated opt-out choice, stopping
future email from the particular marketer is easy and fast
(blacklist) but it does require marketers to be well identified
Cons:
a. Use of filtering means some email will inevitably be filtered
b. Filters will never completed stop unwanted email even with
opt-out choice, some email marketers may choose not to follow it


------
William Leibzon
Elan Communications Inc.
***@elan.net

Intellectual Property, Legal cases and Patents

I would be prepared to keep track of patents, IP and spam cases and report
on them.
I have experience in IP law (Class of '76 - PunchCard 301) and am very
interested in how this mail problem will be solved. The law approach itself
is severely limited in its jurisdiction, and is most often geographically
applied. Reliable evidence is also a problem ie. how and from whom can it be
obtained
It may be that a spam solution will be almost exclusively, a technical one.
There are many patents in the Internet space and some covering commerce
systems may have aspects which have partial application in the solution of
this problem.

Brian

----- Original Message -----
From: <***@elan.net>
To: "Paul Judge" <***@ciphertrust.com>
Cc: <***@ietf.org>
Sent: Monday, March 24, 2003 6:03 PM
Subject: Re: [Asrg] ASRG work items

I think that some type of extended response would be very valuable.
If people are really going to implement challenge/response systems of
one kind or another, they need a standard mechanism for instructing a
sender. This is going to involve, at minimum, some text followed by
a URL (which might be as simple as a mailto: for a "white hole"
address that the sender can send to complain about a blacklist).
Possibly the text should be split into human readable and machine
readable sections.

I think this should be specified at both the SMTP and
returned-message level. This is the only hope we have of getting
mailing lists and automated mail systems to work in an environment
with lots of different anti-spam systems. We *really* don't want to
go back to the mess that existed 10-15 years ago with zillions of
different mail systems providing completely different bounce
messages. Been there, done that.

Why wouldn't RFC 2919 and RFC 2369 headers be sufficient?

Why wouldn't yet more new SMTP gadgets only make things worse?


Vernon Schryver ***@rhyolite.com

but I tend to go further: you can be discriminate here, but still not
have consent.

This is a rewrite of something I just sent to Brad privately that might
illuminate what I mean. To preface it, I'll note I think people abuse
the word spam horribly, to the point where it almost has no meaning any
more, so any attempt to "stop spam" is going to fail because nobody can
agree how to define it.

going down the rabbit hole of defining this stuff, I make a hard
delineation between:

1) spam, which in my mind are those idiots that send stuff fraudulently
with forged return addresses and all that other stuff.

2) legitimate marketing stuff, where the real issue is a consent issue,
not a fraud issue.

for (1), the root cause is the easy ability to forge spam and the
difficulty of stopping people. Since I see this kind of crap as 90% of
the overall problem (or more), finding ways to lock them out of the
universe is my top priority.

2) where you have real companies doing stupid things, gets lumped in
with 1, but is really a different problem, and has nothing to do with
cheap costs or whatever. It has to do with marketing people who ought
to be kneecapped for being more worried about how many messages got
sent and not about how many sales were generated...

In both cases, volume is an accelerator to the process, not a cause.

I think the issues of "solving spam" and "dealing with e-marketing
consent issues" are skew. One is shutting down fraudulent operations,
the other is regulating legitimate businesses who's practices might or
might not be up to snuff. But they tend to get lumped together, and
that adds complexity to the the problem and confuses the issues, and we
end up going round and round and accomplishing nothing.

They're separate issues, needing separate solutions. I realize there's
a segment that thinks all e-marketing is by definition spam, but the
moderate position understands it's not. And no, I'm not excusing badly
build e-marketing systems, not at all. but the amount of hassle they
cause is nothing compared to the spam that's fraudulently stuffed down
out throats every day. And the solutions are different.

but IMHO, you could fix every freaking e-marketer to have perfect
systems with perfect consent that updates based on telepathy two days
before the end-user thinks of unsubscribing -- and the typical user
wouldn't notice because of all the noise and pain caused by the fraud
spammers. Worse, the e-marketing stuff keeps getting dumped onto the
same bonfire by the "burn witches! more witches!" crowd, which
basically derails the process from allowing anyone to focus on solving
the first, major problem.

I'd like to suggest that we focus on the first, big problem: the group
of mass mailers that are overtly avoiding allowing users to define
consent through various fraudulent means. Until that issue is solved,
nothing else matters. If folks want to start a sub-group to hash out
issues of consent and try to work with the legitimate e-mailers to
build a standard, great, but even if that gets resolved to everyone's
satisfaction, it won't matter if we all wake up to 45 messages every
morning with pretty pictures of zebras in them.

I keep thinking this group sidetracks itself by being unable to really
define the problems it's trying to solve (instead, looking for *a*
problem and defining *a* solution), and not setting priorities among
them. In all honesty, if we could cut those 45 messages with zebras to
20 messages with little bluu pills, this group would still be
considered massive heroes, but there doesn't seem to be any interest or
motivation towards fixing a chunk of the problem, and instead we turn
around and chase our tails.

Don't think for a second I think this group's been useless, by the way.
There are lots of useful things being done and lots of good mixing and
sharing and considering. But I'm not seeing it moved to the next step,
and the group itself seems to be somewhat passive about moving itself.
And I think that's why the frustration level on the group is building,
because we're tail chasing now, and nobody's defined which rabbit gets
chased first...

And the reality is, there are a lot of rabbits and a lot of holes, and
we need to be careful lest we step in a hole and break our ankle -- but
right now, I feel like we're sitting in the kennel chasing each other.

And what would it have accomplished that CNN couldn't ? Asides from
tying up bandwidth which could've been used by people to let relatives
know they were safe ?
Except that some of them will quickly become ex-customers.
Most participants in this group seem to be male. Therefore, ads for
penis enlargement, meet-lonely-women, and viagra would definitely be
"targetted messages" by your criteria.
It would be on-topic for this group.

How would you validate them? And if you don't, why wouldn't some
helpful person do a dictionary attack on the opt-out list in order to
remove everyone.

The privacy goals are twofold. We would like to avoid having to declare
publicly your desire to opt-out, though frankly this is not that much of
a killer.

Secondly, we would want to avoid spammers deliberately spamming all the people
who opted out because they can get a list of all of them.


The seeding idea is interesting. It doesn't solve the first problem, your
name will still go on a list that can be made public, but as I said we can
probably survive that, it's just somewhat ironic to have to go public to
protect your privacy.

You would need to seed the opt-out list with hashes of tens of millions of fake
addresses, and those fake addresses would need to be ones that can't be
spotted as fake (they don't bounce) and which occur on popular spamming lists,
but which are not anybody's mailbox.

That's a bit of a tall order!


Reversing a secure hash is (of course) not an issue here, you don't need to
do it to turn the list of hashed addresses into real addresses when you have
the database of 50 million valid emails on CD the spammers trade around. If
you get spam, you're on their lists, so they can make a list of everybody
on the opt-out list who is on a common spammer's list.

Now why they want to spam it I don't know, possibly for spite. Only well hidden
overseas spammers would do it, but they would.

It is also a DoS attack on people. If you hate somebody, extract the list of
opted out people, then fake mail from the hated person to thousands of opted
out people. Presuming the opt-out is working, the recipients will be extra
angry, this would bring down a rain of trouble on the poor soul.

Perhaps this is the greatest danger of the opt-out list. It also applies to
the special domain I described and all other systems though. If opt-in were
morally acceptable, it would certainly be easier to implement, but it isn't.

Technology advances, both in terms of scientific research on cryptography
and just pure computational force power. You can never assume it'll not be
broken...

In reality I was thinking more in terms of trying to add somewhat easily
guessable poison email address to catch those doing dictionary attacks
and using the results improperly.

But Brad is also right, if somebody has 100 million email addresses
gathered from everywhere else and they wanted to clean it up to real
addresses, they would check with this opt-out list of 20million addresses,
there is good bet 99% of those 20million are contained in those 100million
(people would opt-out when they are already receiving too much unwanted
email and their email is already known), that however does not mean there
are no valid email addresses in remaining 80million so spammer would
probably continue to send to all 100million anyway.

But this does expose the problem that if you distribute list and let
email marketing company do all validation on their own, they will get
almost entire list. With cental server, while this is still also possible,
at least the authority providing the service can gather statistics of how
many queries each particulr authorized client is doing and if they see
somebody doing brutal force check of their 100million addresses, they
probably know its not a legit bulk mailer company. With opt-out specific
to each domain, the ability to do central verification is gone so even if
you see somebody doing this kind of check (which is difficult - you only
know statistics for your domain), its unclear if you can have any serious
response to it.

Can you be more specific as to how that solves the problem?

My issue is this. If you have a system -- any system at all -- which
will "clean" (ie. remove opted out addresses) from a large spammer's master
list (such as the lists they trade around on CD, you all have gotten spams
to buy them) then it is inherent that you will be giving them back a list
of all people on their list not in the opt-out list, and thus a list of
all people on their list who _are_ on the opt-out list.

The only way to avoid that would be what direct marketers do. The cleaner
also delivers the spam! You would need bonded companies which send
spam, but remove any opted out address from the mailing. They are bonded
to not reveal the contents of the list.

This may seem bizarre but in fact is not out of the question. This is how
the direct marketing business works. Of course the postal service is the
only company which delivers the mail.

But if you want to do a direct mailing, the list sellers don't give you a
copy of their list. They prefer to give it to a trusted 3rd company that
is mailing your ads for you. (Often they print, stuff and address for you.)
You hand them the ad, and tell them what lists you are buying, and they
clean the lists (of dups) print, stuff, address and take it to the post
office for you.)

However, larger mailers are trusted to get lists, and for a price you can buy
them.

To avoid people "stealing" the lists, they seed them with special trap addresses.
If they get a direct mailing that they didn't rent the list for, they come and
get you.



So if there were a "official" spamhuases, which respected the opt-out list,
you would not even need to blacklist it, because you could just opt-out and
encourage your users to opt-out.

Spammers who wanted to deliver their own spam would not be able to clean their
lists, and would be subject to the full wrath of anti-spam systems.

This sort of thing has been proposed by spammers in the past, and quite
correctly we have not trusted them. If the mailing houses however were
approved by us (meaning IETF folks and major ISPs) it's not as silly as it
sounds. At least until everybody gets on the opt-out list, and the company
becomes moot, and we start over again, unfortunately.

Non sequitur
n.
An inference which does not *follow* from the premises.
(not "unrelated")

It's possible (as demonstrated) to infer the contrary
from the same premises.





--

Can't the mailing list mention on its website what (sub)domain or
machine their mail is coming from ? rDNS can be forged, as can
envelope-sender. However, if you say that email will be coming from
machine bad.example.com, then it's a simple matter of comparing output
from a domain lookup of bad.example.com against the IP address of the
MTA sending you the email. Note the following...

[m1800//home/waltdnes]host cnn.com
cnn.com has address 64.236.16.84
cnn.com has address 64.236.16.116
cnn.com has address 64.236.24.4
cnn.com has address 64.236.24.12
cnn.com has address 64.236.24.20
cnn.com has address 64.236.24.28
cnn.com has address 64.236.16.20
cnn.com has address 64.236.16.52

..yes, one name can return multiple addresses. This allows backup MTAs
and load-balancing. Going via DNS also means that...

1) You can change IP addresses, and DNS will still get you there.

2) During a switchover, you can list both old and new addresses.