The long view of security strategies for your network.
In my last column, I raised the issue of the difficulty we e-mail recipients have of getting off all the lists controlled by legitimate e-mail distribution firms. Today I propose a way to reach that goal.
* * *
First, readers should be aware that not all marketing e-mail can safely be responded to even for a supposed opt-out function. Think about it: criminals can use a response from an opt-out e-mail or Web-page visit as a way to verify that an e-mail address (out of the millions they spewed out in their mailing) is actually valid. It seems to me that the chances that criminals will delete your e-mail address are low; much more reasonable is to guess that they will file your address automatically in their "valid address – can be sold to some other sucker" file.
But no laws are going to stop criminal spammers in any significant way in a world where someone can use a spambot to send junk e-mail out on other people's computers with no cost or consequences to the criminal.
I originally wrote that I'd love to see a federal law or at least an FCC regulation that forces every legitimate e-mail marketing company to provide a form on their Web site to allow victims to stop all further messages from that company with a single instruction. However, in light of the information supplied by Marketfish, it is clear that the e-mail-campaign companies are at the mercy of their actual clients and that therefore no one firm can individually coordinate a global e-mail opt-out list – even for their own clients.
One solution I can envisage is that there be an industry-wide global opt-out database that all clients (such as people who want to send commercial e-mail) could use to screen their e-mail lists and that all recipients could populate with their own interdicted e-mail addresses – but in a way that would prevent criminals from using the list as just another source of e-mail addresses.
• Every company legitimately involved in e-mail marketing could cooperate by providing a link to a Web page serving the central database.
• Any user wanting to opt out of all commercial e-mail for a specific e-mail address would fill in a simple form with the selected e-mail address.
• To avoid automated denial-of-service against the list owners and against the e-mail address holders, there would be some form of confirmation such as a CAPTCHA-restricted follow-up page to send a confirmation e-mail to the potentially interdicted account.
• To avoid having the list turn into a goldmine for criminal spammers, the e-mail addresses could be stored only as the output of a secure one-way (cryptographic hash) function. Scanning a list would consist of comparing the one-way hashes of all the addresses on the list to a table of hashes in the opt-out list. Assuming a low rate of collisions, this method would allow removal of opted-out addresses from any scanned list without revealing the actual global opt-out list. (I wish the phone DO-NOT-CALL list had used a similar method to stop criminal phone abusers from using it as a free CALL-THESE-PEOPLE list.)
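The hashed opt-out registry and list-screening step sketched above, as an added example that is not part of the original column. It goes one step beyond the text: because e-mail addresses are guessable, a plain unkeyed hash table could be reversed by hashing candidate addresses, so the example uses a keyed hash (HMAC-SHA256) under a secret held by the registry operator, which means screening runs at the registry or under a key shared only with vetted senders. The key value and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical secret held only by the opt-out registry operator (constructed
# for this example). Keying the hash means a copied table cannot be turned
# back into a mailing list by hashing guessed addresses.
REGISTRY_KEY = b"example-registry-key-not-for-production"


def normalize(address: str) -> str:
    """Canonicalise an address so trivial variants map to the same tag.

    Whole-address lower-casing follows common practice; strictly, the local
    part may be case-sensitive, so a production registry would decide this
    per domain.
    """
    return address.strip().lower()


def address_tag(address: str, key: bytes = REGISTRY_KEY) -> str:
    """One-way tag for an address: HMAC-SHA256 of the normalised form."""
    msg = normalize(address).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class OptOutRegistry:
    """Stores only tags, never addresses, so the table is not itself a list."""

    def __init__(self, key: bytes = REGISTRY_KEY) -> None:
        self._key = key
        self._tags = set()

    def opt_out(self, address: str) -> None:
        # Called only after the confirmation step the column describes
        # (CAPTCHA page plus confirmation e-mail) has succeeded.
        self._tags.add(address_tag(address, self._key))

    def is_opted_out(self, address: str) -> bool:
        return address_tag(address, self._key) in self._tags

    def screen(self, mailing_list):
        """Return the addresses on a sender's list that may still be mailed."""
        return [a for a in mailing_list if not self.is_opted_out(a)]


if __name__ == "__main__":
    registry = OptOutRegistry()
    registry.opt_out("Alice@Example.com")            # constructed address
    campaign = ["alice@example.com", "bob@example.com", " ALICE@example.com "]
    print(registry.screen(campaign))                  # ['bob@example.com']
```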
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.