Proposing a secure global opt-out list

In my last column, I raised the issue of the difficulty we e-mail recipients have of getting off all the lists controlled by legitimate e-mail distribution firms. Today I propose a way to reach that goal.

* * *

First, readers should be aware that not all marketing e-mail can safely be responded to even for a supposed opt-out function. Think about it: criminals can use a response from an opt-out e-mail or Web-page visit as a way to verify that an e-mail address (out of the millions they spewed out in their mailing) is actually valid. It seems to me that the chances that criminals will delete your e-mail address are low; much more reasonable is to guess that they will file your address automatically in their "valid address – can be sold to some other sucker" file.

But no laws are going to stop criminal spammers in any significant way in a world where someone can use a spambot to send junk e-mail out on other people's computers with no cost or consequences to the criminal.

I originally wrote that I'd love to see a federal law or at least an FCC regulation that forces every legitimate e-mail marketing company to provide a form on their Web site to allow victims to stop all further messages from that company with a single instruction. However, in light of the information supplied by Marketfish, it is clear that the e-mail-campaign companies are at the mercy of their actual clients and that therefore no one firm can individually coordinate a global e-mail opt-out list – even for their own clients.

One solution I can envisage is that there be an industry-wide global opt-out database that all clients (such as people who want to send commercial e-mail) could use to screen their e-mail lists and that all recipients could populate with their own interdicted e-mail addresses – but in a way that would prevent criminals from using the list as just another source of e-mail addresses.

• Every company legitimately involved in e-mail marketing could cooperate by providing a link to a Web page serving the central database.

• Any user wanting to opt out of all commercial e-mail for a specific e-mail address would fill in a simple form with the selected e-mail address.

• To avoid automated denial-of-service against the list owners and against the e-mail address holders, there would be some form of confirmation such as a CAPTCHA-restricted follow-up page to send a confirmation e-mail to the potentially interdicted account.

• To avoid having the list turn into a goldmine for criminal spammers, the e-mail addresses could be securely one-way encrypted. Scanning a list would consist of comparing the one-way encrypted hashes of all the addresses on the list to a table of hashes in the opt-out list. Assuming a low rate of collisions, presumably this method would allow removal of opted-out addresses from any scanned list without revealing the actual global opt-out list. (I wish the phone DO-NOT-CALL list had used a similar method to stop criminal phone abusers from using it as a free CALL-THESE-PEOPLE list.)

I contacted MAAWG (Messaging Anti-Abuse Working Group) regarding my original concerns. Dennis Dayman, a member of the MAAWG Board of Directors and Chief Privacy and Deliverability Officer at Eloqua, responded as follows:

"We're not familiar with this particular vendor or its relationship with the lists it provides and can therefore only share the best practices developed by the industry for providing unsubscribe options. MAAWG is the only e-mail organization in which senders, receivers and anti-spam providers have come together in agreement to release a Sender Best Communications Practices document for the industry and non-members to use as a guide in reducing messaging abuse.

In this document, the experienced members within MAAWG have agreed on a set of principles that creates greater transparency and helps distinguish legitimate e-mailers from criminal spammers. This BCP also advocates technologies and practices that help to make e-mail a more secure and reliable communications channel. MAAWG makes the recommendations that (quoting, with "email" changed to "e-mail"):

1. Senders should make the unsubscribe process as clear and easy to use as reasonably possible.

2. Senders should process unsubscribe requests as quickly as reasonably possible and with the recipient in mind.

3. Senders should have the capability to process [e-mail]-based unsubscribe requests. Senders should also consider making offline unsubscribe mechanisms available.

4. When new subscribers are presented with hyperlinked online subscription preference centers with multiple subscription options, the specific list-unsubscribe option should be pre-checked by default for those lists in which users are subscribed.

5. Senders should accept abuse-related complaints at "role" account [e-mail] addresses, including abuse@sender-domain and postmaster@sender-domain, as well as monitor complaints sent to the WHOIS or other domain directory service contact [e-mail] address for that particular sending domain name.

More can be seen in MAAWG's best-practices document which is freely available online."

I am grateful to the team at Marketfish for their helpful responses and hope to continue the dialog as the research into this problem continues. Thanks also to Dennis Dayman and his colleagues at MAAWG.

In the meantime, if (and only if) you are confident that the e-mail you have received is completely legitimate (and not from a phisher or other criminal), keep clicking on those opt-out buttons!

Copyright © 2010 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022