Subject: RE: SPAM Alert: Email Address Harvesting
To: NetBSD Current <current-users@netbsd.org>
From: Conrad T. Pino <NetBSD-Current@Pino.com>
List: current-users
Date: 01/03/2004 01:11:54
I've read all replies from respectively Bruce, Richard, Michael, Daniel,
Bruce, Daniel and Joel.  Richard commented only on the prior discussion.
Bruce would clearly like to see *something* done.  Michael, Daniel and
Joel all raised valid issues that pertain to current sender address
disclosure practices.

My initial message was defective in that I made no specific proposal.  I'll
correct that now.
----------------------------------------------------------------------------
Problem Statement:

The sender's email client and the NetBSD list server expose the sender's
email address in the following headers:

	Return-Path: <current-users-owner-NetBSD-Current=Pino.com@NetBSD.org>
	From: "Conrad T. Pino" <Conrad@Pino.com>
	Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>

The "Return-Path" was rewritten by the NetBSD list server.  The output from
Outlook normally reads "Return-Path: <conrad@pino.com>".

The "From" and "Message-ID" headers were written by Outlook.
----------------------------------------------------------------------------
In general I propose the NetBSD list server rewrite all headers to remove
the sender's email address and specifically as follows:

1. Replace "Return-Path" value with "<current-users@NetBSD.org>"

2. Remove "Reply-To" header.

3. Rewrite "From" header value as follows:

      "Conrad T. Pino" <Conrad@Pino.com> => "Conrad T. Pino" <current-users@NetBSD.org>

      Conrad Pino <Conrad@Pino.com> => Conrad Pino <current-users@NetBSD.org>

      Conrad@Pino.com (Conrad T. Pino) => current-users@NetBSD.org (Conrad T. Pino)

4. Replace "Message-ID" header value with new value ending with "@NetBSD.org".
----------------------------------------------------------------------------
Impact assessment:

A. Replying directly to sender is impossible unless sender discloses their
   email address in the message body i.e. no *private* conversations.

B. All replies are ALWAYS through the list i.e. no *private* conversations.

C. Replies from WWW archives are ALWAYS through the list i.e. ditto.

D. Replies from UseNet are ALWAYS through the list i.e. ditto.

E. Policing SPAM sent TO the list will be harder unless the list server
   leaves behind an audit trail that identifies the sender from Message-ID.
----------------------------------------------------------------------------
I look forward to your comments on the above proposal.

Conrad
============================================================================
Headers from my original message on this topic follow for reference:

          by richmond.skyline.pino.net (Post.Office MTA v3.5.3 release 223
          ID# 0-55170U200L100S0V35) with SMTP id net
          for <NetBSD-Current@Pino.com>; Fri, 2 Jan 2004 11:29:31 -0800
          by mail.netbsd.org with SMTP; 2 Jan 2004 19:28:53 -0000
          by richmond.skyline.pino.net (Post.Office MTA v3.5.3 release 223
          ID# 0-55170U200L100S0V35) with SMTP id net
          for <current-users@netbsd.org>; Fri, 2 Jan 2004 11:28:52 -0800
From: "Conrad T. Pino" <Conrad@Pino.com>
To: "NetBSD Current" <current-users@netbsd.org>
Subject: SPAM Alert: Email Address Harvesting
Date: Fri, 2 Jan 2004 11:28:52 -0800
Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Importance: Normal
Sender: current-users-owner@NetBSD.org
============================================================================
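
The header rewrite proposed in steps 1-4 above, together with the audit trail mentioned under impact item E, as an added example that is not part of the original message and is not NetBSD list server code. It uses Python's standard email package; the function names, the audit record fields, the random Message-ID format and the Reply-To line in the constructed sample are assumptions.

```python
import email
import uuid
from email.utils import parseaddr

LIST_ADDR = "current-users@NetBSD.org"  # list address used in the proposal
LIST_DOMAIN = "NetBSD.org"

# Constructed sample built from the header values quoted in the message;
# the Reply-To line is added here so that step 2 has something to remove.
SAMPLE = (
    "Return-Path: <conrad@pino.com>\n"
    'From: "Conrad T. Pino" <Conrad@Pino.com>\n'
    "Reply-To: Conrad@Pino.com\n"
    'To: "NetBSD Current" <current-users@netbsd.org>\n'
    "Subject: SPAM Alert: Email Address Harvesting\n"
    "Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>\n"
    "\n"
    "Message body.\n"
)

def rewrite_from(value):
    """Step 3: swap only the address, keeping the name and its syntax."""
    _, addr = parseaddr(value)
    return value.replace(addr, LIST_ADDR) if addr else LIST_ADDR

def set_header(msg, name, value):
    """Replace the header in place if present, otherwise add it."""
    if name in msg:
        msg.replace_header(name, value)
    else:
        msg[name] = value

def anonymize(raw, audit_log):
    """Apply steps 1-4 and append an audit record (impact item E)."""
    msg = email.message_from_string(raw)  # compat32: headers stay plain str
    new_id = "<%s@%s>" % (uuid.uuid4().hex, LIST_DOMAIN)
    # Hypothetical audit record: lets the list admin map the new ID to the sender.
    audit_log.append({
        "new_message_id": new_id,
        "orig_message_id": msg.get("Message-ID"),
        "orig_sender": parseaddr(msg.get("From", ""))[1],
    })
    set_header(msg, "Return-Path", "<%s>" % LIST_ADDR)           # step 1
    del msg["Reply-To"]                                          # step 2
    set_header(msg, "From", rewrite_from(msg.get("From", "")))   # step 3
    set_header(msg, "Message-ID", new_id)                        # step 4
    return msg

if __name__ == "__main__":
    log = []
    print(anonymize(SAMPLE, log).as_string())
    print(log)
```

The audit log has to be stored where only list administrators can read it, since it holds exactly the addresses the rewrite removes from the distributed copy.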