Subject: Re: SPAM Alert: Email Address Harvesting
To: Conrad T. Pino <NetBSD-Current@Pino.com>
From: James Chacon <jmc@NetBSD.org>
List: current-users
Date: 01/03/2004 03:27:15

On Sat, Jan 03, 2004 at 01:11:54AM -0800, Conrad T. Pino wrote:
> Problem Statement:
> 
> The sender's email client and the NetBSD list server expose the sender's
> email address in the following headers:
> 
> 	Return-Path: <current-users-owner-NetBSD-Current=Pino.com@NetBSD.org>
> 	From: "Conrad T. Pino" <Conrad@Pino.com>
> 	Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>
> 
> The "Return-Path" was rewritten by the NetBSD list server.  The output from
> Outlook normally reads "Return-Path: <conrad@pino.com>".
> 
> The "From" and "Message-ID" headers were written by Outlook.
> ----------------------------------------------------------------------------
> In general I propose the NetBSD list server rewrite all headers to remove
> the sender's email address and specifically as follows:
> 
> 1. Replace "Return-Path" value with "<current-users@NetBSD.org>"
> 
> 2. Remove "Reply-To" header.
> 
> 3. Rewrite "From" header value as follows:
> 
>       "Conrad T. Pino" <Conrad@Pino.com> => "Conrad T. Pino" <current-users@NetBSD.org>
> 
>       Conrad Pino <Conrad@Pino.com> => Conrad Pino <current-users@NetBSD.org>
> 
>       Conrad@Pino.com (Conrad T. Pino) => current-users@NetBSD.org (Conrad T. Pino)
> 
> 4. Replace "Message-ID" header value with new value ending with "@NetBSD.org".
> ----------------------------------------------------------------------------
> Impact assessment:
> 
> A. Replying directly to sender is impossible unless sender discloses their
>    email address in the message body i.e. no *private* conversations.
> 
> B. All replies are ALWAYS through the list i.e. no *private* conversations.

This is the sticking point and which I think a lot of folks will find
a complete showstopper. There are many threads I participate in where 
conversations migrate "offline" to discuss things. If the only way to even
start that would be to waste list bandwidth with email of "XXX - please reply
with your email so I can contact you" that's pretty ridiculous to hide
something (your email address) which you then have to expose to the list
anyways... Do you honestly think spam harvesters only look at specific headers?
They're looking through entire content for addresses as well.

All this proposal seems to do is make legitimate contact/conversation harder
for no quantifiable measurable gains.

James
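
An added example, not part of the original messages and not the NetBSD list server's code: the four proposed header rewrites applied with Python's standard `email` package, followed by a check of where the sender's address is still visible afterwards. The sample message is constructed (the `Reply-To` value and the body are assumptions), and `rewrite_headers` and `residual_exposure` are hypothetical helper names.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr, make_msgid

LIST_ADDR = "current-users@NetBSD.org"

# Constructed sample: header values follow the thread, Reply-To and body are made up.
SAMPLE = """\
Return-Path: <conrad@pino.com>
From: "Conrad T. Pino" <Conrad@Pino.com>
Reply-To: Conrad@Pino.com
Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>
Subject: SPAM Alert: Email Address Harvesting

Please contact me off-list about this.
-- 
Conrad T. Pino <Conrad@Pino.com>
"""

def rewrite_headers(msg, list_addr=LIST_ADDR):
    """Apply proposal items 1-4 to a parsed message, in place."""
    # parseaddr accepts all three From forms listed in the proposal;
    # the comment form "addr (Name)" comes back out as "Name <addr>".
    display_name, _ = parseaddr(msg.get("From", ""))
    for header in ("Return-Path", "Reply-To", "From", "Message-ID"):
        del msg[header]                                   # item 2 stops here
    msg["Return-Path"] = f"<{list_addr}>"                 # item 1
    msg["From"] = formataddr((display_name, list_addr))   # item 3
    msg["Message-ID"] = make_msgid(domain="NetBSD.org")   # item 4
    return msg

def residual_exposure(msg, sender_addr):
    """List the places (header names or 'body') where sender_addr still appears."""
    needle = sender_addr.lower()
    where = [name for name, value in msg.items() if needle in value.lower()]
    if needle in msg.get_payload().lower():   # single-part text message assumed
        where.append("body")
    return where

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("before:", residual_exposure(msg, "Conrad@Pino.com"))
    rewrite_headers(msg)
    print("after: ", residual_exposure(msg, "Conrad@Pino.com"))
    print(msg.as_string())
```

After the rewrite the headers no longer carry the address, but the signature line in the body still does, which is the gap the reply points out.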