Subject: Re: SPAM Alert: Email Address Harvesting
To: NetBSD Current <>
From: Joel Baker <>
List: current-users
Date: 01/03/2004 09:12:34

On Sat, Jan 03, 2004 at 01:11:54AM -0800, Conrad T. Pino wrote:
> I've read all replies from respectively Bruce, Richard, Michael, Daniel,
> Bruce, Daniel and Joel.  Richard commented only on the prior discussion.
> Bruce would clearly like to see *something* done.  Michael, Daniel and
> Joel all raised valid issues that pertain to current sender address
> disclosure practices.
> My initial message was defective in that I made no specific proposal.  I'=
> correct that now.
> -------------------------------------------------------------------------
> Problem Statement:
> The sender's email client and the NetBSD list server expose the sender's
> email address in the following headers:
> 	Return-Path: <>
> 	From: "Conrad T. Pino" <>
> 	Message-ID: <>
> The "Return-Path" was rewritten by the NetBSD list server.  The output fr=
> Outlook normally reads "Return-Path: <>".
> The "From" and "Message-ID" headers were written by Outlook.

Don't forget Mail-Followup-To, from some clients. And a bevy of other, less
standardized places where it might, or might not, show up.

> -------------------------------------------------------------------------
> In general I propose the NetBSD list server rewrite all headers to remove
> the sender's email address and specifically as follows:
> 1. Replace "Return-Path" value with "<>"
> 2. Remove "Reply-To" header.
> 3. Rewrite "From" header value as follows:
>       "Conrad T. Pino" <> => "Conrad T. Pino" <current-u=>
>       Conrad Pino <> => Conrad Pino <current-users@NetBS=>
> (Conrad T. Pino) => (Conrad T. Pino)
> 4. Replace "Message-ID" header value with new value ending with "@NetBSD.=

Doing some number of these things violates the SMTP RFCs. If you really
care which ones, and just which parts they violate, I can sit down and
quote you chapter and verse, but it isn't anything so subtle or benign as
the things about rewriting Reply-To (actually, there's one right offhand -
you aren't, in theory, supposed to touch that, though many mailing lists
redirect it to themselves, for various reasons - this is tacitly accepted
in most cases, but doing things like rewriting the From and Return-Path
headers to remove useable information means that there are some fairly
serious violations going on).

It does, however, appear that you're suggesting a complete double-blind
setup. It's the only thing that will prevent email harvesting, and the
reason it hasn't been done (it's *not* a new idea, not even remotely) is
that it violates the standards like a (insert crude metaphor of choice
Joel Baker                           System Administrator -    
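
An added example, not part of the original message or of any NetBSD list software: it applies the four rewrites from the quoted proposal to a constructed message and then lists where the sender's domain still appears, which is the point made above about Mail-Followup-To and less standardized headers. All addresses, hosts and the `X-Sender` header are made-up sample values, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import formataddr, make_msgid, parseaddr

# Constructed sample; every address, host and header value here is made up.
SENDER = "alice@example.org"
LIST_ADDR = "some-list@lists.example.net"
RAW = """\
Return-Path: <alice@example.org>
From: "Alice Example" <alice@example.org>
Reply-To: alice@example.org
Mail-Followup-To: some-list@lists.example.net, alice@example.org
Message-ID: <20040103.0001@mail.example.org>
X-Sender: alice@example.org
Subject: test

Body text.
Regards, Alice <alice@example.org>
"""

def sample():
    """Parse the constructed message above."""
    return message_from_string(RAW)

def apply_proposal(msg):
    """Apply the four rewrites from the quoted proposal, in place."""
    display_name = parseaddr(msg["From"])[0]
    for header in ("Return-Path", "Reply-To", "From", "Message-ID"):
        del msg[header]
    msg["Return-Path"] = "<>"
    msg["From"] = formataddr((display_name, LIST_ADDR))
    msg["Message-ID"] = make_msgid(domain=LIST_ADDR.split("@")[1])
    return msg

def residual_exposure(msg, sender=SENDER):
    """List headers (and the body) that still carry the sender's domain."""
    domain = sender.split("@")[1].lower()
    hits = [name for name, value in msg.items() if domain in value.lower()]
    if domain in msg.get_payload().lower():
        hits.append("(body)")
    return hits

if __name__ == "__main__":
    msg = sample()
    print("before:", residual_exposure(msg))
    print("after: ", residual_exposure(apply_proposal(msg)))
```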
