Subject: Re: SPAM Alert: Email Address Harvesting
To: NetBSD Current <current-users@netbsd.org>
From: Joel Baker <lucifer@lightbearer.com>
List: current-users
Date: 01/03/2004 09:12:34

On Sat, Jan 03, 2004 at 01:11:54AM -0800, Conrad T. Pino wrote:
> I've read all replies from respectively Bruce, Richard, Michael, Daniel,
> Bruce, Daniel and Joel.  Richard commented only on the prior discussion.
> Bruce would clearly like to see *something* done.  Michael, Daniel and
> Joel all raised valid issues that pertain to current sender address
> disclosure practices.
>
> My initial message was defective in that I made no specific proposal.  I'll
> correct that now.
> ----------------------------------------------------------------------------
> Problem Statement:
>
> The sender's email client and the NetBSD list server expose the sender's
> email address in the following headers:
>=20
> 	Return-Path: <current-users-owner-NetBSD-Current=Pino.com@NetBSD.org>
> 	From: "Conrad T. Pino" <Conrad@Pino.com>
> 	Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>
>
> The "Return-Path" was rewritten by the NetBSD list server.  The output from
> Outlook normally reads "Return-Path: <conrad@pino.com>".
>
> The "From" and "Message-ID" headers were written by Outlook.

Don't forget Mail-Followup-To, from some clients. And a bevy of other, less
standardized places where it might, or might not, show up.

> ----------------------------------------------------------------------------
> In general I propose the NetBSD list server rewrite all headers to remove
> the sender's email address and specifically as follows:
>
> 1. Replace "Return-Path" value with "<current-users@NetBSD.org>"
>
> 2. Remove "Reply-To" header.
>
> 3. Rewrite "From" header value as follows:
>
>       "Conrad T. Pino" <Conrad@Pino.com> => "Conrad T. Pino" <current-users@NetBSD.org>
>
>       Conrad Pino <Conrad@Pino.com> => Conrad Pino <current-users@NetBSD.org>
>
>       Conrad@Pino.com (Conrad T. Pino) => current-users@NetBSD.org (Conrad T. Pino)
>
> 4. Replace "Message-ID" header value with new value ending with "@NetBSD.org".

Doing some number of these things violates the SMTP RFCs. If you really
care which ones, and just which parts they violate, I can sit down and
quote you chapter and verse, but it isn't anything so subtle or benign as
the things about rewriting Reply-To (actually, there's one right offhand -
you aren't, in theory, supposed to touch that, though many mailing lists
redirect it to themselves, for various reasons - this is tacitly accepted
in most cases, but doing things like rewriting the From and Return-Path
headers to remove useable information means that there are some fairly
serious violations going on).

It does, however, appear that you're suggesting a complete double-blind
setup. It's the only thing that will prevent email harvesting, and the
reason it hasn't been done (it's *not* a new idea, not even remotely) is
that it violates the standards like a (insert crude metaphor of choice
here).
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/
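
The four rewrite steps quoted above, applied to a sample message and followed by a check for headers that still carry the sender's domain. This is an added example, not part of the original post or of any NetBSD list software; the function names are hypothetical, and the sample's Reply-To and Mail-Followup-To values are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, formataddr, make_msgid

LIST_ADDR = "current-users@NetBSD.org"   # list address named in the proposal
LIST_DOMAIN = "NetBSD.org"

# Constructed sample. From and Message-ID are the values quoted in the post;
# Reply-To and Mail-Followup-To are made up for the demonstration.
SAMPLE = """\
Return-Path: <conrad@pino.com>
From: "Conrad T. Pino" <Conrad@Pino.com>
Reply-To: Conrad@Pino.com
Mail-Followup-To: current-users@NetBSD.org, Conrad@Pino.com
Message-ID: <NBBBKGBBDBMONCPMINHBAEMGKNAA.Conrad@Pino.com>
Subject: test

body
"""

def blind(msg):
    """Apply steps 1-4 of the quoted proposal to msg in place."""
    # Keep the display name, drop the address (step 3).
    name, _addr = getaddresses([msg["From"]])[0]
    for header in ("Return-Path", "Reply-To", "From", "Message-ID"):
        del msg[header]                      # no error if the header is absent
    msg["Return-Path"] = f"<{LIST_ADDR}>"    # step 1 (step 2 is the delete)
    msg["From"] = formataddr((name, LIST_ADDR))
    msg["Message-ID"] = make_msgid(domain=LIST_DOMAIN)   # step 4
    return msg

def leaks(msg, sender_domain):
    """Names of headers whose value still mentions the sender's domain."""
    pat = re.compile(re.escape(sender_domain), re.IGNORECASE)
    return [name for name, value in msg.items() if pat.search(value)]

def run_sample():
    """Return (leaking headers before, leaking headers after, rewritten msg)."""
    before = leaks(message_from_string(SAMPLE), "pino.com")
    msg = blind(message_from_string(SAMPLE))
    return before, leaks(msg, "pino.com"), msg

if __name__ == "__main__":
    before, after, msg = run_sample()
    print("before:", before)
    print("after: ", after)
    print(msg.as_string())
```

On the sample, Mail-Followup-To survives the four steps, and the original Message-ID is replaced, so references to it from other messages no longer match.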
