[Top] [All Lists]

RE: Mandatory From field, anonymity, and hacks

2004-07-19 13:24:40

From: owner-ietf-822(_at_)mail(_dot_)imc(_dot_)org 
Behalf Of Bruce Lilly
Sent: 15 July 2004 15:16
To: ietf-822mailing list
Subject: Mandatory From field, anonymity, and hacks

In some cases, a message author desires some degree of anonymity.  The
requirement for a From field has led to the use of some hacks in order to
comply with the letter of RFC 2822 and its predecessors, while
providing some
degree of anonymity and rendering the From field unusable for
manual replies.
For example, RFC 3261 section 23.4.3 and RFC 3323 section recommend
use of the reserved DNS ".invalid" domain (RFC 2606) to provide
some degree
of anonymity.  There are some Internet drafts which do likewise.
I believe
such use goes somewhat beyond the intent of RFC 2606 in
reserving names for
test and example purposes.

Yes, we had long discussions about this in the USEFOR WG. The feeling was
that 'munging' addresses for spam avoidance was a Bad Thing, and that the
only socially acceptable thing was to use your genuine email address. But
we had to face the fact that people were going to do it anyway. OTOH, we
could not openly condone or deprecate the practice in a standards track

What we did, therefore, was to use wording, essentially the same as RFC
2822, that the From address should be the email address of the
author/poster. But we then added that if the poster should "for whatever
reasons" wish to use a non-working email address, then he SHOULD use a
domain ending in ".invalid".

Making the From header field optional would eliminate the need
for such hacks
by persons who desire the degree of anonymity that such hacks
provide; those
persons could simply avoid including a From field at all, rather than
including a hacked bogus address in a From field.

But that does not really solve the problem. People still want to identify
themselves (and their readers certainly want to know who is writing to
them, whether in News or Email). So at least you need the <phrase> with
the Real Name (which might actually be a pseudonym), and the From field is
the proper place for that. One might argue that the <address> part of the
header could be omitted, but I think I would prefer to make people use
something ugly like the ".invalid" thing just to prevent it from becoming
a thing that everybody did as a matter of course (at which point the
spammers would simply move to some other method of garnering addresses).