[Top] [All Lists]

Re: Mandatory From field, anonymity, and hacks

2004-07-23 08:22:18

Charles Lindsey wrote:

Yes, we had long discussions about this in the USEFOR WG. The feeling was
that 'munging' addresses for spam avoidance was a Bad Thing, and that the
only socially acceptable thing was to use your genuine email address. But
we had to face the fact that people were going to do it anyway. OTOH, we
could not openly condone or deprecate the practice in a standards track

Two questions, based on the following text in an approved Standards Track
RFC (viz. RFC 2821):

3.8.4 Other Header Fields in Gatewaying

   The gateway MUST ensure that all header fields of a message that it
   forwards into the Internet mail environment meet the requirements for
   Internet mail.  In particular, all addresses in "From:", "To:",
   "Cc:", etc., fields MUST be transformed (if necessary) to satisfy RFC
   822 syntax, MUST reference only fully-qualified domain names, and
   MUST be effective and useful for sending replies.

Question 1: Why do you believe that the practice of using invalid
addresses cannot be "openly" deprecated in a Standards Track document
(N.B. "MUST be effective and useful" above, which goes well beyond
mere deprecation of ineffective and/or unusable addresses)?

Question 2: Since the text above places specific requirements on gateways
into the mail environment, _specifically_ and _in_ _detail_ how do you
propose that an invalid mailbox in a (mandatory per RFC 2822) From field
would be converted by a news-to-mail gateway into an "effective and useful"
mailbox in accordance with the mandatory requirements of RFC 2821
section 3.8.4? [note that there is no provision in the syntax of the
field for no mailbox]

What we did, therefore, was to use wording, essentially the same as RFC
2822, that the From address should be the email address of the

That is *NOT* what RFC 2822 says!

But we then added that if the poster should "for whatever
reasons" wish to use a non-working email address, then he SHOULD use a
domain ending in ".invalid".

And therein lies a problem, for that is not the intent of RFC 2026 in
making provision for a domain name for DNS testing purposes.

Making the From header field optional would eliminate the need
for such hacks
by persons who desire the degree of anonymity that such hacks
provide; those
persons could simply avoid including a From field at all, rather than
including a hacked bogus address in a From field.

But that does not really solve the problem.

It solves the problem faced by gateway implementors upon encountering
the ineffective and invalid addresses explicitly condoned by your
draft; implementors could drop the invalid/ineffective addresses and
if no addresses remain, then drop the field.

People still want to identify
themselves (and their readers certainly want to know who is writing to
them, whether in News or Email).

How do you propose differentiating one "John Doe" from another "John Doe"
in the absence of an email address?  For what practical purpose would
such a non-identifying "identity" be used?  If there is some pressing
need to refer to an anonymous author by a pseudonym, why not simply use
"Anonymous Coward" or something similar (N.B. there is existing practice
on the Internet for doing exactly that)?

So at least you need the <phrase> with
the Real Name (which might actually be a pseudonym), and the From field is
the proper place for that.

The mailboxes (N.B. no named groups) in the From field are used for replies
(in the absence of a Reply-To field).  So a hypothetical From field with
no mailbox is unworkable in the absence of a Reply-To field, and is
pointless in the presence of a Reply-To field.

One might argue that the <address> part of the
header could be omitted,

To, Cc, Bcc, and Reply-To address fields in the header are already optional,
and the Sender field is only required if the From field specifies more
than one mailbox.  So arguing "that the <address> part of the header
could be omitted" is the same as proposing that the From field be made
optional.  Nota Bene that prior to RFC 2822, at least one destination
field (To, Cc, Bcc) was required; dropping that requirement was a concession
to Usenet news, and in case you haven't guessed, I am proposing yet
another such concession.

but I think I would prefer to make people use
something ugly like the ".invalid" thing just to prevent it from becoming
a thing that everybody did as a matter of course

What exactly do you think people who are now inclined to use bogus
mailboxes in From fields will do?
a) ignore your recommendation (in which case it is pointless)
b) use effective and valid mailboxes (in which case why not simply require that)
c) inappropriately use .invalid just because you say so, causing massive
   problems for gateway implementors

It seems to me that the likely outcomes would be a and/or c, and it is
clear that you have not considered the implications for gateway