(Subject changed in an attempt to conform to posting guidelines. I think the
subject under discussion -- mail sent from A to B at the request of third
party C -- falls under section 1a.)

Alan DeKok wrote:
> Is it really that difficult for your local browser to copy the web
> page, and send it?

Seth Breidbart responded:
> Difficult? No. Copyright violation? Yes.

To which I say:
How much sympathy are we due to offer in cases where the obstacle is
self-imposed? Arbitrary publication X probably offers a "mail this item to a
friend" service in preference to simply authorising you to do the same on the
basis that the former alternative gives them greater data about who is
getting their articles. Theoretically, it reveals to publication X the email
addresses of two readers: a sender, and a person that the sender thinks is an
interested party. Assuming that the sender isn't abusing the facility, that
is.
The major problem with this kind of third party mail request is that it does
not fit with any viable proposed method of sender authorisation. The only
viable practice that I can envisage involves the publication using its own
address as the envelope-sender address, and the "Sender:" address in the
message. The "From:" address in the message can be set to the address used by
the person requesting the mailing. If the transmission is blocked due to
policy constraints at the recipient's end, then that's just tough luck. If
failure to verify the veracity of data entered in such a web-form results in
widespread abuse and consequent blacklisting of the publication's mail
servers, then that's par for the course.
I guess I'm proposing a BCP, really. It goes like this:
Scenario: party A sends mail to party B at the request of party C. Example:
Chris wants publisher Aardvarks.example.com to mail an article to Bob. The
subsequent mail transaction has Aardvarks.example.com as the SMTP-sender, and
Bob's mail server as the SMTP-receiver. "MAIL From:" is given as a
bounce-handling address at Aardvarks.example.com (possibly utilising VERP),
which allows an LMAP-like system to bless the use of the given address. This
would not be possible if Chris' address were used at this point. "RCPT To:"
is given as Bob's address. In the message itself, "Sender:" is an appropriate
Aardvarks.example.com address, "From:" is Chris' address, and "To:" is Bob's
address. If the message is refused for any reason, the bounce-handler at
Aardvarks.example.com is in a position to notify Chris of this failure via
email.
It is the responsibility of Aardvarks.example.com to make sure that all
potential abuse vectors in this system are minimised, since it bears the risk
of blacklisting if third parties attempt to use it as a weapon of abuse. I
won't engage in a comprehensive review of potential abuse vectors here. I do
note that the use of Aardvarks.example.com as a "MAIL From:" address closes
one potential abuse path, since there is no possibility that a bounce will be
directed at an innocent third party. Contrast this with the case where "MAIL
From:" is the address provided in the web-form.
Regards,
TFBW
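
The addressing layout proposed in the message above, as an added example that is not part of the original post: the envelope sender is a per-message bounce address in the publisher's domain, "Sender:" is the publisher, "From:" is the requester, and a bounce is mapped back to the requester so he can be notified. The `bounce+<token>` address format, the `mailer@` mailbox, the in-memory `PENDING` table and the sample addresses are assumptions made for illustration.

```python
import secrets
from email.message import EmailMessage
from email.utils import parseaddr

PUBLISHER = "aardvarks.example.com"  # publisher domain used in the post
PENDING = {}  # token -> (requester, recipient); in-memory stand-in for a database


def build_forward(requester, recipient, subject, body):
    """Return (mail_from, rcpt_to, message) laid out as the post proposes."""
    for addr in (requester, recipient):
        # Web-form input: accept only a bare address, no display name or extra text.
        if "@" not in addr or parseaddr(addr)[1] != addr:
            raise ValueError(f"not a plain address: {addr!r}")
    token = secrets.token_hex(8)
    PENDING[token] = (requester, recipient)
    # VERP-style return path: unique per message, always in the publisher's domain.
    mail_from = f"bounce+{token}@{PUBLISHER}"
    msg = EmailMessage()
    msg["Sender"] = f"mailer@{PUBLISHER}"  # hypothetical publisher mailbox
    msg["From"] = requester                # Chris, who asked for the mailing
    msg["To"] = recipient                  # Bob
    msg["Subject"] = subject
    msg.set_content(body)
    return mail_from, recipient, msg


def handle_bounce(bounce_rcpt):
    """Map a bounce's RCPT To back to (requester, failed recipient), or None."""
    local, _, domain = bounce_rcpt.partition("@")
    if domain.lower() != PUBLISHER or not local.startswith("bounce+"):
        return None
    # pop(): each token is honoured once; unknown or replayed tokens yield None.
    return PENDING.pop(local[len("bounce+"):], None)


if __name__ == "__main__":
    mail_from, rcpt_to, msg = build_forward(
        "chris@requester.example", "bob@recipient.example",  # constructed sample addresses
        "An article Chris wanted you to see", "Article text goes here.\n")
    print("MAIL From:", mail_from)
    print("RCPT To:  ", rcpt_to)
    print(msg)
    print("bounce notifies:", handle_bounce(mail_from))
```

Because the return path never contains the address typed into the web form, a refused message comes back to the publisher's bounce handler rather than to whoever's address was entered as the requester.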