ietf-smtp

Re: 2821bis: received: ... for clause

2007-06-17 19:10:04



--On Sunday, 17 June, 2007 20:28 -0400 "David F. Skoll"
<dfs(_at_)roaringpenguin(_dot_)com> wrote:


Robert A. Rosenberg wrote:

Given the single-mailbox constraint, the exposure of the
address in a for clause should be a non-issue no matter how
the address ended up in the RCPT-TO envelope list (Address in
To/Cc/Bcc or via a mailing list subscribe) since the message
is being delivered to that single mailbox, not more than one
mailbox at that domain.

I gave an admittedly-contrived example of how this could be a
major issue:

MAIL FROM:<boss@example.com>
RCPT TO:<suckers-to-be-laid-off-next-week@example.com>
DATA
From: boss@example.com
To: dummy@example.com
Subject: Memo about stock-option vesting
Subject: Memo about stock-option vesting

...


In other words, you may not want members of an alias to know
which alias they're on.

But doesn't the current (as of 2821) warning under Security
Considerations adequately cover this case?  If not, what
language would you suggest?

    john
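
An added illustration, not part of the original message or of any mail software: a Python check for the exposure in the example above, listing addresses that Received "for" clauses reveal but that appear neither in To/Cc nor as the reader's own mailbox. The Received line, the relay name mx.example.com and the reader alice@example.com are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the memo from the example above as one alias member
# might receive it. The Received line (hypothetical relay mx.example.com)
# is an assumption showing a "for" clause that records the envelope recipient.
SAMPLE = """\
Received: from client.example.com by mx.example.com with ESMTP id ABC123
\tfor <suckers-to-be-laid-off-next-week@example.com>;
\tSun, 17 Jun 2007 20:00:00 -0400
From: boss@example.com
To: dummy@example.com
Subject: Memo about stock-option vesting

...
"""

# "for" clause of a trace field: "for <path>" or "for mailbox".
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def for_clause_addresses(msg):
    """Return lower-cased addresses named in "for" clauses of Received fields."""
    found = []
    for value in msg.get_all("Received", []):
        # Unfold the header and drop the date-time that follows the last ";".
        clauses = " ".join(value.split()).rsplit(";", 1)[0]
        found += [addr.lower() for addr in FOR_CLAUSE.findall(clauses)]
    return found


def undisclosed_recipients(raw, delivered_to):
    """Addresses exposed by "for" clauses that the reader would not otherwise see."""
    msg = message_from_string(raw)
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    visible.add(delivered_to.lower())  # the reader's own mailbox is no secret
    return [a for a in for_clause_addresses(msg) if a not in visible]


if __name__ == "__main__":
    # alice@example.com is a constructed member of the alias.
    print(undisclosed_recipients(SAMPLE, "alice@example.com"))
```
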