At 2:53 PM -0800 11/29/15, Jim Fenton wrote:

> On 11/29/2015 09:12 AM, Chris Newman wrote:
>
>> I oppose the current shutup charter text and
>> draft-josefsson-email-received-privacy as both promote the
>> elimination of mechanisms that protect users from fraud and abuse.
>
> Agreed,

Also agree.

> and to be more specific:
>
> The proposed charter speaks of Received header fields leaking
> address information that can expose user location. Yes, they can.
> But, in general, that information is essential to identifying
> spoofed header fields: it's by tracing the chain of "from"
> addresses in Received header fields that one can determine that
> someone is attempting to do something fraudulent.

Very true. It seems to me that every few years, proposals are made
to effectively destroy 'Received' header fields without understanding
how and why they are so useful.

> Further, I don't have a lot of sympathy for organizations that
> rely on the secrecy of their network topologies as an essential
> security component. We're trying to increase the trust in email,
> not reduce it.

Agree. This is security through obscurity, and generally promoted by
people who can't explain how it really helps.

> draft-josefsson-email-received-privacy mentions the issue of
> senders' locations appearing on mailing lists and in mailing list
> archives. I have long felt that we are conflicted on whether the
> output of a mailing list is a new message or the same as the one
> sent to the mailing list. It usually has a different MAIL FROM
> address, and often has text added to the message body, which I
> would think is enough of a change to make it a new message. Yet the
> Message-ID and Received header fields are preserved. I would think
> that an entire new message should be created, a new Message-ID
> assigned, and DKIM signed by the mailing list's domain (of
> course!). Only selected header fields would be transferred to the
> new message. The original incoming header fields should be
> available only to the list administrators, who deal with abuse
> issues.

This assumes that each mailing list has the best possible spam
filtering and does the best possible job detecting forged header
fields. Since that isn't the case, we need to permit each mailing
list subscriber to see how a message was sent to the list.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly selected tag: ---------------
When I was younger, I could remember anything, whether it had
happened or not. --Mark Twain
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
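
Added example, not part of the thread above: a minimal Python sketch of the Received-chain tracing the messages refer to, as a list subscriber or abuse handler might run it on a delivered message. The sample message, host names and function names are constructed for illustration (reserved `.example` names and documentation address ranges).

```python
import email
import re

# Constructed sample: the oldest (bottom) Received line claims an origin inside
# bank.example, but the list's MX recorded a different connecting host.
SAMPLE = """\
Received: from mx.list.example (mx.list.example [192.0.2.10])
\tby inbox.rcpt.example with ESMTP id A3; Sun, 29 Nov 2015 15:02:11 -0800
Received: from unknown.host.example (unknown.host.example [203.0.113.77])
\tby mx.list.example with ESMTP id A2; Sun, 29 Nov 2015 15:02:05 -0800
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
\tby relay.bank.example with ESMTP id A1; Sun, 29 Nov 2015 15:01:58 -0800
From: support@bank.example
Subject: constructed sample

body
"""

# "from <name> ... by <name>" in one (possibly folded) Received value.
HOP = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S | re.I)


def hops(raw):
    """Return the hops oldest-first as dicts with 'frm' and 'by' host names."""
    msg = email.message_from_string(raw)
    chain = []
    # Each server prepends its Received line, so reverse to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            chain.append({k: v.lower() for k, v in m.groupdict().items()})
    return chain


def chain_breaks(raw):
    """Return (hop index, expected sender, recorded sender) for each hop whose
    'from' host is not the host that stamped the previous hop."""
    chain = hops(raw)
    return [(i, chain[i - 1]["by"], chain[i]["frm"])
            for i in range(1, len(chain))
            if chain[i]["frm"] != chain[i - 1]["by"]]


if __name__ == "__main__":
    for idx, expected, recorded in chain_breaks(SAMPLE):
        print(f"hop {idx}: expected handoff from {expected}, recorded {recorded}")
```

A break is a lead for a human reviewer rather than proof of forgery, since legitimate relays can announce a name that differs from the one they stamp in their own Received line.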