From: Andrew Gierth (andrew@erlenstar.demon.co.uk)
Date: Thu Nov 04 1999 - 22:28:16 CST
>>>>> "Charles" == Charles Lindsey <chl@clw.cs.man.ac.uk> writes:
>>> In order for a cancel message to remove an article, the
>>> addr-specs contained in the From header of the original article
>>> MUST match those contained in the From header of the cancel
>>> message.
>> Please kill this. It's not used for at least some third-party
>> cancels, the overwhelming majority of spam-cancels, for example,
>> which use the Sender check in INN to allow them to put
>> the real address of the issuer in the From header, which is far
>> superior. And it doesn't work for pre-cancels anyway. This is
>> trivial authentication and really doesn't serve any useful
>> purpose.
Charles> OK, I would like to hear some more opinions on this, since
Charles> you are proposing a departure from what is _believed_ by
Charles> most people to be current practice. I was not aware that
Charles> third-party cancellers were currently using their own From
Charles> headers.
The currently preferred form for third-party cancels has the
canceller's address in From, and the (Sender || From) header of
the original article in the Sender header of the cancel.
I don't know the historical evolution of this, because it was the
preferred form when I started analysing cancels (which was before I
started issuing them myself).
(Putting the original address in the From field has some obvious
drawbacks when one is cancelling forgeries, for example; cancels can
provoke a certain amount of email response, whether from test
responders, broken mailing list gateways, and even the occasional
FAQ-bot, and such things don't always respect Reply-To.)
Charles> And what does the Sender check in INN actually do?
INN's check works like this:
The "originator" of a message is the Sender header if present,
otherwise the From header.
The originator of the cancel must match the originator of the
original message. (Real names and comments are stripped first.)
-- Andrew.
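
The originator check described in the message above, sketched in Python as an added example (not INN's own code and not part of the original message). The function names, addresses and message-IDs are constructed, and comparing the stripped addresses as exact strings is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

def originator(msg):
    """Sender if present, otherwise From, reduced to the bare address."""
    header = msg["Sender"] or msg["From"] or ""
    return parseaddr(header)[1]  # drops real names and (comments)

def cancel_target(cancel):
    """Message-ID named by 'Control: cancel <id>', or None."""
    parts = (cancel["Control"] or "").split()
    return parts[1] if len(parts) == 2 and parts[0] == "cancel" else None

def cancel_accepted(original, cancel):
    """True when the cancel names the original and the originators match."""
    if cancel_target(cancel) != original["Message-ID"]:
        return False
    orig = originator(original)
    # Assumption: exact string comparison of the stripped addresses.
    return bool(orig) and orig == originator(cancel)

def article(*headers):
    return message_from_string("\n".join(headers) + "\n\nbody\n")

# Constructed sample articles (not real traffic).
ORIGINAL = article("Message-ID: <a1@news.example>",
                   "From: Some Poster <poster@example.org>")
AUTHOR_CANCEL = article("Message-ID: <c1@news.example>",
                        "From: poster@example.org (Some Poster)",
                        "Control: cancel <a1@news.example>")
# Third-party form from the message: canceller in From, original originator in Sender.
THIRD_PARTY = article("Message-ID: <c2@news.example>",
                      "From: Canceller <cancels@example.net>",
                      "Sender: poster@example.org",
                      "Control: cancel <a1@news.example>")
# Canceller in From but no Sender: originators differ, so the check rejects it.
NO_SENDER = article("Message-ID: <c3@news.example>",
                    "From: Canceller <cancels@example.net>",
                    "Control: cancel <a1@news.example>")

if __name__ == "__main__":
    for name, c in [("author", AUTHOR_CANCEL), ("third-party", THIRD_PARTY),
                    ("no Sender", NO_SENDER)]:
        print(f"{name:12} originator={originator(c):22} "
              f"accepted={cancel_accepted(ORIGINAL, c)}")
```

Both sides of the comparison are header values supplied with the articles themselves, so the check establishes consistency between the two messages rather than the identity of the issuer.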