From: John Stanley (stanley@peak.org)
Date: Wed Mar 01 2000 - 14:51:06 CST
The hypermail archive is back to "last arrived is only one shown" mode
again.
Erland Sommarskog writes:
"Hm, I've never posted through Deja myself, but I am under the impression
that Deja do require that you post through a usuable address. I suppose
that is carried by means if registration."
Deja appears not to allow you to use any address that you have not already
confirmed. This is not correct enforcement of the From: limitations
contained in the draft since the draft says that I may use any address
which the "owner of the mailbox" has authorized me to use. Deja
artificially limits which addresses I may use and does not seek
authorization, just the ability to intercept email to that address. (Or it
might just be the ability to scan a large number of web URLs; I haven't
looked at the verification URL to see how it is formed and if it can be
guessed.) It also does not verify validity at the time of posting, which
may result in the use of an address that is not authorized.
This is an example of what will happen if we encourage slipshod
enforcement of this RFC. They won't be enforcing this RFC, they will be
enforcing the only possible thing they CAN enforce, which is a very
limited subset of legality. Imagine if the only test the police could
apply was "going 35 MPH", and the speed limit was 35. You drive 34 and get
a ticket because the test for going the speed limit failed.
Brad writes:
"I don't think anybody dreams, until we have digital certificates of
course, of being able to verify individual e-mail addresses off of one's
own server."
At the site I post from, not even the server knows for sure who is
posting or what addresses they are or are not authorized to use.
"It is possible for anybody to determine if a *domain* exists or not,..."
Yes, unfortunately this is not relevant to the section of the draft under
discussion.
"Under my draft, there become three states:"
Under the proposed draft, which is the topic of discussion at this time,
there are two cases. You use a mailbox that is authorized by the owner of
the mailbox, or you do not and must add .invalid. You cannot determine the
former unless you actually ask the owner of the mailbox.
" b) A fake domain not ending in invalid: Somebody violating the
spec, or a spammer. Reject/cancel/nocem the article."
This is circular reasoning. We must prohibit something because it is bad,
it is bad because it is prohibited. Trying to paint all such usage
as "spammer" is ridiculous, and trying to lump the two together is
almost as bad. This section of the draft has no relevance to spammers;
it isn't intended as a news spam defense. It is intended to remove one
spam defense that news posters use, and that isn't anti-spam, that's
pro-spam.
Please provide some evidence that an address of the form
"no@replies.please" does any damage to the news system. Otherwise, there
is no reason to prohibit it. There must be some reason to make it a
violation of the "spec" other than "it pisses me off that someone can do
it" or "I don't need to do it so I don't want anyone else to do it
either."
If determining that the domain is invalid is sufficient, then why hasn't
this ability been taken advatage of by newsreaders? If an invalid domain
in a From: header breaks news as badly as a "MUST" implies, then why
haven't newsreaders universally acted to prevent this? Why doesn't my copy
of trn test the domain when I try an email reply? Why doesn't it have a
killfile flag that says "test the domain of the From and kill if invalid?"
Could it be because it isn't that serious a problem?
And if not being able to get email to someone makes their opinions
worthless and thus cancellable, why am I not able to get email to you?
Brad also writes:
"... If we do it, it means that there is no spam that is
not either illegal, from a rogue site, subject to some non-rogue site's
TOS enforcement, or ending in .invalid. That sounds good to me."
We have a plague of mosquitos. Should we use a shotgun to try killing
them? Why not? Because a shotgun is unlikely to hurt the mosquitos and
will damage other useful things. This section of the draft does not deal
with spamming.
"Ask people the #1 problem on USENET today and I know what they'll say."
I'm sure you think you know, but you've guessed wrong for this user. I see
almost no spam on news anymore. The #1 problem I see would not be fixed
by anything in this draft.
bill davidsen writes:
"May I suggest that the last paragraph read:
If an injecting agent determines that an address is not deliverable or
not authorized to the poster, it MUST reject the article."
No. It makes it look like a solvable problem, which people will try to
solve in their own incorrect ways. How does one test "deliverable"? How
does an injecting agent determine "not authorized"? This statement implies
both are possible, and results in unacceptable failure modes when it gets
it wrong.