From: Brad Templeton (brad@templetons.com)
Date: Sun Jan 21 2001 - 20:48:41 CST
On Sun, Jan 21, 2001 at 09:27:18PM -0500, Seth Breidbart wrote:
> My general feeling is that arbitrary tokens are better than IP
> addresses (for all the reasons Brad gives); however, IP addresses do
> have some advantages in combatting abuse. More important, however, is
> the fact that IP addresses are the most common tokens now used, and I
> wouldn't want to make existing software nonconformant for using them.
>
> Hence, I'd support a statement that some sort of tokens (possibly IP
> addresses) SHOULD be used, and a token that maps to the user/session
> only via private information Ought to be used.

Actually, as drafted injector-info (or whatever equivalent is laid out)
is an optional header, not a SHOULD at all.

The debate was over if this header is to be generated, what should
be the recommended or default form of unique user ident, namely IP address or
some token without personal identification. This is important for
both sides of the debate because 90%+ of sites will output the
default form.

I am curious if much software out there actually understands the
semantics of the IP address, or just uses it as a token. I.e. which
filter/spam-detector software tries to say that if there is a large
amount of posting from a block of adjacent IP addresses that this
might be one party.

If software does that, it is of course both taking steps to stop spam
from the more sophisticated corporate spammer, but also taking a significant
risk of filtering the innocent.

So does anybody do this?

I will also reiterate that whatever is used, be it IP address or token
or anything else, I remain surprised that it needs a whole new header.
As far as I can see, all the proposed parameters for the injector info
header are of very limited utility or duplicated elsewhere
except for the token or IP address.
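
The following is an added example, not part of the original message and not taken from any filter software: it contrasts counting articles per opaque identifier with aggregating IPv4 identifiers by adjacent block, the behaviour the message asks about. The sample records, the threshold of 50, the /24 block size and the names `group_key` and `flagged` are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: (injector identifier, article count) pairs.
# Addresses are from documentation ranges; the tokens are made up.
SAMPLE = [
    ("192.0.2.10", 40), ("192.0.2.11", 40), ("192.0.2.12", 40),  # one party rotating addresses
    ("198.51.100.5", 30), ("198.51.100.77", 30),  # two unrelated users of one address pool
    ("tok-7f3a", 40), ("tok-91c2", 40),  # opaque tokens, no adjacency to exploit
]


def group_key(ident, prefix):
    """Key under which an identifier's articles are counted.

    With prefix=None every identifier is an opaque token. With a prefix
    length, IPv4 addresses collapse to their enclosing block; anything
    that does not parse as an address stays an opaque token.
    """
    if prefix is None:
        return ident
    try:
        addr = ipaddress.IPv4Address(ident)
    except ValueError:
        return ident
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def flagged(posts, threshold, prefix=None):
    """Return {key: total} for every key whose article total exceeds threshold."""
    totals = Counter()
    for ident, count in posts:
        totals[group_key(ident, prefix)] += count
    return {key: total for key, total in totals.items() if total > threshold}


if __name__ == "__main__":
    print("per identifier:", flagged(SAMPLE, 50))
    print("per /24 block: ", flagged(SAMPLE, 50, prefix=24))
```

Per-identifier counting flags nothing here, while block aggregation flags both the rotating poster and the two unrelated users who share a pool; the opaque tokens cannot be aggregated either way.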