From: John Stanley (stanley@peak.org)
Date: Tue Feb 19 2002 - 14:28:26 CST
Bill Davidsen <davidsen@prodigy.com> writes:
> An
> injector which determines that the From and/or Sender header is
> incorrect SHOULD reject the article.
The whole point of this debate is that the injector cannot make this
determination. (To say that it can implies that the injector is redefining
the "correct" content of the From header away from what this standard
would say it is into something else. As this standard defines it, the
injector cannot say "I know this is wrong".) It CAN determine that the
From header does not match whatever limited data it has on hand. Those are
not the same.
And nobody is saying that an injector MUST, or even SHOULD, accept an
article if the operator wants to restrict users to authenticated data and
a user doesn't use it in his headers. The injector is free to REJECT any
article it wants to. The problem comes when the injector CHANGES the
headers and posts the article anyway.
Russ Allbery (rra@stanford.edu):
>But while it most certainly should be optional, some people are
>going to want to turn it on and are going to want the injector to put a
>real e-mail address in the headers. People who don't like that behavior
>can not use those servers.
People who don't like that behaviour may not find out about it until too
late to do anything about it, and long after the damage has been done.
Those who want to run restrictive injectors are free to do so -- as long
as they don't pretend to be able to do things they cannot, and don't do
things they should not. One of the former is saying "this address does not
meet the requirements of the From header in a way that needs a Subject
header inserted". The latter is putting a poster's spammable address in
his posting without his explicit permission when the poster has acted
explicitly so that it would not appear there.
If they want to reject the article with the error "invalid From header,
please use 'whatever@I.demand.from.you' to post", that's fine. That's
being upfront about the limitation. The poster isn't going to be surprised
by a sudden appearance of spam floods to an email address he has been
actively trying to protect from such abuse, just because the guy who runs
the injector thought he should put spammable addresses into each article
as they pass through his system.
Who is it that is telling people that injectors are required to accept
every article they are handed, to the point that they are allowed to
"correct" the data in the headers if they don't like it? Can we find that
person and gag him? Why can we not simply say "either accept these headers
as the user, who happens to be the only source of the data that really
knows what it is, gives them to you, or don't accept the article at all?"