[mail-vet-discuss] Draft as of 9/4/2007
Michael Thomas
mike at mtcc.com
Sun Oct 14 13:24:51 PDT 2007
We're obviously talking past each other, but let's see if we have consensus that
the draft doesn't make a recommendation to strip or not at all. It's a local policy
decision at its root so I don't see we should try to be any more heroic.
Mike
John L wrote:
>> The point I'm trying to make is that net-nanny like pronouncements of
>> MUST/SHOULD NOT are pointless if an admin thinks some part of their
>> population is going to be fooled by it: they'll just ignore it and
>> strip away.
>
> Admins do stupid things every day. We all agree about that.
>
> I fear you're suffering from a rather severe failure of imagination.
>
> Anybody who picks up mail from more than one mailbox, which is a whole
> lot of people these days, is going to have to check that an AR header
> arrived via an appropriate path before believing it. Otherwise there's
> an obvious attack if one path manages AR headers and the other one
> doesn't. Ditto people who forward an address on system A to system B,
> if A does AR and B doesn't. Once you're checking the path, it's a
> trivial amount of extra work to check another hop or two and look at
> AR's added farther away.
>
> If you want to strip off potentially useful AR headers, nobody can
> keep you from doing that, but don't pretend you're doing your users a
> favor when you do.
>
> R's,
> John
>
> PS: I get a lot of mail where the From: header is forged. Perhaps
> just to be safe I should strip all of them, too.
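The path check described in the quoted message, as an added example that is not part of either post. It assumes hypothetical hostnames, that an AR header begins with the name of the server that added it, and that the border MTA places its AR header above its own Received header.

```python
import re
from email import message_from_string

# Assumed local configuration; all hostnames are hypothetical.
INTERNAL = {"imap.example.org"}   # hops behind our border
BORDER = {"mx.example.org"}       # border MTAs that manage AR headers

def received_by(value):
    """Return the lowercase 'by' host of a Received header, or None."""
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else None

def trusted_auth_results(raw):
    """Return the AR header values that arrived via a trusted path."""
    headers = message_from_string(raw).items()   # top-down, order kept
    border_index = None
    for i, (name, value) in enumerate(headers):
        if name.lower() != "received":
            continue
        host = received_by(value)
        if host in BORDER:
            border_index = i      # topmost border stamp is the genuine one
            break
        if host not in INTERNAL:
            return []             # hop outside our control: believe nothing
    if border_index is None:
        return []
    trusted = []
    for name, value in headers[:border_index]:
        if name.lower() == "authentication-results":
            authserv_id = value.split(";", 1)[0].strip().lower()
            if authserv_id in BORDER | INTERNAL:
                trusted.append(" ".join(value.split()))
    return trusted

# Constructed messages. VIA_A came through our AR-managing border and also
# carries a sender-supplied AR below it. VIA_B came through a second mailbox
# whose servers do not manage AR, so its AR header is unverifiable.
VIA_A = """\
Received: from mx.example.org by imap.example.org; 14 Oct 2007 13:00:03
Authentication-Results: mx.example.org; dkim=pass header.i=@sender.example
Received: from relay.sender.example by mx.example.org; 14 Oct 2007 13:00:02
Authentication-Results: mx.example.org; dkim=pass header.i=@bank.example
From: someone@sender.example
"""
VIA_B = """\
Received: from relay.sender.example by mx.other.example; 14 Oct 2007 13:00:02
Authentication-Results: mx.example.org; dkim=pass header.i=@bank.example
From: someone@sender.example
"""
```

Extending the check "another hop or two" amounts to adding the farther servers to the assumed `INTERNAL` and `BORDER` sets.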