[cairo] Don't print unobfuscated message IDs in your list archives
Ryan Schmidt
cairo-2006c at ryandesign.com
Wed Jul 12 07:18:34 PDT 2006
On Jul 12, 2006, at 00:23, Carl Worth wrote:
> On Wed, 5 Jul 2006 21:14:02 +0200, Ryan Schmidt wrote:
>> <!--3 01152124771/
>> F216A53F-3E22-4E7C-927F-96E46B7A65B6 at ryandesign.com- -->
>>
>> I would appreciate it if you would not print things on your web page
>> that look like (and are) valid email addresses at my domain, without
>> obfuscation, because the spambots find them in no time and I end up
>> receiving spam to them.
>
> I'm a little confused by the above request. I haven't looked up the
> relevant RFC, but isn't the Message-Id header quite under control of
> the original sender? At least everything to the left of the @ sign?
>
> So can't you just ensure that what you put there is not a valid email
> address and thereby eliminate any spam that would result from
> harvesting of Message-Id headers?
Well, a couple things... first, the format of the Message-Id my email
client generates is not under my control. It always generates an ID
of the from (uuid)@(domain), where (uuid) is generated with the BSD
program uuidgen, and (domain) is the domain of my email address. My
domain, like many personal domains, I think, is deliberately
configured with a catch-all email address that receives mail to any
address at that domain. Message-Ids of this form are therefore valid
email addresses. I'm disinclined to turn off the catch-all at this
point, as I have been using the catch-all for 7 years and would be
hard-pressed to remember all the email addresses I've used in that
time and still want to keep. It would be wonderful if I could tell my
mail program to construct Message-Ids of the form (uuid)@messageid.
(domain) since messageid.ryandesign.com has no MX record. But I don't
expect there's a way to tell my email program to do this.
I have seen some messages with Message-Ids which use the pseudodomain
phx.gbl so that they still look like email addresses while not being
in a valid TLD. I am unable to find any official description of this
practice however.
I've now brought this problem to Apple's attention (rdar://4625044)
but any solution they may eventually come up with would obviously
only be of use for new messages, not any already sent. They may wait
to release the fix until the next non-free Mac OS X update. Or they
may not consider the behavior broken, since it is RFC-compliant, and
not change it at all.
>> I'm pretty sure it's possible to configure Pipermail/Mailman to not
>> output that, because the following Pipermail/Mailman installations
>> don't do that:
>
> If it's possible, I didn't find any obvious way to do it in a quick
> scan of the mailman configuration interface, (and I've never done any
> pipermail configuration, so I wouldn't even know where to start). So
> you might want to take this up with the freedesktop.org admins in
> general, (easiest way is to file a bug in bugs.freedesktop.org against
> freedesktop.org or similar).
I may do that, thanks.
> But wouldn't some people find the Message-Id headers extremely useful
> in the archives, since they are a reliable unique identifier for
> finding specific messages?
Possibly. But would someone be able to find a message that way?
Certainly if they knew the month in which the message appeared, they
could view that month's index, view the source, and find the Message-
id there. But the Message-Id only appears in an HTML comment in your
index, and I wouldn't expect search engines to index that, due to the
liklihood of index spam.
More information about the cairo
mailing list