Re: regarding IETF lists using mailman: nodupes considered harmful

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2005-08-26 at 03:56 -0400, Ken Raeburn wrote:

> On Aug 26, 2005, at 03:14, Jeroen Massar wrote:
> > Indeed when some 'malicious' person would add Cc's/To's and would
> > instruct his SMTP to not forward to the additional addresses in the
> > Cc/To the users will effectively not receive the message.
> 
> > But how exactly does this cause a problem?
> 
> Isn't that enough?  Tricking the list software into excluding certain  
> people from part of a discussion, even if it's only the part sent by  
> one certain submitter?  It gives a false impression to the other list  
> members that certain list members are part of the discussion when  
> they have quietly been left out.

Yes, which is why it might be good if the IETF Secretariat would:

 * Disable the nodupes feature
   That is, that per default it is disabled and folks get 'dupes'.

 * Notify, once, the users who have nodupes active, that it might
   affect the amount of mail they are getting, referencing or
   including Keiths original message.

Does this a) sound like a good idea, then b) can this be requested?

Rest of this discussion follows but can be skipped by most folks...

> If that's not bad enough, what if the message in question were forged  
> as being from someone who was also excluded from receiving it through  
> this mechanism? 
<SNIP>
> (Of course, if the person is offline for a  
> vacation or something, the same might happen.  And habitually signing  
> one's messages may help call attention to the forgery, but we've got  
> a ways to go to make that commonplace.)

This part can be indeed only be solved by that simple step, which you
and I are already using: PGP sign the message.

Though privacy-folks then say 'but then I can't repudiate my message' to
which my silly answer is: either say something or don't.

I would actually be in favor of a mechanism where only PGP signed
messages get forwarded onto the list, others bounced back to the origin
stating that the sender can't be verified and that this might be because
it is not the original sender + how to setup and use PGP. This also
avoids having to check if a message from 'the iesg' actually comes from
the iesg by checking the headers. SPF will only help partially in this
case.

> Malicious intent aside, it's also useful to know sometimes if the  
> mailing list software is somehow munging your messages in a way you  
> didn't intend.  Stripping out attachments, converting encodings,  
> changing HTML to plain text, etc.  (And I've seen mailman  
> occasionally botch some such processing, leaving empty messages, but  
> I don't recall the specifics at the moment, or if it's been fixed.)

They have fixed quite a number of issues in that department
fortunately ;)

I personally like the 'nodupes' feature very much as messages that I get
cc'd on, thus most likely a reply to something doesn't get caught by the
List-Id header and then sorted in the correct folder, thus ending up in
my direct-message folder on this subject so I know that it is a reply
and I need to pay attention to it.

Something semi-related, nobody complains about the fact that one can Bcc
people which thus leads to other people than indicated in the To/Cc to
read the message, not that one knows the membership of most mailinglists
but still...

Greets,
 Jeroen

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]