[cairo] Don't print unobfuscated message IDs in your list archives

Ryan Schmidt cairo-2006c at ryandesign.com
Wed Jul 12 07:18:34 PDT 2006


On Jul 12, 2006, at 00:23, Carl Worth wrote:

> On Wed, 5 Jul 2006 21:14:02 +0200, Ryan Schmidt wrote:
>> <!--3 01152124771/
>> F216A53F-3E22-4E7C-927F-96E46B7A65B6 at ryandesign.com- -->
>>
>> I would appreciate it if you would not print things on your web page
>> that look like (and are) valid email addresses at my domain, without
>> obfuscation, because the spambots find them in no time and I end up
>> receiving spam to them.
>
> I'm a little confused by the above request. I haven't looked up the
> relevant RFC, but isn't the Message-Id header quite under control of
> the original sender? At least everything to the left of the @ sign?
>
> So can't you just ensure that what you put there is not a valid email
> address and thereby eliminate any spam that would result from
> harvesting of Message-Id headers?

Well, a couple things... first, the format of the Message-Id my email  
client generates is not under my control. It always generates an ID  
of the form (uuid)@(domain), where (uuid) is generated with the BSD  
program uuidgen, and (domain) is the domain of my email address. My  
domain, like many personal domains, I think, is deliberately  
configured with a catch-all email address that receives mail to any  
address at that domain. Message-Ids of this form are therefore valid  
email addresses. I'm disinclined to turn off the catch-all at this  
point, as I have been using the catch-all for 7 years and would be  
hard-pressed to remember all the email addresses I've used in that  
time and still want to keep. It would be wonderful if I could tell my  
mail program to construct Message-Ids of the form (uuid)@messageid.(domain)  
since messageid.ryandesign.com has no MX record. But I don't  
expect there's a way to tell my email program to do this.

I have seen some messages with Message-Ids which use the pseudodomain  
phx.gbl so that they still look like email addresses while not being  
in a valid TLD. I am unable to find any official description of this  
practice however.

I've now brought this problem to Apple's attention (rdar://4625044)  
but any solution they may eventually come up with would obviously  
only be of use for new messages, not any already sent. They may wait  
to release the fix until the next non-free Mac OS X update. Or they  
may not consider the behavior broken, since it is RFC-compliant, and  
not change it at all.


>> I'm pretty sure it's possible to configure Pipermail/Mailman to not
>> output that, because the following Pipermail/Mailman installations
>> don't do that:
>
> If it's possible, I didn't find any obvious way to do it in a quick
> scan of the mailman configuration interface, (and I've never done any
> pipermail configuration, so I wouldn't even know where to start). So
> you might want to take this up with the freedesktop.org admins in
> general, (easiest way is to file a bug in bugs.freedesktop.org against
> freedesktop.org or similar).

I may do that, thanks.


> But wouldn't some people find the Message-Id headers extremely useful
> in the archives, since they are a reliable unique identifier for
> finding specific messages?

Possibly. But would someone be able to find a message that way?  
Certainly if they knew the month in which the message appeared, they  
could view that month's index, view the source, and find the  
Message-id there. But the Message-Id only appears in an HTML comment in your  
index, and I wouldn't expect search engines to index that, due to the  
likelihood of index spam.
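
An added example, not part of the original message and not Mailman/Pipermail code: the two mitigations discussed in this thread, written in Python. One scrubs address-like Message-Ids from HTML comments on the archive side; the other generates Message-Ids under a `messageid.` subdomain on the sender side. The function names, the simplified regular expressions and the sample index line are assumptions, `example.org` is a placeholder domain, and the subdomain is assumed to accept no mail.

```python
import re
from email.utils import make_msgid

# Simplified matcher for address-like tokens (local@domain.tld); not full RFC 5322.
ADDR_LIKE = re.compile(
    r"([A-Za-z0-9._%+$-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def find_exposed_ids(html):
    """Audit helper: list address-like tokens that appear inside HTML comments."""
    found = []
    for comment in HTML_COMMENT.findall(html):
        found.extend(m.group(0) for m in ADDR_LIKE.finditer(comment))
    return found


def scrub_comments(html):
    """Archive side: rewrite local@domain as 'local at domain' inside comments only."""
    def scrub_one(comment):
        return ADDR_LIKE.sub(lambda m: f"{m.group(1)} at {m.group(2)}", comment.group(0))
    return HTML_COMMENT.sub(scrub_one, html)


def new_message_id(mail_domain):
    """Sender side: Message-Id under a subdomain that is assumed to accept no mail."""
    return make_msgid(domain=f"messageid.{mail_domain}")


# Constructed sample of an archive index entry; the ID and domain are made up.
SAMPLE = (
    "<!--3 01152124771/0F1E2D3C-AAAA-4BBB-8CCC-123456789ABC@example.org- -->\n"
    '<LI><A HREF="000123.html">Subject line</A>\n'
)

if __name__ == "__main__":
    print("exposed before:", find_exposed_ids(SAMPLE))
    cleaned = scrub_comments(SAMPLE)
    print(cleaned, end="")
    print("exposed after:", find_exposed_ids(cleaned))
    print("new id:", new_message_id("example.org"))
```

The scrubbed ID stays unique and readable in the page source, so it can still be used to locate a message by hand.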



