Re: [dispatch] FYI draft-levine-mailbomb-header-00

Sean Leonard <> Mon, 13 November 2017 01:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 416611241F5 for <>; Sun, 12 Nov 2017 17:55:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PKy1OmzycpNU for <>; Sun, 12 Nov 2017 17:55:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7C395127698 for <>; Sun, 12 Nov 2017 17:55:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 9EF7227543; Sun, 12 Nov 2017 20:55:45 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Sean Leonard <>
In-Reply-To: <alpine.OSX.2.21.1706201425260.36471@ary.qy>
Date: Mon, 13 Nov 2017 09:55:42 +0800
Cc: Cullen Jennings <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <20170619174225.10412.qmail@ary.lan> <> <alpine.OSX.2.21.1706201425260.36471@ary.qy>
To: John R Levine <>, Dispatch WG <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [dispatch] FYI draft-levine-mailbomb-header-00
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DISPATCH Working Group Mail List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Nov 2017 01:55:50 -0000

Did this draft get followed up on?

I think it’s a good idea. I have seen form submission systems include this information in e-mail payload data, so there is a use case.

I do not share the privacy worries: if the system does not want to include it, it does not have to. It is up to the system and the local regulations under which it operates.

Other than the obvious need to clarify the ABNF, I think that it would be reasonable to reuse some syntax from another Internet standard for IP addresses, to handle “IPvFuture” (see, e.g., RFC 3986; General-address-literal of RFC 5321, etc.) without needing to update this document. On the other hand, if you take the exact syntax from another Internet standard, you may not be able to redact the IP address so easily: the ABNF would be different so the implementation would also be different.


> On Jun 21, 2017, at 2:27 AM, John R Levine <> wrote:
>> For v6, how much would typically be redacted ?
> I get the impression it'd usually either be the high half or the low half. We worked this out with some German ISPs who had strong opinions about what they would be allowed to include.
> Keep in mind that the alternative to a redacted IP is not a full IP, it's no IP at all.
> R's,
> John
>>> On Jun 19, 2017, at 11:42 AM, John Levine <> wrote:
>>> This draft came out of a discussion last week at M3AAWG.  The issue is
>>> that bad guys (or more likely bad bots) fill out web forms and include
>>> fake mail addresses, the forms provoke confirmation mail which then
>>> mailbombs the address(es).
>>> This draft adds a new header to indicate that a message is in response
>>> to a form submission:
>>> Form-Sub: v=1; ip4=198.51.x.x
>>> The IP address is that of the web client, which may be partly redacted
>>> with "x" for privacy reasons.  If a recipient mail system sees too
>>> many of them, it may block the system that's sending them.  The draft
>>> also asks for an enhanced status code which means we rejected this
>>> message because it's part of a flood with Form-Sub headers.
>>> When we had the discussion there were people from at least two large
>>> consumer mail systems and a dozen hosters and (sending) mail service
>>> providers in the room, so it is likely this will be implemented
>>> enough to see if it's useful.
>>> At this point the main point of writing the draft was to have a
>>> reference so I could ask IANA to register the header and status code.
>>> If it does turn out to be useful I'll come back and ask for it to be
>>> dispatched into a standards track document.
> _______________________________________________
> dispatch mailing list