Re: [Ietf-message-headers] Provisional Registration for "Wrong-Recipient" mail header

David Weekly <david@weekly.org> Wed, 03 January 2024 20:12 UTC

From: David Weekly <david@weekly.org>
Date: Thu, 04 Jan 2024 08:11:49 +1200
Message-ID: <CAD0F4Njj_MiZNhxkU7MubSZXtPEDqzST7owiYFZMdzsaskZ5DQ@mail.gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Cc: ietf-message-headers@ietf.org

Simon,

It's a fair point -- and one that applies to List-Unsubscribe (RFC 8058) as
well. If a spammer sends you an email from which you then unsubscribe, they
are aware that the email address is valid. The same is true here, so this
suggests we should use similar language.

To wit, if I were to plagiarize the following from RFC8058, would that
address the concern?

   The Wrong-Sender operation provides a strong hint to the mailer that
   the address to which the message was sent was valid, and could in
   principle be used as a way to test whether an email address is valid.
   In practice, though, there are simpler ways such as embedding image
   links into the HTML of a message and seeing whether the recipient
   fetches the images.

Cheers,
 David E. Weekly (@dweekly)


On Wed, Jan 3, 2024 at 10:46 PM Simon Josefsson <simon@josefsson.org> wrote:

> David Weekly <david=40weekly.org@dmarc.ietf.org> writes:
>
> > Header field name: Wrong-Recipient
> > Protocol: mail
> > Status: provisional
> > Author: David Weekly <david@weekly.org>
> > Specification:
> > https://datatracker.ietf.org/doc/draft-dweekly-wrong-recipient/
> >
> > Current intent is to attempt to develop the above draft I-D into an RFC
> > with IETF, am just beginning that process.
> >
> > This is a "cousin" to List-Unsubscribe (RFC 4021) and
> > List-Unsubscribe-Post (RFC 8058) meant to allow an email reader to
> > explicitly indicate they are the wrong recipient of an email from a
> > service.
> >
>
> Interesting.
>
> There should be discussion about the potential for security problems for
> a user if she follows the link in the header: the user will leak to the
> service that she has received and read the e-mail.  This design may lead
> to an attack where malicious sites send e-mails with this header, and
> unsuspecting users will click the button to avoid future such e-mails,
> and the malicious site has learned that this is a valid e-mail address
> read by a human (with a modern e-mail client that supports this
> feature).
>
> The draft doesn't say what the client should do with the response from
> the POST.  Is this to be displayed in a browser?  Or merely as a
> background POST from the MUA?  Users would want some form of feedback
> after pressing that button.
>
> /Simon
>
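As an added example (not code from the thread, the draft, or RFC 8058), here is an MUA-side gate that mitigates the address-validity leak Simon raises: the one-click action is surfaced only when the message carries a From-aligned dkim=pass recorded by the user's own receiving MTA, the same precondition RFC 8058 imposes on List-Unsubscribe-Post. The header name comes from the registration above; its angle-bracket URL syntax, the `mx.example.net` authserv-id and the sample messages are assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

HEADER = "Wrong-Recipient"  # value syntax assumed to mirror List-Unsubscribe: <https://...>


def dkim_pass_domains(msg: Message, authserv_id: str) -> set[str]:
    """Domains with dkim=pass, taken only from Authentication-Results added by our own MTA."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        if not ar.strip().startswith(authserv_id):
            continue  # RFC 8601: ignore A-R headers not stamped by the trusted receiver
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar):
            found.add(m.group(1).lower())
    return found


def from_domain(msg: Message) -> str:
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def action_url(msg: Message):
    m = re.search(r"<(https?://[^>\s]+)>", msg.get(HEADER, ""))
    return m.group(1) if m else None


def should_offer_action(raw: str, authserv_id: str) -> tuple[bool, str]:
    """Return (offer_button, reason). Unauthenticated senders get no one-click action,
    so a forged header cannot turn the user's click into an address-validity probe."""
    msg = message_from_string(raw)
    url = action_url(msg)
    if url is None:
        return False, "no usable %s URL" % HEADER
    if urlparse(url).scheme != "https":
        return False, "action URL must be https"
    fd = from_domain(msg)
    ok = any(d == fd or fd.endswith("." + d) for d in dkim_pass_domains(msg, authserv_id))
    return (True, "ok") if ok else (False, "no From-aligned dkim=pass; keep action hidden")


# Constructed sample messages (not real mail): one authenticated, one unsigned lookalike.
SIGNED = ("From: Example Service <noreply@example.com>\n"
          "Authentication-Results: mx.example.net; dkim=pass (2048-bit key) header.d=example.com\n"
          "Wrong-Recipient: <https://example.com/wrong-recipient?t=TOKEN>\n\nHello\n")
UNSIGNED = ("From: Example Service <noreply@example.com>\n"
            "Authentication-Results: mx.example.net; dkim=none\n"
            "Wrong-Recipient: <https://example.com/wrong-recipient?t=TOKEN>\n\nHello\n")

if __name__ == "__main__":
    print(should_offer_action(SIGNED, "mx.example.net"))    # (True, 'ok')
    print(should_offer_action(UNSIGNED, "mx.example.net"))  # (False, 'no From-aligned dkim=pass; keep action hidden')
```

A client that passes this gate still owes the user visible feedback after the POST, as Simon notes; the gate only decides whether the button is shown at all.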