Re: [Shutup] [ietf-smtp] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

Chris Lewis <> Fri, 04 December 2015 16:14 UTC

On 12/02/2015 08:50 AM, Ted Lemon wrote:

> So saying that because people don't care about privacy, we shouldn't try to protect their privacy, is wrong on two counts:

Claiming that's the stance of anyone here is wrong on several counts, 
not least being that a very large part of what we do is specifically 
aimed at anti-phishing (that "default no strangers" does little for 
these days, eg: address book spamming), and that's a vastly bigger 
privacy issue than a Received from clause.

The argument is that it's a relatively minor thing, the lack of which 
has worse privacy/operational and other implications, and there are more 
significant wins elsewhere.

Several years ago, a major anti-abuse industry organization invited a 
speaker from one of the privacy groups intimately involved with the 
issue of Syrian expats in the west being online harassed, stalked and 
potentially harmed by SEA.  I had seen the reports earlier and did a 
little digging based upon what I could see (albeit rather indirectly, 
and without any contact with any of the true "point people" in the mess 
so it would be improper for me to act on my own).

The first thing out of his mouth was "I came here prepared with a 
diatribe about how your entire industry were endangering lives, and to 
my surprise learned that you were just as concerned about privacy as we 
are, and we should be treating you as allies".  After the end of the 
talk he was deluged with specific offers of assistance, which I think 
included taking down one of the sources of it (identified by headers 
such as the RFC wants to eliminate) I brought up in the Q&A: "Why is 
this still up?".