On Sun, 30 Nov 1997, Lance Cottrell wrote:
The risks of allowing pasted From: lines far outweigh the benefits. Pasting of From lines makes remailer operators much more vulnerable to charges of fostering forgery rather than simple anonymity.
Spam baiting is another obvious risk. Forged postings with deplorable content will bring down retribution on the forgery victim. Forged From lines can also be used to subscribe victims to thousands of mailing lists.
The uses of this "feature" can be duplicated with other mechanisms such as nym-servers, which provide persistent unique From lines without the possibility of forgery of arbitrary addresses. Users desiring greater security can simply point the reply capability of the nym server at the nearest /dev/null.
I've said all of this before myself, and still people want it. So there will be two safeguards which should prevent the aforementioned problems: 1) The From: address on USENET posts will be mangled a la mail2news_nospam to prevent spam baiting. Most of the posts I see with pasted From: lines (from replay, in alt.privacy.anon-server) use a fake address and aren't trying to impersonate anyone. 2) Whenever a From: line is pasted, a disclaimer will be inserted at the top of the body, stating that the original sender has set the From: line, and that the identification cannot be verified. The fact that it is up at the top of the body should mean people should actually see it before reacting. 3) As someone else has suggested, it does indeed insert a Sender: header with the remailer's address. Two basic points also about "forgeries". First, you can forge headers pretty easily without any programs other than telnet. Second, if this actually does become misused frequently, all I need to do is delete one character from one file (a # in headers.del) and it will be disabled. I consider this an experimental feature, and if it doesn't work out, I'll just turn it back off. Andy Dustman / Computational Center for Molecular Structure and Design For a great anti-spam procmail recipe, send me mail with subject "spam". Append "+spamsucks" to my username to ensure delivery. KeyID=0xC72F3F1D Encryption is too important to leave to the government. -- Bruce Schneier http://www.athens.net/~dustman mailto:andy@neptune.chem.uga.edu <}+++<