With the current discussion about a global remailer address block, it
reminded me of a possible loophole with address blocking in general.
This is nothing new introduced with the discussed global block but a
problem that exists with the current system too.

It is standard in many mail servers to accept the form:
username+whatever@domain.com and deliver that to 'username'. It can be
disabled, but it works in many (most?) mail servers.

Way before services popped up allowing aliases to be used for spam
prevention purposes, people would use this form of email address so
they could see who was selling their email address for example. I used
to do this about 10 years ago and give an individual +name to anyone I
gave my email address to.

Currently, if a user requests their email address username@domain.com
to be blocked and a remop obliged, an abuser could send to
username+blah@domain.com and still get it through.

As there is talk of updating the way remailers block addresses, I
thought it would be a good time to mention it. Ideally, the remailer
software should simply remove the +whatever part as removing it won't
affect mail delivery because the end mail server ignores that part
anyway. It would also ensure any blocks can't be bypassed.

[ Post a follow-up to this message ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 20 Sep 2007 17:10:10 +0200 (CEST), Nomen Nescio wrote in
Message-Id: <7af8821dd2f14003ad7fdf0b502814b9@dizum.com>:

> As there is talk of updating the way remailers block addresses, I
> thought it would be a good time to mention it. Ideally, the remailer
> software should simply remove the +whatever part as removing it won't
> affect mail delivery because the end mail server ignores that part
> anyway. It would also ensure any blocks can't be bypassed.

Hey, that's a very good point!  I'll add it to the Mixmaster TODO list
to ensure that matching is done without consideration of any
+extensions.  I'll also update the RAB software to ensure that these
extensions are ignored.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

 iD8DBQFG8pD4lKZ6CY7Vd0MRCv65AJ9MCSSB+61y
dT90InEA9gWSbfTPAACgmd95
5g/nuL/wPOvHydCGChnlFkU=
=F0pn
-----END PGP SIGNATURE-----

--
pub  1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE  EBB4 94A6 7A09 8ED5 7743
uid                            Admin <admin.bananasplit.info>

[ Post a follow-up to this message ]

In article <fcu3do$6mq$1@bananasplit.info>
Zax <admin@bananasplit.info> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, 20 Sep 2007 17:10:10 +0200 (CEST), Nomen Nescio wrote in
> Message-Id: <7af8821dd2f14003ad7fdf0b502814b9@dizum.com>:
> 
>
> Hey, that's a very good point!  I'll add it to the Mixmaster TODO list
> to ensure that matching is done without consideration of any
> +extensions.  I'll also update the RAB software to ensure that these
> extensions are ignored.

Not a good idea. Our organisation has email addresses in the
form of service+username@organisation.org. I might want remailer
mail delivered to me but Sue or Bob might not. Ignoring the
+username blocks all mail.

[ Post a follow-up to this message ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 20 Sep 2007 23:55:03 +0000 (UTC), Anonymous Sender wrote in
Message-Id: < c158c537f7fa28738ba02aff5e285417@remaile
r.metacolo.com>:

> Not a good idea. Our organisation has email addresses in the
> form of service+username@organisation.org. I might want remailer
> mail delivered to me but Sue or Bob might not. Ignoring the
> +username blocks all mail.

Yup, that's the problem I've been considering.  There is no standard
delimiter between the address and the extension.  Some default to '+',
others to '-' and the majority probably use none.  I've added code for
stripping extensions but I suspect it will remain dormant unless it's
used in conjunction with a table for cross-referencing domain names to
the delimiter they use.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

 iD8DBQFG84DFlKZ6CY7Vd0MRCpB+AJ4hVPZO2Qc5
Cyy1No3fOQDtg6QpuACdHBB2
7+Kf6WztIqbHZ31ydwENick=
=Zq9h
-----END PGP SIGNATURE-----

--
pub  1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE  EBB4 94A6 7A09 8ED5 7743
uid                            Admin <admin.bananasplit.info>

[ Post a follow-up to this message ]