[Mailman-Developers] Reply-To: handling

Chuq Von Rospach chuqui@plaidworks.com
Fri, 19 Oct 2001 15:32:44 -0700


On 10/19/01 3:21 PM, "J C Lawrence" <claw@2wire.com> wrote:

> Note: This does expose an abuse vector:
> 
> I don't like Bubba.
> 
> I send a troll to a busy list with Reply-To set to Bubba.

Aka the "set your followup to /dev/null" on usenet hack.

I'm of the opinion, and I don't expect to be in the majority, that
"reply-to" should not transport through a mail list. Either the mail list
replaces it with a list-centric one, or it deletes it.

The only people overtly screwed over by this are the people who insist on
mailing from one address and getting you to reply elsewhere. Something like:

From: chuq@apple.com
Subject: spoofed headers!
To: mailman-developers@python.org
Reply-to: chuqles-da-clown@hotmail.com

Which is a lame attempt (IMHO) to use a single subscribed address from
multiple places, which I don't think should be encouraged anyway (instead
use the NOMAIL hack, dammit! grin. The real answer is aliases attached to a
subscription)

My argument is that when I send mail to the list, the list processes it and
then sends out a new message that my message is the basis of it. At that
point, the original reply-to is no longer valid, it's what the list software
says should happen that matters. As the bubba-hack shows, to NOT do this
opens up lists to abuse in not-necessarily-obvious ways, and worse, you
leave things in ambiguous states, depending on factors most users don't
understand. Lists act differently based on whether it reply-to coerces and
whether the original poster coerces reply-to, and you have the issue of
which coerced reply-to 'wins'.

How is the typical user to understand how this all works together, and why
when they reply to a list, this happens, except when it's fred's message?

It seems, for consistency's sake, the MLM ought to handle this stuff
unambiguously, which means ONLY mailman's reply-to (or lack of it) ought to
be propagated.
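
The list-side policy argued for in this message, as an added example that is not part of the original post and is not Mailman's own code: the poster's Reply-To is either deleted or replaced with the list address before redistribution, and the function reply_targets shows where a plain "reply" would land under each policy. The function names, the policy names and the constructed sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_ADDR = "mailman-developers@python.org"  # list address from the sample headers above

# Constructed sample post: Reply-To points at a third party, and is given
# twice with different capitalisation to show that every copy is handled.
RAW_POST = """\
From: poster@example.org
To: mailman-developers@python.org
Reply-To: bubba@example.net
reply-to: bubba-work@example.net
Subject: constructed sample post

body
"""

def reply_targets(msg):
    """Addresses a plain 'reply' goes to: Reply-To if present, else From."""
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return sorted(addr.lower() for _, addr in getaddresses(headers) if addr)

def apply_list_policy(msg, policy, list_addr=LIST_ADDR):
    """Rewrite Reply-To before the list redistributes the message.

    'passthrough' keeps whatever the poster set (the behaviour being argued against),
    'strip'       deletes the poster's Reply-To,
    'list'        replaces it with the list's own address.
    """
    if policy == "passthrough":
        return msg
    if policy not in ("strip", "list"):
        raise ValueError("unknown policy: %r" % policy)
    del msg["Reply-To"]  # removes every occurrence, matched case-insensitively
    if policy == "list":
        msg["Reply-To"] = list_addr
    return msg

def demo():
    """Return {policy: reply targets} for the constructed post."""
    return {
        policy: reply_targets(apply_list_policy(message_from_string(RAW_POST), policy))
        for policy in ("passthrough", "strip", "list")
    }

if __name__ == "__main__":
    for policy, targets in demo().items():
        print(policy, "->", targets)
```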