[Mailman-Users] AOL redacts user addresses even with VERP and full personalization enabled

Stephen J. Turnbull stephen at xemacs.org
Mon Jun 18 19:11:17 CEST 2012

Lindsay Haisley writes:

 > Good suggestion.  I assume that Mailman never inserts
 > "Resent-Message-ID" into posts, is that correct?

Currently it doesn't, it seems, but there have been proposals to make
it do so (related to DKIM IIRC).  However, if and when it does, it
wouldn't hurt to add your obfuscated user id to it.

 > I'd rather not mess with "Message-ID" which provides a traceable
 > path to the original sender.

Right.  My comment about "content" was for the case where the list
owner is the only (or main) original sender.

 > Why would, say, hashlib.md5(recip).hexdigest() be any more or less
 > detectable than a reversible encryption?

Because once the idea becomes public, anybody can check the nonesense
strings in your headers to see if any of them hash to the user's id.
That's a lot more difficult if you use encryption based on a secret

 > IMHO, AOL's days on this planet are numbered.  They'll go the way of
 > Compuserve :)

Yeah, I hope so.  Unfortunately, where I live, NiftyServe still exists
and its customers still put raw Shift JIS in their headers
occasionally.  I'm not going to bet on AOL's timely demise.

 > I've seen Email Feedback Reports come in on posts that went out six
 > months prior.  Parsing Message IDs out of this many MBs of back mail
 > logs, most of them compressed, would be hugely expensive of processing
 > time.

Seriously?  How many feedback reports do you get per second?  Yes, it
would be a little costly, but presumably they give something like a
date, you can narrow it down to a few MB I would guess.

More information about the Mailman-Users mailing list