IPP> How to prevent spam in email notifications?

IPP> How to prevent spam in email notifications?

IPP> How to prevent spam in email notifications?

henrik.holst at i-data.com henrik.holst at i-data.com
Thu May 4 03:42:08 EDT 2000




Like Paul I don't understand all the talk about spamming mails. If I want to
spam you I can do it
today, and you won't be able to track me. That is Email.
Like in the Email notification proposal I think that,
|-----------------+--------------------->
|                 |                     |
|                 |                     |
| SMTP RFC 822    | SMTP Field Name     |
| section         |                     |
|                 |                     |
|-----------------+--------------------->
  >------------------------------------------------|
  |                                                |
  |                                                |
  | Subscription object attribute source for SNMP  |
  | field                                          |
  |                                                |
  >------------------------------------------------|
|-----------------+--------------------->
|                 |                     |
|                 |                     |
| 4.4.1           | From:               |
|                 |                     |
|-----------------+--------------------->
  >------------------------------------------------|
  |                                                |
  |                                                |
  | "printer-name"  <"subscriber-user-data">       |
  |                                                |
  |                                                |
  | Note:  The "printer-name" is the Mail Display  |
  | name.  And the "subscriber-user-data" inside   |
  | <> is assumed to be an SMTP mail address so    |
  | that the Notification Recipient can reply to   |
  | the subscriber.  For example, to say "I picked |
  | up your document, thanks"                      |
  |                                                |
  >------------------------------------------------|
|-----------------+--------------------->
|                 |                     |
|                 |                     |
| 4.4.2           | Sender:             |
|                 |                     |
|-----------------+--------------------->
  >------------------------------------------------|
  |                                                |
  |                                                |
  | "subscriber-user-name"                         |
  | <"subscriber-user-data">                       |
  |                                                |
  |                                                |
  | Note:  The "subscriber-user-name" is the Mail  |
  | Display name.  And the "subscriber-user-data"  |
  | inside <> is assumed to be an SMTP mail        |
  | address so that the mail system will send      |
  | failure to deliver mail messages to the mail   |
  | address specified by the                       |
  | "subscriber-user-data", not the Printer.  The  |
  | subscriber-user-data could be the subscriber   |
  | or anyone else.                                |
  |                                                |
  >------------------------------------------------|



We haven't specified anything about the REPLY-TO field, because it's normally
not used in mails today.
If you reply to a mail it use the FROM field.


Henrik





"Carl-Uno Manros" <carl at manros.com> on 02-05-2000 17:56:36

To:   ned.freed at innosoft.com
cc:   "Carl-Uno Manros" <manros at cp10.es.xerox.com>, ipp at pwg.org (bcc: Henrik
      Holst/INT)

Subject:  IPP> How to prevent spam in email notifications?




Ned,

You already answered our earlier question about UTF-8 and email, thanks.

I have a couple of more questions in this area, before we can finish up our
draft on IPP notifications over email.

When using email to return notifications about print jobs, we are aware that
there is an apparent spamming risk, also pointed out in an earlier IPP
meeting by John Klensin. How can we best try to protect against that,
without having to re-invent or re-design email all together, or drop the
idea of doing notifications via email?

Here are some ideas that have been discussed in the group, but around which
we have not yet reached consensus:

1) Mandate the inclusion of an email address for the subscriber, when
notifications over email are requested by a subscriber. This could
potentially be validated by the printer (or print server) before accepting
the subscription. The idea would be to also include the subscriber's email
address in each notification.If we did that, which email address field would
be appropriate? The REPLY-TO:? As an alternative/addition we could
potentially mandate use of security e.g. Digest Authentication for
subscription operations, but it would still be useful to have the subscriber
address in the notification message.

2) The next question is whether we should require some kind of validation of
the email address to which the notifications are to be sent? We are talking
about the email address in the form of a URL malto://... Are there any rules
on how you could screen out DLs for use as email addresses? If you ask to
have printer state notifications to a large DL, you could easily generate
enough traffic to spam a whole domain in no time etc. etc.

3) Another question is which SENDER address you should use in a printer
generated email notifcation? Some people have argued that it should be the
name of the printer itself e.g. printer-22 at foo.com, but it is highly
unlikely that the printer actually has an incoming mailbox and hence you
would have an emaill address to which no replis can be sent. An alternative
would be to use the email address of a person associated with the printer
e.g. joe.blo at printer-22.foo.com. Any recommendation on this?

4) Do you see any reason at all for a printer to generate email notification
messages asking for delivery notification? It could be done as a matter of
implementation, but we believe that it would be an overkill. Should we just
ignore it?

Hope you can give us some guidance on these subjects.

Carl-Uno









More information about the Ipp mailing list