IPP Mail Archive: IPP> How to prevent spam in email notifica

IPP Mail Archive: IPP> How to prevent spam in email notifica

IPP> How to prevent spam in email notifications?

From: Carl-Uno Manros (carl@manros.com)
Date: Tue May 02 2000 - 11:56:36 EDT

  • Next message: egglestn@lexmark.com: "IPP> Test"


    You already answered our earlier question about UTF-8 and email, thanks.

    I have a couple of more questions in this area, before we can finish up our
    draft on IPP notifications over email.

    When using email to return notifications about print jobs, we are aware that
    there is an apparent spamming risk, also pointed out in an earlier IPP
    meeting by John Klensin. How can we best try to protect against that,
    without having to re-invent or re-design email all together, or drop the
    idea of doing notifications via email?

    Here are some ideas that have been discussed in the group, but around which
    we have not yet reached consensus:

    1) Mandate the inclusion of an email address for the subscriber, when
    notifications over email are requested by a subscriber. This could
    potentially be validated by the printer (or print server) before accepting
    the subscription. The idea would be to also include the subscriber's email
    address in each notification.If we did that, which email address field would
    be appropriate? The REPLY-TO:? As an alternative/addition we could
    potentially mandate use of security e.g. Digest Authentication for
    subscription operations, but it would still be useful to have the subscriber
    address in the notification message.

    2) The next question is whether we should require some kind of validation of
    the email address to which the notifications are to be sent? We are talking
    about the email address in the form of a URL malto://... Are there any rules
    on how you could screen out DLs for use as email addresses? If you ask to
    have printer state notifications to a large DL, you could easily generate
    enough traffic to spam a whole domain in no time etc. etc.

    3) Another question is which SENDER address you should use in a printer
    generated email notifcation? Some people have argued that it should be the
    name of the printer itself e.g. printer-22@foo.com, but it is highly
    unlikely that the printer actually has an incoming mailbox and hence you
    would have an emaill address to which no replis can be sent. An alternative
    would be to use the email address of a person associated with the printer
    e.g. joe.blo@printer-22.foo.com. Any recommendation on this?

    4) Do you see any reason at all for a printer to generate email notification
    messages asking for delivery notification? It could be done as a matter of
    implementation, but we believe that it would be an overkill. Should we just
    ignore it?

    Hope you can give us some guidance on these subjects.


    This archive was generated by hypermail 2b29 : Tue May 02 2000 - 12:03:22 EDT