Draft specification for future X-Trace header

Russ Allbery rra at stanford.edu
Wed Jul 12 08:06:23 UTC 2000

Olaf Titz <olaf at bigred.inka.de> writes:

> 1. Purpose

> Any news system which an article crosses MAY insert an X-Trace header.

As mentioned elsewhere, I don't think we should encourage multiple
instances of the header.  I think it makes more sense to say that the last
injector wins.

> 2. Syntax

> header          = "X-Trace:" LWSP systemid *(LWSP item)
> systemid        = domain-name
> item            = ctoken | ntoken | comment
> ctoken          = ":" data
> ntoken          = data
> data            = (any data in base64 encoding)
> comment         = "(" *pchar ")"
> pchar           = (any printable character except "(" and ")")
> LWSP            = linear-white-space

> with the following meanings:
> systemid        = the hostname of the generating system. This MUST be the
>                   same name the system puts in the Path header.
> ctoken          = Data item which is suitable to compare against the ctoken
>                   parts of other X-Trace headers generated by the same
>                   system to detect multiple postings.
> ntoken          = any other data, usually only relevant to the local admin.
> comment         = readable comment.

Bleh.  I have to admit that this is pretty ugly, and I just know that the
first thing that Brad would say if he saw this is "why don't you just use
MIME named parameters?"  And he's got a point.

In other words, why not:

    X-Trace: g212.hadiko.de poster="7F0quBAr148=" trace="riniJg54iM4="

Then you don't need the colon to distinguish.  It's a bit more trouble to
parse, but it's also more general.

> For local postings, the injection point SHOULD generate a /ctoken/ which
> is the same for all postings of one user over a certain period of time
> (recommendation: about one day) and always different for postings by
> different users. To prevent privacy problems, this token SHOULD be
> encrypted or hashed.

Why should it only last for a day?  I know that my spam filters stop the
same spammer for a lot longer than that, sometimes (particularly for the
jobs spammers).

> 3.2. Mailinglist to news gateways

As mentioned elsehwere, I don't think this is all that useful.

> 3.3. Posting robots

> Bulk postings by legitimate robots (e.g. weather reports, NoCeM notices)
> SHOULD generate no /ctoken/ at all, to exempt these posters from
> rate-limiting done by comparing /ctoken/ values. Additional information
> MAY be encoded into /ntoken/ items.

This, on the other hand, is a pretty good idea.  I like this.

> 5. Other headers

> The header presented here includes the information present in the
> existing INN-type X-Trace header, the NNTP-Posting-Host and (possibly)
> NNTP-Posting-Date headers, the X-Complaint-To header (as comment) and
> the "<address>.POSTED" Path entries. Generation of these items may
> therefore be omitted.

It can't really replace the X-Complaints-To header when that information
is only in a comment, since comments can't be automatically parsed.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the inn-workers mailing list