Draft specification for future X-Trace header

Olaf Titz olaf at bigred.inka.de
Wed Jul 12 11:29:15 UTC 2000 

> As mentioned elsewhere, I don't think we should encourage multiple
> instances of the header.  I think it makes more sense to say that the last
> injector wins.

Surely you mean "the first", or you could lose the more important instance.

> Bleh.  I have to admit that this is pretty ugly, and I just know that the
> first thing that Brad would say if he saw this is "why don't you just use
> MIME named parameters?"  And he's got a point.
>
> In other words, why not:
>
>     X-Trace: g212.hadiko.de poster="7F0quBAr148=" trace="riniJg54iM4="

Okay, I wasn't aware of that. Should we
(a) standardize the names,
(b) specify the names as opaque and require to compare parameters with
    the same name?
And what about truly opaque parameters (/ntoken/ as of my draft)?

> Why should it only last for a day?  I know that my spam filters stop the
> same spammer for a lot longer than that, sometimes (particularly for the
> jobs spammers).

Because of dynamic IP assignment. If you only use the IP address as a
token, an innocent user might get assigned the same IP previously used
by a spammer and his postings be flagged as spam. Adding a regularly
changing token prevents this. (Today's cleanfeed doesn't run into this
trap only because it combines the NNTP-Posting-Host with Lines and/or
body MD5, both of which are easy to evade.)

Furthermore, this satisfies some peoples' privacy concerns (which I
don't completely agree with, but I try to follow the principle "don't
collect or publish more data than absolutely necessary"). This holds
especially with authenticated user IDs. (Of course anonymizers need
other ways of generating abuse prevention tokens.)

> It can't really replace the X-Complaints-To header when that information
> is only in a comment, since comments can't be automatically parsed.

I'm not completely satisfied with a comment here too, but I wanted to
make it optional and had no other place where it would fit. :-)
But with a named parameter format this can be put into a parameter.

Olaf

More information about the inn-workers mailing list