From Newsgroup: alt.comp.software.firefox
s|b <me@privacy.invalid> wrote:
Schugo <schugo@s-c-h-u-g-o.invalid> wrote:
WTF are the FF developers smoking???
-off-topic-
WTF were you smoking when you set that From-header? You know Eternal September's Terms of use doesn't allow you to set an invalid address
like that, right? It's all over the place.
ciao..
The rule at ES is:
Sender Address
The e-mail addresses given in "From:", "Reply-To:", and "Sender:"
SHOULD be yours (i.e. you should be entitled to use it) and SHOULD be
valid (= should not bounce because of invalidity). Using addresses and
name space of other people without their consent is prohibited.
For the From: address, however, the Top Level Domain (TLD) invalid may
be used, as in
killefitz@example.invalid. See also RFC5537 and Usenet
Best Practice.
In RFC parlance, "should" does not mean "must". While ES prefers a
validly syntaxed address token in the From header, ES doesn't check.
Forging is prohibited, and the offender's ES account will get killed once
the victim notifies ES of the forgery.
While ES requires (well, you should use) a valid syntax for the [e-mail] address token in the From header, I doubt ES bothers to actually test
it, like starting an SMTP mail session with a mail server to the point
of specifying the username for the account, but aborting the mail
session, so no e-mail is actually sent. That is how some "Does it
exist" testers check if an e-mail address is defined at an e-mail
provider.
I don't remember if the e-mail testers (aka e-mail verifiers) relied on
status returned from the server after the client sent the RCPT-TO or
VRFY command. I think to defend against this type of intrusion, and
prevent spammers from culling the usernames for all accounts at an
e-mail provider, many if not most e-mail providers changed to always
returning an OK status, even for invalid usernames specified by the
probing client. That way, the client really didn't know if the username existed, or not. I remember using do-they-exist e-mail testers in the
past, but noticed more and more e-mail providers stopped divulging the
info, like they said "Yes, it exists" to every query, even for undefined usernames.
Is your name "Joe"? Yes.
Is your name "Mary"? Yes.
Is your name "Dead On Arrival"? Yes.
Whatever they ask, yes, it exists. Dole out no info if the username
does exist by saying all candidates exist.
Even if bogus status were returned, that's still a lot of overhead to
perform on every submit to ES, so I doubt ES checks if the From header
is both validly syntaxed, and is a valid e-mail address.
Since you have to register with ES to use it (beyond its own eternal-september.* hierarchy), whatever e-mail you use to get an
account at ES will require using a valid and monitored e-mail address to
get the login credentials that ES assigns to you. However, that e-mail
address does not have to match the one you specify in the From header in
your submissions through ES. Unlike some e-mail providers that require
on sending e-mail that the From header match the account through which
you send, ES does not.
It would take extremely little effort by someone that wanted to expose
the OP's true e-mail address simply by editing his address token in the attribution of a reply. Notice how I edited his address in my reply
citing yours and its attribution line. Very easy to edit out the
"[SPAM] " string to divulge what might be his true e-mail address.
While his posts attempt to avoid harvest bots culling e-mail addresses
from Usenet, anyone replying to him, or to anyone that replied to him,
can edit the attribution line.
--- Synchronet 3.21a-Linux NewsLink 1.2
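The RCPT TO / VRFY probing and the "say yes to everyone" defence discussed in the post, modelled as an added example that is not part of the thread or of any mail server's code. Both sides of the SMTP dialogue run in memory against a hypothetical mailbox list on a constructed domain (`example.test`); no network traffic is involved. The `leaky` policy answers honestly and so lets a probing client tell existing local parts from unknown ones; the `uniform` policy answers every RCPT TO with 250 and every VRFY with 252, so every candidate looks the same:

```python
"""Added example: in-memory model of the SMTP existence-probe dialogue
and of a server policy that refuses to disclose which mailboxes exist.
Domain and mailbox list are constructed for this example."""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.test"   # constructed domain for this model
MAILBOXES = {"joe", "mary"}     # constructed mailbox list


@dataclass
class Server:
    uniform: bool               # True: never disclose mailbox existence
    mailboxes: set = field(default_factory=lambda: set(MAILBOXES))
    state: str = "connected"

    def handle(self, line: str) -> str:
        """Reply to one client command with an RFC 5321 style reply."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "greeted"
            return "250 " + LOCAL_DOMAIN
        if verb == "MAIL":
            self.state = "mail"
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.state != "mail":
                return "503 5.5.1 Bad sequence of commands"
            # arg looks like "TO:<local@domain>"
            local, _, domain = arg[len("TO:<"):-1].partition("@")
            if domain != LOCAL_DOMAIN:
                return "550 5.7.1 Relaying denied"
            # Uniform policy: accept every local part at RCPT time, so the
            # reply carries no information about whether the mailbox exists.
            if self.uniform or local in self.mailboxes:
                return "250 2.1.5 OK"
            return "550 5.1.1 User unknown"
        if verb == "VRFY":
            if self.uniform:
                return "252 2.5.2 Cannot VRFY user, but will accept message"
            if arg in self.mailboxes:
                return "250 " + arg
            return "550 5.1.1 User unknown"
        if verb == "RSET":
            self.state = "greeted"
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 5.5.2 Command not recognized"


def rcpt_replies(server: Server, candidates) -> dict:
    """Run the probe dialogue the post describes: EHLO, MAIL FROM, one
    RCPT TO per candidate, then QUIT before DATA so nothing is sent.
    Returns the three-digit reply code per candidate."""
    server.handle("EHLO probe")
    server.handle("MAIL FROM:<>")
    codes = {}
    for local in candidates:
        codes[local] = server.handle(f"RCPT TO:<{local}@{LOCAL_DOMAIN}>")[:3]
    server.handle("QUIT")
    return codes


def discloses_mailboxes(server: Server, candidates) -> bool:
    """True if RCPT replies differ between candidates, i.e. the server
    leaks which local parts exist. A defender can run this against a
    model of their own configuration to check the policy holds."""
    return len(set(rcpt_replies(server, candidates).values())) > 1


if __name__ == "__main__":
    names = ["joe", "mary", "dead.on.arrival"]
    for uniform in (False, True):
        srv = Server(uniform=uniform)
        print("uniform" if uniform else "leaky", rcpt_replies(srv, names),
              "discloses:", discloses_mailboxes(Server(uniform=uniform), names))
```

The useful check for an operator is `discloses_mailboxes`: with the uniform policy it returns False because every candidate, real or not, gets the same 250, which is exactly the "Yes, it exists" behaviour the post describes. The price, as the post implies, is that the server must accept the message and bounce or discard it later rather than rejecting it at RCPT time.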