On 14 Oct 2016, at 17:24, Petr Bena wrote:
> Also I don't understand why mailing lists /have to/ work this way. I
> know it's a long-time established standard just like e-mails, but flawed
> and people are abusing it, because it's extremely easy to do that.

Welcome to the Internet: where almost every seemingly strange standard
practice is well-documented in a decades-old series of documents, many
of which get new revisions every few years but which almost no one reads
because they are too technically dense... RFC5598
(https://tools.ietf.org/html/rfc5598) is a great one that pulls together
a lot of the info from more technically specific email-related RFCs into
a Big Picture, but it's a bit longer than the average Tweet.

The RFC5321.MailFrom address is the address to which delivery failure
messages are sent by MTAs. It makes sense for this to match the
RFC5322.From for person-to-person messages but not for mailing lists,
where the original authors of messages don't care much about the
deliverability of their messages to each and every list member, while
the list admin should care but rarely cares enough to handle all the
bounces manually. Usually a mailing list RFC5321.MailFrom is unique to
each message and recipient, so that bounces can be processed and reacted
to by the mailing list software instead of requiring a human to figure
out their provenance and decide whether a list member has been bouncing
enough to be unsubbed. The human list members, on the other hand, want
their MUAs to show them who the human author of a message is,
canonically the RFC5322.From address. Complicating matters, different
lists have different purposes and cultures, such that in many cases it
makes the most sense for members to reply on-list but in others most or
all replies should be off-list. Tangling it up even more, those pesky
humans using mailing lists vary such that some prefer getting and/or
sending replies off-list, some prefer on-list, and others perniciously
insist on using "Reply All" and get snippy when others don't share their
obsession with getting duplicates of messages replying to them.

Shorter: mailing lists work this way because decades ago, people tried
simpler approaches and ran into various annoying edge and corner cases
where simpler ways needed tweaking.

> Mailing list daemon doesn't have to pretend that e-mail was sent by me
> or someone else, it could as well send it from its own address
> users@spamassassin.apache.org and write somewhere else that the mail
> was sent by me to this list - in fact it could even hide the email or
> somehow obfuscate it and keep just my real name, so that people
> wouldn't be able to send spam in there.

Some mailing lists are starting to do that in response to the attempt by
Yahoo and others to kill off open-access mailing lists with their
"p=reject" DMARC policies. Many users hate that munging, because it
means that their MUAs no longer can readily reply off-list, while
merrily showing the sender UI clues that they are doing so.
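
Added example, not part of the original message and not any list manager's own code: an implementation of the per-message, per-recipient RFC5321.MailFrom described above (a technique commonly called VERP), with the bounce handler that maps a returned address back to the member. The address layout, `LIST_DOMAIN`, `BOUNCE_KEY`, the sample addresses and the HMAC tag (included so a forged bounce cannot be counted against a member) are assumptions of this example.

```python
import hashlib
import hmac

# Constructed values: the list domain and key are illustrative only.
LIST_DOMAIN = "lists.example.org"
BOUNCE_KEY = b"constructed-demo-key"


def _tag(msg_id: str, recipient: str) -> str:
    """Short keyed MAC binding a bounce address to one message and one member."""
    mac = hmac.new(BOUNCE_KEY, f"{msg_id}|{recipient}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def envelope_sender(list_name: str, msg_id: str, recipient: str) -> str:
    """Build the RFC5321.MailFrom for one copy of a list message.

    The RFC5322.From header is left alone and still names the human author;
    only the envelope sender, where MTAs send failure notices, is rewritten.
    """
    local, _, domain = recipient.rpartition("@")
    return (f"{list_name}-bounces+{msg_id}+{_tag(msg_id, recipient)}"
            f"+{local}={domain}@{LIST_DOMAIN}")


def parse_bounce(rcpt_to: str):
    """Map the address a bounce arrived at back to (msg_id, member).

    Returns None if the address is not ours, is malformed, or its tag
    does not verify (for example, the member part was altered).
    """
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() != LIST_DOMAIN:
        return None
    # maxsplit=3 keeps any "+" inside the member's own local part intact.
    parts = local.split("+", 3)
    if len(parts) != 4 or not parts[0].endswith("-bounces"):
        return None
    _, msg_id, tag, encoded = parts
    member_local, sep, member_domain = encoded.rpartition("=")
    if not sep:
        return None
    member = f"{member_local}@{member_domain}"
    if not hmac.compare_digest(tag, _tag(msg_id, member)):
        return None
    return msg_id, member
```
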