On Tue, Mar 02, 2010 at 01:03:32PM -0600, Yaron wrote:
> On Tue, 2 Mar 2010, Carl Wilhelm Soderstrom wrote:
> > I also have root access to the mailing list server, so if I wanted to be
> > autocratic about it I could just make the change unilaterally. However, I
> > think that would be rather irresponsible.
>
> Well, so far we've got quite a few people saying they'd like the change, a
> couple of people saying they don't need the change, and zero people saying
> they're against it.

I've been holding my tongue thus far, as I'm no longer local to the LUG, but, since you've said that there's nobody against it... I'm against it.

The canonical list of arguments against lists setting Reply-To would be Chip Rosenthal's ""Reply-To" Munging Considered Harmful"[1], but that's pretty ancient these days. Google's first hit on it is a copy dated 2002, but Simon Hill's response, "Reply-To Munging Considered Useful"[2], dates to at least 2000, so it's clearly older than that.

At some later point, Neale Pickett published ""Reply-To" Munging Still Considered Harmful. Really."[3], in which he points out that, per RFC2822, Reply-To is specifically to be used to indicate where the message's author wants replies directed. He then goes on to argue that, since the list management software is not the author of the message, it is a direct violation of the RFC for list software to set Reply-To. (It should use List-Post instead, as defined in RFC2369. Unfortunately, well over a decade later, clients which properly recognize List-Post headers remain thin on the ground.)

Now that the historical archive has been presented, I'll finally get to my reason for opposing the use of Reply-To headers by mailing lists: It's a matter of privacy and security.

Put simply, if a message which is intended to be public is sent privately, it causes little to no harm. As already seen on this thread, it's easy for the recipient to include it in a public response, or the original sender can trivially re-send it to the correct address. The net result is a minor inconvenience for the sender (who has to send it twice) and possibly a minor annoyance for the private version's recipient (who will receive two copies unless their mail software is smart enough to filter out the duplicate).

A message intended to be private which is unintentionally made public, on the other hand, can cause significant harm, ranging from simple embarrassment[4] to professional problems[5] to actual physical danger[6].

Even when you consider that Reply-To munging will prevent more problems than it causes, the potential damage caused by a single exposure of private information is so much greater than the damage caused by replies being unintentionally private that I believe, in the balance, the net harm caused by Reply-To munging is greater than the net benefit it provides.

But, like I said, I'm no longer local to the LUG and I hardly ever post here any more, so I don't really have a dog in this fight. My main point is simply to present the arguments against Reply-To munging by mailing list software because nobody else has done so. If you decide to start setting Reply-To headers anyhow, it's no skin off my teeth.

[1] http://www.unicom.com/pw/reply-to-harmful.html
[2] http://www.metasystema.net/essays/reply-to.mhtml
[3] http://woozle.org/~neale/papers/reply-to-still-harmful.html
[4] Someone discovering that you're going out with friends after lying to them about being sick
[5] A journalist accidentally revealing connections to an anonymous source
[6] See "Harriet Jacobs" (pseudonym), whose contacts and Google Reader data were automatically exposed to her abusive ex-husband by the Buzz launch; unfortunately, while you can find many references to the incident, her original rant describing it is no longer public

-- 
Dave Sherohman
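
The header behaviour discussed in the message above, as an added example that is not part of the original post: a client-side check that resolves where a plain "Reply" will go and flags the case where a list-set Reply-To sends it to the RFC 2369 List-Post address. The sample messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the same post as delivered by a list that leaves
# Reply-To alone, and by one that munges it. All addresses are made up.
BASE = (
    "From: Alice <alice@example.org>\n"
    "To: lug@lists.example.org\n"
    "List-Post: <mailto:lug@lists.example.org>\n"
    "Subject: meeting\n"
)
UNMUNGED = BASE + "\nSee you there.\n"
MUNGED = BASE + "Reply-To: lug@lists.example.org\n\nSee you there.\n"


def list_post_address(raw):
    """Posting address from the RFC 2369 List-Post header, or None."""
    value = message_from_string(raw).get("List-Post", "")
    m = re.search(r"<\s*mailto:([^>?\s]+)", value, re.I)
    return m.group(1).lower() if m else None


def reply_targets(raw):
    """Where a plain 'Reply' goes: Reply-To if present, otherwise From."""
    msg = message_from_string(raw)
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def reply_goes_public(raw):
    """True if a plain reply to this message would be posted to the list."""
    post = list_post_address(raw)
    return post is not None and post in reply_targets(raw)


if __name__ == "__main__":
    for name, raw in (("unmunged", UNMUNGED), ("munged", MUNGED)):
        warn = "  <-- public, confirm before sending" if reply_goes_public(raw) else ""
        print(f"{name}: reply goes to {reply_targets(raw)}{warn}")
```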