Skip to content

Two new RFCs for Usenet and other netnews systems

After eight and twelve years of work, respectively, two normative RFCs on netnews — newsgroups and their use — have been published. Together, “Netnews Article Format” (RFC 5536) and “Netnews Architecture and Protocols” (RFC 5537) make obsolete “Standard for Interchange of USENET Messages” (RFC 1036), which was published some 22 years ago.


MIME conformance

MIME officially becomes an integral part of netnews, which has previously been an ASCII-only protocol.

User agents must meet the definition of MIME conformance in “Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples” (RFC 2049) and must support “MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations” (RFC 2231).

The media type application/news-transmission

This new media type is intended to be used when an entire news article needs to be encapsulated, such as when emailing it to a moderator.

The User-Agent header

The User-Agent line describes the newsreader or other software that generated the article. Currently, X-Http-User-Agent, X-Newsreader, X-Mailer and X-Posting-Agent are used for this purpose. (The prefix “X-” indicates that a header is experimental rather than standardized.)

The authors of RFC 5536 intend the User-Agent header to be suitable also for email.

The References header

This well-established header line indicates the previous articles to which the previous article replies or otherwise refers. In lengthy threads of newsgroup articles, the Reference lines can also become very long. RFC 5537 now specifies that user agents must ensure that the References header is less than 999 characters long.

The Archive header

Currently, the X-No-Archive header is used to indicate whether the author wishes for the article to be archived e.g. by search engines. X-No-Archive is now obsolete by the Archive header, which takes the value “yes” or “no”.


The Injection-Info header

This new header field contains information provided by the injecting news server as to how an article entered the netnews system. The header, which assists in tracing the article’s origin, may include a “posting-host”, a “posting-account”, “logging-data” (such as the session number in which the articled was posted) and a list of “mail-complaints-to” addresses.

The NNTP-Posting-Host, X-Trace and X-Complaints-To headers are obsolete, as the Injection-Info header includes the functionality they provide.

The Path header

The identities on the Path line are traditionally delimited with the “!” character. RFCs 5536 and 5537 define the “!!” delimiter, which indicates that the agent to its left has verified the identity of the agent to its right. Folding the Path header onto new lines is now permissible.

Cancel messages

Cancel control messages are liberated from the futile formality of having From: and Sender headers matching those of the target message.

Other changes

The above is only a summary of a few notable changes. In all, RFC 5536 comprises 35 pages, and RFC 5537 48 pages.

Security

RFC 5537 identifies several security considerations, such as the following:

  • System integrity may be compromised by control messages (which can be used to approve and delete articles as well as to create and delete newsgroups), malicious content (e.g. attempts to exploit buffer overflow vulnerabilities) and malicious or compromised peers.
  • Denial of service can also be induced through posting large numbers of articles that are irrelevant or identical as well as by falsifying the sender information (thus indirectly inflicting a large amount of email on the victim).
  • News servers accepting articles for posting should prevent the posting of malicious articles. In cases where server administrators do not fulfil that responsibility, their servers may be excluded from the netnews system (as in the “Usenet Death Penalty”).
  • Senders cannot enforce the restrictions stated in Archive and Distribution headers. Because of this, articles may “leak” into environments not intended by their senders.

Authors of RFCs 5536 and 5537

Congratulations to the authors: Kenneth Murchison, Charles H. Lindsey, Dan Kohn and Russ Allbery!

What do you think?

Please post your comments!

Post a comment Trackbacks closed RSS 2.0 feed for these comments This entry (permalink) was posted on Sunday, November 29, 2009, at 08:05:23 by Thor Kottelin. Filed in Internetworking/Mail and news, Security and tagged , , , , , , , , , , .

Post a Comment

Your email is never published nor shared. Required fields are marked *
*
*