filtering headers from forwarded messages

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

[-- Attachment #1: Type: text/plain, Size: 2281 bytes --]

hey folks--

i recently had cause to forward a set of messages to a colleague via
notmuch (thank you for "notmuch-show-forward-open-messages"!), and
noticed that forwarding messages that i've personally received leaks
quite a bit of metadata about message delivery paths that is (a)
generally not useful when i'm forwarding in order to transfer the
message content, and (b) potentially harmful to users whose message
routing path reveals something bad or awkward about their setup.

For example, maybe for some people, their incoming mail path shows that
they're actually reading their personal e-mail on their employer's
mailsystems, but they don't want to expose their place of employment to
someone just by forwarding a message.  (this path is exposed by
Received: headers)

Or, there are internal headers added by local antispam or antimalware
filters, and they don't want to expose the specifics of their filtering
defenses because it might enable attacks on those systems (or customized
bypass mechanisms).

So, it occurs to me that someone might want to forward a message (or
messages) while filtering the headers in some way.

Of course, for messages being forwarded for the purpose of debugging the
transit path, you *don't* want to filter out headers.

In notmuch-emacs, i can manually filter the headers by editing the reply
compose buffer, of course, but it's kind of a pain, and it'd be nice to
have it done automatically for me.

Some possible filters i can imagine (which might well have problems, i
would appreciate any review):

 - blocklist: remove all headers that are in a fixed set: (Received,
      Delivered-To, Received-SPF, X-Original-To, Return-Path,
      X-Virus-Check-By, X-Virus-Scanned, Authentication-Results, X-MS-*,
      X-Microsoft-*)
 
 - allowlist: remove all headers except for a fixed set (To, From, Cc,
      Subject, Date, Message-Id, References, In-Reply-To, MIME-Version,
      Content-*, List-*, Sender)

 - ordered removal: remove all headers up to and including the last
   Received line


Has anyone else considered this use case, or thought about how to make
it easy/simple to do the right thing when using Notmuch?  Are there
other factors that are worth considering?

    --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]