Open Source and information security mailing list archives
 
From: bernhard at bksys.at (Bernhard Kuemel)
Subject: mailman email harvester

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valdis.Kletnieks@...edu wrote:
| On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:
|
|>If hashcash (http://www.hashcash.org/) gets integrated in our mail
|>systems we no longer need to hide or obfuscate our email addresses.
|
| On the other hand, widespread distribution of hashcash will probably mean
| the end of many mailing lists, because you can't trust users to actually
| whitelist everything they subscribe to.

If a user chooses to use hashcash he must understand it. If he
doesn't and subscribes to a mailing list, all the list mail will go
to his spam folder. He will learn from that and whitelist list mail.

| And remember that the whole *idea*
| of hashcash is that you make it impractical for somebody to send 3,000 pieces
| of mail.  I'm sure netsys.com wouldn't want to keep full-disclosure if they had
| to do hashcash for even 10% of their users.

They would not hashcash every mail, but sign each incoming mail so
spammers can't spam subscribers, whose addresses can then be published
again.

| I'll overlook the issues caused when you *don't know* what to whitelist.
| For instance - many mailing lists (including this one) have a "confirmation
| of subscription" check.  For bonus points - should you have whitelisted:
|
| a) full-disclosure@...ts.netsys.com    (the actual list name)
| b) full-disclosure-request@...ts.netsys.com (the rfc822 header on my confirm)
| c) full-disclosure-admin@...ts.netsys.com (the rfc821 MAIL FROM:)
| d) mailman@
| e) majordomo@
| f) listserv@

Subscribing to mailing lists has always been a process of following
instructions. If you subscribe via a web page, this web page will
tell you which addresses to whitelist. If you subscribe via email,
firstly there will also be some source of instructions on how to
subscribe, and secondly you can whitelist replies that reference
(private) emails you sent recently.

| There's also all the stuff that things like amazon, ebay, your bank,
| your insurance company, your utility companies, etc... all send out,
| that users will forget to whitelist.

They can send hashcashed requests for being whitelisted which will
pop up a window similar to message receipt requests.

| Hashcash really sucks if you're a mail server admin who has to crank 50,000
| hash cashes a day at 5 CPU seconds a pop because people forgot to whitelist
| your server.

I don't understand the situation. Human edited mail is usually
created on a workstation that is capable of making hashcash while
the mail is edited. Mass mail generated on a server falls into
several categories:

1) spam: let them make hashcash
2) solicited recurring mail: send hashcashed whitelist request and
follow up with unpaid mail. If unpaid mail gets rejected stop
sending mail. Actually, there is little reason not to make the
whitelisting part of the service subscription process.
3) Replies should be whitelisted automatically.
4) legitimate systems that initiate mail conversation must make
hashcash. Can you think of any examples?

| Hashcash isn't even a tiny speed bump if you're a spammer and have 50,000
| zombies - each one only takes a 5 second hiccup and continues spamming....

Configure your system to require more. 1 minute. Or 10. Or 20. The
amount of hashcash can be put in an email address comment or if
insufficient cash is sent, the receiving system can automatically
request more.

| But yeah, other than all those minor details, hashcash is a fine solution. ;)

ecash may be even better. You don't have to accept the postage. Only
take it from unwanted mail.

Bernhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFCDfJ89zL78+QhnUgRAu+pAJ95pzHYaMatinzyQ3wtIIeQqGb/uwCgi+4o
4I44MDzL2TeHQ1KLQGW7kts=
=HCYs
-----END PGP SIGNATURE-----
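The exchange above argues about how much work a hashcash stamp should cost, how a receiving system would reject a stamp with insufficient postage and ask for more, and why a receiver cannot simply trust the bit count written in the stamp header. The following Python is an added example written for this page; it is not part of the original post nor code from the hashcash project. It mints a hashcash v1 stamp in the real stamp layout (`1:bits:YYMMDD:resource:ext:rand:counter`, postage = leading zero bits of SHA-1 over the whole stamp), verifies it as a receiving mail system would (format, target address, actual proof of work versus the claimed bits, age window, and a double-spend set so one stamp cannot be reused), and turns a work budget such as "one minute at a given hash rate" into a bit count. The recipient address, the hash rate, the fixed demo date and the decimal counter are constructed for the demo; the hashcash tools use a base64 counter and a persistent stamp database, but verification only hashes the string, so the check below is the same.

```python
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

# Hashcash v1 stamp layout: ver:bits:date:resource:ext:rand:counter
# Postage is the number of leading zero bits of SHA-1(stamp).

# Fixed "now" so the demo and its checks are reproducible (constructed value).
DEMO_NOW = datetime(2005, 2, 12, tzinfo=timezone.utc)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def mint(resource: str, bits: int, date: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Sender side: brute-force the counter until SHA-1(stamp) has at least
    `bits` leading zero bits. Expected cost is about 2**bits SHA-1 calls."""
    if date is None:
        date = datetime.now(timezone.utc).strftime("%y%m%d")
    if rand is None:
        rand = os.urandom(8).hex()
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter}"  # decimal counter, fine for verification
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, expected_resource: str, min_bits: int,
           now: Optional[datetime] = None, max_age_days: int = 28,
           seen: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason); the reason is what a
    receiving system would send back when asking for more postage."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed stamp"
    _, bits_s, date_s, resource, _ext, _rand, _counter = fields
    try:
        claimed_bits = int(bits_s)
        minted = datetime.strptime(date_s, "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad bits or date field"
    if resource != expected_resource:
        return False, "stamp was minted for a different address"
    # Never trust the header: recompute the work that was actually done.
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False, "hash does not have the claimed leading zero bits"
    if claimed_bits < min_bits:
        return False, f"insufficient postage: {claimed_bits} < {min_bits} bits"
    now = now or datetime.now(timezone.utc)
    age_days = (now - minted).days
    if age_days > max_age_days or age_days < -2:
        return False, "stamp expired or dated in the future"
    # Double-spend protection: a stamp is good once per receiver.
    if seen is not None:
        if stamp in seen:
            return False, "stamp already spent"
        seen.add(stamp)
    return True, "ok"


def bits_for_budget(seconds: float, hashes_per_second: float) -> int:
    """Smallest bit count whose expected minting cost (2**bits hashes) is at
    least `seconds` of work at the given hash rate, e.g. "require 1 minute"."""
    target = seconds * hashes_per_second
    bits = 0
    while 2 ** bits < target:
        bits += 1
    return bits


if __name__ == "__main__":
    addr = "fd-subscriber@example.org"  # constructed recipient address
    stamp = mint(addr, 20)
    print(stamp)
    print(verify(stamp, addr, 20))
    print(verify(stamp, addr, 24))  # receiver wants more postage
    print("bits for 1 min at 1M hash/s:", bits_for_budget(60, 1e6))
    print("bits for 10 min at 1M hash/s:", bits_for_budget(600, 1e6))
```

Each extra bit doubles the sender's expected work while the receiver's check stays one SHA-1, which is the asymmetry the thread relies on; the `seen` set is what stops a spammer from paying once and reusing the same stamp against the same recipient.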
