lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: mailman email harvester 

On Sat, 12 Feb 2005 13:11:41 +0100, Bernhard Kuemel said:

> If a user choses to use hashcash he must understand it. If he
> doesn't and subscribes to a mailing list all the list mail will go
> to his spam folder. He will learn from that and whitelist list mail.

Given the number of people who can't even learn "don't open the spam" and
"Don't click on the spyware links", I doubt enough users will both choose
and do it right to make a difference.

> | And remember that the whole *idea*
> | of hashcash is that you make it impractical for somebody to send
> 3,000 pieces
> | of mail.  I'm sure netsys.com wouldn't want to keep
> full-disclosure if they had
> | to do hashcash for even 10% of their users.
> 
> They would not hashcash every mail, but sign each incoming mail so
> spammers can't spam suscribers whose addresses then can be published
> again.

You missed the point - if a user forgets to whitelist netsys.com, then
*NETSYS.COM* has to do a hashcash to deliver the *outbound* mail to the
bozo's ISP.


> Subscribing to mailing lists has always been a process of following
> instructions. If you subscribe via a web page, this web page will
> tell you which addresses to whitelist. If you subscribe via email
> firstly there will also be some source of instructions how to
> subscribe, and secondly you can whitelist replies that reference
> (private) emails you sent recently.

You'd be surprised how many people get it wrong *now*, when the instructions
onlu say "send mail to *this* address with *this* in it'.  I've seen people
manage to get it wrong even when they have a link that says

mailto:majordom@...mple.com&body=subscribe listname

If you just say "and remember to whitelist foo@...ress" they won't know how/
And if you try to give directions, you'll have to have AOL instrucitons, and
Hotmail instructions, and Yahoo instructions, and GMail instructions, and at
least some of the Hotmail users will try to follow the Yahoo instructions just
because they're total yahoos as well as being hotmail subscribers..


> | There's also all the stuff that things like amazon, ebay, your bank,
> | your insurance company, your utility companies, etc... all send out,
> | that users will forget to whitelist.
> 
> They can send hashcashed requests for being whitelisted which will
> pop up a window similar to message receipt requests.

And the spammers can send hashcashed requests too - remember they have thousands
of zombies, so it doesn't bother them...

> I don't understand the situation. Human edited mail is usually
> created on a workstation that is capable of making hashcash while
> the mail is edited.

You missed a point here.  If I'm composing on a workstation, you *DONT*
want me to do a hashcash *THEN* - because if I'm a spammer, I can do the
hashcash ONCE, and send it to 75 different mailservers, and they'll never
know.

What ends up happening is the user composes it, hits "send", it goes to their
ISP's mail hub - and when the 75 copies go out, the mail hub has to do a
different hashcash for each of the 75 destinations that ask for a hashcash.

That's why hashcash is painful to mail hubs.

> Configure your system to require more. 1 minute. Or 10. Or 20. The
> amount of hashcash can be put in an email address comment or if
> insufficient cash is sent, the receiving system can automatically
> request more.

Remember that you have to pick a number that a legitimate ISP can calculate
a fair number of them a day - if you're cranking a million e-mails a day,
which even a fairly small site like ours manages to do, and only 1% of the
mail needs to be hash-cashed for one CPU minute, suddenly you need 6 CPUs
doing nothing but grinding hashcash.

On the other hand, if you're a spammer with 10K zombies, requiring a minute
of hashcash still means you can send 1.4M spam per day, using other people's
CPU.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050212/114b0506/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ