Open Source and information security mailing list archives
Message-ID: <4b6ee93104112608513594c24d@mail.gmail.com>
From: xploitable at gmail.com (n3td3v)
Subject: Mailing lists and unsolicited/malicious spam

On the note of hiding e-mail addresses:

Yahoo! Groups, a fully featured user group and mailing list has taken
steps to prevent malicious users harvesting new e-mail addresses to
add to spam list databases. They (Yahoo) cut the e-mail address on the
website, so harvesting becomes impossible by only showing the user
side of the e-mail address. Example "n3td3v@...".

On the note of mailing lists and user groups having its own unique
(back-end off list) spam:

I have also noticed Yahoo!'s own resident hax0rs, spammers, whatever
you wish to label them as, actually use Yahoo! users to create bot
yahoo accounts (by sending them a carefully crafted url, which relays
via google and queries the malicious webpage, which looks like a
legitimate Yahoo! word verification page) to later broadcast out to
Yahoo! users of Yahoo! Mail and Yahoo! Groups. So, in some instances,
mailing lists and user groups can have its internal scams going on (if
the network is big enough, which yahoo (mail and groups)

We could take Yahoo!'s e-mail hiding idea, but take it a step further:

I was thinking, why are all e-mail addresses not encrypted as soon as
they leave the author's mail client, surely this would stop anyone
seeing the address, apart from the mail client at the other end the
message was intended for. And when a user mails a mailing list the
e-mail address could be read by the mailing list software, but stays
encrypted for the broadcast out to the subscribers of the list.

All you need to do to stop spam is have e-mail addresses encrypted and
only readable by the person they were sent to. Perhaps to make it
nicer, leave the user@ side of the e-mail address showing, but encrypt
the @domain side of the e-mail address.

Don't tell me, this has already been thought of and I'm the last to
think of it, oh well never mind!

This would at least stop the malicious spammers harvesting new
addresses on mailing lists and the third party sites where mailing
list threads are published, example: seclists.org. I'm sure encrypting
the domain side of e-mail addresses has its pitfalls and flaws. It's
just something I thought about on top of my head, I haven't researched
fully the pros and cons (at least yet).

Thanks,
n3td3v@...fshjkewts
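
Added example, not part of the original post and not Yahoo!'s or any archive's own code: an archive-side filter that shows only the user side of each address ("n3td3v@...") in the displayed headers and body, plus a check that reports any full address still present in the rendered text. The function names, the address pattern and the sample message are constructed for this illustration, and it handles single-part text messages only.

```python
import re
from email import message_from_string

# Local part, "@", then a dotted domain. Deliberately conservative (assumed pattern).
ADDR_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def mask_addresses(text):
    """Replace each user@domain with user@... so the domain never reaches the page."""
    return ADDR_RE.sub(lambda m: m.group(1) + "@...", text)

def find_unmasked(text):
    """Return full addresses still present; run on rendered output as a leak check."""
    return [m.group(0) for m in ADDR_RE.finditer(text)]

def mask_for_archive(raw_message):
    """Return the header fields and body an archive page would display."""
    msg = message_from_string(raw_message)
    shown = {name: mask_addresses(msg.get(name, "")) for name in ("From", "Subject")}
    # Message-ID is a threading identifier, not a mailbox; kept intact
    # (a choice made for this example).
    shown["Message-ID"] = msg.get("Message-ID", "")
    # To/Cc are simply not displayed. Single-part text bodies only.
    shown["body"] = mask_addresses(msg.get_payload())
    return shown

# Constructed sample message (not taken from any list archive).
SAMPLE = """\
From: Alice Example <alice@example.org>
To: list@lists.example.com
Subject: Re: contact bob@example.net
Message-ID: <abc123@mail.example.org>

Contact bob@example.net for details.
Already masked: carol@...
"""

if __name__ == "__main__":
    page = mask_for_archive(SAMPLE)
    for key, value in page.items():
        print(f"{key}: {value}")
    rendered = "\n".join([page["From"], page["Subject"], page["body"]])
    print("leaks:", find_unmasked(rendered))
```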

