At 02:21 09/20/2000 -0400, Riad S. Wahby wrote:
You should read up on Type 1 and Type 2 remailers. Both involve encryption. In the case of Type 2 remailers, you only need to trust one in the chain that you use in order to be sure that your identity is securely hidden.
I do understand how both types work, however, the opportunity for subterfuge is always present. I was making a point that the assumed security of a remailer should not factor in if you intend to put yourself at risk. Assumptions are dangerous all over the place, and if your assumption could get you into trouble, it's better to verify it or not instead of just proceeding blindly, if at all possible.
Wrong again. By default in versions of sendmail since 4.9, all sent mails are logged right along with the failures--and this includes the IP address from which the connection was made to the SMTP server. Simply setting your SMTP server is not nearly enough. If 'they' have the IP address from which the mail was sent, 'they' have you. As I said above, please read up on Type 1 and Type 2 remailers before making such outrageous claims.
What is the outrageous claim? That someone could purposely set up an insecure remailer, claim that it's secure, and that people could then unwittingly use it to incriminate themselves? As for Sendmail, you are correct; Sendmail defaults to a log level of nine, but it's utterly admin configurable, and with successful messages logs the delivery as successful. This setting is also only present in the default configuration if you get the tarball from sendmail. Options vary by OS vendor, and loglevels may be different (by default) on a newly installed OS that ships with sendmail (most unix variants, if not all, do) or if sendmail was installed via a package distribution method. This could go on and on, but it's twisting the point I was making a great deal and turning the argument away from the topic that started it. I'm not debating the relative merits of remailers, I know they serve a need that cannot be duplicated with great ease, and honestly my comment about faking the return addresses was in no way to say that this method could replace remailers; I was just pointing out that it is a far stretch of the imagination to call it "port 25 hacking" or whatever Tim said. I'm going to stop myself here.. The original email I sent was simply a question about what could be done to possibly quell the flow of spam generated by this list, followed by a few suggestions. It's gotten utterly out of hand because somebody apparently took it as a personal attack, and responded with a series of attacks of his own. As I said before, if [you] (the reader on the list) don't want to hear these questions, then what's good for the goose is good for the gander. Filter my emails if you like; It'll be a lot easier for you to filter them automatically than it will be to filter the spam messages in any event.
Finding open relays that don't do logging is difficult at best.
I agree they are not easier to find than just trusting the word of someone that a particular remailer is secure, but in my opinion that is ass backwards. Trust should be a lot harder to earn than simply doing a little legwork. You suggested finding a remailer in a country unfriendly with the one that is likely to come after you for posting whatever you wish to post, so that it will be harder for law enforcement to pry any information out of the hands of the remailer operator; I find the same logic applies to doing the header forging. If you're in the US as in your example, using an smtp server in Iraq (for example) to send your email through is a pretty safe bet that even if it logs every line of the file including the message body, that the chances of them cooperating one iota with the authorities is pretty small.
As I said above, in the case of the Type 2 remailer, you only have to trust one server in the chain, and presumably you can find one that you're likely to trust not to disclose information to the people from whom you want to hide your identity. In the case of a US national, for example, post through a remailer in a country that the US doesn't like much--there are plenty of those--and you're fine. That, or trust that, for example, the MIT LCS remailer is reasonably secure (and it is--I know the person who runs it), and make sure it's in your chain.
Just as a preamble here, I'll say flat-out that I totally understand the need some people have for anonymous remailers. That said, I have not personally had occasion to use one yet, or need to. I have been in situations where anonymity would have possibly been desirable to some, but more often then not I have chosen to simply waive any kind of real anonymity, and just get out there with what I was doing. I used to run a very large site critical of the CoS, and I kept -everything- online. My domain name records were forged, and I didn't go out of my way to attach my actual name to anything, but I didn't go to any great lengths to hide it either. When the CoS found out about it, they sent Ms. Kobrin after me. She claimed she wanted to send me a hardcopy of their copyrights on the material that I had posted, because I told her if she could prove ownership of any of it, that I would take it down. I told her that an email copy of the information would be sufficient, and that she should send it straight away. I even took the material down and gave them two weeks to produce. When they didn't, I emailed them and put the material back online. This part repeated, and I repeated my request. Instead, I received another nasty letter, and then a few days later a call from my upstream provider. They denied her request to deliver up my name and address, but told me that if I didn't take the information down that it would be a violation of the service agreement, and that they would disconnect the frame relay. I explained to their (the ISPs) lawyer the situation, and that they did not actually own the copyrights in question. He responded with "I know, but considering their history, they are very willing to take us to court over this, and honestly we don't want to deal with that. Take it down or we shut you down, we don't care who's right, we just don't want a lawsuit." Needless to say, faced with the entire site being removed, I removed the materials.
very good chance at hitting something
Again, I ask you to produce an example of an open relay that you are reasonably sure does not do logging.
After my diatribe above you ask me to find a server that I *trust* is not doing logging? In that case I'll trust only those that I admin, so that even in the case that they are doing logging, I can remove the logs myself afterwards. Finding an open relay first off is easy though.. www.orbs.org. Finding one that doesn't log, difficult to verify logging or not, so you just look for one run by an entity unlikely to cooperate, as we covered before.
So please filter, and don't complain. Or unsubscribe. It's the responsibility of new readers to peruse the archives. If you had done so, you would not have angered those who have heard this argument 10^9 times.
THAT is exactly what I'm talking about. I wasn't complaining, at least not as loudly as some of the rest. I was trying to get something -done- and there is a difference. As far as I'm concerned, if people don't want to hear this again, then THEY can filter or unsubscribe. I personally like to believe any amount of discussion on this list is more meaningful than the spam, even if it's all been said and done before. It is an open list after all right?
No. The people of the list expect that you have gone over the archives so that what you say is not repetitive and a waste of time and bandwidth. If a bit of time and bandwidth spent now can reinforce the practice of archive reading before you post, then it is well spent, and is, in the long run, a net savings of both bandwidth and time.
I see. But trying to find a way to save even more time and bandwidth by even attempting to figure out a solution to this problem is not as valuable? It comes down to a simple bit of confusion on my part. I cannot understand the mentality of someone who has the time and resources to effectively combat the spam on this list, and yet who does not have the time or resource to either respond in a somewhat civil fashion, or to just delete the message along with the rest of the refuse. You seemed to be a bit more level headed, so while I still totally disagree that it's a waste of time to try and figure a way around this problem, I haven't utterly lost respect for you as I have with Tim. "Pillar of the community" or not, the guy is an utter asshole. -------signature file------- PGP Key Fingerprint: 446B 7718 B219 9F1E 43DD 8E4A 6BE9 D739 CCC5 7FD7 "I don't think [Linux] will be very successful in the long run." "My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse." -Ken Thompson, Interview May 1999. http://www.freebsd.org FreeBSD - The Power to Serve http://www.rfnj.org Radio Free New Jersey - 395 streams - 96kbps @ 44.1khz