Hardening lists against spam attacks

The Christmas attack against this list shows the need to develop lists which are resistant to attacks. If cyberspace is to become the town square of the next century, we need to be able to discourage brown shirts attacks on political gatherings. If lists are to be a major part of the political life of the community, then they must be resistant to attacks from knowledgeable, well financed attackers, not just the shits who were the most recent perps.
There are several principles which should be observed:
(1) Since attacks are based on sending to the list, receiving the list should remain substantially unchanged.
(2) Spam attacks should be throttled at the source, so they do not act as a denial of service attack on the list server.
Here is a sketch of a protocol which attempts to achieve these goals:
(1) All messages sent to the list must be encrypted with the list's public key. This requirement is primarily to protect the posting token (see below). However, it alone will probably reduce the problem. Certainly it will eliminate the effectiveness of the "subscribe the list to some other list" attacks.
(2) In order to post to the list, the poster must have a valid posting token. These tokens are available, in limited number, anonymously. Tokens remain valid unless canceled for abuse. However, if too many posts are received with a given token, TCP performance on sockets using that token may become arbitrarily slow (or the circuit may be dropped).
(3) In order to limit the number of posting tokens, the list server will only issue a few per day. The lucky few who get them, everyone who asks under normal circumstances, may be determined by an algorithm designed to limit token collection by future attackers. (This area is where this proposal needs work!)
-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA

Bill Frantz wrote:
(3) In order to limit the number of posting tokens, the list server will only issue a few per day. The lucky few who get them, everyone who asks under normal circumstances, may be determined by an algorithm designed to limit token collection by future attackers. (This area is where this proposal needs work!)
Send a number of unique tokens to each subscriber each day. Enforce a rule that only posts with valid current tokens may be accepted. The number of tokens should initially be very small (say, one per day) and then should be quickly increased to a sufficient number, like 10 or 20, as the subscriber shows a record of using tokens properly (as defined by acceptable content rules).
A database is kept as to who was issued which tokens.
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
- Igor.

Toto <toto@sk.sympatico.ca> writes:
Igor Chudov @ home wrote:
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
I'm sure that the NSA would be more than happy to take responsibility for deciding which posts are off-topic.
Cocksucker John Gilmore is an NSA shill who decides what's "off-topic" and unsubscribes whomever Arachelian@ASALA doesn't like. What an asshole.
---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Tue, 31 Dec 1996 ichudov@algebra.com wrote:
Send a number of unique tokens to each subscriber each day... ... A database is kept as to who was issued which tokens.
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
There is a simple solution to keeping anonymous posters anonymous under this or any similar scheme. Volunteers could act as "gateways" for anonymous posts. Self-selected list members could announce that they would forward anonymous posts using one of their own tokens for the purpose. (In the alternative, the gateway volunteers could be given extra tokens solely for that purpose.)
The gateway volunteers would be a firewall against flames and spam attacks, but would be a conduit for substantive anonymous posts. If gateway volunteers allowed inappropriate flames and spams through, they would have *their* tokens reduced.
S a n d y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Tue, 31 Dec 1996, Sandy Sandfort wrote:
There is a simple solution to keeping anonymous posters anonymous under this or any similar scheme. Volunteers could act as "gateways" for anonymous posts. Self-selected list members could announce that they would forward anonymous posts using one of their own tokens for the purpose. (In the alternative, the gateway volunteers could be given extra tokens solely for that purpose.)
The gateway volunteers would be a firewall against flames and spam attacks, but would be a conduit for substantive anonymous posts. If gateway volunteers allowed inappropriate flames and spams through, they would have *their* tokens reduced.
Only problem is that the Vulis^H^H^H^H^Hspammer could still mail flood the gateway dudes. The gateway dudes should be ready for such attacks and should be able to handle them. Such a flood could result in a denial of post since if you flood someone with ten thousand random spams, then the posts worth delivering will get lost among those.
So the gateway dudes should be competent enough to deal with this sort of thing. I wouldn't mind running such a gateway if it will fly and I have the time since I already provide this sort of filtering anyway.
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian | "If you're gonna die, die with your|./|\.
..\|/..|sunder@sundernet.com|boots on; If you're gonna try, just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin, |you're gonna die, you're gonna die!" |.\|/.
.+.v.+.|God of screwdrivers"| --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================

On Tue, 31 Dec 1996, Igor Chudov @ home wrote:
Send a number of unique tokens to each subscriber each day. Enforce a rule that only posts with valid current tokens may be accepted. The number of tokens should initially be very small (say, one per day) and then should be quickly increased to a sufficient number, like 10 or 20, as the subscriber shows a record of using tokens properly (as defined by acceptable content rules).
A database is kept as to who was issued which tokens.
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
I think this problem can be solved by blind signing the tokens. A user generates a random number, multiplies it by the blinding factor, then sends it to a token server which would append a timestamp and sign the blinded token. All signature requests should be signed with a PGP key. The server response would be encrypted with the user's public key. A person's PGP key would be sent along with the subscription request and then saved by the list software. The token would be included in a user's list submission, removed, and saved by the list software to detect any duplicates.
The server would issue a limited number of tokens to each public key registered with it. If two signed requests come from the same email address in the same day signed with different keys, only the tokens in the first request should be signed.
The only problem with this scheme is the inconvenience of having to register a public key with the server before posting. Someone with many different email addresses could generate a public key for each address to get more tokens. The only way to prevent this is to control list subscriptions.
Mark
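The blind-signed token flow described in the message above, as an added example that is not part of the original post: textbook RSA blinding, a per-key quota at the token server, and duplicate detection in the list software. The class names, the constructed demo key and the hashing of the token before signing are assumptions, request authentication is assumed to have happened already, and the timestamp step is left out.

```python
import hashlib
import math
import secrets

# Constructed demo key: two Mersenne primes give a 234-bit modulus, which keeps
# the example offline and fast. It is far too small and too regular for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # token server's private exponent


def digest(token: bytes) -> int:
    """Integer representative of a token; this is what the signature covers."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Poster:
    """Client side: pick a random token, blind it, later unblind the signature."""

    def blinded_request(self) -> int:
        self.token = secrets.token_bytes(16)
        while True:
            self.r = secrets.randbelow(N - 2) + 2      # blinding factor
            if math.gcd(self.r, N) == 1:
                break
        # m * r^e mod N: the server signs this without learning m
        return digest(self.token) * pow(self.r, E, N) % N

    def unblind(self, blind_sig: int) -> int:
        # (m * r^e)^d = m^d * r, so dividing by r leaves a signature on m
        return blind_sig * pow(self.r, -1, N) % N


class TokenServer:
    """Signs blinded values for registered keys, up to a daily quota per key."""

    def __init__(self, quota_per_key: int):
        self.quota = quota_per_key
        self.signed_today = {}      # key id -> signatures issued today
        self.seen_blinded = []      # all the server observes at issue time

    def sign_blinded(self, key_id: str, blinded: int):
        # Assumption: the request was already authenticated against key_id
        # (the post uses a PGP signature on the request for this).
        if self.signed_today.get(key_id, 0) >= self.quota:
            return None
        self.signed_today[key_id] = self.signed_today.get(key_id, 0) + 1
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)


class ListSoftware:
    """Checks the token on each submission and remembers spent tokens."""

    def __init__(self):
        self.spent = set()

    def accept(self, token: bytes, signature: int) -> str:
        if pow(signature, E, N) != digest(token):
            return "bad-signature"
        if token in self.spent:
            return "duplicate"
        self.spent.add(token)
        return "accepted"


def demo():
    server, lst, alice = TokenServer(quota_per_key=2), ListSoftware(), Poster()
    sig = alice.unblind(server.sign_blinded("alice-key", alice.blinded_request()))
    return {
        "first_post": lst.accept(alice.token, sig),
        "replay": lst.accept(alice.token, sig),
        "forged": lst.accept(secrets.token_bytes(16), sig),
        # The value presented with the post never appeared at the server.
        "server_saw_token": digest(alice.token) in server.seen_blinded,
    }


if __name__ == "__main__":
    print(demo())
```

The quota is enforced per registered key only, so a poster holding several registered keys collects several quotas, which is the weakness the message itself points out.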

On Tue, 31 Dec 1996 ichudov@algebra.com wrote:
Send a number of unique tokens to each subscriber each day. Enforce a rule that only posts with valid current tokens may be accepted. The number of tokens should initially be very small (say, one per day) and then should be quickly increased to a sufficient number, like 10 or 20, as the subscriber shows a record of using tokens properly (as defined by acceptable content rules).
A database is kept as to who was issued which tokens.
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
This scheme wouldn't necessarily map True Names to tokens; merely list subscriptions. If an account at a nymserver were to subscribe, there would be no way to identify the account holder.
The real problem is that there could be a lot of subscriptions from a site like nymserver.bwalk.com . . . .
Alan Bostick | I'm not cheating; I'm *winning*!
mailto:abostick@netcom.com | Emma Michael Notkin
news:alt.grelb | http://www.alumni.caltech.edu/~abostick

Alan Bostick <abostick@netcom.com> writes:
On Tue, 31 Dec 1996 ichudov@algebra.com wrote:
Send a number of unique tokens to each subscriber each day. Enforce a rule that only posts with valid current tokens may be accepted. The number of tokens should initially be very small (say, one per day) and then should be quickly increased to a sufficient number, like 10 or 20, as the subscriber shows a record of using tokens properly (as defined by acceptable content rules).
A database is kept as to who was issued which tokens.
If tokens are used improperly (to post off-topic materials) the offending subscriber is denied any further tokens.
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
This scheme wouldn't necessarily map True Names to tokens; merely list subscriptions. If an account at a nymserver were to subscribe, there would be no way to identify the account holder.
The real problem is that there could be a lot of subscriptions from a site like nymserver.bwalk.com . . . .
Dr. Grubor has proposed that homosexuals be required to identify themselves in e-mail headers. What about banning people who identify themselves as homosexuals (or fraudulently fail to identify themselves)? By the way, how come it's mostly homos like Bostick who contribute to censorship threads? --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

Igor Chudov @ home wrote:
Bill Frantz wrote:
(3) In order to limit the number of posting tokens, the list server will only issue a few per day. The lucky few who get them, everyone who asks under normal circumstances, may be determined by an algorithm designed to limit token collection by future attackers. (This area is where this proposal needs work!)
[snip]
Send a number of unique tokens to each subscriber each day. Enforce a rule that only posts with valid current tokens may be accepted. The number of tokens should initially be very small (say, one per day) and then should be quickly increased to a sufficient number, like 10 or 20, as the subscriber shows a record of using tokens properly (as defined by acceptable content rules).
[snip]
Why not have any list deal with a hierarchy of security, so that:
n-number of posters will use the highest level of security
m-number will use a lower level of security
k-number will send plain text
Flags can be assigned for various purposes:
What level of encoding I send my messages with
What level I can receive
Restrictions on delivery of my messages according to a table maintained by the list managers

On Tue, 31 Dec 1996 ichudov@algebra.com wrote:
The problem of this scheme is (besides its cost) that anonymous users will not be truly anonymous.
Not only that, but what's to stop the anon users from claiming to be OTHER anon users and requesting tokens. Say have one true user (Vulis) create 10 zillion tentacles and request 10 zillion tokens, one from each tentacle and then use them all to post spam?
Human review of posts is likely the only way. Sure, some things can be filtered out, you can look for messages that are less than 1K in size and have the words "Timmy" "Mayonaise" "Maya" and various other derogatory terms nearby and reject them pronto, but that will only have Vulis change the spelling of those words slightly each day and have them show up on the list anyway.
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian | "If you're gonna die, die with your|./|\.
..\|/..|sunder@sundernet.com|boots on; If you're gonna try, just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin, |you're gonna die, you're gonna die!" |.\|/.
.+.v.+.|God of screwdrivers"| --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================

This is the first posting I have seen (someone unSCUMscribed me a few days ago) which addresses the need for having defences in place against spamming attacks.
The fact is, the InterNet is a global neighborhood, and everyone will be affected by the security or non-security of their neighbors. Since the Web is currently seen as the new 'gold rush', every Tom, Dick and Harry who wants to capitalize on it will be putting up web sites, with their concern being focused much more on increasing their piece of the pie, than on being good neighbors.
So sports lists are going to make it easy-as-pie for 10,000 Laker's fans named Bubba to subscribe to their list and, as a result, make it also as easy-as-pie for people to take advantage of their come-one-come-all policy in order to engage in the sport of spamming.
While there are many good list operators who take reasonable precautions against abuse of their system, they are often still left open to abuse coming from the system of less concerned list operators.
It would seem to me that part of the solution would be to have in place a monitoring system which would reflect a sudden increase in email coming in from new (or current) sources. Then the source of any excessive increase could be put on 'hold' until the system operator has a chance to check on the validity of the reason behind the sudden increase. (20 messages from Bubba is an inconvenience, but 500 messages is a royal pain-in-the-ass)
As for 'mailbots', I think that any solutions to the potential abuse will only be a 'stopping action', at best. My view is that the machines are starting to make their play towards taking over, and that we will eventually be doomed to be their slaves, and not the other way around.
Toto
Bill Frantz wrote:
The Christmas attack against this list shows the need to develop lists which are resistant to attacks. If cyberspace is to become the town square of the next century, we need to be able to discourage brown shirts attacks on political gatherings. If lists are to be a major part of the political life of the community, then they must be resistant to attacks from knowledgeable, well financed attackers, not just the shits who were the most recent perps.
There are several principles which should be observed:
(1) Since attacks are based on sending to the list, receiving the list should remain substantially unchanged.
(2) Spam attacks should be throttled at the source, so they do not act as a denial of service attack on the list server.
Here is a sketch of a protocol which attempts to achieve these goals:
(1) All messages sent to the list must be encrypted with the list's public key. This requirement is primarily to protect the posting token (see below). However, it alone will probably reduce the problem. Certainly it will eliminate the effectiveness of the "subscribe the list to some other list" attacks.
(2) In order to post to the list, the poster must have a valid posting token. These tokens are available, in limited number, anonymously. Tokens remain valid unless canceled for abuse. However, if too many posts are received with a given token, TCP performance on sockets using that token may become arbitrarily slow (or the circuit may be dropped).
(3) In order to limit the number of posting tokens, the list server will only issue a few per day. The lucky few who get them, everyone who asks under normal circumstances, may be determined by an algorithm designed to limit token collection by future attackers. (This area is where this proposal needs work!)
-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA

Bill Frantz wrote:
The Christmas attack against this list shows the need to develop lists which are resistant to attacks. If cyberspace is to become the town square of the next century, we need to be able to discourage brown shirts attacks on political gatherings. If lists are to be a major part of the political life of the community, then they must be resistant to attacks from knowledgeable, well financed attackers, not just the shits who were the most recent perps.
[snip]
All messages sent to the list must be encrypted with the list's public key.
So in order to post here, I hafta install and run PGP? Well, people were looking for the perfect formula to deny service to guys like me, and guess what? You found it! I will *not* install and run PGP.

On Tue, 31 Dec 1996, Dale Thorn wrote:
Bill Frantz wrote:
The Christmas attack against this list shows the need to develop lists which are resistant to attacks. If cyberspace is to become the town square of the next century, we need to be able to discourage brown shirts attacks on political gatherings. If lists are to be a major part of the political life of the community, then they must be resistant to attacks from knowledgeable, well financed attackers, not just the shits who were the most recent perps.
[snip]
All messages sent to the list must be encrypted with the list's public key.
So in order to post here, I hafta install and run PGP? Well, people were looking for the perfect formula to deny service to guys like me, and guess what? You found it! I will *not* install and run PGP.
I agree with Dale here...requiring PGP in order to post would probably deter low-level, idiot spammers, but it would also keep those people off the list who, for one reason or another, don't like/want/use PGP. Also, what about people who post to and read the list from someplace other than their home computer, like school or work? I have access to this account from my college, but I'm sure not going to leave my keys lying around my account just so I can post to a mailing list.
Zach Babayco
zachb@netcom.com <-------finger for PGP public key
If you need to know how to set up a mail filter or defend against emailbombs, send me a message with the words "get helpfile" (without the " marks) in the SUBJECT: header, *NOT THE BODY OF THE MESSAGE!* I have several useful FAQs and documents available.

Babayco wrote:
I agree with Dale here...requiring PGP in order to post would probably deter low-level, idiot spammers, but it would also keep those people off the list who, for one reason or another, don't like/want/use PGP. Also,
This is cypherpunks, if we can't be bothered to use crypto software, then how can we tell others they should?
what about people who post to and read the list from someplace other than their home computer, like school or work? I have access to this account from my college, but I'm sure not going to leave my keys lying around my account just so I can post to a mailing list.
Separate key for that account/mailing list.
Petro, Christopher C.
petro@suba.com <preferred for any non-list stuff>
snow@smoke.suba.com

On Tue, 31 Dec 1996, snow wrote:
Babayco wrote:
This is cypherpunks, if we can't be bothered to use crypto software, then how can we tell others they should?
Do you think there is a difference between encouragement and dogma? Sorry. I apologize for my emotional involvement; I find this issue annoying, mainly because it will affect me directly.
what about people who post to and read the list from someplace other than their home computer, like school or work? I have access to this account from my college, but I'm sure not going to leave my keys lying around my account just so I can post to a mailing list.
Separate key for that account/mailing list.
What about those without persistent storage? Many computer labs in schools and libraries choose to install security software of some sort. This causes their machines to behave in odd ways, insofar as they find and delete all foreign data. A variant of the same quirk prevents one from recognizing any but a select set of applications, no matter where they are placed. Netscape is one of these apps. PGP is not.
My only access to e-mail, during much of the year, is through just such a lab. As a result, I am in the unenviable position of using hotmail.com and mailmasher.com for most of my correspondence. Even if it were possible to install PGP on these machines, there is no provision as yet for the kind of integration possible with, say, Eudora, PIdaho, or pine. Special client software might ameliorate the problem, but will not be installed without much administrative hand-wringing.
I am fortunate enough to have my own computer. I can create messages there w/PGP and then bring them to a networked computer for sending. My chances of doing so are about equal to the chance that UNLV will win the Rose Bowl next year.
The simple fact is that I am lazy. I respond to messages on cypherpunks spontaneously, as I see topics of interest (and this is one of 'em!). Rather than somehow forcing me to spend more "thought" and "energy" in my posts, these kinds of measures will create frustration and disillusionment, _ESPECIALLY_ when things fail to interface correctly and cause my messages to bounce. I have no patience for such arbitrary criteria.
Making message delivery harder will not magically cause me to spend more time on the actual composition. It will simply take time away from the next message. I try to spend a fair amount of time on each post already...why should I be penalized for attempting to contribute?
In any case, what bogeyman are we worried about, anyway? Pseudonyms? This list is already full of 'em. That's nothing new. Forged messages? If you trust anything you read on the Internet...well.. Privacy? It's a public mailing list, and one which I have long respected for its tradition of openness and inclusion. <casts nervous glance>
Sorry about the ranting, but as I noted above, my own ox is being gored here. :-)
-David Molnar

snow wrote:
The Thorn wrote:
Bill Frantz wrote:
All messages sent to the list must be encrypted with the list's public key.
So in order to post here, I hafta install and run PGP? Well, people were looking for the perfect formula to deny service to guys like me, and guess what? You found it! I will *not* install and run PGP.
Why not? There are acceptable email interfaces for just about every platform out there (pgp-elm, Eudora hooks, Private Idaho etc), and it really isn't _that_ much of a hassle to do.
I should clarify: I won't use it if I don't have to, and I could make a list of reasons if need be. I think the requirement to use PGP could be an excellent way to shake off a lot of subscribers/posters, many of whom heavy users of the list would like to see go away anyway. All I'm really pointing up is the exclusion of a class of subscribers.

On Tue, 31 Dec 1996, snow wrote:
[NON-Text Body part not included]
That message said:
The Thorn wrote:
Bill Frantz wrote:
All messages sent to the list must be encrypted with the list's public key.
So in order to post here, I hafta install and run PGP? Well, people were looking for the perfect formula to deny service to guys like me, and guess what? You found it! I will *not* install and run PGP.
Why not? There are acceptable email interfaces for just about every platform out there (pgp-elm, Eudora hooks, Private Idaho etc), and it really isn't _that_ much of a hassle to do.
It isn't enough to _write_ the code, or even to talk about it, you have to USE it as well.
Petro, Christopher C.
petro@suba.com <preferred for any non-list stuff>
snow@smoke.suba.com
I am using one of those email interfaces (premail + pine) and had trouble reading your last message. I had to save the PGP attachment to a file. To quote it, I had to read it in from a file. No big deal, and if I changed software I could probably make it automatic. I suspect most people on the list have yet to set up any software of this type. So if I, already using such software, had a little trouble with one message, how much trouble would others have? Then if the entire list were encrypted? I suspect the list would lose a lot of subscribers.
--------------------
Scott V. McGuire <svmcguir@syr.edu>
PGP key available at http://web.syr.edu/~svmcguir
Key fingerprint = 86 B1 10 3F 4E 48 75 0E 96 9B 1E 52 8B B1 26 05

I guess from reading Scott McGuire's message I should have described the posting procedure as well as the token issuing procedure. Here is what you do to post:
Poster writes the post and includes the token in the required place (wherever that turns out to be).
Poster encrypts the message with the list's secret key and sends it to the list.
Majordomo decrypts the message, checks the token, and if the token check passes, sends the plaintext of the message to the list members.
Important points:
(1) You do not need a secret key to post. This feature allows you to post from machines where you don't want to store your secret key ring.
(2) List members do not need PGP, only posters.
(3) People who want to post who can't due to local policy (e.g. no PGP) have choices:
(a) Get a real ISP and machine and become a first class citizen.
(b) Send the post to someone who can post via private mail, explain the situation and ask to have it posted.
The principal reason for using PGP for posting is to protect the token from theft. I don't know a single-message, one-way protocol where a person can show possession of a token without revealing it. If there is such a protocol, then PGP is no longer required.
David Molnar asks:
In any case, what bogeyman are we worried about, anyway? Pseudonyms? This list is already full of 'em. That's nothing new. Forged messages? If you trust anything you read on the Internet...well.. Privacy? It's a public mailing list, and one which I have long respected for its tradition of openness and inclusion. <casts nervous glance>
The bogeyman is a flooding attack which makes the list server effectively unavailable. I have tried to preserve all the features he lists.
-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA

There seems to be some confusion about what I actually proposed. (I never seem to be able to write clearly the first time.) Let me describe in more detail my currently preferred token distribution system.
First some definitions:
Majordomo - The rule based administrator for the list
List administrator - The rule maker. Also does the things majordomo can't.
poster - someone who wants to post a message to the list
list member - those who receive the list.
Token distribution works like this:
A poster desiring a token sends a request to majordomo and includes a public key. This request can be sent thru a remailer chain. Majordomo generates a token (think of it as a secret key), encyphers it with the public key, and posts it to the list. Note that the poster does not have to be subscribed to the list. The token can be recovered from the archives or from a reflector list. (Thanks to Tim May for the suggestion of this method of distribution.)
Now we have given poster an anonymous token. Since tokens are good forever, true anonymity requires a new token for each post. Otherwise the poster only has a pseudonym. I consider this feature an advantage.
Since tokens are good forever, majordomo will only give out a limited number per day. I suggest four. This limit will somewhat protect against the attack Ray Arachelian pointed out of having one abusive user collect 10,000,000 tokens.
It is important to recognize the class of problems I am trying to solve. While I would like to solve the sporadic "make money fast" spam problem, I agree with Tim that, at today's levels, it is only an annoyance. I also agree that the drivel that comes from some of our more prolific posters is best handled by filtering by the list members themselves. (I currently have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)
The problem I am really concerned with is denial of service attacks via flooding. With 1000 list members, each message to the list requires a lot of resources to handle compared with the ones it requires to send. This fact gives an attacker a big advantage. Tokens are designed to enable majordomo to recognize the source of messages and provide lower performance reception to those who are sending a lot of messages. This technique is similar to the technique used by the Whitehouse mail system to limit flooding attacks. (And the idea came from a description of that system posted here some months ago.)
Tokens would also give the list administrator a tool to discourage certain posters. If John Gilmore wanted to make it hard for Dimitri to post, he could cancel Dimitri's token. Dimitri could get another one (under a different name if Majordomo's instructions prevented it from giving him one), but John could continue to cancel the new ones. (N.B. There is no evidence that John actually wanted to keep Dimitri from posting. This example is only a hypothetical.)
Sandy suggests gateways (i.e. distributed moderators) to preserve anonymity. While I don't think they are needed to preserve anonymity, they will be useful for those who can't or won't encrypt their posts. It is important to note here that anyone with a token can act as a gateway.
I was trying to make only small changes in the dynamics of the list. As such, the market based solutions are more radical than I was willing to consider. I would like to see a market based system in actual use, but perhaps elsewhere. The idea seems better fitted to Robert Hettinga's e$pam list.
-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA
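The per-token throttling described in the message above, as an added example that is not part of the original post: a gate that hands out at most four tokens a day, slows a token down as its recent post count climbs, drops it past a hard limit, and honours cancellation. The class name, the one-hour window, the thresholds and the doubling delay are assumptions, and enciphering the token to the requester's key is left out.

```python
import secrets

DAY = 86400
ISSUE_LIMIT_PER_DAY = 4   # the figure suggested in the post
WINDOW = 3600             # assumed: look-back window in seconds
FREE_POSTS = 5            # assumed: posts per window served at full speed
DROP_AFTER = 12           # assumed: posts per window before the circuit is dropped


class TokenGate:
    """Tracks issued tokens and decides how each incoming post is served."""

    def __init__(self):
        self.issued = {}        # day number -> tokens handed out that day
        self.history = {}       # token -> timestamps of recent posts
        self.cancelled = set()

    def issue(self, now):
        """Hand out a fresh token, or None once the daily limit is reached."""
        day = int(now // DAY)
        if self.issued.get(day, 0) >= ISSUE_LIMIT_PER_DAY:
            return None
        self.issued[day] = self.issued.get(day, 0) + 1
        token = secrets.token_hex(16)
        self.history[token] = []
        return token

    def cancel(self, token):
        """List administrator's tool: the token stops working immediately."""
        self.cancelled.add(token)

    def admit(self, token, now):
        """Return (decision, delay_seconds) for a post arriving at time now."""
        if token not in self.history or token in self.cancelled:
            return ("reject", 0)
        recent = [t for t in self.history[token] if now - t < WINDOW]
        recent.append(now)
        # Keep bounded state per token so a flood cannot grow this list.
        recent = recent[-(DROP_AFTER + 1):]
        self.history[token] = recent
        if len(recent) > DROP_AFTER:
            return ("drop", 0)
        excess = len(recent) - FREE_POSTS
        # Delay doubles with every post beyond the free allowance.
        return ("accept", 0 if excess <= 0 else 2 ** (excess - 1))


def replay(gate, token, arrival_times):
    """Feed a sequence of arrival times for one token through the gate."""
    return [gate.admit(token, t) for t in arrival_times]


if __name__ == "__main__":
    gate = TokenGate()
    tok = gate.issue(0)
    # Constructed flood: one post per second for 14 seconds.
    for i, result in enumerate(replay(gate, tok, range(14)), start=1):
        print(i, result)
```

The server's cost per abusive token stays constant: the history list is capped, and the delay is applied to the sender's connection rather than to list delivery.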

Bill Frantz <frantz@netcom.com> writes:
> There seems to be some confusion about what I actually proposed. (I never seem to be able to write clearly the first time.) Let me describe in more detail my currently preferred token distribution system. ...
There's no confusion. You propose even more censorship than there is now.
> Since tokens are good forever, majordomo will only give out a limited number per day. I suggest four. This limit will somewhat protect against the attack Ray Arachelian pointed out of having one abusive user collect 10,000,000 tokens.
Ray "Arsenic" Arachelian of ASALA/Earthweb is a lying piece of shit, like the rest of the "cypher punks". You can complain about Ray Arachelian's libel, spam, forgery, and other net-abuse to the owners of Earthweb, LLC - the Web designer employing Ray as an associate network administrator - Jack Hidary <jack@earthweb.com>, Murray Hidary <murray@earthweb.com>, and Nova Spivack <nova@earthweb.com>.
> have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)
Qualcomm fired Kent Paul Dolan, so they're not all that bad.
> Tokens would also give the list administrator a tool to discourage certain posters. If John Gilmore wanted to make it hard for Dimitri to post, he could cancel Dimitri's token. Dimitri could get another one (under a different name if Majordomo's instructions prevented it from giving him one), but John could continue to cancel the new ones.
I'm sure the cocksucker John Gilmore would masturbate every time he did that. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

Bill Frantz writes:
[snip lots of good ideas about token distribution]

A very good scheme, but why not give each subscriber a token when s/he subscribes? Something along the lines of:

- - - - - - - - - - - - - - - - - - - -
Welcome to Cypherpunks. Your unique token is:

0A553FC1771623109504522E31C07F44

This token must appear either as the first line of the message body or in an X-Token: header for any mail you send to the list. Any messages sent to the list address without this information will be discarded. Your token is initially good for <n> postings per day.
- - - - - - - - - - - - - - - - - - - -

Generate a token thus:

Let X be some known information like the From: line of a subscriber's message.
Let T be some unique information for each subscriber, like the exact time that Majordomo processed the subscribe request.
Let F be the contents of some (non-changing) file on the machine running Majordomo (a "secrets" file).

Use a hash function H(X+T+F) to generate your token. Store the token, the unique information (time, in my example) and the number of posts allowed per day in a file you can use to validate user requests.

Every time a user sends mail to the list address, Majordomo checks for a token. If there's a valid one, it strips it out and distributes the message. Otherwise it throws it away. This way no one else sees which token was used to post a message.

Alice posts all the time using her real name. She just sticks her token in the first line of her post. Majordomo sees it, validates it, and strips it out before passing the message along. It decrements Alice's remaining message count for the day.

Bob wants to post something anonymously. His token isn't associated with his user ID -- the only thing Majordomo knows about it is that it's in the token file and it's flagged as active. He sends the message through the remailer network with his token in it, and Majordomo validates it, strips it out, and passes the message to the subscribers, decrementing the number of messages Bob has remaining for that day.

Charlie wants to unsubscribe from the list. He sends an unsubscribe message to majordomo with his token in it. Majordomo uses the known information (his "From:" line in my example), plus the time it kept from when his token was generated and the secrets file to validate his request. If it matches up, he's unsubscribed and his token's invalidated; if not, he's warned that someone else tried to unsubscribe him. (In order to allow people whose tokens have been invalidated to unsubscribe, don't make sure the token is valid -- just that it matches up with the user.)

Mallory wants to spam the list. He subscribes and gets a token, which he uses to forward commercial announcements to the list. The list manager checks the logs to see which token was used, and reduces its posting limit or invalidates it. Mallory is no longer allowed to post, unless his token is reinstated (or he unsubscribes and resubscribes).

Majordomo also has to keep track of how many posts have been associated with a token in any given day, but that seems like a small problem. Users could appeal to the list admin if they wanted a higher limit than the default. Keeping the number fairly low also discourages protracted flamewars somewhat.

This isn't an extremely "hard" mechanism (I know it's still vulnerable to eavesdropping attacks), but it'd preserve the ability to post anonymously and make it tougher for spammers to decrease the S/N. Abusers would have to unsubscribe and resubscribe repeatedly to get new tokens, which would make them easier for the list admin to track down.

Thoughts?
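The subscription-token scheme from the message above, sketched as an added example that is not part of the original post and is not Majordomo code. HMAC-SHA256 keyed with F stands in for the post's H(X+T+F); the class and method names, the secret, the quota and the sample addresses are assumptions.

```python
import hashlib
import hmac
import time

SECRET_F = b"constructed secrets-file contents"  # F (constructed sample value)

class TokenStore:
    """Token file: token -> issue time T, daily quota, active flag (no user ID)."""

    def __init__(self, secret=SECRET_F, quota=3):  # quota = <n>, assumed value
        self.secret, self.quota = secret, quota
        self.records = {}  # token -> {"t": str, "quota": int, "active": bool}
        self.used = {}     # (token, day) -> posts accepted that day

    def _derive(self, from_line, t):
        # H(X+T+F) realised as HMAC-SHA256 keyed with F. X and T are
        # length-prefixed so ("ab", "c") and ("a", "bc") hash differently.
        msg = b"".join(len(p).to_bytes(4, "big") + p
                       for p in (from_line.encode(), t.encode()))
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32].upper()

    def subscribe(self, from_line, now=None):
        t = repr(time.time() if now is None else now)
        token = self._derive(from_line, t)
        self.records[token] = {"t": t, "quota": self.quota, "active": True}
        return token

    def accept_post(self, body, day):
        """Return the body with the token line stripped, or None to discard."""
        first, _, rest = body.partition("\n")
        rec = self.records.get(first.strip())
        key = (first.strip(), day)
        if rec is None or not rec["active"] or self.used.get(key, 0) >= rec["quota"]:
            return None
        self.used[key] = self.used.get(key, 0) + 1
        return rest

    def unsubscribe(self, from_line, token):
        # Recompute from X, the stored T and F; a revoked token still matches.
        rec = self.records.get(token)
        if rec is None:
            return False
        ok = hmac.compare_digest(self._derive(from_line, rec["t"]), token)
        if ok:
            rec["active"] = False
        return ok

    def revoke(self, token):
        self.records[token]["active"] = False
```

Because the stored record holds only T, the quota and the active flag, the server can validate a post without knowing who holds the token; the From: line is needed only when an unsubscribe request is checked.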

> [...] the drivel that comes from some of our more prolific posters is best handled by filtering by the list members themselves. (I currently have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)
It would be nice if each user could install filters on Majordomo itself. Not only would we not need to buy Eudora Pro, but we wouldn't have to pay to download messages we didn't want to read, and without having to employ a moderator (censor). The most serious drawback I can think of is the slight loss of privacy involved in revealing one's filtering preferences to the server - however, the people who get filtered are generally no secret. You just told the list you filter aga for example. In conjunction with your token scheme (maybe even without it), something like that could cut volume really nicely. In conjunction with anonymous subscription, people might be willing to run more powerful filters on the server end (positive filtering, keyword search, etc) [that would need some kind of token scheme, else spammers/mailbombers could just stuff their articles with keywords]. It might even be possible to implement a feature like 'subscribe cypherpunks-lite', where you get subscribed to a list minus the most filtered posters... Cheers, Frank O'Dwyer

Frank O'Dwyer writes:
>> [...] the drivel that comes from some of our more prolific posters is best handled by filtering by the list members themselves. (I currently have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)
> It would be nice if each user could install filters on Majordomo itself. Not only would we not need to buy Eudora Pro, but we wouldn't have to pay to download messages we didn't want to read, and without having to employ a moderator (censor).
Bad idea. It's tough enough on the host running a list with 1500 or 2000 people on it. Adding outbound filtering for each user would be a real burden on the list host. It's better to distribute the processing by making the user agent (or mail transport that's delivering to the user) do the filtering.

In addition, a filtering majordomo will only 'protect' the lists that it serves. I don't know about you but I get a lot of spam from all sorts of different sources. I need to have a filter anyhow. It's not hard to add some more rules to filter out each list's bozos. It's a lot simpler to do that than it would be to upload filter rules to each of the 10 or 12 listservers I get mail from.

There's also a security issue. How are you going to set it up so that I can't say hack Tim May's filters to send him nothing but posts from Phil H-B and Detwiler? Yea, you can do it with passwords or PGP or whatever, but it's still more overhead. Why bother with it when you don't need to?

--
Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF

>> It would be nice if each user could install filters on Majordomo itself. Not only would we not need to buy Eudora Pro, but we wouldn't have to pay to download messages we didn't want to read, and without having to employ a moderator (censor).
> Bad idea. It's tough enough on the host running a list with 1500 or 2000 people on it. Adding outbound filtering for each user would be a real burden on the list host. It's better to distribute the processing by making the user agent (or mail transport that's delivering to the user) do the filtering.
I guess you're not paying for your mail then :-) Just stand back from this for a moment - doesn't it seem just nonsensical to have a robot (majordomo) cranking out 10s of messages to 1000s of users, day in day out, just for other robots (filters) to delete them? And to pay for the privilege? I mean, is it really better to consume the cycles on _everybody's_ machine, _plus_ use all that bandwidth? I'd say that's not obvious.

Granted, it takes my creaking old 486 about 10 minutes for exmh to do a filtered 'inc' on the new mail. However I have to pay the phone bills to download all the cruft in the first place, just in order to get the rare nugget. And I can't use my mailer while the 'inc' is running. And if everyone else is paying and waiting too, then maybe it turns out to be better for the messages to be filtered centrally, so we all waste less time and money, even if the server does heat up a little. (Hell, I might even chip in to upgrade the list server if that's what it took, and still save money.)

Besides, it's not necessarily true that filtering would make the server load significantly worse (certainly not if PGP is the other option), or even that it makes it worse at all. For example, the overhead on doing a lookup on a short list of filtered users might well be more than offset by not having to send the message. (Having once seen a DEC alpha brought to its knees by 'sendmail', I can believe that...). If processing turned out to be a genuine problem then maybe the list could be split over several servers.

(In an ideal world, of course, the filtering agents would be mobile, and would learn to back all the way up the pipe and would eventually run on the spammer's machines :-)
> In addition, a filtering majordomo will only 'protect' the lists that it serves. I don't know about you but I get a lot of spam from all sorts of different sources. I need to have a filter anyhow. It's not hard to add some more rules to filter out each list's bozos. It's a lot simpler to do that than it would be to upload filter rules to each of the 10 or 12 listservers I get mail from.
True, but I'd sure love not to have to download some of the cruft down the old 28.8 line in the first place...I suppose IMAP would have the same thing going for it but it's not here yet (plus you still have all that list cruft that 99% of people filter or delete going up and down the internet). [ deletia ... The security issues you mention are real, but so are the solutions you mention :-) ] Cheers, Frank O'Dwyer.

Frank O'Dwyer wrote:
>> [...] the drivel that comes from some of our more prolific posters is best handled by filtering by the list members themselves. (I currently have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)
> It would be nice if each user could install filters on Majordomo itself. Not only would we not need to buy Eudora Pro, but we wouldn't have to pay to download messages we didn't want to read, and without having to employ a moderator (censor). The most serious drawback I can think of is the slight loss of privacy involved in revealing one's filtering preferences to the server
[snip] The most serious drawback is the precedent you'd be setting.
participants (16)
- Alan Bostick
- Bill Frantz
- Dale Thorn
- David Molnar
- dlv@bwalk.dm.com
- Eric Murray
- Frank O'Dwyer
- ichudov@algebra.com
- Mark M.
- nobody@replay.com
- Ray Arachelian
- Sandy Sandfort
- Scott V. McGuire
- snow
- Toto
- Z.B.