Re: Hardening lists against spam attacks
I think this is an interesting theoretical discussion, although it's not clear whether it is actually a good idea to try implementing this. From: nobody@replay.com (Anonymous)
A very good scheme, but why not give each subscriber a token when s/he subscribes? Something along the lines of:
- - - - - - - - - - - - - - - - - - - - Welcome to Cypherpunks.
Your unique token is: 0A553FC1771623109504522E31C07F44
This token must appear either as the first line of the message body or in an X-Token: header for any mail you send to the list. Any messages sent to the list address without this information will be discarded. [...] Bob wants to post something anonymously. His token isn't associated with his user ID -- the only thing Majordomo knows about it is that it's in the token file and it's flagged as active. He sends the message through the remailer network with his token in it, and Majordomo validates it, strips it out, and passes the message to the subscribers, decrementing the number of messages Bob has remaining for that day.
This requires Bob to trust the server to keep his identity secret. Although you _say_ that majordomo didn't associate the token with the userid, how does Bob know that? Certainly majordomo did, when Bob subscribed, see the association between the userid and the token. Now he has to trust that it has been forgotten. Even if it has, what about eavesdroppers on the list channel? What about the operator on the machine, who is peeking at what majordomo is doing? This mechanism will not provide enough anonymity for most posters. An alternative similar to what I proposed earlier is for majordomo to provide a blinded token, one which it doesn't see. This would be used specifically for anonymous postings. It does have the problem that it allows linking postings by the same pseudonymous nym - all will have the same token. But maybe we want to encourage that. (The full proposal I made involved use-once tokens, just like online digital cash, so that there would be no linkage and it would allow real anonymity.)
Mallory wants to spam the list. He subscribes and gets a token, which he uses to forward commercial announcements to the list. The list manager checks the logs to see which token was used, and reduces its posting limit or invalidates it. Mallory is no longer allowed to post, unless his token is reinstated (or he unsubscribes and resubscribes).
This unsubscribe/resubscribe issue has been mentioned before as a problem. I am not too concerned with it, for a few reasons. First, it may not be too difficult to recognize that it is happening. If the same user name is used we can prevent issuing new tokens on an unsubscribe/resubscribe cycle. If different user names are used but common domain names (an attack which many people could mount) we could recognize that with somewhat more difficulty, and mark those domains as special. Most people would have trouble getting lots of different accounts with different domain names. Eric Hughes maxim, "all crypto is economics", applies here. We can easily make it much more difficult for flooding attacks to occur. Hal
Hal Finney writes:
I think this is an interesting theoretical discussion, although it's not clear whether it is actually a good idea to try implementing this.
Yeah, I just floated it as a trial balloon of sorts. It seemed like a way to "harden" the list somewhat without forcing users to go to full encryption. I had a few extra brain cells to burn off yesterday. Your points are entirely correct, though: you have to trust the list admin, and you have to have some faith in the Majordomo software not to retain your ID once it generates your token. The usual eavesdropping concerns remain as well. [snip]
An alternative similar to what I proposed earlier is for majordomo to provide a blinded token, one which it doesn't see. This would be used specifically for anonymous postings.
In your scheme, I presume one would get a blinded token (in an encrypted message) when subscribing, and postings from non-subscribers would be checked for a valid token? (Please correct me if I'm wrong. . .)
It does have the problem that it allows linking postings by the same pseudonymous nym - all will have the same token. But maybe we want to encourage that.
Probably not the worst thing in the world.
(The full proposal I made involved use-once tokens, just like online digital cash, so that there would be no linkage and it would allow real anonymity.)
Hmm, an interesting tie-in. Maybe one could "buy" tokens to post anonymously? It'd give new meaning to the phrase "putting your money where your mouth is." :-) Thanks for the feedback! (returning to lurk mode now. . .)
nobody@replay.com (Anonymous) writes:
Your points are entirely correct, though: you have to trust the list admin, a you have to have some faith in the Majordomo software not to retain your ID once it generates your token. The usual eavesdropping concerns remain as well
Trusting the lying cocksucker John Gilmore is very foolish. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
Hal Finney <hal@rain.org> writes:
This requires Bob to trust the server to keep his identity secret. Although you _say_ that majordomo didn't associate the token with the userid, how does Bob know that? Certainly majordomo did, when Bob subscribed, see the association between the userid and the token. Now he has to trust that it has been forgotten. Even if it has, what about eavesdroppers on the list channel? What about the operator on the machine, who is peeking at what majordomo is doing? This mechanism will not provide enough anonymity for most posters.
If the majordomo operator is the lying cocksucker John Gilmore, then he definitely should not be trusted. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
participants (3)
-
dlv@bwalk.dm.com -
Hal Finney -
nobody@replay.com