Re: Making Remailers Widespread [REMAILERS]
At 09:37 AM 9/29/96 EDT, you wrote:
How about: maintain a list of trusted blocking-list sites (comparable to the list of remailers used for chaining) and when it comes the time to update the local copy of the blocking list, ask a random one on the list; if it's down, ask another random one on the list. There may even be more than one list. :-)
Getting more complex, but it might be workable.
sender-blocking list ... With most ISP's it's trivial to forge one's From: header in SMTP. Switching to another dime-a-dozen throwaway account is also trivial. Just admit that you can't block senders, and don't pretend that you can - false pretenses destroy one's credibility.
You obviously can't source-block a determined spammer, but you can slow down some spam attacks, especially if they're one individual using his/her regular account. It's no panacaea, but it helps. Also, if you source-block based on patterns anywhere in the header, you can catch less capable email forgers.
I think I see a way to accomplish this without too much trouble. When an e-mail is directed at u@c4.c3.c2...c1, the code that checks for blocking will search for the following records in the blocking list: u@c4.c3.c2...c1 (exact match) *@c4.c3.c2...c1 (replace user by *) u@*.c3.c2...c1 (replace leftmost .-separated piece of domain by *) *@*.c3.c2...c1 (both) and repeat until there are only 2 components left in the domain name.
That'd work. It's clunky, but there's no avoiding clunkiness for this sort of thing, and it does preserve privacy.
Now, the question is, who would be allowed to add records containing '*' to the blocking list using the cookie protocol? I suggest that it be one of the contacts listed in Internic's database.
postmaster@domain is (ostensibly) guaranteed to exist. The Internic database is an interesting alternative, but for this I suspect postmaster is good enough. There's also the problem that for many domains, where smallcompany.com is virtual on an ISP, the Internic database will generally list someone at the ISP, who probably has no interest in the issue, rather than someone responsible for making decisions about smallcompany.com
Thus a blocking record for cypherpunks@toad.com could be added by anyone listed in toad.com's Internic entry. There's no need for any Remailer Cabal [tinc] to maintain blocking lists.
For destination blocking, I agree that users should be able to block their own stuff as automagically as possible. For source blocking, most of the need is for spams and abusers that have been tracked down (or identify themselves in their postings), and that takes human thought. In particular, spammers are unlikely to block themselves from the remailers (:-), but forgers may try to block legitimate users.
One other suggestion: instead of storing one bit of information (the address is on the list or not), why not have several flag bits. E.g., the blocking list could contain records similar to: hash - e.g. 160-bit SHA flags - e.g. reserve 32 bits
Interesting. I suspect the state of the art would be to collect the bits with a disclaimer that there isn't any code to interpret them :-), but it does let you build a blocking database that's usable as capabilities grow. Any suggestions for flags besides block/allow one-way, block/allow two-way, and max-size? I'm thinking of doing a remailer that instead of sending you a message, it sends you a retrieval cookie and lets you send it back to collect the message; blocking that would be another flag. The other kind of blocking that needs adding is blocking by words in message bodies - the spammer that caused me to shut down my remailer and not bring it back up was posting hate messages with somebody else's name and email signed at the bottom. It only took one or two to generate a flood of flames to the victim, and my current remailer couldn't block any followups. Also, since the spammer wasn't generating the flames himself, his spam slipped under the remailer's spam counter, just as hipcrime's did. This sort of blocking also lets you block things like the hipcrime spam and MAKE MONEY FAST. But it's a much more sensitive problem - anybody who can add things to the body-checking list can start doing real censorship, and it's probably best to leave that to individual operators to block, or at least to turn on by hand rather than default. # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # <A HREF="http://idiom.com/~wcs"> # You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto
Bill Stewart <stewarts@ix.netcom.com> writes:
At 09:37 AM 9/29/96 EDT, you wrote:
How about: maintain a list of trusted blocking-list sites (comparable to the list of remailers used for chaining) and when it comes the time to update th local copy of the blocking list, ask a random one on the list; if it's down, ask another random one on the list. There may even be more than one list. :-
Getting more complex, but it might be workable.
Unfortunately, making a system more reliable and available sometimes entails additional cost in terms of complexity and redundancy.
sender-blocking list ... With most ISP's it's trivial to forge one's From: header in SMTP. Switching to another dime-a-dozen throwaway account is also trivial. Just admit that you can't block senders, and don't pretend that you can - false pretenses destroy one's credibility.
You obviously can't source-block a determined spammer, but you can slow down some spam attacks, especially if they're one individual using his/her regular account. It's no panacaea, but it helps. Also, if you source-block based on patterns anywhere in the header, you can catch less capable email forgers.
If you don't see why I think it's wrong to pretend to be able to do something you can't do, then I probably can't explain it to you. Try asking your parents or your priest or something. :-)
I think I see a way to accomplish this without too much trouble. When an e-mail is directed at u@c4.c3.c2...c1, the code that checks for blocking will search for the following records in the blocking list: u@c4.c3.c2...c1 (exact match) *@c4.c3.c2...c1 (replace user by *) u@*.c3.c2...c1 (replace leftmost .-separated piece of domain by *) *@*.c3.c2...c1 (both) and repeat until there are only 2 components left in the domain name.
That'd work. It's clunky, but there's no avoiding clunkiness for this sort of thing, and it does preserve privacy.
I think it'll be pretty efficient, though.
Now, the question is, who would be allowed to add records containing '*' to the blocking list using the cookie protocol? I suggest that it be one of the contacts listed in Internic's database.
postmaster@domain is (ostensibly) guaranteed to exist. The Internic database is an interesting alternative, but for this I suspect postmaster is good enough. There's also the problem that for many domains, where smallcompany.com is virtual on an ISP, the Internic database will generally list someone at the ISP, who probably has no interest in the issue, rather than someone responsible for making decisions about smallcompany.com
That's a very good point: I retract the InterNIC siggestion. Also it's possible for someone to be reached at a certain address, but not be able to e-mail from that address. So here's the new improved version: Scenario 1. Alice used to be a student at nursery.edu, reachable as alice@nursery.edu. She can no longer log in there, but her e-mail is forwarded to alice@work.com. Alice doesn't wish to receive anonymous e-mail via her edu account unless it includes a reply block. Alice tells one of the 'bots maintaining the blocking lists that she wants alice@nursery.edu blocked. She should be able to make this request via a WWW form or by e-mailing a 'bot from alice@work.com. The 'bot sends a cookie to alice@nursery.edu, which is forwarded to alice@work.com. Alice sends back the cookie to confirm. (To prevent an obvious attack, the 'bot shouldn't send more than one cookie to a given address in a 24-hour period. Perhaps one of the flags should be 'don't send cookies unless the request is e-mailed from the account.) Scenario 2: root@bwalk.dm.com wants to add *@bwalk.dm.com to the blocking list. (Not likely. :-). Again, the request is submitted to one of the 'bots via a WWW form or by e-mail. Seeing that the address contains a wildcard, the 'bot sends a cookie to postmaster@bwalk.dm.com. Presumably whoever reads postmaster mailbox is authorized to send back the cookie and to confirm the wildcard block.
Thus a blocking record for cypherpunks@toad.com could be added by anyone listed in toad.com's Internic entry. There's no need for any Remailer Cabal [tinc] to maintain blocking lists.
For destination blocking, I agree that users should be able to block their own stuff as automagically as possible.
I think it's fair to assume that whoever demonstrates his ability to receive postmaster's mail by returning a cookie sent to postmaster has the authority to block receivers in that domain. I.e. there needs to be a way for postmaster@toad.com to say: block cypherpunks@toad.com, but send the cookie to postmaster@toad.com, not cypherpunks@toad.com. I think it's fair to assume that whoever gets a cookie sent to an address has the authority to block that address: that takes care of the .forward scenario I described.
For source blocking, most of the need is for spams and abusers that have been tracked down (or identify themselves in their postings), and that takes human thought. In particular, spammers are unlikely to block themselves from the remailers (:-), but forgers may try to block legitimate users.
One other suggestion: instead of storing one bit of information (the address is on the list or not), why not have several flag bits. E.g., the blocking list could contain records similar to: hash - e.g. 160-bit SHA flags - e.g. reserve 32 bits
Interesting. I suspect the state of the art would be to collect the bits with a disclaimer that there isn't any code to interpret them :-), but it does let you build a blocking database that's usable as capabilities grow. Any suggestions for flags besides block/allow one-way, block/allow two-way, and max-size? I'm thinking of doing a remailer that instead of sending you a message, it sends you a retrieval cookie and lets you send it back to collect the message; blocking that would be another flag.
I just came up with another one above. :-) I think reserving 32 bits should be enough for future expansion, or 64 to be really generous with disk space.
The other kind of blocking that needs adding is blocking by words in message bodies - the spammer that caused me to shut down my remailer and not bring it back up was posting hate messages with somebody else's name and email signed at the bottom. It only took one or two to generate a flood of flames to the victim, and my current remailer couldn't block any followups. Also, since the spammer wasn't generating the flames himself, his spam slipped under the remailer's spam counter, just as hipcrime's did. This sort of blocking also lets you block things like the hipcrime spam and MAKE MONEY FAST. But it's a much more sensitive problem - anybody who can add things to the body-checking list can start doing real censorship, and it's probably best to leave that to individual operators to block, or at least to turn on by hand rather than default.
I agree that each operator should be able to block what goes out of his remailer based on strings being contained in the body. However having some Cabal force this filtering automatically on all remailer operators is a very bad idea, even if the operators consent to it. In the scenario you described above, was the victim's address encrypted in the reply block, or was it in cleartext? If it was in cleartext, then it's little different from Peter Vorobiev forging garbage in my name and Timmy May (fart) quoting it as someting I really said. (Some time ago Vorobiev forged Usenet articles from my wife's seldom used account on another machine claiming that we split up. Dave Hayes actually asked me over the phone if it's true. There are strange people out there.) I'm not claiming to have all the solutions - this is merely a way to block recepients without taking up too much of operator's time. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
One other suggestion: instead of storing one bit of information (the address is on the list or not), why not have several flag bits. E.g., the blocking list could contain records similar to: hash - e.g. 160-bit SHA flags - e.g. reserve 32 bits ... Any suggestions for flags besides block/allow one-way, block/allow two-way, and max-size?
Here are two more ideas: 1. A bit to indicate that the recipient doesn't want to receive anonymous e-mail if it contains the strings "fuck", "piss", "shit", "cunt", etc. Of course, this can be circumvented with "f*ck u c*nt", but it shows good faith. 2. Limit the maximum number of e-mails that one remailer can send to this address in a 24-hour period. I'd suggest using 2 bits: 00 - unlimited 01 - 10 / day 10 - 100 / day 11 - 1000 / day with the default being 10 / day for addresses not in the database and also for addresses added to the preferences database w/o specifying otherwise. Thus, if you do expect to receive more than 10 anonymous e-mails / day via one remailer, you must add your address to the database, not necessarily blocking anythihg, but specifing that you want 100, 1000, or an unlimited number of messages in a day. When the count goes over the limit, a single e-mail is sent to the recipient saying that there may be an attempt to mailbomb him, that some of his e-mail was being junked, and that he can change the settings if he wants to. This should prevent the kind of abuse you've described. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
participants (2)
-
Bill Stewart -
dlv@bwalk.dm.com