Is the list down?
I didn't get anything from Cypherpunks today (Sunday), is the list down? John K Clark johncla@freenet.fsu.edu
John Clark writes:
I didn't get anything from Cypherpunks today (Sunday), is the list down?
Is it excessively paranoid of me to wonder whether this was a deliberate denial-of-service attack? How exciting, if it was.
-- Mike McNally <m5@tivoli.com>, Tivoli Systems, Austin, TX ("GOOD TIME FOR MOVIE-GOING. TAKE TWA TO CAIRO." -- actual fortune cookie)
On Mon, 9 May 1994, John Clark wrote:
I didn't get anything from Cypherpunks today (Sunday), is the list down? John K Clark johncla@freenet.fsu.edu
Send a message to majordomo@toad.com with the line "subscribe cypherpunks" in it. Looks like we had a little denial of service attack from you know who. Everyone was unsubscribed. DCF
Duncan Frissell <frissell@panix.com> writes: Looks like we had a little denial of service attack from you know who.
Actually, I don't -- I can think of two likely suspects... of course, they could be tentacles of each other, but the styles don't match.
Everyone was unsubscribed.
I guess that means forging a message from each of us; when I first tried subscribing, it wouldn't accept my subscription from mycroft.rand.org for my mail address of rand.org without human intervention, so the attacker couldn't do it from his own account without forging. I just did an experiment verifying that "Reply-to" is honored by Majordomo, which would explain why I didn't get acked for the unsubscribe on Saturday.

Cooperative anarchy works only when people can be either motivated or coerced into being cooperative. As the net keeps increasing exponentially the probability of sucking in a critical mass of loonies increases along with it. As with public key cryptography, it takes only a linear increase in loonies to seriously interfere with the exponentially increasing (relatively) sane population.

Well... countermeasures. Majordomo could require its subscriptions signed with a valid public key (PGP or RIPEM) with the public key in the signed body, and process future transactions for that individual only if they're signed. That's still open to a spam attack, though, where the attacker can subscribe 30 variations of (say) Jim Gillogly's address with different public keys constructed just for that, and Gillogly wouldn't be able to send the right unsubscriptions.

Hurm.

Jim Gillogly
Mersday, 18 Thrimidge S.R. 1994, 16:09
I guess that means forging a message from each of us; when I first tried subscribing, it wouldn't accept my subscription from mycroft.rand.org for my mail address of rand.org without human intervention, so the attacker couldn't do it from his own account without forging. I just did an experiment verifying that "Reply-to" is honored by Majordomo, which would explain why I didn't get acked for the unsubscribe on Saturday.
Would Majordomo still have copies of these replies? That should point the finger (hopefully).
Cooperative anarchy works only when people can be either motivated or coerced into being cooperative. As the net keeps increasing exponentially the probability of sucking in a critical mass of loonies increases along with it. As with public key cryptography, it takes only a linear increase in loonies to seriously interfere with the exponentially increasing (relatively) sane population.
Well... countermeasures. Majordomo could require its subscriptions signed with a valid public key (PGP or RIPEM) with the public key in the signed body, and process future transactions for that individual only if they're signed. That's still open to a spam attack, though, where the attacker can subscribe 30 variations of (say) Jim Gillogly's address with different public keys constructed just for that, and Gillogly wouldn't be able to send the right unsubscriptions.
Increase human intervention, i.e. a human needs to authorise unsubscribes (or doesn't accept replies), as not all people use PGP or RIPEM.
Hurm.
Jim Gillogly Mersday, 18 Thrimidge S.R. 1994, 16:09
Yours in SYNC.
Robert Sturtz <rsturt@wilbur.mbark.swin.oz.au> (Ice-Fox on irc), Vice-President of Eastern Wargamers And Roleplayers Club
On Mon, 9 May 1994, Jim Gillogly wrote:
Well... countermeasures. Majordomo could require its subscriptions signed with a valid public key (PGP or RIPEM) with the public key in the signed body, and process future transactions for that individual only if they're signed. That's still open to a spam attack, though, where the attacker can subscribe 30 variations of (say) Jim Gillogly's address with different public keys constructed just for that, and Gillogly wouldn't be able to send the right unsubscriptions.
Or you could remove the ability to whois the subscribers of the list. I know it can be done, as queernet has done that for its majordomo lists. At the very least, that will remove the ability to get a listing of who is subscribed, although I kind of think it's nice to be able to see who is on the list.

I worry that requiring PGP or some other signature could pose problems for those outside the U.S., especially if MIT-PGP is apparently not exportable.

Another choice is to require a confirmation from the subscriber. I run several LISTSERV mailing lists, and while it doesn't require confirmation for unsubscription (just signing up), it does keep down the number of "accidental" activities. It'd be pretty trivial to hack majordomo to reply to the address in the whois list (instead of the Reply-To:) and maintain a small database of 'pending' people. By requiring a, say, six-digit code in the subject line of the confirmation, the software can verify that it is genuine. As I said, LISTSERV implements something similar as an option for subscribing. Maybe even for unsubscribing (I've never checked).

Robert A. Hayden <hayden@krypton.mankato.msus.edu> (finger for Geek Code info and PGP 2.3a public key)
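A toy model of the confirmation scheme Hayden proposes, added here as an illustration (it is not code from the thread, nor Majordomo's or LISTSERV's): the six-digit challenge is mailed to the address on the subscriber roll rather than to whatever Reply-To the request carries, and a switch reproduces the weak Reply-To-honouring behaviour Gillogly observed so the two can be compared. All addresses and the in-memory "outbox" are constructed for the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Mail:
    sender: str           # From: header; trivially forgeable
    subject: str = ""
    body: str = ""        # first word is the majordomo command
    reply_to: str = ""    # Reply-To: header; also forgeable

class ConfirmingList:
    # Each (un)subscribe request is parked until its code comes back in the Subject line.
    def __init__(self, honor_reply_to=False):
        self.honor_reply_to = honor_reply_to  # True = the weak behaviour Gillogly observed
        self.subscribers, self.pending, self.outbox = set(), {}, []

    def handle(self, mail):
        if mail.subject.startswith("confirm "):
            return self._confirm(mail.subject.split()[1])
        words = mail.body.split()
        if not words or words[0] not in ("subscribe", "unsubscribe"):
            return "ignored: unknown command"
        action, addr = words[0], mail.sender
        if action == "unsubscribe" and addr not in self.subscribers:
            return "ignored: not a subscriber"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (action, addr)
        # Hardened path: the challenge goes to the subscriber address itself,
        # so a forger who cannot read that mailbox never learns the code.
        to = mail.reply_to if self.honor_reply_to and mail.reply_to else addr
        self.outbox.append((to, f"confirm {code}"))  # outbox stands in for sendmail
        return "pending"

    def _confirm(self, code):
        if code not in self.pending:
            return "ignored: bad code"
        action, addr = self.pending.pop(code)   # one-shot code
        (self.subscribers.add if action == "subscribe" else self.subscribers.discard)(addr)
        return action + "d"   # "subscribed" / "unsubscribed"

def alice_survives_forgery(honor_reply_to):
    # Alice subscribes; Mallory forges "unsubscribe" in her name with his own Reply-To
    # and answers any challenge that reaches him. True if Alice is still subscribed.
    lst = ConfirmingList(honor_reply_to)
    lst.handle(Mail("alice@example.org", body="subscribe"))
    lst.handle(Mail("alice@example.org", subject=lst.outbox[-1][1]))
    lst.handle(Mail("alice@example.org", body="unsubscribe", reply_to="mallory@example.net"))
    to, subject = lst.outbox[-1]
    if to == "mallory@example.net":    # the weak config leaks the code to Mallory
        lst.handle(Mail("mallory@example.net", subject=subject))
    return "alice@example.org" in lst.subscribers
```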
participants (6)
- Duncan Frissell
- Ice-Fox (aka Robert Sturtz)
- Jim Gillogly
- John Clark
- m5@vail.tivoli.com
- Robert A. Hayden