Re: Novel use of Usenet and remailers to mailbomb from luzskru@cpcnet.com
At 10:25 PM 1/12/96 GMT, John Lull wrote:
On Fri, 12 Jan 1996 10:55:12 -0800, you wrote:
Cypherpunks: is there any way to respond to, or prevent, this sort of attack short of actually shutting down the remailer?
Yes, very simply.
The remailer could calculate a hash for the body of each encrypted message received (the same portion which will be decrypted by PGP), tabulate the last few thousand hashes, and simply discard any messages with a duplicate hash. The target of the attack would receive only the first copy of the message.
I am afraid it is not that simple. Remember that the mailbombing consists of many, many horny little geeks responding to a single message. They are replying to the same message (and probably adding a few "me too!" lines), not mailing the same one over and over again.
Another idea would be to keep a md5 (or other) hash list of the reply block used and have a disabled list for such spam attacks. (Unfortunately this requires code, thus time.)
Pretty nasty variation on a "denial of service" attack. What next? Fake "David Rhodes does e-cash" messages with the target's e-mail address?
Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
`finger -l alano@teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/
"Is the operating system half NT or half full?"
On Fri, 12 Jan 1996 16:22:03 -0800, Alan Olsen wrote:
At 10:25 PM 1/12/96 GMT, John Lull wrote:
On Fri, 12 Jan 1996 10:55:12 -0800, you wrote:
Cypherpunks: is there any way to respond to, or prevent, this sort of attack short of actually shutting down the remailer?
Yes, very simply.
The remailer could calculate a hash for the body of each encrypted message received (the same portion which will be decrypted by PGP), tabulate the last few thousand hashes, and simply discard any messages with a duplicate hash. The target of the attack would receive only the first copy of the message.
I am afraid it is not that simple. Remember that the mailbombing consists of many, many horny little geeks responding to a single message. They are replying to the same message (and probably adding a few "me too!" lines), not mailing the same one over and over again.
The specific attack referred to had an entire encrypted message, not just a reply block. Obviously this solution does not work if only a reply block is encrypted.
Another idea would be to keep a md5 (or other) hash list of the reply block used and have a disabled list for such spam attacks. (Unfortunately this requires code, thus time.)
Even worse, it requires manual intervention for each attack unless you are willing to add reply blocks to the list based simply on the volume of messages using that reply block. That could prevent the remailer network being overwhelmed, but is not likely to be seen as adequate by the target, who would likely still see the first several dozen messages before the specified threshold was reached.
There is another related solution for the attack using just a reply block, however. The final remailer could collect messages either using a given reply block, or addressed to a given address, if more than a few were received in a relatively short period of time. It could then forward the first half-dozen or so, along with a note that another X thousand messages were waiting, and asking if the intended recipient wanted them forwarded or trashed. Unfortunately this would not prevent the remailer network from being overwhelmed.
Perhaps some combination of these solutions would be required -- rationing based on the reply block at each remailer, and collection & recipient notification at the final remailer.
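
[Added example, not part of any poster's message or of any remailer's code: a sketch of the two mitigations proposed above combined at the final remailer, discarding exact duplicate bodies and holding traffic once one reply block receives more than a handful of messages in a short period. The names `FloodFilter`, `accept` and `notice`, the one-hour window, and the choice of SHA-256 as the "other" hash are assumptions made for illustration.]

```python
import hashlib
from collections import OrderedDict, defaultdict, deque

class FloodFilter:
    """Duplicate-body discard plus per-reply-block hold (hypothetical names)."""
    def __init__(self, max_hashes=5000, forward_first=6, window=3600.0):
        self.max_hashes = max_hashes        # "the last few thousand hashes"
        self.forward_first = forward_first  # "the first half-dozen or so"
        self.window = window                # assumed: seconds treated as a "short period"
        self.seen = OrderedDict()           # body digest -> None, oldest first
        self.recent = defaultdict(deque)    # reply-block digest -> arrival times
        self.held = defaultdict(list)       # reply-block digest -> held bodies

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def accept(self, reply_block: bytes, body: bytes, now: float) -> str:
        """Return 'discard', 'forward' or 'hold' for one incoming message."""
        h = self.digest(body)
        if h in self.seen:
            return "discard"                # exact duplicate of a recent body
        self.seen[h] = None
        if len(self.seen) > self.max_hashes:
            self.seen.popitem(last=False)   # forget the oldest hash
        key = self.digest(reply_block)
        times = self.recent[key]
        while times and now - times[0] > self.window:
            times.popleft()                 # drop arrivals outside the window
        times.append(now)
        if len(times) <= self.forward_first:
            return "forward"
        self.held[key].append(body)         # kept until the recipient decides
        return "hold"

    def notice(self, reply_block: bytes) -> str:
        """Text of the note sent to the recipient about held mail."""
        n = len(self.held[self.digest(reply_block)])
        return f"{n} more messages are waiting; forward or trash?"

def demo():
    f = FloodFilter(forward_first=6)
    block = b"constructed-reply-block"
    # Constructed flood: one exact duplicate, then ten distinct "me too" replies.
    out = [f.accept(block, b"original", 0.0), f.accept(block, b"original", 1.0)]
    out += [f.accept(block, b"me too %d" % i, 2.0 + i) for i in range(10)]
    return out, f.notice(block)
```

The distinct "me too" replies pass the duplicate check, which is the weakness raised in the thread; only the per-reply-block counter stops them.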
Alan Olsen <alano@teleport.com> writes: ...
Pretty nasty variation on a "denial of service" attack. What next? Fake "David Rhodes does e-cash" messages with the target's e-mail address?
I've seen worse on soc.culture.*. :-)
I think, an appropriate response for the victim would be to accept only digitally signed e-mail from people he wishes to receive e-mail from, and to junk all other e-mail (unsigned or from strangers).
---
Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
participants (3): Alan Olsen, dlv@bwalk.dm.com, lull@acm.org