Re: Penet Spoofing
I would like to add that I have evidently been a victim of "penet spoofing" as well, since I too received the following message from penet:

You have sent a message using the anonymous contact service. You have been allocated the code name anXXXXX You can be reached anonymously using the address anXXXXX@anon.penet.fi.

Somebody is trying to be clever and forging mail to figure out my penet id (surprise, I don't have one, but now I do). When I got this message, I immediately sent off in an attempt to set my password. I haven't heard back yet, so I don't know if it was successful or not. If the password set fails, then somebody has taken over anXXXXX and I'll be mailing Julf in order to get it removed.

Whoever wants to know my penet id... I'll save you some trouble:

an4609 - my old (now expired) account elee9sf@menudo.uh.edu
an5022 - my old (now expired/locked) account barrus@tree.egr.uh.edu

Now, of course, I have a new one, which somebody has thoughtfully started up for me.

Karl Barrus
klbarrus@owlnet.rice.edu
Karl said:
Somebody is trying to be clever and forging mail to figure out my penet id (surprise, I don't have one, but now I do).
I doubt it's a forgery attack. More likely, somebody subscribed to the list under an anXXXX address rather than naXXXX -- possibly intentionally, but probably just by mistake. The effect is that everyone who posts to the list has their headers pseudonymized before their messages are passed to the subscriber.

The people who were told they had been given anXXXX addresses were the lucky ones. People who already had unpassworded addresses, and who have unstripped .sigs or other identifiers, have had their pseudonyms and truenames silently handed to the subscriber. Nasty failure mode.

This has happened on the list a few times before. The first or second time was one of the major reasons Julf added the naXXXX capability, as I recall, to let anonymous users safely subscribe to mailing lists. Passwords were intended to stop the forgery attack, but are helpful here too. This mail, for example, should never reach the subscriber in question, because I didn't include my password.

A handy stopgap would be for majordomo to screen out anXXXX addresses (better, convert them to naXXXX), and other known double-blinding addresses. The behavior of anon.penet.fi interacts poorly with mailing lists, but we've had that discussion before.

Eli
ebrandt@hmc.edu
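As an added illustration of the failure mode and the stopgap Eli describes (example code, not from this thread, majordomo or anon.penet.fi): a toy model in which mail delivered to an anNNNN address allocates the sender a pseudonym while naNNNN and ordinary addresses pass the sender through, plus the list-side normalization that converts anNNNN subscribers to naNNNN. The allocation rule, the address shapes and the sample subscribers are assumptions built from the thread's description.

```python
import re

# anNNNN: double-blinding alias; mail sent to it gets the sender a pseudonym too.
# naNNNN: one-way alias; mail reaches the anonymous user without pseudonymizing the sender.
ANON_RE = re.compile(r"^an(\d+)@anon\.penet\.fi$", re.IGNORECASE)


def to_one_way(addr: str) -> str:
    """Rewrite anNNNN@anon.penet.fi to naNNNN@anon.penet.fi; other addresses are unchanged."""
    m = ANON_RE.match(addr.strip())
    return f"na{m.group(1)}@anon.penet.fi" if m else addr.strip()


class PenetModel:
    """Toy model of the remailer's allocation rule (an assumption, not its real code)."""

    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}  # truename -> allocated pseudonym

    def deliver(self, sender: str, recipient: str) -> str:
        """Return the sender address as the recipient would see it."""
        if ANON_RE.match(recipient):
            # Double-blinding: a first-time sender is silently allocated an id.
            if sender not in self.aliases:
                self.aliases[sender] = f"an{len(self.aliases) + 1:05d}"
            return self.aliases[sender]
        return sender  # naNNNN and ordinary addresses: truename passes through


def relay_post(subscribers: list[str], sender: str, remailer: PenetModel,
               screen: bool = False) -> dict[str, str]:
    """Fan one list post out to every subscriber; with screen=True the list
    normalizes anNNNN subscriber addresses to naNNNN before delivery."""
    return {sub: remailer.deliver(sender, to_one_way(sub) if screen else sub)
            for sub in subscribers}


# Constructed sample: one subscriber joined under a double-blinding address.
SUBSCRIBERS = ["an12345@anon.penet.fi", "bob@example.com"]


def posters_pseudonymized(screen: bool) -> list[str]:
    """Post twice to the list and report which posters were allocated an alias."""
    remailer = PenetModel()
    for poster in ("alice@example.com", "carol@example.com"):
        relay_post(SUBSCRIBERS, poster, remailer, screen=screen)
    return sorted(remailer.aliases)
```

Without screening, every poster ends up with an allocated alias; with the anNNNN-to-naNNNN rewrite in place, nobody does.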
I would like to add that I have evidently been a victim of "penet spoofing" as well, since I too received the following message from penet:
I have another theory: If an anXXX@anon.penet.fi address subscribes to the mailing list, then everybody who sends mail to the list will be given an anon alias. (Now to wait and see whether I get allocated an anon id from anon.penet.fi in response to this message.) I still say that double-blinding should not be the default action of servers like that at anon.penet.fi. Double blinding is sometimes useful, but one should have to request it explicitly. --apb (Alan Barrett)