Pasting in From:

Andy Dustman andy at neptune.chem.uga.edu
Tue Dec 2 09:27:18 PST 1997



On 2 Dec 1997, Charlie Comsec wrote:

> As long as blocking requests are authenticated with some sort of "cookie"
> token scheme, that would be acceptable.  That goes for INDIVIDUAL blocking
> requests.

I used to require that people reply to a confirmation message before I
would block them, but it was really too much effort. I check the headers,
and as long as it looks like the request came from them, I block them and
send them a message that they are blocked, so at least if it's a spoofed
request, they will know they have been spoofed.

>  Somewhat more discretion ought to be used for requests to block
> an entire domain. That should probably only be done upon request from the
> "postmaster" at that domain, and when an entire domain is blocked,

I do exactly that, or require a request from the internic-listed contact.

> The problem with eliminating any feature that gets abused is that it's an open
> invitation for someone to deliberately abuse it just to get it eliminated.
> Whenever possible, a solution should be sought which eliminates abuse while still
> allowing legitimate use.

Agreed, and I think I've worked out a reasonable compromise, because even
if you do try to forge somebody, it should scream, "Hey, you should be
suspicious about where this really came from."

Andy Dustman / Computational Center for Molecular Structure and Design
For a great anti-spam procmail recipe, send me mail with subject "spam".
Append "+spamsucks" to my username to ensure delivery.  KeyID=0xC72F3F1D
Encryption is too important to leave to the government. -- Bruce Schneier
http://www.athens.net/~dustman mailto:andy at neptune.chem.uga.edu   <}+++<







More information about the cypherpunks-legacy mailing list