Re: [Full-Disclosure] Mailing lists and unsolicited/malicious spam
Date: 11/27/04

    To: n3td3v <>
    Date: Fri, 26 Nov 2004 18:21:49 -0500

    On Fri, 26 Nov 2004 16:51:27 GMT, n3td3v said:

    > I was thinking, why are all e-mail addresses not encrypted as soon as
    > they leave the author's mail client, surely this would stop anyone
    > seeing the address, apart from the mail client at the other end the
    > message was intended for. And when a user mails a mailing list the
    > e-mail address could be read by the mailing list software, but stays
    > encrypted for the broadcast out to the subscribers of the list.

    The biggest problem here is that "reply" breaks.

    The less obvious problem is that you are implying a way for the mailing
    list software to decrypt the address, but *not* allow a spammer to decrypt
    the address. The only obvious solution for *that* is to encrypt to the
    public key of the mailing list (forget a "shared secret" scheme, that won't
    scale at all). This however implies that your MUA knows about the public
    keys for all lists you post to (which also means that you can't send e-mail
    from an internet cafe or any machine that doesn't know what lists you are on).

    An even less obvious problem is that you lose all cross-list identity - perhaps
    'n3td3v' only posts to F-D, but I post to a number of lists, and a large number
    of people read my postings on multiple lists. As such, things like "Oh, he's
    the guy who posts clued stuff on NANOG" or "Oh, that's Harlan Carvey, he has a
    clue over on that other list" are difficult to correlate across lists....

    (It cuts both ways - it also means that you have to re-learn that a given user
    is a total idiot over and over, once for each list, rendering kill files much
    less useful...)

    I'm sure if I think some more, I'll spot some more problems.. :)
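
The per-list public-key scheme discussed in the reply above, as an added example that is not part of the original post: one address is sealed to the keys of two hypothetical lists, showing that only the list can read it and that the two sealed values cannot be matched across lists. RSA-OAEP, the 2048-bit keys, and the address are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealAddress encrypts a poster's address to one list's public key (RSA-OAEP).
func sealAddress(list *rsa.PublicKey, addr string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, list, []byte(addr), nil)
}

// openAddress recovers the address; only the holder of the list's private key can.
func openAddress(list *rsa.PrivateKey, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, list, sealed, nil)
	return string(pt), err
}

// demo seals one constructed address for two hypothetical lists and reports
// whether list A can read it, whether a party without A's key can, and
// whether the two sealed values match (whether readers could link the posts).
func demo() (listReads, outsiderReads, linkable bool, err error) {
	const addr = "poster@example.org" // constructed sample address
	listA, errA := rsa.GenerateKey(rand.Reader, 2048)
	listB, errB := rsa.GenerateKey(rand.Reader, 2048)
	if errA != nil || errB != nil {
		return false, false, false, fmt.Errorf("keygen: %v %v", errA, errB)
	}
	sealedA, errA := sealAddress(&listA.PublicKey, addr)
	sealedB, errB := sealAddress(&listB.PublicKey, addr)
	if errA != nil || errB != nil {
		return false, false, false, fmt.Errorf("seal: %v %v", errA, errB)
	}
	got, openErr := openAddress(listA, sealedA)
	listReads = openErr == nil && got == addr
	// listB's key stands in for any party that lacks list A's private key.
	_, outErr := openAddress(listB, sealedA)
	outsiderReads = outErr == nil
	linkable = bytes.Equal(sealedA, sealedB)
	return listReads, outsiderReads, linkable, nil
}

func main() {
	fmt.Println(demo())
}
```

A subscriber who receives only the sealed value has nothing to put in a reply's recipient field, and the sender needs each list's public key on whatever machine the mail is sent from.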


