[Full-Disclosure] mailman email harvester
From: Bernhard Kuemel (bernhard_at_bksys.at)
Date: Sat, 12 Feb 2005 13:11:41 +0100
To: Valdis.Kletnieks@vt.edu
| On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:
|>If hashcash (http://www.hashcash.org/) gets integrated in our mail
|>systems we no longer need to hide or obfuscate our email addresses.
| On the other hand, widespread distribution of hashcash will
| the end of many mailing lists, because you can't trust users to
| whitelist everything they subscribe to.
If a user chooses to use hashcash he must understand it. If he
doesn't and subscribes to a mailing list all the list mail will go
to his spam folder. He will learn from that and whitelist list mail.
| And remember that the whole *idea*
| of hashcash is that you make it impractical for somebody to send
| of mail. I'm sure netsys.com wouldn't want to keep
| full-disclosure if they had
| to do hashcash for even 10% of their users.
They would not hashcash every mail, but sign each incoming mail so
spammers can't spam subscribers whose addresses then can be published
| I'll overlook the issues caused when you *don't know* what to
| For instance - many mailing lists (including this one) have a
| of subscription" check. For bonus points - should you have
| a) firstname.lastname@example.org (the actual list name)
| b) email@example.com (the rfc822 header on
| c) firstname.lastname@example.org (the rfc821 MAIL FROM:)
| d) mailman@
| e) majordomo@
| f) listserv@
Subscribing to mailing lists has always been a process of following
instructions. If you subscribe via a web page, this web page will
tell you which addresses to whitelist. If you subscribe via email,
firstly there will also be some source of instructions on how to
subscribe, and secondly you can whitelist replies that reference
(private) emails you sent recently.
| There's also all the stuff that things like amazon, ebay, your bank,
| your insurance company, your utility companies, etc... all send out,
| that users will forget to whitelist.
They can send hashcashed requests for being whitelisted which will
pop up a window similar to message receipt requests.
| Hashcash really sucks if you're a mail server admin who has to
| hash cashes a day at 5 CPU seconds a pop because people forgot to
| your server.
I don't understand the situation. Human edited mail is usually
created on a workstation that is capable of making hashcash while
the mail is edited. Mass mail generated on a server falls into
1) spam: let them make hashcash
2) solicited recurring mail: send hashcashed whitelist request and
follow up with unpaid mail. If unpaid mail gets rejected stop
sending mail. Actually, there is little reason not to make the
whitelisting part of the service subscription process.
3) Replies should be whitelisted automatically.
4) legitimate systems that initiate mail conversation must make
hashcash. Can you think of any examples?
| Hashcash isn't even a tiny speed bump if you're a spammer and have
| zombies - each one only takes a 5 second hiccup and continues
Configure your system to require more. 1 minute. Or 10. Or 20. The
amount of hashcash can be put in an email address comment or if
insufficient cash is sent, the receiving system can automatically
| But yeah, other than all those minor details, hashcash is a fine
ecash may be even better. You don't have to accept the postage. Only
take it from unwanted mail.
Full-Disclosure - We believe in it.
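
Added illustration, not part of the original message: a receiver-side policy of the kind the thread discusses, where whitelisted senders pass without payment and anyone else must attach a hashcash version 1 stamp addressed to the recipient at a cost the receiver chooses. The class and function names, the example.org addresses, the random field and the 12-bit demo cost are constructed for this sketch, and stamp date expiry is not checked.

```python
import hashlib
from itertools import count

def zero_bits(stamp):
    """Count the leading zero bits of SHA-1(stamp)."""
    value = int.from_bytes(hashlib.sha1(stamp.encode()).digest(), "big")
    return 160 - value.bit_length()

def mint(resource, bits, date, rand):
    """Sender side: try counters until the stamp hashes to `bits` zero bits."""
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if zero_bits(stamp) >= bits:
            return stamp

class Receiver:
    """Hypothetical per-recipient policy: whitelist first, then postage."""
    def __init__(self, address, required_bits, whitelist=()):
        self.address = address
        self.required_bits = required_bits   # raise this to make mail costlier
        self.whitelist = set(whitelist)      # lists, banks, people you replied to
        self.spent = set()                   # stamps already redeemed

    def accept(self, sender, stamp=None):
        if sender in self.whitelist:
            return "accept: whitelisted"
        if stamp is None:
            return "reject: stamp required"
        fields = stamp.split(":")  # ver:bits:date:resource:ext:rand:counter
        if (len(fields) != 7 or fields[0] != "1"
                or not (fields[1].isascii() and fields[1].isdigit())):
            return "reject: malformed stamp"
        if fields[3] != self.address:
            return "reject: stamp is for another recipient"
        claimed = int(fields[1])
        if claimed < self.required_bits or zero_bits(stamp) < claimed:
            return "reject: insufficient work"
        if stamp in self.spent:
            return "reject: stamp already used"
        self.spent.add(stamp)
        return "accept: paid"

if __name__ == "__main__":
    rx = Receiver("subscriber@example.org", 12, {"list-bounces@example.org"})
    print(rx.accept("list-bounces@example.org"))          # unpaid list mail
    paid = mint("subscriber@example.org", 12, "050212", "c2FtcGxl")
    print(paid, "->", rx.accept("stranger@example.net", paid))
    print(rx.accept("stranger@example.net", paid))        # replayed stamp
```

Each extra required bit doubles the sender's expected work, while the receiver's check stays a single SHA-1 computation.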