[Full-Disclosure] mailman email harvester

From: Bernhard Kuemel (bernhard_at_bksys.at)
Date: 02/12/05

    Date: Sat, 12 Feb 2005 13:11:41 +0100
    To: Valdis.Kletnieks@vt.edu


    Valdis.Kletnieks@vt.edu wrote:
    | On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:
    |>If hashcash (http://www.hashcash.org/) gets integrated in our mail
    |>systems we no longer need to hide or obfuscate our email addresses.
    | On the other hand, widespread distribution of hashcash will probably mean
    | the end of many mailing lists, because you can't trust users to
    | whitelist everything they subscribe to.

    If a user chooses to use hashcash he must understand it. If he
    doesn't and subscribes to a mailing list all the list mail will go
    to his spam folder. He will learn from that and whitelist list mail.

    | And remember that the whole *idea*
    | of hashcash is that you make it impractical for somebody to send 3,000 pieces
    | of mail. I'm sure netsys.com wouldn't want to keep full-disclosure if they had
    | to do hashcash for even 10% of their users.

    They would not hashcash every mail, but sign each incoming mail so
    spammers can't spam subscribers whose addresses then can be published.

    | I'll overlook the issues caused when you *dont know* what to
    | For instance - many mailing lists (including this one) have a
    | of subscription" check. For bonus points - should you have
    | a) full-disclosure@lists.netsys.com (the actual list name)
    | b) full-disclosure-request@lists.netsys.com (the rfc822 header on my confirm)
    | c) full-disclosure-admin@lists.netsys.com (the rfc821 MAIL FROM:)
    | d) mailman@
    | e) majordomo@
    | f) listserv@

    Subscribing to mailing lists has always been a process of following
    instructions. If you subscribe via a web page, this web page will
    tell you which addresses to whitelist. If you subscribe via email
    firstly there will also be some source of instructions how to
    subscribe, and secondly you can whitelist replies that reference
    (private) emails you sent recently.

    | There's also all the stuff that things like amazon, ebay, your bank,
    | your insurance company, your utility companies, etc... all send out,
    | that users will forget to whitelist.

    They can send hashcashed requests for being whitelisted which will
    pop up a window similar to message receipt requests.

    | Hashcash really sucks if you're a mail server admin who has to crank 50,000
    | hash cashes a day at 5 CPU seconds a pop because people forgot to
    | your server.

    I don't understand the situation. Human edited mail is usually
    created on a workstation that is capable of making hashcash while
    the mail is edited. Mass mail generated on a server falls into
    several categories:

    1) spam: let them make hashcash
    2) solicited recurring mail: send hashcashed whitelist request and
    follow up with unpaid mail. If unpaid mail gets rejected stop
    sending mail. Actually, there is little reason not to make the
    whitelisting part of the service subscription process.
    3) Replies should be whitelisted automatically.
    4) legitimate systems that initiate mail conversation must make
    hashcash. Can you think of any examples?

    | Hashcash isn't even a tiny speed bump if you're a spammer and have
    | zombies - each one only takes a 5 second hiccup and continues

    Configure your system to require more. 1 minute. Or 10. Or 20. The
    amount of hashcash can be put in an email address comment or if
    insufficient cash is sent, the receiving system can automatically
    request more.

    | But yeah, other than all those minor details, hashcash is a fine solution. ;)

    ecash may be even better. You don't have to accept the postage. Only
    take it from unwanted mail.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
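The mechanism argued over in this thread, minting a hashcash stamp on the sender's workstation and having the receiving system enforce its own "require more" policy, as an added Python example that is not part of the original exchange. The stamp layout follows hashcash v1 (`1:bits:date:resource:ext:rand:counter`, SHA-1 with `bits` leading zero bits); the recipient address, the 28-day validity window and the replay set are assumptions.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a SHA-1 digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp (independent of its claimed bits field)."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint(resource: str, bits: int, date: Optional[str] = None) -> str:
    """Sender side: brute-force a counter until the stamp carries `bits` of work."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: set,
           today: Optional[str] = None, max_age_days: int = 28) -> bool:
    """Receiver side: apply local policy (difficulty, address, age, replay) to a stamp."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        claimed, stamp_date = int(parts[1]), datetime.strptime(parts[2], "%y%m%d")
    except ValueError:
        return False
    now = datetime.strptime(today, "%y%m%d") if today else datetime.utcnow()
    if claimed < min_bits or parts[3] != resource:   # too little postage, or minted for someone else
        return False
    if (now - stamp_date).days > max_age_days or (stamp_date - now).days > 2:
        return False                                  # expired or dated in the future
    if stamp_bits(stamp) < claimed or stamp in seen:  # claimed work not done, or replayed
        return False
    seen.add(stamp)
    return True
```

Raising `min_bits` on the receiving side is the "require more" knob from the discussion; a stamp minted at 16 bits is rejected by a recipient demanding 20 without any hashing at all, because the claimed field is checked first.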
