1993-03-01 - Re: Future of anonymity (short-term vs. long-term)

Header Data

From: Theodore Ts’o <tytso@Athena.MIT.EDU>
To: Marc.Ringuette@GS80.SP.CS.CMU.EDU
Message Hash: 432442d1312f01998e0b22d71b66f284b5c5d1dbb12400b3027c78dfb643d093
Message ID: <9303010143.AA25226@SOS>
Reply To: <9303010103.AA08082@toad.com>
UTC Datetime: 1993-03-01 01:44:25 UTC
Raw Date: Sun, 28 Feb 93 17:44:25 PST

Raw message

From: Theodore Ts'o <tytso@Athena.MIT.EDU>
Date: Sun, 28 Feb 93 17:44:25 PST
To: Marc.Ringuette@GS80.SP.CS.CMU.EDU
Subject: Re: Future of anonymity (short-term vs. long-term)
In-Reply-To: <9303010103.AA08082@toad.com>
Message-ID: <9303010143.AA25226@SOS>
MIME-Version: 1.0
Content-Type: text/plain


   Date: Sun, 28 Feb 1993 19:59-EST
   From: Marc.Ringuette@GS80.SP.CS.CMU.EDU

     1.  Agree on a header line which identifies all messages coming out of 
	 our remailers.  If someone wants to filter out all anonymous messages,
	 I think we should help them to do so.

This would indeed be a considerate thing to do.  In the short run, the
only way a mailing list maintainer can avoid being abused by some
twit determined to hide behind your network of maintainers is to
disallow anonymous postings altogether.

Since John Gilmore, the maintainer of the Cypherpunks mailing list, is
one of the absolute free speech advocates --- let me ask a question
directly at you:  What would you do if sometime next week, someone
decided to flood the Cypherpunks mailing list with a large amount of
trash postings, routed through different combinations of remailers?  Let
us assume that the trash is generated by grabbing varying snippets from
USENET articles, so that current AI technology is not able to
distinguish a true Cypherpunks submission from the flooded trash
postings.  What would you do?  Now let's also suppose someone does the
same thing to all of the GNU newsgroups.  What would you do then?

I ask these questions well aware that somewhere out there, some immature
twit might get an idea from this scenario, and make the above questions
less hypothetical.  :-( 

(Sorry for sounding so cynical, but after being a News admin at MIT for
a long time, and dealing with a lot of people suffering from severe
cases of freshmanitis, I have a less than optimistic view about human
nature.)

	     source logging:  on a machine-by-machine basis, log the total
		 input volume over a fairly long period, with some random
		 noise added.  When a source is providing too much volume,
		 and it's not on your local list of "friendly" remailers,
		 then take action to reduce the volume.  I suggest that the
		 first action should be to INCREASE THE DELAY to reduce the
		 volume-per-unit-time of messages from that site.  If the
		 volume of spooled traffic from a site reaches a threshold, 
		 only then start throwing away messages.

This doesn't work.  Someone clever could easily redirect the message
through different (non-anonymous) SMTP servers before the message
entered the remailer network; this would completely defeat the volume
logging, and while the first hop would still be logged somewhere, unless
the remailer administrator reveals the input/output address mapping,
you'd still have no way to trace the message from the destination to the
source.

							- Ted
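
The source-logging proposal quoted in the message above, and the objection raised against it, can be checked with a small simulation. This is an added example, not code from either poster; the class name, the thresholds, the delay doubling and the `.example` host names are all assumptions.

```python
import random
from collections import defaultdict

# Every name and number here is an assumption made for illustration.
FRIENDLY = {"remailer-a.example"}  # local list of "friendly" remailers
VOLUME_LIMIT = 100_000             # logged bytes per period before action
BASE_DELAY = 60                    # normal forwarding delay, seconds
SPOOL_LIMIT = 5                    # held messages per source before dropping

class SourceThrottle:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.volume = defaultdict(int)   # noisy byte count per source host
        self.spooled = defaultdict(int)  # messages held back per source
        self.delay = defaultdict(lambda: BASE_DELAY)

    def accept(self, source, size):
        """Return (action, delay_seconds) for one incoming message."""
        # Log the input volume with some random noise added (+/-10% here).
        noise = self.rng.randint(-(size // 10), size // 10)
        self.volume[source] += size + noise
        if source in FRIENDLY or self.volume[source] <= VOLUME_LIMIT:
            return "forward", BASE_DELAY
        # First action: increase the delay (doubling is an assumption).
        if self.spooled[source] < SPOOL_LIMIT:
            self.spooled[source] += 1
            self.delay[source] *= 2
            return "delay", self.delay[source]
        # Only once the spool threshold is reached are messages thrown away.
        return "drop", 0

def simulate(sources, messages, size=10_000):
    """Feed `messages` mails round-robin from `sources`; count the outcomes."""
    throttle = SourceThrottle()
    counts = {"forward": 0, "delay": 0, "drop": 0}
    for i in range(messages):
        action, _ = throttle.accept(sources[i % len(sources)], size)
        counts[action] += 1
    return counts

if __name__ == "__main__":
    # Constructed traffic: the same 200 messages seen from 1 host, then 40.
    print(simulate(["host0.example"], 200))
    print(simulate([f"relay{i}.example" for i in range(40)], 200))
```

The simulation does not drain the spool or roll over the accounting period. Per-source accounting only sees the host that handed over each message, so the run spread across 40 hosts stays under every per-host limit and is forwarded in full.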





