cryptoanarchy.wiki

Arise, you have nothing to lose but your barbed wire fences!

1994-07-29 - Tuna fish and spam sandwich

Header Data

From: cjl <cjl@welchlink.welch.jhu.edu>
To: admin@penet.fi
Message Hash: a8cbbc5147a97d8027169176e3ed1ec46115ee2d34f7daf8c44cc93cd67d4ea4
Message ID: <Pine.3.89.9407282053.A17233-0100000@welchlink.welch.jhu.edu>
Reply To: N/A
UTC Datetime: 1994-07-29 01:02:01 UTC
Raw Date: Thu, 28 Jul 94 18:02:01 PDT

Raw message

From: cjl <cjl@welchlink.welch.jhu.edu>
Date: Thu, 28 Jul 94 18:02:01 PDT
To: admin@penet.fi
Subject: Tuna fish and spam sandwich
Message-ID: <Pine.3.89.9407282053.A17233-0100000@welchlink.welch.jhu.edu>
MIME-Version: 1.0
Content-Type: text/plain



I am curious about what is happening on alt.test.  

Someone is apparently forging letters containing the line:

I am (insert True Name and address here)

from a large list of account names and sending them through anon@penet.fi 
to alt.test.  If the address is not previously registered with 
penet.fi it generates a new acct number (thus the long list of messages 
with sequential acct nums anXXXXXX) however every once in a while 
there will be a message 

(they are all 43 lines long, and have the subject "tuna fish 
test numero nnn" making them easy to spot from real anon.testers) 

that will have an account number that is out of sequence (e.g. a much
lower number).  It would seem that this is revealing the anon acct numbers
of people who have already got accts at penet.fi.  There are a number of
messages posted to alt.test from apparently real acct addresses saying
that they never requested anon accts. and generally disavowing all
knowledge of how the "tuna fish" messages ended up posted.

Does this form of "lunch-sack" attack really work?  By spamming penet.fi
with "tuna fish" messages with forged From: lines can one really get the
true names and corresponding anon acct numbers of people from a list of 
addresses?  If this is possible then I'm sure it wouldn't take long for 
one of you mail-gurus to whip up some code to download a "who cypherpunks"
and feed it through a spam grinder to recover true names.  So much for 
trusting a Finnish Identity Escrow Agent.
HH
 C. J. Leonard                     (    /      "DNA is groovy"
                                   \ /                - Watson & Crick
<cjl@welchlink.welch.jhu.edu>      / \     <--  major groove
                                  (    \
Finger for public key               \   )
Strong-arm for secret key             /    <--  minor groove
Thumb-screws for pass-phrase        /   )

Thread