From: Andy Dustman <andy@neptune.chem.uga.edu>
Date: Thu, 13 Nov 1997 04:34:39 +0800
To: remailer-operators@anon.lcs.mit.edu
Subject: Re: Databasix conspiracy theories
In-Reply-To: <199711121408.PAA07532@basement.replay.com>
Message-ID: <Pine.LNX.3.94.971112144125.8435f-100000@neptune.chem.uga.edu>
MIME-Version: 1.0
Content-Type: text/plain



On Wed, 12 Nov 1997, Anonymous wrote:

> Andy Dustman <andy@neptune.chem.uga.edu> wrote:
> > 
> > If you really want the post to have the From: address of your nym, send
> > the post with your nym and not with the remailer as the last hop. The
> > point of anonymous remailers is to be anonymous. If you want to use a
> > psuedonym, use a nymserver.
> 
> If I remember correctly, the documentation for at least one of the nymservers
> suggested that posting through a remailer and pasting in the return address
> would be quicker and impose less burden on the server than having to process
> each outgoing message through the server.

That's possible, and if true, it's probably in the documentation for
redneck. Personally, I would prefer to have the server handle those
messages, simply because there is a certain amount of "authentication",
i.e., you can be reasonably sure that that nym really sent the message and
wasn't forged.

> > Cracker does have a spam-bait mangler which is somewhat simpler than the
> > scheme Jeff used. In a nutshell, if there are an inordinately large number
> > of addresses (compared to other text), the addresses are mangled, i.e.,
> > president@whitehouse.gov becomes president <AT> whitehouse <DOT> gov.
> > Still human-readable but useless for address harvesters. No posts get
> > dropped or filtered out under this scheme, and no keywords or particular
> > addresses are looked for.
> 
> I'm not sure that even that is a wise precedent to set.  In itself it seems
> innocuous enough, but it could always lead to a demand, "Well, you already
> mangle e-mail addresses contained in the bodies of posts, so why not also
> alter the contents of posts in the following way..."

Well, I'm not real happy to have to do it. It was in response to a very
active spam-baiting campaign, apparently directed at the Databasix people,
and primarily consisted of lists of addresses with no (or very little)
other text. I doubt this methodology could realistically be applied to
anything else (or that I would consider doing it for anything else).

> Also, I hope that your mangler is smart enough to distinguish e-mail addresses
> from lists of Usenet message IDs, since a list of such references should be
> perfectly valid in the body of a post.

It's not.

> The problem with destroying machine readability of e-mail addresses is
> that many newsreaders will turn an e-mail address into a hot link where
> one could simply click on it to send e-mail.  If someone were to
> anonymously post a message in support of or in opposition to a certain
> piece of legislation, and include a list of the e-mail addresses of the
> Congress-critters on a certain committee considering that bill, such a
> scheme might defeat the purpose of the list.  IMO, anything that makes
> posting via a remailer less functional than doing so non-anonymously is
> ultimately detrimental to the cause of privacy. 

I agree with you in principle. I think in practice, though, not being able
do just click on the address to send mail (and then only in newsreaders
that support it) is not a huge loss of functionality, as the address is
still readable (by humans).

> BTW, is there any evidence to indicate that anyone is really harvesting e-mail
> addresses from the BODIES of Usenet posts?  Gary Burnore posts his flames quite
> widely, so it's quite likely that any bulk e-mailing lists he's on is the
> result of his (non-mangled) e-mail address being in the From: line of his own 
> posts.

I really don't know. I do know when the spam-baiting campaign started, the
spam-baiters would also use the remailers to contact the people
spam-baited to let them know they had been spam-baited so they would
complain to us. (There was another set of letters going around claiming to
be pro-remailer, but I was always skeptical that that was the true
intention.)

> Perhaps the ultimate reality check is whether someone is seeking to impose a
> standard on remailers that's stricter than the one imposed on the phone company
> or the postal service.  I can drop some coins in a pay phone and call anyone at
> any time.  The functionality of a public phone is not restricted merely because
> the users are not identified.  Similarly, I can drop a letter in a public mailbox
> without anyone verifying my identity.  No return address is required.  Or I can
> write in a return address and nobody will check whether it's "genuine" or
> "forged".  It would be ludicrous, for example, for someone who had received a
> couple of crank phone calls from payphones to demand that the phone company
> either totally prevent this abuse from ever happening again or else remove all of 
> its pay phones!  And yet those are exactly the demands that anti-privacy zealots 
> have made on remailers, and often they've succeeded.

Well, I agree, and I don't do anything to messages that are mailed from
person-to-person (except drop exact duplicates). The only anti-abuse stuff
I have works on USENET posts, so it's not quite analogous to the phone
company or postal service. (I use that analogy all the time when people
complain about messages they receive.)

> Should one's willingness to broadcast his/her name and e-mail address 
> indiscriminately to a WORLDWIDE newsgroup be a prerequisite for one to express
> one's views?  Is that not tantamount to saying that one cannot walk down the
> street without wearing a badge containing his name, address, and phone number for
> all to read?  Or should one's name and e-mail address be considered his property
> to be divulged only if and when he chooses?

And I agree with you here too. I guess I'd have to or I wouldn't be
running a remailer.

Andy Dustman / Computational Center for Molecular Structure and Design
For a great anti-spam procmail recipe, send me mail with subject "spam".
Append "+spamsucks" to my username to ensure delivery.  KeyID=0xC72F3F1D
Encryption is too important to leave to the government. -- Bruce Schneier
http://www.athens.net/~dustman mailto:andy@neptune.chem.uga.edu   <}+++<