1993-02-22 - Beware of anon.penet.fi message!

Header Data

From: nobody@rosebud.ee.uh.edu
To: cypherpunks@toad.com
Message Hash: 5eb2c6b2a9637369ed00f8b51fc10532f27d67afe827567e11a45377adb655de
Message ID: <9302222044.AA22982@toad.com>
Reply To: N/A
UTC Datetime: 1993-02-22 20:44:13 UTC
Raw Date: Mon, 22 Feb 93 12:44:13 PST

Raw message

From: nobody@rosebud.ee.uh.edu
Date: Mon, 22 Feb 93 12:44:13 PST
To: cypherpunks@toad.com
Subject: Beware of anon.penet.fi message!
Message-ID: <9302222044.AA22982@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


Beware of the message about the security bug in the anon.penet.fi software!

If you do as requested, and send your true email address to an5877@anon.penet.fi
then he will see both your true email address and your anonymous address
(if you have one - if you don't, you will be assigned one and he will see
that).  Any future use you make of this anonymous server (say, to post
anonymously) will appear under that same anonymous address - and this
person will know your true email address that goes with it.

an5877's message appears to be a trick, designed to collect anonymous/real
address pairs.  Johan Helsingius should take action against this trickster.
Since he is learning other people's real addresses, perhaps it would be
appropriate for his own real address to be revealed.

But, this does point out that these systems which automatically assign
anonymous addrsses have several security flaws.  Johan has already had
to introduce a "password" feature to make it more difficult to send fakemail
that appears to be from a particular email address through the server,
thus revealing the corresponding anonymous address when it is delivered.

an5877's trick is a variant on one discussed in news.admin.policy where
it is pointed out that you can mail to someone via anon.penet.fi and
ask for information; when the return mail comes back it will be from that
person's anonymous address.  So again you can pair up real and anonymous
addresses.

These are serious problems.  We need some discussion of how to avoid these
simple tricks for defeating the anonymity while still having an easy-to-use
system.

::Xavier::






Thread