1994-05-09 - Re: Is the list down?

Header Data

From: “Robert A. Hayden” <hayden@krypton.mankato.msus.edu>
To: Jim Gillogly <jim@rand.org>
Message Hash: 3e910c3a3bad864596dfc84d87ff96555c0b8b7b7b3d1ca0286dce58dad67bb0
Message ID: <Pine.3.89.9405091108.A29480-0100000@krypton.mankato.msus.edu>
Reply To: <9405091614.AA06838@mycroft.rand.org>
UTC Datetime: 1994-05-09 16:38:14 UTC
Raw Date: Mon, 9 May 94 09:38:14 PDT

Raw message

From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Date: Mon, 9 May 94 09:38:14 PDT
To: Jim Gillogly <jim@rand.org>
Subject: Re: Is the list down?
In-Reply-To: <9405091614.AA06838@mycroft.rand.org>
Message-ID: <Pine.3.89.9405091108.A29480-0100000@krypton.mankato.msus.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Mon, 9 May 1994, Jim Gillogly wrote:

> Well... countermeasures.  Majordomo could require its subscriptions signed
> with a valid public key (PGP or RIPEM) with the public key in the signed
> body, and process future transactions for that individual only if they're
> signed.  That's still open to a spam attack, though, where the attacker
> can subscribe 30 variations of (say) Jim Gillogly's address with different
> public keys constructed just for that, and Gillogly wouldn't be able to
> send the right unsubscriptions.

Or you could remove the ability to whois the subscribers of the list.  I 
know it can be done as queernet has done that for its majordomo lists.  
At the very least, that will remove the ability to get a listing of who 
is subscribed, although I kind of think it's nice to be able to see who is 
on the list.

I worry that requiring PGP or some other signature could pose problems 
for those outside the U.S., especially if MIT-PGP is apparently not 
exportable.

Another choice is to require a confirmation from the subscriber.  I run 
several LISTSERV mailing lists, and while it doesn't require confirmation 
for unsubscription (just signing up), it does keep down on the number of 
"accidental" activities.  It'd be pretty trivial to hack majordomo to 
reply to the address in the whois list (instead of the Reply-To:) and 
maintain a small database of 'pending' people.  By requiring a, say, 
six-digit code in the subject line of the confirmation, the software can 
verify that it is genuine.

As I said, LISTSERV implements something similar as an option for 
subscribing.  Maybe even for unsubscribing (I've never checked).

____        Robert A. Hayden          <=> hayden@krypton.mankato.msus.edu
\  /__          -=-=-=-=-             <=>          -=-=-=-=-
 \/  /   Finger for Geek Code Info    <=> Political Correctness is
   \/  Finger for PGP 2.3a Public Key <=> P.C. for "Thought Police"
-=-=-=-=-=-=-=-
(GEEK CODE 1.0.1)  GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++
		       n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)
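
Added example, not part of the original message and not Majordomo or LISTSERV code: one way to implement the confirmation scheme described above, with a small 'pending' database and a six-digit code echoed in the subject line. The class name, the 48-hour lifetime, the five-try cap and the subject format "confirm NNNNNN" are assumptions.

```python
import hmac
import re
import secrets
import time

CODE_TTL = 48 * 3600   # assumed lifetime of a pending request, in seconds
MAX_TRIES = 5          # assumed cap on wrong codes per pending address

class PendingSubscriptions:
    """The 'pending' database: address -> [code, expiry, failed tries]."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now
        self.subscribers = set()

    def request(self, address):
        """Record a subscribe request and return the confirmation mail.
        It is sent to the address being subscribed, never to the From: or
        Reply-To: of the request, which the requester controls."""
        address = address.strip().lower()
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending[address] = [code, self._now() + CODE_TTL, 0]
        return {"to": address, "subject": f"confirm {code}"}

    def confirm(self, sender, subject):
        """Handle a reply. The sender only selects the pending entry; the
        code, which was delivered to that mailbox alone, is the proof."""
        sender = sender.strip().lower()
        entry = self._pending.get(sender)
        if entry is None:
            return "no-pending-request"
        code, expiry, _tries = entry
        if self._now() > expiry:
            del self._pending[sender]
            return "expired"
        m = re.search(r"\b(\d{6})\b", subject)
        if m and hmac.compare_digest(m.group(1), code):
            del self._pending[sender]
            self.subscribers.add(sender)
            return "subscribed"
        entry[2] += 1
        if entry[2] >= MAX_TRIES:   # six digits are guessable, so cap tries
            del self._pending[sender]
            return "locked-out"
        return "bad-code"
```

The same flow applies to unsubscribe requests, which closes the forged-unsubscribe case as well.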





