1997-03-30 - Re: remailer spam throttle

Header Data

From: Sergey Goldgaber <sergey@el.net>
To: “Dr.Dimitri Vulis KOTM” <dlv@bwalk.dm.com>
Message Hash: 93025bd24601d582bcc33f78040426c481e4a0cd5892850c6d0ca030366eb080
Message ID: <Pine.LNX.3.95.970329232929.142F-100000@void.el.net>
Reply To: <g5Fc5D4w165w@bwalk.dm.com>
UTC Datetime: 1997-03-30 04:48:26 UTC
Raw Date: Sat, 29 Mar 1997 20:48:26 -0800 (PST)

Raw message

From: Sergey Goldgaber <sergey@el.net>
Date: Sat, 29 Mar 1997 20:48:26 -0800 (PST)
To: "Dr.Dimitri Vulis KOTM" <dlv@bwalk.dm.com>
Subject: Re: remailer spam throttle
In-Reply-To: <g5Fc5D4w165w@bwalk.dm.com>
Message-ID: <Pine.LNX.3.95.970329232929.142F-100000@void.el.net>
MIME-Version: 1.0
Content-Type: text/plain


On Sat, 29 Mar 1997, Dr.Dimitri Vulis KOTM wrote:

-> Sergey Goldgaber <sergey@el.net> writes:
-> >
-> > Unfortunately, key servers can not be trusted.  I'm sure you're aware that
-> > anyone can submit a key, and thus forgeries abound.
-> >
-> > If the above model is adopted, key servers will be the first target of
-> > the prospective spammer.
-> 
-> Why Sergey, you mean to tell me that there are key servers out there that
-> accept a key from a purported address and don't send back a cookie to that
-> address to see if it's not fake? :-) That's just terrible. Definitely no
-> key coming from such a server should be trusted. :-) :-)
-> 
-> Today is March 29, 1997 - almost April 1st. The Internet ain't what is
-> used to was 15 or 10 or even 2 years ago. If you get an e-mail that
-> purports to be from X, and it requests that you add X's public key
-> to your key server, or (un)subscribe X to a mailing list, or
-> block X from receiving anonymous e-mail - it may be a forgery.
-> Never act on such requests without trying to authenticate them
-> with a cookie.

DNS maps can easily be forged.  Key servers run on machines with questionable 
physical and operating system security.  Finally, key server ops themselves
can mess with keys.

This is why people who use keys off of keyservers are encouraged to verify
the key via its key fingerprint, or via the web of trust.

However, this can not be done via automation on a large scale for the purpose
of address blocking, unless via a certification authority.

The bottom line is that keyservers can not be trusted, despite any primitive
security measures they supposedly have in place.


 ............................................................................
 . Sergey Goldgaber <sergey@el.net>      System Administrator        el Net .
 ............................................................................
 .   To him who does not know the world is on fire, I have nothing to say   .
 .                                                      - Bertholt Brecht   .
 ............................................................................
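
The cookie check described in the quoted text, as an added example that is not part of the original message: a request to add a key, (un)subscribe or block an address is acted on only after a cookie mailed to that address comes back. The HMAC construction, the function names, the secret and the lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed values for this example; a real service would load a random secret.
SERVER_SECRET = b"constructed-example-secret"
COOKIE_LIFETIME = 3 * 24 * 3600  # seconds a cookie stays valid (assumed)
ALLOWED_ACTIONS = {"add-key", "subscribe", "unsubscribe", "block"}


def _mac(address, action, expires):
    """HMAC over the exact request the cookie authorises."""
    msg = "\n".join([address.strip().lower(), action, str(expires)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(address, action, now=None):
    """Build the cookie that is mailed to `address`; nothing is acted on yet."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    now = int(time.time()) if now is None else now
    expires = now + COOKIE_LIFETIME
    return f"{expires}.{_mac(address, action, expires)}"


def confirm(address, action, cookie, now=None):
    """True only if `cookie` was issued for this address and action and is unexpired."""
    now = int(time.time()) if now is None else now
    if action not in ALLOWED_ACTIONS:
        return False
    try:
        expires_text, mac = cookie.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False  # malformed cookie
    if now > expires:
        return False  # stale cookie, request must be repeated
    expected = _mac(address, action, expires)
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A returned cookie shows only that the requester can read mail delivered for that address. It does not show that a submitted key belongs to the person the address names, which still needs the fingerprint or web-of-trust check.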





