[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Explanation] Re: "STOP SENDING ME THIS SHIT"
> I run a small mailing list that has been subject to problems
> similar to the recent spate of "unscrives". Apparently there is a
> list of mailing lists circulating the warez boards along with scripts
> for spoofing subscription requests. Over the past few months my list
Ah, KaNN3d t00Lz: the incompitent kRak3r'z best friend. :)
> Crypto relevance: This attack will be eliminated when more mail
> agents support public key crypto and the mailing list software can be
> modified to check signatures on subscription requests.
But you're presupposing a public key distribution mechanism
such that the list software can get a key for that user. And that
that's a valid key for that user, not a key that J Random kRak3r didn't
just send in for his clueless AOL victim before said victim established
a public key.
At any rate, has something like this been put into the current
PGPdomo? I don't think that it would be too hard to hack in a query
to a web keyserver to grab a key. If the initial request's not
signed, maybe include a note about how to go about getting PGP and
putting a key on the keyserver (or a pointer to instructions on the
web).
---
Fletch __`'/|
[email protected] "Lisa, in this house we obey the \ o.O' ______
404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------