
Re: anon.penet.fi hacking

> I would be cautious about a random "From:" line.  I think penet will
> probably reject input that does not at least have a valid (but not
> necessarily truthful) return address.

I have no way to check the validity of an address, unless it's
syntactically illegal.

> For a while, Miron Cuperman's wimsey remailer was generating a bogus
> From address, something like "[email protected]".  I tried
> chaining this to penet to post to newsgroups, but my anonymous
> messages never appeared in the newsgroups.  This was because,
> I think, penet sends a confirmation back to the sender. Since
> "kremlin.vax" is not in penet's net tables, this would cause
> the confirmation send to fail; my hypothesis is that this also
> causes the newsgroup post at penet to fail.

No, the posting must have failed for some other reason. The problem is
that you never know why, as the error messages don't reach you...

> Wimsey could also establish its own penet password and automatically
> insert it whenever it detected a "to" address ending in penet.fi.

This could be one solution. But what do you do with bounces due to
some user error?

> I'd like to point out that so far the wimsey remailer is the only
> useful remailer from my point of view because it's the only one
> which allows me to delete the automatic sig.  This is because it
> only forwards encrypted text and discards any appended unencrypted
> text.

This will be solved using MIME. The .sig killer used at anon.penet.fi is
a pain in the rear...
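
The behaviour described in the quoted text above (forward only the encrypted text and discard anything appended in the clear) can be sketched as follows. This is an added example, not the wimsey remailer's code and not part of the original message; the function name and the sample message are constructed for illustration.

```python
# Armor delimiter lines used by PGP ASCII-armored messages.
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def keep_encrypted_only(body):
    """Return only the armored block(s) of a message body, or None.

    Text before, between, or after armored blocks (for example an
    automatically appended signature) is discarded. A block that has a
    BEGIN line but no END line is dropped rather than forwarded.
    """
    blocks = []
    current = None  # lines of the block being collected, if any
    for line in body.splitlines():
        stripped = line.rstrip()
        if current is None:
            if stripped == BEGIN:
                current = [stripped]
        else:
            current.append(stripped)
            if stripped == END:
                blocks.append("\n".join(current))
                current = None
    return "\n\n".join(blocks) if blocks else None


# Constructed sample: placeholder ciphertext followed by an auto-appended sig.
SAMPLE = """\
Some cleartext preamble added by a mail client.

-----BEGIN PGP MESSAGE-----
Version: 2.3

PLACEHOLDERnotREALciphertextPLACEHOLDERnotREALciphertext
=abcd
-----END PGP MESSAGE-----

--
Alice Example, alice@example.invalid
"""

if __name__ == "__main__":
    print(keep_encrypted_only(SAMPLE))
```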