
Re: Penet Spoofing



Karl said:
> Somebody is trying to be clever and forging mail to figure out
> my penet id (surprise, I don't have one, but now I do).

I doubt it's a forgery attack.  More likely, somebody subscribed to
the list under an anXXXX address rather than naXXXX -- possibly
intentionally, but probably just by mistake.  The effect is that
everyone who posts to the list has their headers pseudonymized
before their messages are passed to the subscriber.

The people who were told they had been given anXXXX addresses were
the lucky ones.  People who already had unpassworded addresses, and
who have unstripped .sigs or other identifiers, have had their
pseudonyms and truenames silently handed to the subscriber.  Nasty
failure mode.

This has happened on the list a few times before.  The first or
second time was one of the major reasons Julf added the naXXXX
capability, as I recall, to let anonymous users safely subscribe to
mailing lists.  Passwords were intended to stop the forgery attack,
but are helpful here too.  This mail, for example, should never
reach the subscriber in question, because I didn't include my
password.

A handy stopgap would be for majordomo to screen out anXXXX
addresses (better, convert them to naXXXX), and other known
double-blinding addresses.  The behavior of anon.penet.fi interacts
poorly with mailing lists, but we've had that discussion before.

   Eli   [email protected]
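The stopgap Eli proposes, screening subscription requests for anXXXX addresses and rewriting them to naXXXX, as an added example that is not part of the original post or of majordomo. It assumes the anon.penet.fi address forms an<digits>@anon.penet.fi and na<digits>@anon.penet.fi, and the list of "other known double-blinding" domains is a constructed placeholder.

```python
import re

# Assumed address shapes for the anon.penet.fi pseudonymizer:
# an<digits> is the double-blinding form, na<digits> the list-safe form.
PENET_RE = re.compile(r"^(?P<kind>an|na)(?P<id>\d+)@anon\.penet\.fi$", re.IGNORECASE)

# Constructed placeholder set; real operators would fill this in.
OTHER_DOUBLE_BLIND_DOMAINS = {"example-remailer.invalid"}


def screen_subscriber(addr: str):
    """Decide what to do with a subscription request.

    Returns (action, address) where action is one of:
      "accept"  - address is fine as given
      "rewrite" - anXXXX converted to naXXXX so the subscriber
                  sees real headers instead of pseudonymized ones
      "reject"  - other known double-blinding address
    """
    addr = addr.strip()
    m = PENET_RE.match(addr)
    if m:
        if m.group("kind").lower() == "an":
            return "rewrite", f"na{m.group('id')}@anon.penet.fi"
        return "accept", addr.lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in OTHER_DOUBLE_BLIND_DOMAINS:
        return "reject", addr
    return "accept", addr


def screen_all(requests):
    """Apply screen_subscriber to a batch, keeping only usable addresses."""
    kept = []
    for req in requests:
        action, fixed = screen_subscriber(req)
        if action != "reject":
            kept.append(fixed)
    return kept


if __name__ == "__main__":
    # Constructed sample subscription requests.
    for a in ["an12345@anon.penet.fi", "na12345@anon.penet.fi",
              "alice@example.org", "bob@example-remailer.invalid"]:
        print(a, "->", screen_subscriber(a))
```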