Re: [Explanation] Re: "STOP SENDING ME THIS SHIT"



>      I run a small mailing list that has been subject to problems
> similar to the recent spate of "unscrives".  Apparently there is a
> list of mailing lists circulating the warez boards along with scripts
> for spoofing subscription requests.  Over the past few months my list

	Ah, KaNN3d t00Lz: the incompetent kRak3r'z best friend. :)

>      Crypto relevance:  This attack will be eliminated when more mail
> agents support public key crypto and the mailing list software can be
> modified to check signatures on subscription requests.

	But you're presupposing a public key distribution mechanism
such that the list software can get a key for that user.  And that
that's a valid key for that user, not a key that J Random kRak3r didn't
just send in for his clueless AOL victim before said victim established
a public key.

	At any rate, has something like this been put into the current
PGPdomo?  I don't think that it would be too hard to hack in a query
to a web keyserver to grab a key.  If the initial request's not
signed, maybe include a note about how to go about getting PGP and
putting a key on the keyserver (or a pointer to instructions on the
web).

---
Fletch                                                     __`'/|
[email protected]  "Lisa, in this house we obey the       \ o.O'    ______
404 713-0414(w)      Laws of Thermodynamics!" H. Simpson   =(___)= -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43  U      ------
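
The key-distribution objection raised in this message, as an added example that is not part of the original post and is not PGPdomo code: list software that fetches a key by address and checks the signature accepts a forged request when the forger's key was filed first. It assumes a hypothetical `Keyserver` that keeps the first key uploaded for an address, toy textbook RSA standing in for PGP signatures, and a constructed address and request string.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes, standing in for PGP signatures.
# Not secure; it only models "sign with private key, verify with public key".
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, e), "priv": (n, pow(e, -1, phi))}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(key, msg):
    n, d = key["priv"]
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

class Keyserver:
    """Hypothetical keyserver: stores whatever key is uploaded for an address."""
    def __init__(self):
        self.keys = {}
    def upload(self, addr, pub):
        self.keys.setdefault(addr, pub)   # assumption: first key filed sticks
    def lookup(self, addr):
        return self.keys.get(addr)

def handle_subscribe(ks, addr, request, sig=None):
    """List-side check: fetch the key by address, then verify the signature."""
    pub = ks.lookup(addr)
    if sig is None or pub is None:
        return "send-pgp-instructions"    # unsigned or unknown key: send the note
    return "subscribed" if verify(pub, request, sig) else "rejected"

VICTIM = "victim@example.com"             # constructed address
REQUEST = "subscribe some-list " + VICTIM # constructed request text
victim_key = make_key(2**61 - 1, 2**89 - 1)
forger_key = make_key(2**107 - 1, 2**127 - 1)

def forger_first():
    ks = Keyserver()
    ks.upload(VICTIM, forger_key["pub"])  # filed before the victim has any key
    return handle_subscribe(ks, VICTIM, REQUEST, sign(forger_key, REQUEST))

def victim_first():
    ks = Keyserver()
    ks.upload(VICTIM, victim_key["pub"])  # victim established a key earlier
    ks.upload(VICTIM, forger_key["pub"])  # later upload is ignored
    return handle_subscribe(ks, VICTIM, REQUEST, sign(forger_key, REQUEST))
```

The signature check only proves possession of the private key behind whatever key the keyserver returns for the address; it says nothing about who filed that key.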