
Re: Hardening lists against spam attacks




On Tue, 31 Dec 1996, Igor Chudov @ home wrote:

> Send a number of unique tokens to each subscriber each day.  Enforce a
> rule that only posts with valid current tokens may be accepted. The
> number of tokens should initially be very small (say, one per day) and
> then should be quickly increased to a sufficient number, like 10 or 20,
> as the subscriber shows a record of using tokens properly (as defined by
> acceptable content rules).
> 
> A database is kept as to who was issued which tokens.
> 
> If tokens are used improperly (to post off-topic materials) the 
> offending subscriber is denied any further tokens.
> 
> The problem of this scheme is (besides its cost) that anonymous users
> will not be truly anonymous.

I think this problem can be solved by blind signing the tokens.  A user
generates a random number, multiplies it by the blinding factor, then sends
it to a token server which would append a timestamp and sign the blinded
token.  All signature requests should be signed with a PGP key.  The server
response would be encrypted with the user's public key.  A person's PGP key
would be sent along with the subscription request and then saved by the list
software.

The token would be included in a user's list submission, removed, and saved by
the list software to detect any duplicates.  The server would issue a limited
number of tokens to each public key registered with it.  If two signed requests
come from the same email address in the same day signed with different keys,
only the tokens in the first request should be signed.

The only problem with this scheme is the inconvenience of having to register
a public key with the server before posting.  Someone with many different email
addresses could generate a public key for each address to get more tokens.  The
only way to prevent this is to control list subscriptions.


Mark