
Re: Hardening lists against spam attacks



There seems to be some confusion about what I actually proposed.  (I never
seem to be able to write clearly the first time.)  Let me describe in more
detail my currently preferred token distribution system.

First some definitions:
  Majordomo - The rule based administrator for the list
  List administrator - The rule maker.  Also does the things majordomo can't.
  poster - someone who wants to post a message to the list
  list member - those who receive the list.

Token distribution works like this:  A poster desiring a token sends a
request to majordomo and includes a public key.  This request can be sent
thru a remailer chain.  Majordomo generates a token (think of it as a
secret key), enciphers it with the public key, and posts it to the list.
Note that the poster does not have to be subscribed to the list.  The token
can be recovered from the archives or from a reflector list.  (Thanks to
Tim May for the suggestion of this method of distribution.)

Now we have given poster an anonymous token.  Since tokens are good
forever, true anonymity requires a new token for each post.  Otherwise the
poster only has a pseudonym.  I consider this feature an advantage.

Since tokens are good forever, majordomo will only give out a limited
number per day.  I suggest four.  This limit will somewhat protect against
the attack Ray Arachelian pointed out of having one abusive user collect
10,000,000 tokens.


It is important to recognize the class of problems I am trying to solve.
While I would like to solve the sporadic "make money fast" spam problem, I
agree with Tim that, at today's levels, it is only an annoyance.  I also
agree that the drivel that comes from some of our more prolific posters is
best handled by filtering by the list members themselves.  (I currently
have 3 of them going directly to the trash.  Perhaps aga should get
kickbacks from Qualcomm.  He managed to sell a copy of EudoraPro.)

The problem I am really concerned with is denial of service attacks via
flooding.  With 1000 list members, each message to the list requires a lot
of resources to handle compared with the ones it requires to send.  This
fact gives an attacker a big advantage.  Tokens are designed to enable
majordomo to recognize the source of messages and provide lower performance
reception to those who are sending a lot of messages.  This technique is
similar to the technique used by the White House mail system to limit
flooding attacks.  (And the idea came from a description of that system
posted here some months ago.)

Tokens would also give the list administrator a tool to discourage certain
posters.  If John Gilmore wanted to make it hard for Dimitri to post, he
could cancel Dimitri's token.  Dimitri could get another one (under a
different name if Majordomo's instructions prevented it from giving him
one), but John could continue to cancel the new ones.  (N.B. There is no
evidence that John actually wanted to keep Dimitri from posting.  This
example is only a hypothetical.)


Sandy suggests gateways (i.e. distributed moderators) to preserve
anonymity.  While I don't think they are needed to preserve anonymity, they
will be useful for those who can't or won't encrypt their posts.  It is
important to note here that anyone with a token can act as a gateway.


I was trying to make only small changes in the dynamics of the list.  As
such, the market based solutions are more radical than I was willing to
consider.  I would like to see a market based system in actual use, but
perhaps elsewhere.  The idea seems better fitted to Robert Hettinga's e$pam
list.


-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
[email protected] | Pakistan. - me             | Los Gatos, CA 95032, USA
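
An added sketch of the list-server side of the scheme described in the message above; it is not part of the original post and is not Majordomo code. It covers the daily issuance cap, token cancellation, and slower handling for tokens that post heavily. The class and function names, the one-hour window, the free-post count, the doubling delay, and the rejection of posts without a valid token are all assumptions, and public-key encryption is left to a caller-supplied function.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

DAILY_LIMIT = 4    # the message suggests four tokens per day
WINDOW = 3600      # assumed: seconds of history used to judge a token's volume
FREE_POSTS = 3     # assumed: posts per window distributed without delay
BASE_DELAY = 60    # assumed: delay in seconds for the first post over FREE_POSTS

class TokenGate:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # server secret; only token digests are kept
        self.valid = set()                   # digests of tokens that have not been cancelled
        self.issued_on = defaultdict(int)    # day number -> tokens issued that day
        self.recent = defaultdict(deque)     # token digest -> timestamps of recent posts

    def _id(self, token):
        return hmac.new(self.key, token, hashlib.sha256).hexdigest()

    def issue(self, now, encrypt_to_requester):
        """Return the token enciphered for the requester, or None once today's quota is spent."""
        day = int(now // 86400)
        if self.issued_on[day] >= DAILY_LIMIT:
            return None
        self.issued_on[day] += 1
        token = secrets.token_bytes(16)
        self.valid.add(self._id(token))
        return encrypt_to_requester(token)   # this ciphertext is what gets posted to the list

    def cancel(self, token):
        """List administrator action: the token stops being accepted."""
        self.valid.discard(self._id(token))

    def delay_for(self, token, now):
        """Seconds to hold a post before distribution; None means no valid token."""
        tid = self._id(token)
        if tid not in self.valid:
            return None
        q = self.recent[tid]
        while q and q[0] <= now - WINDOW:    # forget posts older than the window
            q.popleft()
        q.append(now)
        over = len(q) - FREE_POSTS
        # Each post over the free allowance doubles the hold time, capped at WINDOW.
        return 0 if over <= 0 else min(BASE_DELAY * 2 ** (over - 1), WINDOW)
```

The cap is global rather than per requester because requests may arrive through a remailer chain and cannot be tied to an identity.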