[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: remailer spam throttle

[email protected] (Igor Chudov @ home) writes:

> Dr.Dimitri Vulis KOTM wrote:
> > 
> > Hal Finney <[email protected]> writes:
> > > For example, one idea is to have a list of people who are willing to
> > > receive anonymous mail without questions.  It could be that the remailer
> > > is set up to ask before sending mail normally, but to people on such a
> > > list it doesn't have to ask, it just sends it, because they have given
> > > permission.
> > >
> > > Some people have objected to this proposal because the existence of the
> > > list might give a hint about which people send mail through the remailers
> > > Even though the list is of people willing to *receive* anonymous mail,
> > > it could well be that there is a strong correlation with people who want
> > > to send such mail.
> > 
> > Instead of keeping this list in cleartext, one could keep 1-way hashes
> > of the addresses. Thus a remailer (or anyone) can check whether a given
> > address is on the list, but they can't just go through the list and
> > "investigate" the addresses on it.
> Well, they can compile the list of addresses off of USENET postings and
> such and then compute the hashes of the compiled names and identify
> those that are on the anon acceptance list. Not that it completely
> invalidates the idea, but certainly it is a problem.
> 	- Igor.

That's a valid point.  One can obtain a list of "suspected" addreses,
say, from the subscribers to the cp list(s), and run that against the
hashed lists.

Another feature I really don't like about asking the first-time recipients
to agree to accept e-mail while it's on the reamailer is:

With the present scheme, if a remailer is "raided", it has precious little
interesting stuff on it at any one time. Now consider the scenario:

X sends 1000 copies of child porn/seditious libel to 100 people believed not
to be using remailers right now.  The remailer keeps the 100 e-mails onits
hard disk and e-mails each receipient a ping, inviting them to agree to the
disclaimer terms and to retrieve their anonymous e-mail.  The first recipient
to retrieve the e-mail gets upset and contacts the feds.  The feds figure, the
remailer still has the 99 other e-mails and the information on who's supposed
to receive them in its queue; why not seize it and take a look.

I just came up with another idea which definitely has some holes in it,
but perhaps someone wants to improve on it.

There's a big distributed database of pgp keys on the several keyservers.
Add a bit to the database specifying whether the key owner wants to receive
anonymous e-mail.  By default set it to true for the existing addresses.

When the final remailer in the chain wants to send someone an anonymous
message, it attempts to retrieve a key from the keyservers.

If it fails to find a key, it junks the mail (you don't want to keep it
around, it's baiting the LEAs!) and instead sends a notification to the
recipient that some anon e-mail was addressed to it, but it was junked;
and if they want to receive anon e-mail, they need to give a pgp key
to one of the key servers this remailer uses.

If it finds a key, it looks at the anon mail bit; if it's on, it encrypts 
the e-mail with the recipient's key and sends it; otherwise it junks it.

Obviously, the key servers would need to be modified to allow users to
specify whether they want anon e-mail when then store their keys, and
to change this setting any time.

Right now, there's a very large number of addresses in the key servers.
Instantly making them into a list of addresses that accept anon mail
will make it hard (hopefully infeasible) for the LEAs to investigate
everyone willing to accept anon e-mail as a suspect in sending it.


<a href="mailto:[email protected]">Dr.Dimitri Vulis KOTM</a>
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps