
Re: remailer spam throttle



On Sat, 29 Mar 1997, Dr.Dimitri Vulis KOTM wrote:

-> Sergey Goldgaber <[email protected]> writes:
-> >
-> > Unfortunately, key servers can not be trusted.  I'm sure you're aware that
-> > anyone can submit a key, and thus forgeries abound.
-> >
-> > If the above model is adopted, key servers will be the first target of
-> > the prospective spammer.
-> 
-> Why Sergey, you mean to tell me that there are key servers out there that
-> accept a key from a purported address and don't send back a cookie to that
-> address to see if it's not fake? :-) That's just terrible. Definitely no
-> key coming from such a server should be trusted. :-) :-)
-> 
-> Today is March 29, 1997 - almost April 1st. The Internet ain't what is
-> used to was 15 or 10 or even 2 years ago. If you get an e-mail that
-> purports to be from X, and it requests that you add X's public key
-> to your key server, or (un)subscribe X to a mailing list, or
-> block X from receiving anonymous e-mail - it may be a forgery.
-> Never act on such requests without trying to authenticate them
-> with a cookie.

DNS maps can easily be forged.  Key servers run on machines with questionable 
physical and operating system security.  Finally, key server ops themselves
can mess with keys.

This is why people who use keys off of keyservers are encouraged to verify
the key via its key fingerprint, or via the web of trust.

However, this can not be done via automation on a large scale for the purpose
of address blocking, unless via a certification authority.

The bottom line is that keyservers can not be trusted, despite any primitive
security measures they supposedly have in place.


 ............................................................................
 . Sergey Goldgaber <[email protected]>      System Administrator        el Net .
 ............................................................................
 .   To him who does not know the world is on fire, I have nothing to say   .
 .                                                      - Bertholt Brecht   .
 ............................................................................
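
The cookie check discussed in this thread, as an added example that is not part of the original messages or any real key server's code: the server mails a keyed cookie bound to the submitted address and key fingerprint, and accepts the key only if that cookie comes back before it expires. `SERVER_SECRET`, `COOKIE_TTL`, the function names and the sample values are assumptions; a returned cookie shows only that someone could read mail at that address, so fingerprint or web-of-trust verification is still needed.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random per-server key
COOKIE_TTL = 3 * 24 * 3600                  # assumption: pending requests expire after 3 days


def _mac(address: str, fingerprint: str, expires: int) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (address.lower().encode(), fingerprint.upper().encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_cookie(address: str, fingerprint: str, now: int) -> str:
    """Cookie mailed to `address`; the submitted key stays pending until it returns."""
    expires = now + COOKIE_TTL
    return f"{expires}.{_mac(address, fingerprint, expires).decode()}"


def confirm(address: str, fingerprint: str, cookie: str, now: int) -> bool:
    """True only for an unexpired cookie issued for this exact address/key pair."""
    try:
        expires_s, tag = cookie.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed cookie
    if now > expires:
        return False  # stale confirmation
    # Constant-time comparison; the stateless design needs no pending-request table.
    return hmac.compare_digest(tag.encode(), _mac(address, fingerprint, expires))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    fpr = "0123456789ABCDEF0123456789ABCDEF"
    c = issue_cookie("alice@example.org", fpr, now=1000)
    print(confirm("alice@example.org", fpr, c, now=2000))       # genuine reply
    print(confirm("alice@example.org", "F" * 32, c, now=2000))  # cookie reused for another key
```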