Full Disclosure mailing list archives
Re: mailman email harvester
From: Valdis.Kletnieks () vt edu
Date: Sat, 12 Feb 2005 23:30:36 -0500
On Sat, 12 Feb 2005 13:11:41 +0100, Bernhard Kuemel said:
> If a user chooses to use hashcash he must understand it. If he doesn't and subscribes to a mailing list all the list mail will go to his spam folder. He will learn from that and whitelist list mail.
Given the number of people who can't even learn "don't open the spam" and "Don't click on the spyware links", I doubt enough users will both choose and do it right to make a difference.
> | And remember that the whole *idea*
> | of hashcash is that you make it impractical for somebody to send 3,000 pieces
> | of mail. I'm sure netsys.com wouldn't want to keep full-disclosure if they had
> | to do hashcash for even 10% of their users.
> They would not hashcash every mail, but sign each incoming mail so spammers can't spam subscribers whose addresses then can be published again.
You missed the point - if a user forgets to whitelist netsys.com, then *NETSYS.COM* has to do a hashcash to deliver the *outbound* mail to the bozo's ISP.
> Subscribing to mailing lists has always been a process of following instructions. If you subscribe via a web page, this web page will tell you which addresses to whitelist. If you subscribe via email firstly there will also be some source of instructions how to subscribe, and secondly you can whitelist replies that reference (private) emails you sent recently.
You'd be surprised how many people get it wrong *now*, when the instructions only say "send mail to *this* address with *this* in it". I've seen people manage to get it wrong even when they have a link that says mailto:majordom () example com&body=subscribe listname If you just say "and remember to whitelist foo@address" they won't know how. And if you try to give directions, you'll have to have AOL instructions, and Hotmail instructions, and Yahoo instructions, and GMail instructions, and at least some of the Hotmail users will try to follow the Yahoo instructions just because they're total yahoos as well as being hotmail subscribers.
> | There's also all the stuff that things like amazon, ebay, your bank,
> | your insurance company, your utility companies, etc... all send out,
> | that users will forget to whitelist.
> They can send hashcashed requests for being whitelisted which will pop up a window similar to message receipt requests.
And the spammers can send hashcashed requests too - remember they have thousands of zombies, so it doesn't bother them...
> I don't understand the situation. Human edited mail is usually created on a workstation that is capable of making hashcash while the mail is edited.
You missed a point here. If I'm composing on a workstation, you *DON'T* want me to do a hashcash *THEN* - because if I'm a spammer, I can do the hashcash ONCE, and send it to 75 different mailservers, and they'll never know. What ends up happening is the user composes it, hits "send", it goes to their ISP's mail hub - and when the 75 copies go out, the mail hub has to do a different hashcash for each of the 75 destinations that ask for a hashcash. That's why hashcash is painful to mail hubs.
> Configure your system to require more. 1 minute. Or 10. Or 20. The amount of hashcash can be put in an email address comment or if insufficient cash is sent, the receiving system can automatically request more.
Remember that you have to pick a number that a legitimate ISP can calculate a fair number of them a day - if you're cranking a million e-mails a day, which even a fairly small site like ours manages to do, and only 1% of the mail needs to be hash-cashed for one CPU minute, suddenly you need 6 CPUs doing nothing but grinding hashcash. On the other hand, if you're a spammer with 10K zombies, requiring a minute of hashcash still means you can send 1.4M spam per day, using other people's CPU.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
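An added example, not part of the original message: a sketch of hashcash version 1 stamps showing why a sending hub pays the proof-of-work once per destination, since the receiver checks that the stamp's resource field names the recipient and rejects replays. The 12-bit difficulty, the example addresses and the function names are assumptions chosen so the demo runs quickly; date expiry checking is left out.

```python
import base64
import hashlib
import os
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, date: str = "050212") -> str:
    """Brute-force a counter so SHA-1(stamp) starts with `bits` zero bits.
    Expected cost is about 2**bits hashes, paid by the sender."""
    rand = base64.b64encode(os.urandom(9)).decode()  # 12 chars, never ':'
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: one hash, plus recipient binding and replay checks."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    claimed_bits, resource = int(fields[1]), fields[3]
    if resource != recipient or claimed_bits < min_bits:
        return False  # minted for someone else, or too cheap
    digest = hashlib.sha1(stamp.encode()).digest()
    if leading_zero_bits(digest) < claimed_bits:
        return False  # claimed work was not actually done
    if stamp in seen:
        return False  # same stamp presented twice
    seen.add(stamp)
    return True

def stamps_for_fanout(recipients: list, bits: int) -> dict:
    """What a mail hub must do: mint a separate stamp per destination."""
    return {rcpt: mint(rcpt, bits) for rcpt in recipients}

if __name__ == "__main__":
    # Constructed recipients for the demo.
    rcpts = ["alice@example.org", "bob@example.net", "carol@example.com"]
    stamps = stamps_for_fanout(rcpts, bits=12)
    seen = set()
    for rcpt, stamp in stamps.items():
        print(rcpt, stamp, verify(stamp, rcpt, 12, seen))
    # Reusing Alice's stamp for Bob fails the resource check.
    print(verify(stamps[rcpts[0]], rcpts[1], 12, set()))
```

Verification costs the receiver a single hash, while each extra bit of required difficulty doubles the sender's expected minting work for every destination.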