Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Update on mail bombing threats--not so funny

  • From: Dan Busarow
  • Date: Fri Jan 10 22:46:01 1997

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 10 Jan 1997, Vadim Antonov wrote:
> Can it be fixed?  Of course.  But the first step in filtering out
> those who are trying to push their unwanted speech on us is to
> make sure they won't pretend to be somebody whose words we'd
> want to listen to.

[ ...]

> Now, how about doing the right thing: make the NANOG list the
> first one to require signed messages?  Somebody has to start.

So in order to post to nanog you would have to have your PGP 
key signed by NANOG or the list operator or another entity trusted
by all.  How do you establish trust for that signing?

The Usenix key signing is a good model for techie types, but
we are the minority.  How would the great unwashed have their
keys signed?  Besides, I like being able to post without having to
attend a NANOG meeting though I could live with the restriction.

I agree that both goals, authentication and flooding defense, are 
desirable.  Source address verification is important and doable as 
long as everyone in a position to do so wants to.  We have our filters
in place, does everyone?  There are 3000+ of us little guys and
we are the ones who need to do it.  The NSPs and regionals could
possibly filter at customer gateways but with multi-homing how much 
human/CPU load would that present?

Authentication is worse when looking at ubiquitous verification.  
Unless we give up on PGP and switch to PEM and RSA certs (using RSA
as a trusted authority).  And even then, for personal certs anyway, 
they don't seem very secure to me.  I can get one for free and all 
they require is a valid e-mail address to send it to.  Once I have it 
I can forge my e-mail address and use the cert to sign messages 
originating from another account.  Of course the original "valid" 
e-mail address has long since disappeared.  I haven't actually tried 
this, but I don't see how a signed message injected into an SMTP port 
could be distinguished from a "real" one.  Sure, the IP address will
be in the headers, but they aren't signed.

Now the threat of RSA pursuing me for violation of their personal
use restrictions *might* slow down some spammers, but probably not 
until a few have been caght and hung.

This might be more on topic on cryptography@c2.net.  
Majordomo list.  Low volume.

Dan
- -- 
 Dan Busarow                                                  714 443 4172
 DPC Systems / Beach.Net                                    dan@dpcsys.com
 Dana Point, California  83 09 EF 59 E0 11 89 B4   8D 09 DB FD E1 DD 0C 82

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMtcEWbWobIiO1AA9AQEENQP/dFcwDqVr5k02lVj3YVir81eyQr64gZ+6
m43R2mVSNSVkwSXaSwliK53JasQHdSFoC8Dj99m0vRqQOldiol2eQIEq66eG4Yby
2v45nJvrfinfo84wRWOzdyzvcHdRJaCUTRUUiYzOY/Ec1mbkG3NIGwvLJlN/GjCt
qIRYb/hPid0=
=yynD
-----END PGP SIGNATURE-----

- - - - - - - - - - - - - - - - -




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.