Hardening lists against spam attacks

Mark M. markm at voicenet.com
Tue Dec 31 08:14:55 PST 1996


On Tue, 31 Dec 1996, Igor Chudov @ home wrote:

> Send a number of unique tokens to each subscriber each day.  Enforce a
> rule that only posts with valid current tokens may be accepted. The
> number of tokens should initially be very small (say, one per day) and
> then should be quickly increased to a sufficient number, like 10 or 20,
> as the subscriber shows a record of using tokens properly (as defined by
> acceptable content rules).
> A database is kept as to who was issued which tokens.
> If tokens are used improperly (to post off-topic materials) the 
> offending subscriber is denied any further tokens.
> The problem of this scheme is (besides its cost) that anonymous users
> will not be truly anonymous.

I think this problem can be solved by blind signing the tokens.  A user
generates a random number, multiplies it by the blinding factor, then sends
it to a token server which would append a timestamp and sign the blinded
token.  All signature requests should be signed with a PGP key.  The server
response would be encrypted with the user's public key.  A person's PGP key
would be sent along with the subscription request and then saved by the list

The token would be included in a user's list submission, removed, and saved by
the list software to detect any duplicates.  The server would issue a limited
number of tokens to each public key registered with it.  If two signed requests
come from the same email address in the same day signed with different keys,
only the tokens in the first request should be signed.

The only problem with this scheme is the inconvenience of having to register
a public key with the server before posting.  Someone with many different email
addresses could generate a public key for each address to get more tokens.  The
only way to prevent this is to control list subscriptions.

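The blind-signed token flow described in the message above, as an added example that is not part of the original post: a textbook RSA blind signature with a per-key daily quota on the server and duplicate detection in the list software. The key is a constructed toy key, the names `TokenServer` and `ListSoftware` are hypothetical, and the PGP-signed request, encrypted response and timestamp steps are assumed to happen outside this sketch.

```python
import hashlib
import math
import secrets

# Constructed toy key built from two Mersenne primes: demo only, trivially factorable.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # server's private exponent

def digest(token: bytes) -> int:
    """Map the user's random token to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """User side: hide the token digest behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return digest(token) * pow(r, E, N) % N, r

def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r, leaving an ordinary signature on the token digest."""
    return blind_sig * pow(r, -1, N) % N

class TokenServer:
    """Signs blinded values, limited per registered key per day (hypothetical)."""
    def __init__(self, daily_quota: int):
        self.quota = daily_quota
        self.issued = {}                    # (key_id, day) -> tokens signed
    def sign_blinded(self, key_id: str, day: str, blinded: int):
        # Assumption: the request's PGP signature was already checked for key_id.
        used = self.issued.get((key_id, day), 0)
        if used >= self.quota:
            return None                     # quota exhausted, nothing signed
        self.issued[(key_id, day)] = used + 1
        return pow(blinded, D, N)           # server never sees the real token

class ListSoftware:
    """Accepts a post only with a validly signed, previously unseen token."""
    def __init__(self):
        self.spent = set()
    def accept(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != digest(token) or token in self.spent:
            return False
        self.spent.add(token)
        return True
```

The server's record links a key to a blinded value only, so the token later seen by the list software cannot be matched to the request that produced it.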


More information about the cypherpunks-legacy mailing list