On Thu, Mar 5, 2009 at 17:23, Evan Prodromou <[email protected]> wrote:
> Billy Crook wrote:
>> Further, using the 'sender' of an email to in any way identify the
>> human that sent said email is poor design,
>
> Sez you, smartypants.

:-)

>> as the 'sender' is in no
>> way guaranteed authentic.
>
> NOT checking the sender means that a random number spam attack on the server
> will eventually start hitting some incoming email addresses.

I will admit I haven't done the math, but there is likely already sufficient entropy in the random alias that the amount of computational and bandwidth effort required to just hit one would be prohibitively expensive.

Actually, math is fun, so here goes nothing.....

36 ^ 13 chars long = 170581728179578208256 possibilities * 1 Kbyte per message = about 158866614270 Terabytes of incoming traffic to try them all. I can't even dream about that much bandwidth. Maybe in ten years...

Suppose there are one billion users on your Laconica server (and I'm holding you to that goal, Mr. Prodromou...) And suppose that all it took was guessing their random receiving alias to get a spam in because the sending address is ignored. Then, on average, a spammer could successfully offer 140 characters of discount medication after only 158 Terabytes of network I/O. Given a sufficiently patient colo admin and a gigabit internet connection, it would take 1294336 seconds or about 15 days for a spammer to get one message out. And that's assuming all the users are in comas, and not using any of the server's bandwidth or processor themselves, in which case it wouldn't terribly matter.

15 days of a full-on pummelling the likes of which has very rarely if ever before been seen, just to hijack 140 characters of someone's identity. I think spammers are much more likely to exploit the easy signup, lack of captchas or OpenID compatibility. And please, don't add captchas unless there's a '#$config['site']['driveawayusers'] = false;

> If we check the sender, then the attacker has to know the email address of
> at least one user, AND do a random number spam attack. With the 80-bit
> values we're using, that goes to the Really Hard level pretty fast.
>
> Maybe, instead of just allowing anyone to post to an address, you might want
> to allow users to define more than one email address for their account. (We
> should probably do this anyways.) That way, you could add both your work and
> your personal email address, and either one would work for posting.

That would work 99% of the time. I do think it would be terribly clever though if you didn't have to have a "From" address, and by a single matching unique random identifier, your message would go through. A single 'Allow posting only from:' checkbox would probably be a lot easier to code, though I'll admit, I'm not anywhere near being able to do this yet.

_______________________________________________
Laconica-dev mailing list
[email protected]
http://mail.laconi.ca/mailman/listinfo/laconica-dev
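The alias-guessing arithmetic in the message above, worked through as an added Python cost model (this is not code from the thread or from Laconica). The [a-z0-9] alphabet, 13-character alias, 1 Kbyte message, binary terabytes and the one-billion-user scenario are the thread's assumptions; the function names, the decimal gigabit link and the "live aliases" parameter are mine. The same function also expresses Evan's counterpoint: once the sender is checked, a guess can only land on users whose sender address the attacker already knows, so `live_aliases` shrinks from the whole user base to that known set.

```python
from fractions import Fraction
from math import log2

# Constructed cost model (not from the thread): a spammer who ignores the
# sender must guess a live receiving alias, so the mean number of messages
# before one lands is (alias space / live aliases). Constants below are the
# thread's assumptions; the parameters let you vary them.

LOWER_ALNUM = 36        # [a-z0-9]
ALIAS_LEN = 13          # characters per alias in the thread's arithmetic
KIB = 1024              # "1 Kbyte per message"
TIB = 1024 ** 4         # the thread's terabytes are binary (2^40 bytes)
GIGABIT = 10 ** 9       # assumed decimal gigabit/s link


def alias_space(alphabet_size=LOWER_ALNUM, length=ALIAS_LEN):
    """Number of distinct aliases of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size=LOWER_ALNUM, length=ALIAS_LEN):
    """Entropy of a uniformly random alias, in bits."""
    return length * log2(alphabet_size)


def expected_attempts(live_aliases, alphabet_size=LOWER_ALNUM, length=ALIAS_LEN):
    """Mean guesses (uniform, with replacement) until one hits a live alias.

    live_aliases is how many aliases a guess can usefully land on: every
    user's alias when the sender is ignored, but only the users whose sender
    address the attacker already knows when the sender is checked as well.
    """
    if live_aliases < 1:
        raise ValueError("need at least one live alias")
    return Fraction(alias_space(alphabet_size, length), live_aliases)


def brute_force_cost(live_aliases, bytes_per_msg=KIB, bits_per_sec=GIGABIT,
                     alphabet_size=LOWER_ALNUM, length=ALIAS_LEN):
    """Expected traffic and time for the attacker to land one message."""
    attempts = expected_attempts(live_aliases, alphabet_size, length)
    total_bytes = attempts * bytes_per_msg
    seconds = total_bytes * 8 / bits_per_sec
    return {
        "attempts": attempts,
        "bytes": total_bytes,
        "tib": float(total_bytes / TIB),
        "seconds": float(seconds),
        "days": float(seconds / 86400),
    }


def exhaustive_traffic_tib(bytes_per_msg=KIB, alphabet_size=LOWER_ALNUM,
                           length=ALIAS_LEN):
    """Traffic (TiB, rounded down) needed to try every alias exactly once."""
    return alias_space(alphabet_size, length) * bytes_per_msg // TIB


if __name__ == "__main__":
    print(f"alias space: {alias_space()} ({entropy_bits():.1f} bits)")
    print(f"try them all: {exhaustive_traffic_tib()} TiB")
    ignored = brute_force_cost(10 ** 9)
    print(f"sender ignored, 1e9 users: {ignored['tib']:.1f} TiB, "
          f"{ignored['days']:.1f} days at 1 Gbit/s")
    checked = brute_force_cost(10 ** 3)
    print(f"sender checked, 1e3 known senders: {checked['tib']:.3e} TiB, "
          f"{checked['days']:.3e} days")
    print(f"80-bit alias: {entropy_bits(2, 80):.0f} bits, space {alias_space(2, 80)}")
```

Run as a script it reproduces the thread's 170581728179578208256 aliases and 158866614270 TiB to exhaust them, and about 159 TiB per successful message with a billion users. With a decimal gigabit and no rounding that case comes to roughly 16 days; the thread's 1294336 seconds is the rounded 158 TiB sent over a 2^30 bit/s link. Dropping `live_aliases` from a billion to the thousand users whose address a spammer might know multiplies the expected cost by a million, which is the effect of checking the sender, and the 13-character alias carries about 67 bits of entropy against the 80-bit values Evan mentions.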
