ietf-asrg

Re: [Asrg] New proposal for spam blocking: Greylisting

2003-06-20 21:50:31
From: Elric Pedder <elric(_at_)novitraq(_dot_)com>

...
If only a hash of the triplet were stored, would this solve
the privacy issue?

No.  Consider a "dictionary attack."  If you have a copy of the database
and want to know if Steve Case sent Bill Gates a message, you hash
those two addresses with a likely IP address and see if you can get
a hit in the database.  If you do not know the exact IP address, you
can guess it is one of a few thousand (or at most a billion) and make
the corresponding few thousand (or billion) probes of your copy of
the database.  Like a dictionary attack on /etc/passwd, this attack
may not be quick, but it is effective.

Whether the hash is easily reversible like CRC-32 or a cryptographic
function like SHA or MD5 is irrelevant except perhaps for the speed
of the attack.

This sort of thing is why hashes of target addresses are not sent by
DCC clients to servers to be stored in the distributed database.  It
is also why none of the hashes of mail from white-listed senders or
to non-participating receivers is sent to DCC servers by clients.

It might be interesting to consider something similar for the
Greylisting database.  What if only the IP address of the SMTP
client and the Rcpt_To value is checked?


I saw some comments about available counter-attacks by spammers, but
I don't recall seeing a clear description of the easiest.  Spammers
do not need to do real queuing to get through a greylist.  They need
only send to the same target list from the same SMTP client a few
hours after an initial spew.  Mailboxes protected by a greylist will
accept the second copy.  Other mailboxes will see two copies.  That
wouldn't be remarkable, because some spammers are already hitting
individual addresses with several copies per spew.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
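
The dictionary probe described in the message above, written as a privacy check against a hashed greylist store. This is an added example, not part of the original post or of any greylisting implementation. The key format, the use of SHA-256, and all addresses are assumptions constructed for illustration; it also includes the variant keyed only on client IP and Rcpt_To that the message raises.

```python
import hashlib
import ipaddress

def triplet_key(ip, mail_from, rcpt_to):
    # Assumed storage format: SHA-256 over "ip|sender|recipient".
    raw = f"{ip}|{mail_from.lower()}|{rcpt_to.lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()

def pair_key(ip, rcpt_to):
    # Variant keyed only on SMTP client IP and Rcpt_To; no sender is stored.
    raw = f"{ip}|{rcpt_to.lower()}"
    return hashlib.sha256(raw.encode()).hexdigest()

def probe(db, candidate_net, make_key):
    """Return every address in candidate_net whose key is present in db."""
    return [str(ip) for ip in ipaddress.ip_network(candidate_net).hosts()
            if make_key(str(ip)) in db]

# Constructed sample traffic (documentation IP ranges, example.* domains).
TRAFFIC = [
    ("192.0.2.77", "alice@example.com", "bob@example.net"),
    ("192.0.2.77", "carol@example.org", "bob@example.net"),
    ("198.51.100.9", "carol@example.org", "dave@example.net"),
]
TRIPLET_DB = {triplet_key(*t) for t in TRAFFIC}
PAIR_DB = {pair_key(ip, rcpt) for ip, _sender, rcpt in TRAFFIC}

def sender_confirmed(mail_from, rcpt_to, candidate_net):
    """Does the hashed triplet store confirm mail_from wrote to rcpt_to?"""
    return probe(TRIPLET_DB, candidate_net,
                 lambda ip: triplet_key(ip, mail_from, rcpt_to))

if __name__ == "__main__":
    # 254 hashes are enough to confirm the pair and recover the client IP.
    print(sender_confirmed("alice@example.com", "bob@example.net", "192.0.2.0/24"))
    # A pair that never exchanged mail yields no hit.
    print(sender_confirmed("alice@example.com", "dave@example.net", "192.0.2.0/24"))
    # The pair-keyed store holds fewer entries and no sender to test, but
    # still shows that 192.0.2.77 delivered to bob.
    print(len(TRIPLET_DB), len(PAIR_DB))
    print(probe(PAIR_DB, "192.0.2.0/24", lambda ip: pair_key(ip, "bob@example.net")))
```

Swapping SHA-256 for any other unkeyed hash changes only the time per probe, not the outcome.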


