Re: [Asrg] New proposal for spam blocking: Greylisting

"John Morris" <jmorris@cdt.org> Sat, 21 June 2003 16:05 UTC

From: John Morris <jmorris@cdt.org>
Subject: Re: [Asrg] New proposal for spam blocking: Greylisting
To: asrg@ietf.org
Message-Id: <20030621160229.0EDF74900C8@mail.cdt.org>
Date: Sat, 21 Jun 2003 12:02:29 -0400

Vernon Schryver <vjs@calcite.rhyolite.com> wrote ..
> > From: Elric Pedder <elric@novitraq.com>
> 
> > ...
> > If only a hash of the triplet were stored, would this solve
> > the privacy issue?
> 
> No.  Consider a "dictionary attack."  If you have a copy of the database
> and want to know if Steve Case sent Bill Gates a message, you hash
> those two addresses with a likely IP address and see if you can get
> a hit in the database.  If you do not know the exact IP address, you
> can guess it is one of a few thousand (or at most a billion) and make
> the corresponding few thousand (or billion) probes of your copy of
> the database.  Like a dictionary attack on /etc/passwd, this attack
> may not be quick, but it is effective.

I agree with Vernon's comments.  Hashing the triplets would not "solve" the privacy problem, for the reasons Vernon explains.  But I do think it could "reduce" the privacy problems, because a dictionary-like attack would be less effective if you do not have any idea about who has sent e-mail to the person whose greylist you are attacking.  It would also make the greylist better protected from a more casual attack -- for example, a colleague or family member sneaking a quick peek at someone's greylist.

But, hashing the triplets would certainly not make all of the privacy problems disappear.  Indeed, even if one could come up with a hash that was resistant to the kind of attack Vernon details, the other information in the database could reveal important personal information even without knowing who sent an e-mail.  For example, if you are trying to investigate whether person X made an initial contact with person Y during a given period of time, Y's hashed greylist could establish that someone contacted Y for the first time at a specific time (which could be valuable even if you cannot determine whether the someone was X).

John
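
The two points made in this message, as an added example that is not part of the original e-mail or of any greylisting implementation: a privacy audit of a greylist store that checks whether an unkeyed triplet hash can be confirmed by guessing, whether a keyed hash resists the same check, and what the stored first-seen times still reveal. SHA-256, HMAC, the `|` field separator, the addresses, the key and the timestamp are all assumptions or constructed sample values.

```python
import hashlib
import hmac


def plain_key(ip, sender, rcpt):
    """Unkeyed hash of the (IP, sender, recipient) triplet, as proposed in the thread."""
    return hashlib.sha256(f"{ip}|{sender}|{rcpt}".encode()).hexdigest()


def keyed_key(secret, ip, sender, rcpt):
    """Keyed hash (HMAC); the secret lives with the MTA, not in the database (assumption)."""
    return hmac.new(secret, f"{ip}|{sender}|{rcpt}".encode(), hashlib.sha256).hexdigest()


def confirmable(db, candidates, keyfn):
    """Return the candidate triplets (with first-seen time) that a database copy confirms."""
    return [(t, db[keyfn(*t)]) for t in candidates if keyfn(*t) in db]


# Constructed sample data: one greylist entry, stored two ways.
SECRET = b"constructed-key-held-outside-the-db"
TRIPLET = ("192.0.2.17", "alice@example.org", "bob@example.net")
FIRST_SEEN = "2003-06-20T09:14:00Z"
plain_db = {plain_key(*TRIPLET): FIRST_SEEN}
keyed_db = {keyed_key(SECRET, *TRIPLET): FIRST_SEEN}

# The auditor knows both addresses but only the sender's /24, as in the quoted reply.
GUESSES = [(f"192.0.2.{n}", "alice@example.org", "bob@example.net") for n in range(256)]


def audit():
    # Unkeyed store: 256 hash computations are enough to confirm the contact.
    plain_hits = confirmable(plain_db, GUESSES, plain_key)
    # Keyed store: a database copy alone gives no function to recompute keys with.
    keyed_hits = confirmable(keyed_db, GUESSES, plain_key)
    # Either way, first-contact times are readable without identifying the sender.
    visible_times = sorted(keyed_db.values())
    return plain_hits, keyed_hits, visible_times


if __name__ == "__main__":
    plain_hits, keyed_hits, visible_times = audit()
    print("unkeyed store confirms:", plain_hits)
    print("keyed store confirms:  ", keyed_hits)
    print("first-contact times still visible:", visible_times)
```

If the HMAC key is stored alongside the database or is disclosed with it, the keyed store offers no more protection than the unkeyed one.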