Re: [Asrg] request for review for a non FUSSP proposal

Claudio Telmon <> Mon, 22 June 2009 22:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B18CF3A6B2F for <>; Mon, 22 Jun 2009 15:14:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.452
X-Spam-Status: No, score=-0.452 tagged_above=-999 required=5 tests=[AWL=0.267, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I+PHnXEg63+O for <>; Mon, 22 Jun 2009 15:14:17 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 51F853A67E6 for <>; Mon, 22 Jun 2009 15:14:17 -0700 (PDT)
Received: from ([::ffff:]) by via I-SMTP-5.6.0-560 id ::ffff:; Tue, 23 Jun 2009 00:14:31 +0200
Message-ID: <>
Date: Tue, 23 Jun 2009 00:14:30 +0200
From: Claudio Telmon <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20090318 Lightning/0.8 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <>
References: <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] request for review for a non FUSSP proposal
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Jun 2009 22:14:18 -0000

Rich Kulawiec wrote:
> On Mon, Jun 22, 2009 at 11:45:08PM +0200, Claudio Telmon wrote:
>> In this respect, the framework should be effective, since spammers would
>> also need to generate the consent token, which they can't. 
> Why not?  They can run any code they want on any compromised system,
> therefore they can generate the consent token the same way the former
> owner of that system could.

The owner of the compromised system can only generate tokens then
accepted by his address's MTA, the same can the spammer that compromised
the system.
The attacker can collect the tokens provided to the system owner in
order to communicate with other people. It will then be able to send
spam to the owner's correspondents. These, in turn, can see that spam
arrives with the tokens they provided to the system owner, inform the
system owner about this fact and invalidate the tokens. Once the system
security is "restored", the spammer is left with useless tokens.
Collected consent-protected addresses are useless without valid tokens.


Claudio Telmon