[Remops] Remailer Abuse Blocklist

Len Sassaman rabbi at abditum.com
Sun Sep 9 21:37:49 BST 2007


Bananasplit Admin wrote:

> > How do users update your rab.blk, Bananasplit Admin? That's the original
> > point of the RAB -- giving users one web-based place to go to say "block
> > me" that will hopefully outlive the remailers, so that all remailers now
> > and future will honor the block.
> >
> > (The original RAB may not have done challenge-response on the email; I
> > can't remember. This is an important feature, though, esp. for a RAB that
> > all remailers are using.)
> >
> Thanks for your input Len.  I've currently set the RAB up as an email
> service reachable at rab at blocklist.mixmin.net.  Any email sent to this
> address will receive a challenge response that they must confirm in the
> usual manner.

I would highly advise a web-cgi interface for adding your email address to
the RAB.

The system, from the user's point of view, should work like this:

1. They get the email from the remailer, with a pointer to the RAB in the
headers, or they email abuse at remailer, and get the auto-response that
mentions blocking, with the RAB as the primary method. A link to add
oneself via the web is presented.

2. If the user does not opt to use the email system, s/he goes to the RAB
site (via HTTPS, preferably), and is greeted with a page explaining that
the user should enter their email address and expect a confirmation email.
There should be a field for the email address (with some validation that
the content entered consists of a valid email address.) Don't forget that
rabbi at ai is a valid email address. ;)

3. Upon submission, the next page loaded should be a "you won't receive
any more messages from remailers participating in the RAB." (Perhaps it
can automatically list those remailers.) "You may still receive anonymous
mail from remailers not part of the RAB network -- in that case, follow
the instructions from the remailer or contact the remailer operator for
assistance."

The submit result page should also offer the opportunity to submit another
email address. (Repeat until done.)

4. In addition to checking for valid email syntax and not allowing regexes
to be inserted via this form, you will also want to check for duplicate
entries.

5. The user is sent a challenge email that they can confirm by replying
to, or by visiting a unique web link. Rip this code off from something
BSD-licensed that already does it, since it's easy to do wrong accidentally.

6. (Pending Mixmaster improvements) Automatic signup by remailers via
internal mpgp request signing.

.... I can see about hosting this at K.U. Leuven. No promises until I talk
to the IT department, but I can see several advantages to that -- one, we
have an X.509 cert signed by a major CA; two, we're a university, and thus
more reasonably trusted not to be a spam-harvester by a victim of
harassing email from a remailer (no, of course that's not what Bananasplit
Admin is -- but how does a random email recipient know that?) and three,
if we make this an official project within my group, it may outlive
individual operators and be more permanent than the original RAB.

(It doesn't have to be my University, btw -- if anyone else in the
position to possibly offer university hosting for a RAB wants to, that's
fine with me. I'm just offering the possibility because I think I can do
this.)

Bananasplit Admin, do you mind sharing the code you have already with me?
I'll help add the features I've described here.



Best,

Len
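
An added sketch of steps 2, 4 and 5 above; it is not part of the original message and is not code from any RAB implementation. The names normalize, submit, confirm, SECRET and TOKEN_TTL are hypothetical, and the HMAC-signed expiring token is an assumed way to build the challenge.

```python
import hashlib
import hmac
import re
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-site key held only by the server
TOKEN_TTL = 72 * 3600             # assumption: confirmation window, in seconds

# Deliberately narrower than RFC 5322: no '/', '*', '|', brackets, backslash,
# whitespace or control characters can reach the blocklist. The domain may be
# a single label, so a dotless address such as rabbi@ai is accepted.
_LOCAL = r"[A-Za-z0-9_+=-]+(?:\.[A-Za-z0-9_+=-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDR = re.compile(rf"({_LOCAL})@({_LABEL}(?:\.{_LABEL})*)")

def normalize(raw):
    """Return the lower-cased address, or None if it is not a plain address."""
    m = _ADDR.fullmatch(raw.strip())
    if m is None or len(m.group(1)) > 64 or len(m.group(0)) > 254:
        return None
    return m.group(0).lower()

def _mac(addr, expires):
    return hmac.new(SECRET, f"{addr}|{expires}".encode(), hashlib.sha256).hexdigest()

def submit(raw, blocklist, now=None):
    """Form handler: nothing is blocked here, only a challenge token is issued."""
    addr = normalize(raw)
    if addr is None:
        return "invalid", None
    if addr in blocklist:
        return "duplicate", None
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return "challenge-sent", f"{expires}.{_mac(addr, expires)}"

def confirm(raw, token, blocklist, now=None):
    """Block the address only for a valid, unexpired token issued for it."""
    addr = normalize(raw)
    expires, _, mac = token.partition(".")
    if addr is None:
        return "rejected"
    # Constant-time compare; int(expires) below is reached only after the MAC matches.
    if not hmac.compare_digest(mac.encode(), _mac(addr, expires).encode()):
        return "rejected"
    if int(expires) < (now if now is not None else time.time()):
        return "expired"
    if addr in blocklist:
        return "duplicate"
    blocklist.add(addr)
    return "added"
```

Because the token binds the address to an expiry time, the server stores no pending-request state, and a token issued for one address cannot be used to block another.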

