On 7 Feb 2000, Frog-Admin wrote in alt.privacy.anon-server:
> I caught an abuser (trivial traffic analysis):
> 
> Azerty received  100 * messages 160 K initially
> giving 100 * identical messages 60 K on arrival with 14*gif (batman) each.
>  In-between, transparent-remix generated a few hundreds messages each hop
> 
>   [removed].com > azerty > noisebox > frog > [removed].net
> that was the scheme
> 
> here are the headers: incoming and last hop
> I DO NOT PROMOTE ABUSE NOR PROTECT DOS ATTACKERS
> 
[...]

I've expressed a few thoughts on why handling abuse this way is a
mistake before, but I will repeat myself.  Ultimately this is up to you
and your users of course.

IMO remailer operators should NEVER publish private mail sent through
their server.  Reasons include:

1)  You may think you are SURE this person is abusing the remailer in
this case.  However you don't know if the email address was forged; the
apparent sender may be under attack.  If that is the case you have just
shined a very bright light proclaiming in large letters that he/she may
be a remailer user.  That alone is more than many remailer users want
publicly announced.

2)  You are setting a precedent for remailers to publish private data
and logs when they have problems.  Other operators with less
experience, less sound judgement, or even malicious intent may copy and
promote this behavior, employing this technique in error against users
who they think are abusing their remailers.  Examples include:

    a) It is not uncommon for mail servers and remailers to experience
    problems which can look like abuse.  For example Replay once had a
    problem where sent mail wasn't deleted from the spool, so every
    message got sent thousands of times.  Many people thought they were
    under a personal DoS attack or were being mail-bombed.  It was just
    a software glitch.

    b) An operator of an old winsock remailer (I don't recall the name)
    once received a message that was large (about 500K).  He decided he
    was being attacked because his (at the time unpublished) maximum
    was 30K.  He published the message with headers to newsgroups
    including this one, including both the sender and decrypted
    recipient, as you have done.  This may have been before your time,
    but those who were here no doubt remember the flames.  The user was
    irate that his mail was published as were many users; the operator
    was berated publicly and privately and received death threats; the
    remailer was mail-bombed; the operator closed the remailer and
    instead began writing viruses which published people's documents to
    usenet.  All this because of an operator who thought it okay to
    publish what he was SURE was abuse, and a (formerly anonymous)
    remailer user who did not know the remailer had a 30K limit.

    c) New users of remailers sometimes misconstrue the acceptable use
    policies of remailers, are misinformed of their genuine purpose, or
    make technical mistakes (such as thinking a 3 gig file is no
    problem) which results in abuse-like behavior.
    
    d) An inexperienced operator once published original headers (to a
    mailing list) when his beta copy of Reliable jammed when sending to
    a particular address.  He somehow thought this was an intentional
    attack on the part of the user because the user sent a message to
    that same address once per week.  (The point here is not that the
    operator was inexperienced or even that he jumped to an unwarranted
    and rather bizarre conclusion, but that the habit of publishing
    user information in cases of 'abuse' can jeopardize
    someone's security.)

3)  You allow those who would attack remailers to create an atmosphere
where operators are routinely publishing user information, sharing user
information, attempting to track users, log users, etc.  This in turn
(rightfully) undermines the well-deserved trust remailer operators
have accrued for their hard work of providing strong anonymity.
Already IMO some remailers (running Freedom and Mixmaster, not Reliable
AFAIK) do far too much logging in attempts to thwart SPAM, and at least
some of the unreliability of the remailer network is due to misapplied
and ill-conceived abuse filtering.


On the latter thought, I remember you mentioning that you have modified
Reliable to perform some logging (which you apparently used to trace this
message through three remailers, two of which you run), and I think it
would be helpful and correct if you detailed these changes for your
users.  I think your users should be informed of such modifications as it
is their security you are silently jeopardizing.  I also think that your
not immediately making it clear from the outset that you ran both Azerty
and Frog was at the very least a serious error of judgement.


In cases of *carefully verified* abuse, I think the proper procedure is
to attempt to contact the sender, giving him or her the chance to
defend or explain the apparent abuse, and modify their behavior.
Failing that, notify the sender's ISP.  I consider it very bad form to
publish mail to newsgroups and even the remops list (which is public).
This plays into the hands of abusers and undermines the integrity of
the remailer system, which depends on operators NOT sharing
information.

Remailers do suffer abuse.  I personally have admired operators who
shut down their remailer or reduced its capabilities after
sustained abuse or complaints, rather than degrading its security
and the integrity of the entire network.  I hope you will reconsider
your policy of publishing and monitoring user information.
