#32 don't auto-block remailers address

Remailer (20)
Trek Star

mixmaster auto-block feature now checks (in
rem.c:blockrequest()) if the address to be blocked is
not the remailer address.
It should also check if the address is not of a
remailer or ignore it, because an attacker can send a
spoofed request to block a remailer from the remailer

Also, before sending reply.txt (which contains a
DESTINATION-BLOCK line) it should check if the
destination address is a remailer.


  • Len Sassaman

    Len Sassaman - 2002-10-18
    • priority: 5 --> 8
    • assigned_to: nobody --> weaselp
  • Len Sassaman

    Len Sassaman - 2002-10-18

    Logged In: YES

    Well, now it's public. How do you want to handle this? If we
    simply ignore remailer entries in the .blk file, then remops
    won't be able to block mail to other remailers (a common
    practice when trying to minimize the damage done by a dead

    If we do the check against known remailers when the
    destination-block requests come in, that would seem better.

  • Len Sassaman

    Len Sassaman - 2002-10-21

    Logged In: YES

    Okay, here's how the fix should work. Before we check if an
    address is in dest.blk, we should check if it is an address in
    our keyring(s). If it is, we should ignore dest.blk and send the

    (This blocks the attack, and still allows remops to block dead
    remailers -- they just have to remove the dead remailer's key
    from their key ring first.)

    One might also argue that middleman remailers should
    perform a check of their keyrings before sending any mail,
    also. (Peter says that middleman remailers allow or deny
    messages to be sent based on message type, which opens
    up certain mailbombing attacks.) We could fix both of these
    in a similar fashion, though I am primarily concerned about
    the first one.
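
The check order described in the comment above (keyring first, then dest.blk), together with the request-time check asked for in the report, as an added example that is not Mixmaster's code. The function names, the sample addresses and the exact case-insensitive matching are assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical helper: case-insensitive exact match of addr in a list. */
static int in_list(const char *addr, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(addr, list[i]) == 0)
            return 1;
    return 0;
}

/* Delivery decision: the keyring is consulted before dest.blk, so a
 * dest.blk entry cannot cut off a remailer whose key we still hold. */
int may_deliver(const char *addr, const char *const *keys, size_t nkeys,
                const char *const *blk, size_t nblk)
{
    if (in_list(addr, keys, nkeys))
        return 1;                      /* known remailer: dest.blk ignored */
    return !in_list(addr, blk, nblk);  /* everyone else: dest.blk applies */
}

/* Destination-block request: refuse to record one for a known remailer,
 * since the request's sender address may be spoofed. */
int accept_block_request(const char *addr, const char *const *keys, size_t nkeys)
{
    return !in_list(addr, keys, nkeys);
}

/* Constructed sample data, not taken from any real remailer. */
static const char *const KEYRING[]  = { "mix@alpha.example", "mix@beta.example" };
static const char *const DEST_BLK[] = { "user@optout.example", "mix@beta.example" };

int main(void)
{
    /* beta is listed in dest.blk but its key is in the keyring: still delivered */
    printf("%d\n", may_deliver("mix@beta.example", KEYRING, 2, DEST_BLK, 2));
    /* remop drops beta's key (keyring shrinks to 1 entry): the block now applies */
    printf("%d\n", may_deliver("mix@beta.example", KEYRING, 1, DEST_BLK, 2));
    /* block request naming a known remailer is refused */
    printf("%d\n", accept_block_request("MIX@alpha.example", KEYRING, 2));
    return 0;
}
```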

  • Peter Palfrader

    Peter Palfrader - 2002-12-14

    Logged In: YES

    fixed in CVS

  • Peter Palfrader

    Peter Palfrader - 2002-12-14
    • status: open --> open-fixed
  • Len Sassaman

    Len Sassaman - 2002-12-14
    • status: open-fixed --> closed-fixed
