Forgot your password?
typodupeerror
Spam Programming IT Technology

Beat Spam Using Hashcash 324

Posted by timothy
from the variation-on-a-theme dept.
Shell writes "If they want to send spam, make them pay a price. Built on the widely available SHA-1 algorithm, hashcash is a clever system that requires a parameterizable amount of work on the part of a requester while staying "cheap" for an evaluator to check. In other words, the sender has to do real work to put something into your inbox. You can certainly use hashcash in preventing spam, but it has other applications as well, including keeping spam off of Wikis and speeding the work of distributed parallel applications." If you're specifically interested in hashcash for your mail server, Camram has some interesting ideas -- their Frequently Raised Objections page may be illuminating.
This discussion has been archived. No new comments can be posted.

Beat Spam Using Hashcash

Comments Filter:
  • by Anonymous Coward on Wednesday November 10, 2004 @03:05PM (#10779366)
    Those damn police dogs can smell through plastic pretty well!
  • Work for it? (Score:2, Informative)

    by null etc. (524767)
    Aren't there plenty of available solutions today that make the sender "work for it?"
  • by ArghBlarg (79067) on Wednesday November 10, 2004 @03:06PM (#10779388) Homepage
    Funny this story should appear today.. I have been trying to find a mirror of hashcash.org for the last few days to read up on the whole idea. It's been down for a while now (or is there just some problem on my end?)

    Please post mirrors.
  • Again? (Score:4, Informative)

    by Anonymous Coward on Wednesday November 10, 2004 @03:09PM (#10779404)

    The previous [slashdot.org] stories [slashdot.org] weren't enough?

  • HashCash? (Score:4, Funny)

    by Hatta (162192) on Wednesday November 10, 2004 @03:10PM (#10779411) Journal
    And remember, you can't spell "Budget" without "Get Bud".
  • by Anonymous Coward on Wednesday November 10, 2004 @03:10PM (#10779416)
    Your post advocates a

    (*) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (*) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (*) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (*) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (*) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
    • by er_col (664618) on Wednesday November 10, 2004 @03:16PM (#10779464)
      Thanks for the usual Spam Form Response. I think it is remarkable that very few choices are marked on it this time around. And if you read the Frequently Raised Objections page, you may well end up with no marks left at all. So this hashcash idea does sound really interesting.
      • Agreed. I went through the form as well, and found that at least one point the grandparent marked don't apply; users of email don't actually have anything to put up with. The validation is done by the mail server (or other server it's offloaded to).

        But the mailing list server would have to take on additional load since they send mail to so many users.

        And using zombies to do the hashing has a point as well, although the author points out that loading the zombies with additional work isn't such a bad thing
        • However, the zombies, to be effective as more than a single entity, will have to talk to each other. This adds:

          -Complexity
          -Time (not as much as doing it by thyself, or it would be pointless)
          -Something that can be used as a unique trait to distinguish zombies from normal machines
    • by NoOneInParticular (221808) on Wednesday November 10, 2004 @03:23PM (#10779542)
      Ah, was waiting for this one:

      (*) Mailing lists and other legitimate email uses would be affected

      One word, one hyphen: white-listing.

      (*) Users of email will not put up with it

      Why? It's not costing them anything

      (*) Armies of worm riddled broadband-connected Windows boxes

      Need an order more worm riddled boxes, i.e. ONE ORDER LESS SPAM.

      (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

      None have ever been tried.

      (*) Sorry dude, but I don't think it would work.

      Sorry dude, I think it will not solve the problem, but will make it appr. one order less effective.

      • """
        (*) Mailing lists and other legitimate email uses would be affected

        One word, one hyphen: white-listing.
        """

        One word, one hyphen: header-forging

        """
        (*) Users of email will not put up with it

        Why? It's not costing them anything
        """

        It costs them CPU cycles.

        """
        (*) Armies of worm riddled broadband-connected Windows boxes

        Need an order more worm riddled boxes, i.e. ONE ORDER LESS SPAM.
        """

        What language is that in?

        """
        (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
        • For header-forging, you need to know what mailing lists the recipient is subscribed to.
          For normal use (except mailing lists), the cpu-cycles to calculate the hash are non-consequential. Modern day computers are too powerful for everyday needs anyway, who cares that it takes 20 extra seconds to send a single email, if its done in the background, no one would notice. If you need to send to 100 addresses, it takes 2000 seconds, still no big deal.
          What language is that in?
          Mathematical English.

          If so, it's

      • by pclminion (145572) on Wednesday November 10, 2004 @03:51PM (#10779854)
        One word, one hyphen: white-listing.

        As a USER of email, I find the need to maintain a white-list simply because spammers are fucking assholes is UNACCEPTABLE. I won't do it. Right now, my Bayesian filters completely hide spam from me. I will not move from that system to a system which requires MORE WORK FOR ME, i.e., maintaining a whitelist.

        Feel free to sit there and feel smug about your "solution" which requires you to waste your time.

        I find that the people who most strongly advocate sender-side blocking, like HashCash, invariably are network administrators who don't want "their" bandwidth wasted. Guess what: I'm a customer. It's my bandwidth. I really don't give a fuck if spammers are violating the sanctity of your precious network. I am only interested in not seeing spam, not thinking about spam, and not worrying about spam. HashCash is a horrid solution in those respects, and I won't accept it.

        • Put it this way (Score:3, Interesting)

          by Morosoph (693565)
          It can make Baysian filtering work better.

          Someone with a valid stamp is less likely to be a spammer. Simply include it as a factor when calculating probabilities!

          Or ignore the X-Hashcash field completely. As you choose.

          If you read the article, you'd see that this was precisely the way in which SpamAssassin uses hashcash [ibm.com] : as one factor amoungst many in a general system of spam classification.

        • White-lists are the ultimate form of opt-in. If you subscribe to a bulk email list such as a mailing list, it is very easy for them to point you to various ways to white-list them in your mailer. If you don't want to do this, don't subscribe to bulk email. For all other purposes there's a calculation to be performed.

          The 'bayesian' filters are actually very naive. Spammers do get through to them. For me it's about 10% that gets through. This still amounts to about 20 emails a day that I have to throw into m

        • I find that the people who most strongly advocate sender-side blocking, like HashCash, invariably are network administrators who don't want "their" bandwidth wasted. Guess what: I'm a customer. It's my bandwidth. I really don't give a fuck if spammers are violating the sanctity of your precious network. [ ... ]

          That's nice as far as it goes, but I think you may be failing to consider what happens behind that Bayesian filter hiding all the spam from you. Your bandwidth is being consumed by spammers; you

      • One word, one hyphen: white-listing.

        If this is the answer to that objection, why bother with HashCash at all? Why not just use an "accepted sender" (white-list) to block out all of your spam?

    • .. the story of the prominent mathemtician of early 20th century (I totally forgot who) had a form that said -
      Dear ____,

      Your proof of Last Fermat Theorem contains
      an error in line ___ on a page __.

      Sincerely,
      Prof. Xxxx
      and for every proof-to-be he'd just pass it onto his grad students and let them fill in the blanks.

    • This is extremely stupid.

      If it works, users of email will put up with it.

      Ideas similar to yours are easy to come up with, yet none have ever been shown practical

      The only argument I see against the practicality of this solution is the point above, which is circular. An argument which depends upon a circular argument is also circular.

      Armies of worm riddled broadband-connected Windows boxes

      In my opinion, this is a strength of hashcash rather than a defect. Consider the ratios. I send maybe a few hu
    • Your post advocates a _____ approach to fighting spam.

      Leave the poor misguided fools alone. Seriously, if they're putting in the effort to do this anyway, just let them try. They can even start demanding HashCash if they want - and it's their problem when the rest of us just decide it's not worth the additional effort to send them email.

      Your idea will not work. Here is why it won't work.

      There is one foolproof approach to ensure you never, ever receive another spam email again. Shut down your mail serv

  • by Anonymous Coward
    The end effect of this is eventually bad, or utterly worthless.

    Joe Sixpack wants to send a mail. If it takes him an hour to parse a key, he's not going to mail his mother anymore.

    If a spammer has to spend an hour processing the key, he's just going to invest more of his time getting zombie PCs to get the work done for him.

    Who wins here? Certainly no one.

    Disclaimer: the hour was used as an example. I've no clue how long it takes, but the point should still hold.

    The moral being, don't make the end use
    • by Em Ellel (523581) on Wednesday November 10, 2004 @03:31PM (#10779633)
      Joe Sixpack wants to send a mail. If it takes him an hour to parse a key, he's not going to mail his mother anymore.

      The general idea is that it will take a relatively small yet significant time to compute. So for example (also random) 30 seconds. Joe Sixpack will not notice 30 second delay on his computer for one email. However Jack Spammer who sends a million emails will need 500,000 minutes to compute the sums. A huge difference.... until you figure out that Joe Sixpack computer's spyware is what actually doing the computing.

      -Em
      • by Ninja Programmer (145252) on Wednesday November 10, 2004 @08:46PM (#10782911) Homepage
        • The general idea is that it will take a relatively small yet significant time to compute. So for example (also random) 30 seconds. Joe Sixpack will not notice 30 second delay on his computer for one email.
        Yes he will. Because that 30 seconds of 100% CPU utilization. To make sure its not annoying to mail senders, its got to be something really short like 3 seconds or something (that would be my personal threshold). But then there's the question of whether or not its enough of a burden on spammers.
    • RTFA.

      Joe Sixpack will take a second, maybe two to send the e-mail. I doubt that he could type fast enough for this to be an issue...

      Now, a zombie can only send one e-mail every second vs. the usual ten. Not perfect, but I would settle for 3 spams per day vs. my current 30.

      Yes, it does require some changes to e-mail software, but the article points out that the changes can be slowly phased in. If an e-mail client includes the code and this idea never catches on, then the worst thing to happen is that t
    • It doesn't take an hour to parse the key, it takes maybe less than a second - the idea being that it's invisible to 'Joe Sixpack' sending an email to his buddies, but those less-than-a-seconds add up for the spammer spewing out hundreds of thousands of emails advertising that there \/14gr4. Also, if the zombie machines he uses start running slow because they're now processing hundreds of thousands of those hashes, they're more likely to get an engineer in who will fix the problem. Who wins? Everyone.
      • Also, if the zombie machines he uses start running slow because they're now processing hundreds of thousands of those hashes, they're more likely to get an engineer in who will fix the problem. Who wins? Everyone.

        You obviously don't know many PC users. Everybody I know just buys a new computer when theirs "gets slow" figuring that there are some mechanical parts that are simply wearing out inside of it. If zombies start having to work harder, Joe Sixpack will just go buy a shiny new Dell.
    • Okay, do a little math. Spammers want to spam millions of addresses. So, even with a theoretically large network of zombies (say a thousand for one spammmer), the zombies can compute an equivalent 1000 hours of work in an hour. That's 1000 emails. The spammer would need to get his zombies to do 1000 hours of work to send a million emails. Eventually, the excessive work being doen on these zombies would get someone's attention and they would either be cut from the network or reclaimed from zombie status.

      I d
  • Stupid idea (Score:3, Insightful)

    by pclminion (145572) on Wednesday November 10, 2004 @03:15PM (#10779457)
    This makes it difficult to send any kind of mass mail.

    For example, Sourceforge sends site-wide update messages about once a month or so. They have tens, if not hundreds of thousands of users. If every one of those users used HashCash, Sourceforge would practically need a dedicated server farm computing hashes simply in order to send out its update notices.

    This is a really, really stupid idea.

    • Re:Stupid idea (Score:2, Insightful)

      Not really. If you want the mass email, you can whitelist it so they don't need to computer a hash for you.
      • Re:Stupid idea (Score:3, Insightful)

        by fatphil (181876)
        And then every spammer forges its source to be sourceforge.

        Shit, pun not intended.

        FP.
        • $ dig +short txt sourceforge.net
          "v=spf1 mx a:mail.marblehorse.org a:sshgate.sourceforge.net a:smtp.vasoftware.com a:newcastle.devrandom.net -all"

          Problem solved.
      • Better yet, they send you a single email when you sign up with them, and they stamp that one. The idea is that known senders don't need stamps. This can solve the problem for mailing lists, as they get whitelisted when you subscribe.
    • Re:Stupid idea (Score:2, Insightful)

      by Anonymous Coward
      I think we just need to accept the fact that mailing lists need to be whitelisted. There is never going to be a simple way of letting "good" SPAM in while blocking "bad" SPAM at the same time. Half the SPAM I get is from mailing lists like Best Buy's. How can I block it at my companies spam filter if 1/3 of the people here actually want the mail?

      Blah. Whitelist it if you want it.
      • Blah. Whitelist it if you want it.

        Sorry. I refuse to waste my time maintaining such a list simply because spammers are assholes, and those who advocate HashCash are blind. Instead of being happily unaware of spam as by Bayesian filter silently tosses it, I now have to consciously manage a white list.

        No thanks.

        • If you read the article, you'll see that SpamAssassin use hashcash as a one factor amougst many [ibm.com] in classifying spam.

          Whitelisting is a simplifying concept, which one can understand more subtly as another factor to be accounted for in calculating probabilities, making your Baysian engine that much more efficient.

        • So instead of wasting a couple seconds every time you sign up for a mailing list, you prefer to waste money on bandwidth to download thousands of spam e-mails?
          • So instead of wasting a couple seconds every time you sign up for a mailing list, you prefer to waste money on bandwidth to download thousands of spam e-mails?

            Are you trying to suggest that if spam were eliminated, the price of bandwidth would suddenly drop dramatically? Instead of jacking my rates up each year, Comcast will actually start decreasing them?! Wow, where the hell do I sign up?

            Ain't gonna happen, so where's my incentive?

    • It's easily solved. Just buy the CD of pre-calculated prime factors from the spammers.

    • If you add Sourceforge, specifically, to your whitelist, the problem goes away.

      Only unsolicited mail needs a hashcash field.

  • now what? (Score:3, Funny)

    by Scythr0x0rs (801943) * on Wednesday November 10, 2004 @03:22PM (#10779523)
    You make me pay precious CPU time to e-mail my mother-in-law? you insensitive clods!
  • by RandoX (828285) on Wednesday November 10, 2004 @03:26PM (#10779578)
    ...because I was out of hash cash.
  • cf Penny Black (Score:4, Interesting)

    by r (13067) on Wednesday November 10, 2004 @03:27PM (#10779590)
    Funny, isn't there a Microsoft Research project that did this already?

    Oh yeah, so there is [microsoft.com], along with papers explaining how it works. So much for giving credit for prior work.

    • Re:cf Penny Black (Score:3, Insightful)

      by PugMajere (32183)
      Hashcash predates the MS Research project.

      This article is about the first correct (supposedly) Python implementation of hashcash.
  • by Animats (122034) on Wednesday November 10, 2004 @03:27PM (#10779593) Homepage
    Spammers will just offload stamp generation work onto their zombies. 0wned PCs on cable modems will burn even more CPU time.

    If you want a virus built to generate stamps on zombies, just go over to Spamforum.biz [spamforum.biz] and advertise for one. New ads over there this week include "PushMail Webmailer v1.0.2 ~ New, Fast WAP Webmailer for Sale (Gets by Filters)". There's even a banner ad for a firm that wants spammers [s-rx.com]: "3 different sites - Pharma - OEM - Cigarettes".


    • You're right, but putting additional CPU load on zombies isn't such a bad thing, is it? Spammers pay for zombies so it still increases their actual costs.

      This idea actually has merit. Admit it.
    • I just read the terms of use of spamforum.biz, at http://www.spamforum.biz/terms.htm - can these be legal at all?

      Basically, the click-through license will make you agree not to sue anyone affiliated with the site, or any contributors, etc. Leaving out the question whether click-through is valid, this is not something that I would want to risk.

      I advise anyone that is concerned against spam, and possibly want to contribute to the fight against spam at some point, to not enter this site , if you want to avoi
  • by alen (225700) on Wednesday November 10, 2004 @03:30PM (#10779627)
    We bought a vanilla smtp server for our gateway called Xwall. A few months ago they introduced greylisting.

    Basically what it does is temporarily block suspicious emails. If it's a real SMPT server it will resend the message and the second time it will be allowed to go through. Spammers never use RFC compatible SMTP servers and simply send once in bulk and forget about it. This cut down our spam by over 90%.
    • While that does have its advantages, unfortunately very few people realize that SMTP is an unreliable protocol. Most people send an email and assume that it gets there instantaneously, so its usually too risky for a business to implement "greylisting" as you have.
    • by Haegar (1160) on Wednesday November 10, 2004 @03:52PM (#10779862) Homepage
      Tried it at work - stopped loads of spam, but had to disable it because out there are too many broken smtp servers (on short inspection mostly lotus notes) that think an return code of 4xx is a permanent error and bounce the mail.

      And my boss is not happy when even ONE important mail from a client is not reaching him.
      • That's Odd (Score:3, Interesting)

        by Greyfox (87712)
        We use Lotus Notes at work and I have no trouble E-mailing my greylisting server at home. Our mail relays happily delay the message for 6 hours and then resend it.
    • by Vainglorious Coward (267452) on Wednesday November 10, 2004 @04:06PM (#10780009) Journal

      Spammers never use RFC compatible SMTP servers

      And spammer tactics remain static, so the same techniques that worked five hours or five years ago will continue to work indefinitely. Not.

  • by Skapare (16644) on Wednesday November 10, 2004 @03:31PM (#10779630) Homepage
    However, verifying a stamp requires just one SHA-1 computation. For use in e-mail, a 20-bit value is currently the recommended price: Senders need to perform about a million trials to find a valid stamp, which takes less than a second on the most recent CPUs and compiled applications. And it still takes only a few seconds on relatively old machines.

    Fur sail 2 u nou: 5 mil-leeun facter numberz

    Yuz cun b-u-l-k f4ster wit dis CD uv all-ready calcoolated leest uf numbors. Fer onlee $99.95, u getz ohver fiv milyun numz ant wee tos in freeee a miliun fresh A-O-L addys. Vizut us @ hotprimefactors.biz to ordur.

  • It seems to me that spam is just about unstoppable. As such, I find the best solution to the problem is to run a smart filter that learns as it goes. I run Mozilla Thunderbird and it's bayesian junk filter is damn good. I simply do not get spam in my inbox. I get a false positive once a month or so, but that is certainly acceptable. Yes yes.. That doesn't cut down on the congestion caused by bazillions of spam messages, but eh.. I still get 5 MBps to the house.
  • by iamacat (583406) on Wednesday November 10, 2004 @03:36PM (#10779679)
    Sort of like burning your harvest to keep grain prices high. Just send me a completed work unit of Seti-At-Home or Folding-At-Home in an email header. I am sure, given the incentive of every e-mail message advancing their goal, some of these projects can come up with work units that are difficult to calculate but easy to verify.

    Maybe for once zombied Windows boxes will be more productive than they would be under their users' control.

    • And how *exactly* does the receiving mail server verify the work unit without computing it itself?

      Besides, doesn't dropping spam via other methods typically involve network traffice to blacklists and CPU cycles spent?

      Face it; the time is already wasted with other methods. Unless you have a real reason to nay-say it? Pony up!
      • And how *exactly* does the receiving mail server verify the work unit without computing it itself?

        It depends on the task. For solving large systems of non-linear equations, just evaluate them with claimed values of the variables. And just because CPU cycles are wasted now doesn't mean they can't be put to good use in future. That's how distributed computing projects started in the first place.
  • by Croaker (10633) on Wednesday November 10, 2004 @03:38PM (#10779704)
    the fact that not everyone is sending legitimate email with a powerful computing device. Something that could cause an inconvenience to a spammer with a boatload of cheap commodity 2Ghz desktop systems (other their own or a zombie army) will bring more modest systems to their knees. Handhelds, phones, old 486 systems recycled for use in the 3rd world, set top boxes, embedded systems, etc. will no longer be viable systems with which to send mail. And what about web mail providers?

    These's simply no reason to resort to kludge solutions that depend on penalizing those who cannot afford top-of-the-line systems.

  • by hackstraw (262471) * on Wednesday November 10, 2004 @03:40PM (#10779724)
    To me greylisting seems like the best thing to do. See:

    http://slett.net/spam-filtering-for-mx/greylisting .html [slett.net]

    and/or:

    http://projects.puremagic.com/greylisting/ [puremagic.com]

    In a nutshell, it simply uses a standard 451 SMTP response that says "Hey, I'm busy now, can you call back in a minute or so?" To my knowledge, all standard SMTP servers respect this request, and little to none of the mass mailers do. And if they do, their bandwidth will triple.

    Here's a log example:

    Oct 15 15:18:17 example1.example.com sendmail[6955]: [ID 801593 mail.info] i9FJIGH06953: to=, ctladdr= (168/601), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=121994, relay=example2.example.com. [123.390.141.456], dsn=4.3.0, stat=Deferred: 451 4.7.1 Greylisting in action, please come back in 00:01:00

    If the mail never comes back, then the sender is now blacklisted. If the mail does come back, the sender is whitelisted.

    Simplest and most standards compliant thing that I've heard of, and it seems to work.
    • If the mail never comes back, then the sender is now blacklisted. If the mail does come back, the sender is whitelisted. ..so this will work until spammers add a retry to the mailers - at which time they are whitelisted.

      -Em
      • If the mail does come back, the sender is whitelisted. ..so this will work until spammers add a retry to the mailers - at which time they are whitelisted.

        It kills off all of the owned windows machines, and triples the bandwidth of the spamhouses that just so happen to use standard compliant SMTP servers.

        Oh, and its not too tough to move someone from a whitelist to the blacklist.
    • by wcdw (179126)
      Unfortunately, I'm not sure that Lotus Notes handles those errors well, and many legitimate companies do still use Notes. (I feel sorry for them, but that's another story.)

      Last time I was forced to use the product, any error on the receiving end would result in the message getting dropped (with no notification to the sender). Though perhaps they've [finally] improved their SMTP gateway.
  • For these hashes, you cannot work on the complete hash space, otherwise it would take forever for someone to send a message because of how long it will take to find the hash. That means each message sent will have a subset of the hash space, or (more likely) large portions of the hash space will go unused.

    If you're using the hash space uniformally, then armies of infected Windows PCs will take just a couple seconds per e-mail. What does the spammer care? Those CPUs are free/cheap. Just means it's time t
  • I don't get this. It will just lead to a general slowing down of the services running on the Internet.

    Where do people think that email is being sent from? A dedicated server that the user has somewhere dedicated solely to sending email?

    Most people will be sending email through their ISP. And ISP that was coping with x,xxxx,xxxx pieces of email a day will suddenly now have to redo their email architecture to cope with the extra computational cost involved.

    Other people send email using their webhost.

  • I've read the article and what I have read doesn't impress me. So, you added cost to the spammers. Have you seen how much money these bozos make? Sorry, I think everyone is underestimating the cost.
  • Why make spammers (and everyone else) pay in CPU cycles that accomplish nothing but waste time? Why not keep public keys in your address book, with a filter rule that runs a header's token against it, which could only be encrypted by the matching public key - authenticating the sender? Instead of separating the rich spammers (with distributed zombies spinning their cycles at someone else's expense) from the poor ones, we'd separate the authenticated sender from the spoofs, and put everyone not in our addres
  • by pla (258480) on Wednesday November 10, 2004 @04:28PM (#10780226) Journal
    From the "objections list":

    How do you deal with large-scale legitimate mail sources (i.e. mailing lists, mail houses, etc.)?
    I consider mailing lists a cute throwback to a much earlier time. Don't get me wrong, I subscribe to three or four myself. But every single one of them, I could just read on-line (and no, not all Yahoo lists, only one in fact).

    To effectively eliminate spam, I would gladly visit a web page rather than have the same info appear in my mailbox.


    The second issue is that mailing houses that deliver bulk e-mail for legitimate commercial ventures will need to generate stamps for some of their traffic.
    Er... How does that differ from actual spam? I don't give two shakes of a rat's ass whether or not UCE comes from a "legitimate" source. I don't want it. Any of it. So, it really doesn't bother me that, for the benefit of no more "Free v1@6ra" email, I also lose out on "buy our totally legit ink cartridges" at the same time. I consider it a perk, not a problem.
  • acceptance (Score:3, Insightful)

    by krokodil (110356) on Wednesday November 10, 2004 @04:31PM (#10780265) Homepage
    The problem with technologies like this is that they need to gather widespread acceptance to become useful.

    Quick grep on my mail archive (which is HUGE) failed to find single message with X-HashCash header. That means even if I would enable it now, it will be practically useless.

    Of course wide acceptance could be achieved by the means of widespread grassroots campaign, but this is hard way. If somebody big like GMail, Yahoo Mail or MS Outlook or Apple Mail started to use it , that would have snowball effect.

  • by Renraku (518261) on Wednesday November 10, 2004 @04:38PM (#10780324) Homepage
    Wow, they can see the future!

    They've been telling people for YEARS that anything under the top-of-the-line computer won't be able to send email or brose the internet!
  • by Shant3030 (414048) * on Wednesday November 10, 2004 @04:39PM (#10780336)
    reminds of what I used to call my student loans while in college...

  • I use hashcash (Score:3, Informative)

    by Piquan (49943) on Wednesday November 10, 2004 @06:03PM (#10781396)

    Just to give some practical information:

    I'm using hashcash in its basic form, not with Camram. I wasn't aware of Camram until just now, but will probably look into it.

    All my emails are sent out with hashcash, and I have SpamAssassin lower the score of emails with hashcash.

    The recommended hash length is at least 20 bits. I calculate hashes of 23 bits (per recepient), which takes about 2/3 sec on my Athlon 800. My SpamAssassin config requires at least 20 bits to lower the score, and lowers it more and more up to 26 bits (at which point it has -5).

    I think that this is the most effective use of hashcash: once it becomes widely used, then spam rules can become tougher with less chance of false positives.

    From reading the article, it looks like Camram is mostly a recipient-side addon to basic hashcash, which involves automated whitelisting and sending challenges to senders of "maybe-spam". Somebody sending hashcash like me will (from the look of things) get past Camram recipients without problems.

    Camram seems a bit less cooperative than I'd like, such as using its own Bayesian filter instead of letting the user have an external one like SpamAssassin take a crack at the email. But these are implementational issues, not problems with the Camram concept.

  • by Titusdot Groan (468949) on Wednesday November 10, 2004 @06:12PM (#10781486) Journal
    I've read the article and the FAQ...

    Adoption will be slow. Many companies already have maxed out mail servers. Adding even an 1 second compute cycle to all outbound mail requires a fairly hefty increase in available resources, especially since most mail systems are chosen for bandwidth and IO not math processing power. What happens to a system during peak business hours when 100 people send mail with an average of 5 recipients each ... 500 seconds of computing ... ummm. Imagine a company that sends 5000 messages an hour, or 50000, or ...

    If it's not at least a second on a reasonable machine than it's not going to cause ANY headaches for a spammer -- they are just text pumps they can send SO much more mail than a normal server because they don't care about logging, errors, bounces, rejects and retries.

    The "use clients inside the company" idea is idiotic -- my mail server is going to punch through the DMZ directly to the desktop of my accounting staff and ask it to generate a key? I don't think so. There is a reason every company with any brains bans Seti/IM/etc. from their internal desktops.

    Zombie writers will just interleave writing packets of the current message with SHA-1 calculation for the next message they are sending. Spammers have some really good programmers on their side. If you don't think of them as being at least as good as you are then you have already lost. They are already generating random text at the front and back of the payload, this isn't SHA-1 thing isn't a big deal.

    Like SPF, spammers will be the FIRST people to generate proper keys. For the near future a valid key will be a STRONG indicator of spam not a "potential whitelist" feature.

  • by Henry Stern (30869) <henry@stern.ca> on Wednesday November 10, 2004 @06:47PM (#10781891) Homepage
    Judging by the +3 and higher comments, it seems that nobody is thinking outside the box. There is no mutual information between an e-mail not having a hashcash stamp on it and being spam. However, if an e-mail has a valid hashcash stamp, it's probably legitimate. Thus, while hashcash can't really help your spam filter reduce false negatives (spams that it lets through), it helps reduce false positives (legitimate e-mails that are blocked).

    I personally stamp all of my outgoing e-mail with 20 bits of hashcash postage. It's easy to do and requires very little CPU time. Here's how I do it:

    I have stunnel listening on port 465 which forwards connections to MEsmtpd [edenhofer.de]. After authenticating the sender, MEsmtpd pipes the message to hashcash-sendmail [toehold.com] which adds 20-bit stamps for each recipient to the e-mail and passes it on to sendmail. I don't have to do anything at all in my e-mail clients. There you have it, easy as pie.

    Regarding that stupid "your spam solution won't work" checklist, Spam classification is a hard problem. It can't be solved by any one approach. Even though Hashcash won't stop any spam, it can still make your spam filter more effective.

    P.S. SpamAssassin supports Hashcash. See Mail::SpamAssassin::Plugin::Hashcash.

"Irrationality is the square root of all evil" -- Douglas Hofstadter

Working...