From mboxrd@z Thu Jan 1 00:00:00 1970
From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [ANNOUNCE] contrib/hashcash.el spam fighter
Date: Sat, 29 Jun 2002 13:46:18 +0200
Original-To: Stainless Steel Rat
Cc: "(ding)"
X-Hashcash: 020629:ratinox@peorth.gweep.net:c7c1d44362aa46c9
X-Hashcash: 020629:ding@gnus.org:94fc444b5eb84e58
In-Reply-To: (Stainless Steel Rat's message of "Fri, 28 Jun 2002 20:41:24 -0400")
User-Agent: Gnus/5.090007 (Oort Gnus v0.07) Emacs/21.3.50 (i686-pc-linux-gnu)

Stainless Steel Rat writes:

> | The number of email addresses a person has is usually a constant, so
> | the problem is O(1).
>
> And in a list of 500 hashes, which one is yours? Remember, this is a BCC
> list, so there is no association of hashes to addresses.

I try them all, which doesn't take more than a few ns. OTOH I rarely
see mail with 500 direct recipients, so this isn't a typical scenario.

> | I wouldn't reject failed hashcash, I would treat it as mail that doesn't
> | have hashcash. Hashcash improves the situation in most cases, and in
> | the remote cases where it fails, it doesn't make things worse than it
> | was before.
>
> This makes no sense to me. If the purpose of X-Hashcash (not hashcash,
> they are NOT the same thing) on a personal level is a spam filtering
> mechanism, and you receive a message that has a "spent" coin, you treat
> that message as a message that has no coin at all? If so, then what is the
> point of keeping a database of spent coins?

To put mail with valid hashcash in a separate, supposedly spam-free,
mailbox.

> | Not at all, it seems to work fine, if in your example hashcash forces
> | spammers to invest in knowledge to get a cluster with 5000 machines to
> | work. Making it expensive to spam is the whole point of hashcash.
>
> You seem to be unaware of what Sub7 is. Look it up on Symantec's
> anti-virus web site. They describe it better than I can.
> It would take me (as DoS attacker) very little effort to assemble a
> network of many thousands of machines, secretly stealing CPU cycles from
> all over the world to generate hashes with which to cripple someone's
> mail server. The X-Hashcash spent coin database is a fundamental
> weakness that can be exploited.

I don't understand this argument, the whole point of hashcash is that
you need to spend CPU to overcome it. How you acquire that CPU is
irrelevant. If all spammers were required to acquire it using sub7,
people would start to fix the sub7 problem, not stop using hashcash,
and things would be fine. By the same argument, all cryptography has
a weakness because you can brute force it using sub7. It is not a
weakness to me, but a design goal.

> | Also, in practice the collision size people will use will be close to
> | 30 bits though, and is increased over time as CPUs get faster.
>
> 30 bits? You must be joking. A 30 bit collision is a 1:2^30 probability.
> At a rate of 200,000 hashes per second (which is pretty fast for a desktop
> machine today, actually) it would take on average 5,368 seconds to find
> just one collision. That's 1.5 HOURS.
>
> 30 bits? No way. Not for another 5 years at least.

30 bits would allow a desktop PC to send 16 mails per day, that's
probably more than I need. If you use too few bits (like anything
under 23-24), spammers will have it too easy to acquire that amount of
CPU. 29 bits have been suggested as a value to use in practice.
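
An added example, not part of the original message and not code from hashcash.el: a Python sketch of the recipient-side handling discussed in this thread (try every stamp, keep a spent-stamp set, file unverified mail as ordinary mail) together with the sender-cost arithmetic for a 30-bit collision. It assumes an n-bit collision means n leading zero bits in the SHA-1 of the whole `date:resource:random` stamp, which may differ from what hashcash.el computed in 2002; the function names, addresses and 12-bit demo size are constructed for illustration.

```python
import hashlib
from itertools import count

def zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp) (assumed collision rule)."""
    digest = int.from_bytes(hashlib.sha1(stamp.encode()).digest(), "big")
    return 160 - digest.bit_length()

def mint(date: str, resource: str, bits: int) -> str:
    """Sender side: brute-force a suffix, about 2**bits hashes on average."""
    for n in count():
        stamp = f"{date}:{resource}:{n:x}"
        if zero_bits(stamp) >= bits:
            return stamp

def classify(stamps, my_addresses, bits, spent):
    """Recipient side: try every stamp, one cheap hash each.

    Returns "hashcash" when a stamp addressed to us verifies and has not
    been seen before; otherwise "plain", i.e. handled like mail that
    carries no stamp at all rather than rejected.
    """
    for stamp in stamps:
        parts = stamp.split(":")
        if len(parts) != 3 or parts[1] not in my_addresses:
            continue              # someone else's stamp (the Bcc case)
        if zero_bits(stamp) < bits or stamp in spent:
            continue              # too cheap for our policy, or replayed
        spent.add(stamp)          # record it so it cannot be reused
        return "hashcash"
    return "plain"

def sender_cost(bits: int, hashes_per_second: float):
    """Expected seconds per stamp and whole stamps per day for one CPU."""
    seconds = 2 ** bits / hashes_per_second
    return seconds, int(86400 // seconds)

if __name__ == "__main__":
    # Constructed sample: 12 bits keeps the demo instant.
    me, spent = {"alice@example.org"}, set()
    headers = [mint("020629", "bob@example.org", 12),
               mint("020629", "alice@example.org", 12)]
    print(classify(headers, me, 12, spent))   # first delivery
    print(classify(headers, me, 12, spent))   # same stamps replayed
    print(sender_cost(30, 200_000))           # figures quoted in the thread
```
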