From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: hashcash (was Re: new spam functionality added)
Date: Sat, 03 Aug 2002 18:01:57 +0200
Cc: "(ding)"
Original-To: Stainless Steel Rat
X-Hashcash: 020803:ratinox@peorth.gweep.net:8df301fd650ef63a
X-Hashcash: 020803:ding@gnus.org:6812ee0691f5ba92
In-Reply-To: (Stainless Steel Rat's message of "Sat, 03 Aug 2002 09:47:32 -0400")

Stainless Steel Rat writes:

> * Simon Josefsson on Sat, 03 Aug 2002
> | Pretty much so, I think. That's why I think hashcash needs to be
> | computed at the machine that sends the original mail; X-Hashcash that
> | is. The current implementation isn't very good though, as it stalls
> | Emacs while computing hashcash.
>
> X-Hashcash has problems in that there is no way to force spammers to use
> it

My MTA could refuse to receive mail without X-Hashcash. Same level as
"real" hashcash gives.

> , and any implementation is nontransparent to users.

In the same way MIME and SMTP are nontransparent -- the MUA will have to
support it. I don't grok how this is a big problem.

> | Hashcash with ~< 25 bits is just a toy, you need more bits to make it
> | costly for spammers.
>
> Collision size in a proper hashcash implementation is "scoreable", so that
> known, trusted sources need a very small collision while spamhauses require
> much more. Consider: if $MAILSOURCE requires a collision that takes 6
> seconds on average to calculate, that limits the number of messages it can
> send to $MYISP to 14400 per day.

How do you differentiate between trusted sources and spamhauses? This
sounds like lots of configuration work and maintenance. It isn't
difficult to fake the source.

> Legitimate mail sources, like ISPs with enforced anti-spam policies, will
> get low scores, requiring less than 0.25 seconds of calculation time,
> perhaps only 12-16 bits. ISPs who ignore spam complaints and allow it to
> be sent from their servers (gblx-cough-cough) will need 27-30 bits,
> effectively choking them off until they clean up their acts. At least,
> that is how my personal hashcash system would be configured; YMMV.

MMV. With that setup you will not be much better off with using today's
publicly available black/white-lists. Spammers would exploit
known-good spammers until they get blacklisted, and then move on to
another victim ISP. I would require anyone wanting to send mail to me
to use a reasonable level of hashcash which would exclude spammers.
Then even if a spammer hacked a known-good ISP, I wouldn't accept
their spam blindly. And hacking known-good ISPs isn't difficult.
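
The receiver-side policy debated in this message (refuse mail without a stamp, and scale the required bits by claimed source), as an added example that is not part of the original post or of any hashcash implementation. It assumes SHA-1 with leading-zero-bit counting and a simplified `date:recipient:counter` stamp layout; the domains, addresses and bit values are constructed.

```python
import hashlib
from itertools import count

# Constructed policy table (hypothetical domains and bit values).
REQUIRED_BITS = {"trusted.example": 12}
DEFAULT_BITS = 16  # kept small so the demo runs fast; the thread argues for 25+

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp_bits(stamp: str) -> int:
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())

def mint(date: str, recipient: str, bits: int) -> str:
    """Sender side: try counters until the hash has `bits` leading zero bits.
    Expected work is about 2**bits hashes."""
    for n in count():
        stamp = f"{date}:{recipient}:{n:x}"
        if stamp_bits(stamp) >= bits:
            return stamp

def accept(stamp, recipient, today, claimed_domain, seen):
    """Receiver side: return (accepted, reason).
    claimed_domain is whatever the sending side asserts, so a tiered table
    is only as strong as the check behind that claim."""
    if not stamp:
        return False, "no stamp"
    parts = stamp.split(":")
    if len(parts) != 3:
        return False, "malformed"
    date, resource, _ = parts
    if resource != recipient:
        return False, "wrong recipient"
    if date != today:
        return False, "stale date"
    if stamp in seen:
        return False, "replayed"
    need = REQUIRED_BITS.get(claimed_domain, DEFAULT_BITS)
    if stamp_bits(stamp) < need:
        return False, f"needs {need} bits"
    seen.add(stamp)
    return True, "ok"

if __name__ == "__main__":
    s = mint("020803", "user@example.org", 12)  # constructed sample stamp
    print(s, accept(s, "user@example.org", "020803", "trusted.example", set()))
```

A stamp minted at the trusted tier's 12 bits passes only while the claimed domain maps to that tier; under the flat default the same stamp must reach `DEFAULT_BITS` regardless of what source is claimed.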