From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/45436
Path: main.gmane.org!not-for-mail
From: "Patrick J. LoPresti" <patl@curl.com>
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [ANNOUNCE] contrib/hashcash.el spam fighter
Date: 29 Jun 2002 20:07:14 -0400
Sender: owner-ding@hpc.uh.edu
Message-ID: <s5gbs9t8w99.fsf@egghead.curl.com>
References: <Pine.LNX.4.44.0206241356360.29624-100000@yxa.extundo.com> <02Jun24.115740edt.119250@gateway.intersystems.com> <iluit48y6gj.fsf@extundo.com> <02Jun24.151839edt.119751@gateway.intersystems.com> <ilu1yawxtu1.fsf@extundo.com> <m3elewm7dk.fsf@peorth.gweep.net> <iluvg87wxbn.fsf@extundo.com> <02Jun25.104630edt.119271@gateway.intersystems.com> <s5gvg834fxr.fsf@egghead.curl.com> <02Jun28.122222edt.119118@gateway.intersystems.com> <s5gptybb16a.fsf@egghead.curl.com> <02Jun28.172137edt.119392@gateway.intersystems.com>
NNTP-Posting-Host: localhost.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: main.gmane.org 1025395899 18562 127.0.0.1 (30 Jun 2002 00:11:39 GMT)
X-Complaints-To: usenet@main.gmane.org
NNTP-Posting-Date: Sun, 30 Jun 2002 00:11:39 +0000 (UTC)
Return-path: <owner-ding@hpc.uh.edu>
Original-Received: from malifon.math.uh.edu ([129.7.128.13])
	by main.gmane.org with esmtp (Exim 3.33 #1 (Debian))
	id 17OSJX-0004om-00
	for <ding-account@gmane.org>; Sun, 30 Jun 2002 02:11:39 +0200
Original-Received: from sina.hpc.uh.edu ([129.7.128.10] ident=lists)
	by malifon.math.uh.edu with esmtp (Exim 3.20 #1)
	id 17OSG9-00022f-00; Sat, 29 Jun 2002 19:08:09 -0500
Original-Received: by sina.hpc.uh.edu (TLB v0.09a (1.20 tibbs 1996/10/09 22:03:07)); Sat, 29 Jun 2002 19:08:30 -0500 (CDT)
Original-Received: from sclp3.sclp.com (qmailr@sclp3.sclp.com [209.196.61.66])
	by sina.hpc.uh.edu (8.9.3/8.9.3) with SMTP id TAA01856
	for <ding@hpc.uh.edu>; Sat, 29 Jun 2002 19:08:20 -0500 (CDT)
Original-Received: (qmail 25676 invoked by alias); 30 Jun 2002 00:07:43 -0000
Original-Received: (qmail 25665 invoked from network); 30 Jun 2002 00:07:43 -0000
Original-Received: from lockupnat.curl.com (HELO egghead.curl.com) (216.230.83.254)
  by gnus.org with SMTP; 30 Jun 2002 00:07:42 -0000
Original-Received: (qmail 29243 invoked by uid 10171); 29 Jun 2002 20:07:14 -0400
Original-To: ding@gnus.org
In-Reply-To: <mit.lcs.mail.ding/02Jun28.172137edt.119392@gateway.intersystems.com>
Original-Lines: 52
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Precedence: list
X-Majordomo: 1.94.jlt7
Xref: main.gmane.org gmane.emacs.gnus.general:45436
X-Report-Spam: http://spam.gmane.org/gmane.emacs.gnus.general:45436

Stainless Steel Rat <ratinox@peorth.gweep.net> writes:

> * "Patrick J. LoPresti" <patl@curl.com>  on Fri, 28 Jun 2002
> | Right, so you have to try them all.  Checking the validity of a coin
> | is "fast", so this is OK, in theory.
> 
> Not even in theory.  It is a linear problem, and linear problems do not
> scale.

Sure, it is linear in the number of recipients times the number of
addresses you have.  But this product for a typical message is not
increasing over time, so there is no scalability problem.

> [...]
> 
> | Then again, it is not disastrous if you miss a message.
> 
> And if that lost message is the job offer I am expecting?

Do you usually have job offers BCC'd to you?  :-)

You are correct that you cannot combine BCC's with X-Hashcash without
risking the privacy of the BCC.  (All someone else has to do is guess
that you were a recipient, then check the X-Hashcash header to confirm
it.)  So BCC'd messages would have to go into your "has no X-Hashcash
header" folder for later perusal.  You will need such a folder anyway
as long as you have correspondents who are not using X-Hashcash.

> -Anything- that causes loss of legitimate mail is BAD.  Really bad.
> Unacceptably bad, in my opinion and that of the 350 employees in my
> company who expect mail not to be lost.

Tagging mail as potential spam, then perusing it later, is not
"losing" it.  In fact it is precisely how many (perhaps most) existing
spam-filtering implementations work.

> That is 1.8 million hashes per hour.
> 
> All those hashes being dumped into your spent coin database.  And five
> thousand Sub7 variant infections is a very conservative number.

You do not record invalid coins as "spent", because you can always
recognize them as being invalid.  Only valid coins need to be
remembered, and creating even a single valid coin is computationally
expensive.  How expensive is up to the recipient to choose.

> Do you begin to see the vulnerabilities in X-Hashcash?

I have yet to see you present any.  Yes, it does not combine well with
BCC.  But so far, that is the only correct argument you have made...

 - Pat