X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/45425
From: "Patrick J. LoPresti"
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [ANNOUNCE] contrib/hashcash.el spam fighter
Date: 28 Jun 2002 10:48:48 -0400
To: Stainless Steel Rat
Cc: ding@gnus.org
Sender: owner-ding@hpc.uh.edu
References: <02Jun24.115740edt.119250@gateway.intersystems.com> <02Jun24.151839edt.119751@gateway.intersystems.com> <02Jun25.104630edt.119271@gateway.intersystems.com>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
Stainless Steel Rat writes:

> | A spammer could compute these, but he could only use it once.
>
> No, he could only use it once every 28 days by default.

No. I think you still do not fully understand the hashcash scheme...

The hashed value includes both the recipient's address and the date. The hash is valid only if the recipient address is correct *and* the date is recent. "Recent" can be 28 days, 1 week, 1 day, or whatever you like; it depends on how long you want to allow the coin to be valid (for the convenience of the sender) versus how long you want to keep old coins listed in your local database.

> Still, there may be a way of exploiting the Bcc mechanism or RCPT TO
> at the SMTP level, both common spam tactics. If a spammer were to
> generate a hash against a bogus To header (like most of the spam I
> get), he could blindly send his spam to millions of recipients with
> only one hash. Yes, you could check the X-Hashcash coin against
> your known address, but that leads you directly into a false
> negative if a legitimate sender Bccs you something.

The sender must include a separate hash for every recipient, whether CC'd or BCC'd. Depending on the structure of the hash, this may or may not directly reveal to whom you BCC'd. (It certainly makes it possible for someone else to *guess* to whom you BCC'd, which is a downside. I doubt you can correct this deficiency without public-key crypto, though.)

> The system is also vulnerable to false positives. The likelihood of
> an accidentally duplicated coin increases with the number of users.
> And it is potentially vulnerable to denial of service by the same
> mechanism.

It does not matter if two duplicated coins appear somewhere in the world; what matters is whether somebody can exploit them. With any reasonable number of bits, they cannot. One false positive out of a million messages, or a billion messages, is certainly a ratio I could tolerate.

I do not think hashcash will catch on because it is too complex. But it is technically sound, your half-dozen misinformed messages on the topic notwithstanding :-).

 - Pat
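The scheme Pat describes above, as an added example that is not part of the original message and not the code of contrib/hashcash.el: a stamp is minted by searching for a counter until SHA-1 of the stamp string has the required number of leading zero bits, and the recipient checks that the address in the stamp is its own, that the date is within its validity window, that the claimed work was actually done, and that the stamp is not already in its local double-spend database. Assumptions: the stamp layout follows the later hashcash version-1 format "1:bits:date:resource:ext:rand:counter" (hashcash.el as announced in 2002 used an older layout); SHA-1 is used because hashcash specifies it; the addresses, the fixed "today", and the 12-bit difficulty are constructed for the example (a real deployment would ask for around 20 bits).

```python
"""Hashcash-style stamp minting and verification.

Added illustration, not hashcash.el's code.  Assumed stamp layout is the
later hashcash v1 format "1:bits:date:resource:ext:rand:counter" over SHA-1;
recipient, date and bit count below are constructed for the example.
"""
import hashlib
from datetime import date, datetime, timedelta
from typing import Dict, Tuple

# Constructed inputs for the example: a recipient address and a fixed "today".
RECIPIENT = "ding@gnus.org"
TODAY = date(2002, 6, 28)
# 12 bits keeps minting instant for a demo; real deployments use about 20.
DEMO_BITS = 12


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the work a stamp proves)."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def _work(stamp: str) -> int:
    """Leading zero bits of SHA-1 over the whole stamp string."""
    return _leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest())


def mint(resource: str, bits: int, day: date, rand: str = "r0") -> str:
    """Search for a counter so that SHA-1(stamp) starts with `bits` zero bits.

    The recipient address (resource) and the date sit inside the hashed
    string, so the work is bound to one recipient and one day: a stamp for
    a bogus To: address or a different day verifies nowhere else."""
    datestr = day.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"1:{bits}:{datestr}:{resource}::{rand}:{counter}"
        if _work(stamp) >= bits:
            return stamp
        counter += 1


class Verifier:
    """Recipient-side check: right address, recent date, enough work, not
    already spent.  `seen` is the local double-spend database; it only has
    to hold stamps younger than `max_age_days`, which is the trade-off
    between sender convenience and database size discussed in the thread."""

    def __init__(self, my_address: str, min_bits: int, max_age_days: int, today: date):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age_days = max_age_days
        self.today = today
        self.seen: Dict[str, date] = {}

    def _prune(self) -> None:
        """Drop stamps too old to be accepted anyway; they cannot be replayed."""
        cutoff = self.today - timedelta(days=self.max_age_days)
        self.seen = {s: d for s, d in self.seen.items() if d >= cutoff}

    def check(self, stamp: str) -> Tuple[bool, str]:
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False, "malformed"
        _, bits_s, datestr, resource, _ext, _rand, _counter = parts
        try:
            bits = int(bits_s)
            stamp_day = datetime.strptime(datestr, "%y%m%d").date()
        except ValueError:
            return False, "malformed"
        if bits < self.min_bits:
            return False, "too few bits claimed"
        if resource != self.my_address:
            return False, "wrong recipient"
        age = (self.today - stamp_day).days
        if age < 0 or age > self.max_age_days:
            return False, "date not recent"
        if _work(stamp) < bits:
            return False, "insufficient work"
        self._prune()
        if stamp in self.seen:
            return False, "double spend"
        self.seen[stamp] = stamp_day
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the cases raised in the thread; returns verdicts by name."""
    me = Verifier(RECIPIENT, DEMO_BITS, 28, TODAY)
    other = Verifier("rat@example.org", DEMO_BITS, 28, TODAY)  # a Bcc recipient
    good = mint(RECIPIENT, DEMO_BITS, TODAY)
    old = mint(RECIPIENT, DEMO_BITS, TODAY - timedelta(days=29))
    weak = mint(RECIPIENT, DEMO_BITS - 4, TODAY)
    return {
        "fresh": me.check(good),
        "replayed": me.check(good),
        "bcc_elsewhere": other.check(good),
        "expired": me.check(old),
        "weak": me.check(weak),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The order of checks matters for the cost of a verifier: address and date are compared before the hash is computed, so a flood of stamps minted for someone else is rejected without touching the database. Note that the "bcc_elsewhere" case is exactly why each recipient, including Bcc recipients, needs its own stamp: the one minted for ding@gnus.org is worthless at rat@example.org.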