[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: message dependent hashcash => no double spend database (Re: hashcash spam prevention & firewalls)




At 11:48 PM 12/13/97 GMT, Adam Back wrote:
>However, generally I have been assuming that it's easier to have a
>double spend database, and to make the hashcash depend only on the
>resource name for the kinds of problems you raise, and because it is
>cheaper to verify hashcash on shorter strings.  By resource name I
>mean whatever it is that is being used.  For an email address it is
>the email address, for a remailer it is the remailers address.  Could
>be generalised for other purposes, for example free use of web based
>resources or even telnet based TCP/IP protocols in general.

As a technological fix for spam, destination address hashcash seems to be
lacking.  All this does is raise the wall of entry into becoming a
spamhause from one PC to say, ten.  It is not much more difficult to sell a
CD-ROM with one million email addresses & hashcash.   A 20 second hashcash
expenditure on one million email addresses will take about 231 CPU days, or
about three weeks if you use ten machines.  Sell 500 copies of the CD-ROM
for $500, and you net $250K, easily enough profit to purchase the $20K of
machines or even to rent them for one month.  After six months, you will
have around eight million pieces of hashcash from the computational power
of only ten machines.  This says nothing of the profits from actually
sending spam.

The implementation of the plan is a more or less impossible scheme.  Many
people like myself exist who do not care from spam, but wish to receive
email from anyone who legitimately sends it.  I can only see a hashcash
anti-spam plan working when you have a closed list of people who generally
know each other.  While the mail gateway I use could easily be converted to
a hashcash enabled gateway, I have no interest in refusing email from those
who do not have hashcash gateways.

To be an anti-spam measure for ISPs, hashcash would have to be based on the
destination email address, the text of the message in some fashion, and
possibly on other factors such as a timestamp or a from address.  Hashcash
tied to a from address as well as the destination would do a lot for spam
filters.  Using all or a portion of the message body, say every 23
characters in a round robin fashion until 50 sample body message characters
had been collected would make hashcash non reusable and not sellable.

Any ISP hashcash plan still does not take into account the effect of
services like hotmail, rocketmail, and the like who will need to generate
hashcash for the destination address because they exist to shield the
destination address from the sender.  Changes to the "Don't charge postage"
database will be awkward.  There are some serious privacy problems with
warehousing with your ISP a list of your other email addresses, or the
addresses of your postage free friends.


  -- Robert Costner                  Phone: (770) 512-8746
     Electronic Frontiers Georgia    mailto:[email protected]  
     http://www.efga.org/            run PGP 5.0 for my public key