Re: hashcash spam prevention & firewalls




...
> I find this concept to have problems. 

Yah, so do I...I don't like things that allow abuse of discretion, but I
thought it was necessary -- I didn't know hashcash could be prepackaged when I
posted this. 

It's a moot point since it's not needed anyway, but if morbid curiosity
overwhelms you, read on...To summarize, no single organization would certify
remailers, not all hosts would need to be certified, and banning remailers
wouldn't be any harder than it is today. 

===============================================================================

...
> This whitelist concept, that if I am "good" I get approved and certified
> smacks of things which I generally oppose.  And who keeps the whitelist? 
> CAUCE?  Verisign?  Time Magazine?  The NSA?  Microsoft? 

Well, the intention was for no single organization to certify remailers, but
rather to distribute the responsibility among anyone who can be trusted not to
certify a spammer. Individual gateways could choose whose certifications they
trusted if they thought some authorities were too restrictive or thought spam
was seeping through. Yes, I'd imagine CAUCE and Verisign (along with Infonex,
nym.alias.net, etc.) would try to set themselves up as authorities. NSA
wouldn't because they don't like remailers at all (except for those
identity-escrowed FORTEZZA-powered Big-Brother-friendly ones, which wouldn't
get users anyhow :). 

> 
> How much would it cost for each of the 50K mail hosts to become certified?
> This is an administrative nightmare.

Not all hosts, just high-traffic ones for which other solutions (having users
exempt them from hashcash [for mailing lists] and having heavy users generate
their own hashcash [for ISPs]) won't work. This basically means remailers.

...
> 
> Currently remailers can send mail most anywhere.  I suspect that if remailers
> had to get certified (say a RSACi rating of "remailer") 

The certification scheme wasn't designed for rating but rather to let cracker
get by on less than 44 CPU-hours a day. 

> most mail hosts would begin denying mail from remailers. 

They could already. Get Raph Levien's list and block mail from those addresses; 
unlisted remailers would be found soon enough. If you also used the
certification for some arbitrary non-remailer, non-spam servers, it would
probably be harder to use certification to ban remailers than to use the
remailer list.

---------------------------------------------------------------------------
Randall Farmer
    [email protected]
    http://hiwaay.net/~rfarmer