
Beat Spam Using Hashcash

timothy posted more than 9 years ago | from the variation-on-a-theme dept.

Spam 324

Shell writes "If they want to send spam, make them pay a price. Built on the widely available SHA-1 algorithm, hashcash is a clever system that requires a parameterizable amount of work on the part of a requester while staying "cheap" for an evaluator to check. In other words, the sender has to do real work to put something into your inbox. You can certainly use hashcash in preventing spam, but it has other applications as well, including keeping spam off of Wikis and speeding the work of distributed parallel applications." If you're specifically interested in hashcash for your mail server, Camram has some interesting ideas -- their Frequently Raised Objections page may be illuminating.


GNAA wins election (-1, Offtopic)

dumbrock (829939) | more than 9 years ago | (#10779361)

The votes are in and the winner of the 2004 U.S. Presidential election is GNAA. The GNAA is an informal political entity whose primary goals are the mollification of the American public so that they can be trained to worship the GNAA and all it supports. For all you political hacks who speak of red states and blue states, you must by now realize that the only winner in the elections of 2004 was the GNAA. If you are ready to accept your fate and join us, you too can be a winner. Otherwise you will be a whiner (democrat) or a weiner (republicrat). About GNAA: GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS. Are you GAY [dickcream.com]? Are you a NIGGER [mugshots.org]? Are you a GAY NIGGER [gay-sex-access.com]? If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for! Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member. GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America and the World! You, too, can be a part of GNAA if you join today! Why not? It's quick and easy - only 3 simple steps! * First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it. You can download the movie [idge.net] (~130mb) using BitTorrent. * Second, you need to succeed in posting a GNAA First Post [wikipedia.org] on slashdot.org [slashdot.org], a popular "news for trolls" website. * Third, you need to join the official GNAA irc channel #GNAA on irc.gnaa.us, and apply for membership. Talk to one of the ops or any of the other members in the channel to sign up today! 
Upon submitting your application, you will be required to submit links to your successful First Post, and you will be tested on your knowledge of GAYNIGGERS FROM OUTER SPACE. If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is NiggerNET, and you can connect to irc.gnaa.us as our official server. Follow this link [irc] if you are using an irc client such as mIRC. If you have mod points and would like to support GNAA, please moderate this post up. .________________________________________________. | ______________________________________._a,____ | Press contact: | _______a_._______a_______aj#0s_____aWY!400.___ | Gary Niger | __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ | gary_niger@gnaa.us [mailto] | _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ | GNAA Corporate Headquarters | _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ | 143 Rolloffle Avenue | ________"#,___*@`__-N#____`___-!^_____________ | Tarzana, California 91356 | _________#1__________?________________________ | | _________j1___________________________________ | All other inquiries: | ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ | Enid Indian | ____!4yaa#l___________________________________ | enid_indian@gnaa.us [mailto] | ______-"!^____________________________________ | GNAA World Headquarters ` _______________________________________________' 160-0023 Japan Tokyo-to Shinjuku-ku Nishi-Shinjuku 3-20-2 Copyright (c) 2003-2004 Gay Nigger Association of America [www.gnaa.us]

THE GNAA FAILS BASIC HTML FORMATTING! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10779403)

It isn't hard to do HTML properly you IDIOT! Now DROP AND GIVE ME 20 GREASED UP YODA DOLLS SHOVED UP YOUR ASS!

Re:THE GNAA FAILS BASIC HTML FORMATTING! (0, Offtopic)

dumbrock (829939) | more than 9 years ago | (#10779547)

I am of the political wing of the GNAA. HTML formatting is handled at the corporate office. NOW put the greased yoda dolls one-bay and give the money to gnaa. tell them they have been in my anal cavity.

Hashcash got me arrested... (5, Funny)

Anonymous Coward | more than 9 years ago | (#10779366)

Those damn police dogs can smell through plastic pretty well!

Re:Hashcash got me arrested... (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10779781)

That's why you have to kick them in the throat.

Re:Hashcash got me arrested... (5, Funny)

Infinityis (807294) | more than 9 years ago | (#10779856)

Maybe Winzip and Ziplock should merge. I think it'd be nice to have encrypted, password protected sandwich bags, but at 90% compression, I think the bread might not taste so good afterwards.

CMDRTACO GAVE ME THE UCIA (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10779368)

CmdrTaco gave me an unsolicited cock in the ass. He called it "goin' Kobe style on you" and, with his final grunt told me "YOU'VE BEEN KOBIFIED BITCH"

FP

OMFG! MISTER CHEF DIES AT THE END OF HALOE2!!!!1!1 (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10779734)

Apparently Cartman's mom wears him out with sexual exhaustion!

Weird (0, Redundant)

stephenMF (547151) | more than 9 years ago | (#10779371)

Protowall wouldn't let me read the article. Hm.

prosty fist! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10779379)

prosty fist!
where oh where is the spam checklist?
your solution will not work because:
A. you fail it

Work for it? (2, Informative)

null etc. (524767) | more than 9 years ago | (#10779382)

Aren't there plenty of available solutions today that make the sender "work for it?"

Re:Work for it? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10779442)

There are plenty of available solutions, however they're all designed/implemented/pushed by large companies - viva la open source.

hashcash.org is down..? (2, Interesting)

ArghBlarg (79067) | more than 9 years ago | (#10779388)

Funny this story should appear today.. I have been trying to find a mirror of hashcash.org for the last few days to read up on the whole idea. It's been down for a while now (or is there just some problem on my end?)

Please post mirrors.

Names, shmames (0, Troll)

Anonymous Coward | more than 9 years ago | (#10779389)

Hashcash, Camram...... Jeez!

Can you smoke it? (1)

Xenix (232152) | more than 9 years ago | (#10779398)

I got nothing.

Again? (4, Informative)

Anonymous Coward | more than 9 years ago | (#10779404)

The previous [slashdot.org] stories [slashdot.org] weren't enough?

Won't help (1)

Sv-Manowar (772313) | more than 9 years ago | (#10779409)

The spammers have heard of outsourcing too, I see a new job market emerging in this manual labour field

HashCash? (3, Funny)

Hatta (162192) | more than 9 years ago | (#10779411)

And remember, you can't spell "Budget" without "Get Bud".

Slashdot Spam Form Response (4, Insightful)

Anonymous Coward | more than 9 years ago | (#10779416)

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(*) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re: Slashdot Spam Form Response (5, Insightful)

er_col (664618) | more than 9 years ago | (#10779464)

Thanks for the usual Spam Form Response. I think it is remarkable that very few choices are marked on it this time around. And if you read the Frequently Raised Objections page, you may well end up with no marks left at all. So this hashcash idea does sound really interesting.

Re: Slashdot Spam Form Response (2, Insightful)

955301 (209856) | more than 9 years ago | (#10779623)

Agreed. I went through the form as well, and found that at least one point the grandparent marked doesn't apply; users of email don't actually have anything to put up with. The validation is done by the mail server (or other server it's offloaded to).

But the mailing list server would have to take on additional load since they send mail to so many users.

And using zombies to do the hashing has a point as well, although the author points out that loading the zombies with additional work isn't such a bad thing after all.

Note to Moderators. (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10779468)

This Post Came First and is not Redundant.

Re:Slashdot Spam Form Response (3, Informative)

NoOneInParticular (221808) | more than 9 years ago | (#10779542)

Ah, was waiting for this one:

(*) Mailing lists and other legitimate email uses would be affected

One word, one hyphen: white-listing.

(*) Users of email will not put up with it

Why? It's not costing them anything

(*) Armies of worm riddled broadband-connected Windows boxes

Need an order more worm riddled boxes, i.e. ONE ORDER LESS SPAM.

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

None have ever been tried.

(*) Sorry dude, but I don't think it would work.

Sorry dude, I think it will not solve the problem, but will make it appr. one order less effective.

Re:Slashdot Spam Form Response (2, Insightful)

fatphil (181876) | more than 9 years ago | (#10779640)

"""
(*) Mailing lists and other legitimate email uses would be affected

One word, one hyphen: white-listing.
"""

One word, one hyphen: header-forging

"""
(*) Users of email will not put up with it

Why? It's not costing them anything
"""

It costs them CPU cycles.

"""
(*) Armies of worm riddled broadband-connected Windows boxes

Need an order more worm riddled boxes, i.e. ONE ORDER LESS SPAM.
"""

What language is that in?

"""
(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

None have ever been tried.
"""

If so, it's because none have been shown to be practical.

FP.

Re:Slashdot Spam Form Response (0)

Anonymous Coward | more than 9 years ago | (#10779786)

One word, one hyphen: white-listing.

I am the grandparent AC. My response:

(*) Whitelists suck

Re:Slashdot Spam Form Response (4, Insightful)

pclminion (145572) | more than 9 years ago | (#10779854)

One word, one hyphen: white-listing.

As a USER of email, I find the need to maintain a white-list simply because spammers are fucking assholes is UNACCEPTABLE. I won't do it. Right now, my Bayesian filters completely hide spam from me. I will not move from that system to a system which requires MORE WORK FOR ME, i.e., maintaining a whitelist.

Feel free to sit there and feel smug about your "solution" which requires you to waste your time.

I find that the people who most strongly advocate sender-side blocking, like HashCash, invariably are network administrators who don't want "their" bandwidth wasted. Guess what: I'm a customer. It's my bandwidth. I really don't give a fuck if spammers are violating the sanctity of your precious network. I am only interested in not seeing spam, not thinking about spam, and not worrying about spam. HashCash is a horrid solution in those respects, and I won't accept it.

Re:Slashdot Spam Form Response (1)

Don'tTreadOnMe (686201) | more than 9 years ago | (#10779855)

One word, one hyphen: white-listing.

If this is the answer to that objection, why bother with HashCash at all? Why not just use an "accepted sender" (white-list) to block out all of your spam?

Re:Slashdot Spam Form Response (0)

Anonymous Coward | more than 9 years ago | (#10779884)

Go ahead, implement it. Someone REALLY should bring a Hash Cash system to critical mass. We need that failure, so that we can point at something and end the discussion before it starts when another anti-spam newbie makes an idiot of himself by publicly raving about the Hash Cash concept.

Re:Slashdot Spam Form Response (0, Troll)

fatphil (181876) | more than 9 years ago | (#10779573)

Thank you. The thread is now closed.
Right, on to the next story...

FP.

Re:Slashdot Spam Form Response (1)

John Whitley (6067) | more than 9 years ago | (#10779792)

The Great Hammer of RTFA hits. --more--
You feel compelled to greater efforts of literacy.


The comment even includes a link to the Frequently Raised Objections [camram.org] page which specifically addresses these and a number of other issues. This page discusses the specific points that made prior similar ideas impractical and addresses how this new variant addresses those problems. If you can't emit anything more coherent than an uninformed knee-jerk response, then STFU!

He he he. It reminds me of .. (1)

apankrat (314147) | more than 9 years ago | (#10779859)

.. the story of the prominent mathematician of the early 20th century (I totally forgot who) who had a form that said -
Dear ____,

Your proof of Last Fermat Theorem contains
an error in line ___ on a page __.

Sincerely,
Prof. Xxxx
and for every proof-to-be he'd just pass it onto his grad students and let them fill in the blanks.

You asked for it - the spam rebuttal!!! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10779418)

Your post advocates a

(x) technical ( ) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
(x) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Note to Moderators. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10779490)

This Post Came Second but it was posted in parallel with the other post and although it is Redundant, it wasn't the fault of the poster..

Another Note to Moderators. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10779892)

People who write instructions to the moderators are a bunch of fucking assclowns.

Mod up!

This doesn't *stop* anything (1, Insightful)

hansendc (95162) | more than 9 years ago | (#10779428)

Today, spammers buy and sell large lists of email addresses on CDs or other media. Each of these addresses took some mining to find it, and put it on the CD.

In the future (if this takes off), these lists will simply contain the hashes along with the addresses. This temporarily makes the spammers lives a bit difficult, but doesn't have a long term impact.

Spammers share information. The cost of all those hashes amortized over a few years to a large number of spammers is nothing.

Re:This doesn't *stop* anything (4, Insightful)

Raul654 (453029) | more than 9 years ago | (#10779473)

Easily countered - then you simply change the hash question on a per email basis. So I ask potential emailer A a question about FOO and potential emailer B a question about OOF. There's no way to know in advance what I am going to ask. That way, the only way to email me is to actually compute the answer.

Re:This doesn't *stop* anything (4, Informative)

OverlordQ (264228) | more than 9 years ago | (#10779479)

In the future (if this takes off), these lists will simply contain the hashes along with the addresses. This temporarily makes the spammers lives a bit difficult, but doesn't have a long term impact.

Did you even RTFA? If there is *any* sort of time lag from when the Supplier A generated the hashes and sent to the Spammer B and the spammer sends the mail the hashes will become invalid.

3. The date (and time) a stamp was minted. Stamps in the future and those too far in the past may be judged invalid.

Re:This doesn't *stop* anything (1)

awacs (706692) | more than 9 years ago | (#10779484)

I think that part of the idea is that the hash is From- addr dependent. So, spammy must use the same From- address as the original CD seller in order to use his hash, and therefore gets picked off easier ...

Re:This doesn't *stop* anything (1)

crow (16139) | more than 9 years ago | (#10779517)

I only read the FAQ, so I don't know if this solution does this, but my guess as to how this might work is:
  • Sender establishes an SMTP connection.
  • Mail server responds, indicating that it supports hashcash extensions
  • Sender requests hashcash workload
  • Mail server responds with complex computation based on Sender and Recipient
  • Sender computes
  • Sender sends message with computed hash
  • Recipients spam filters add Sender to presumed-good whitelist
So the key would be having the computation be based on the sender and the recipient, so it can't be pre-computed (unless all spammers agree to use the same forged sender, which would be nice).

Extensions are needed for mail filters, SMTP servers, and SMTP clients.
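The interactive variant sketched in the two comments above (Raul654's per-email "question" and crow's SMTP-extension outline), as an added example that is not part of either post and is not how hashcash itself works: hashcash stamps are non-interactive, whereas here the receiving server hands out a fresh nonce per connection, so nothing can be computed before the server has been asked. The message names, the ":"-joined wire format and the assumption that addresses contain no ":" are illustration choices.

```python
import hashlib
import os
from typing import Dict, Tuple

# Added example (not hashcash, not Camram code): a server-issued
# proof-of-work challenge bound to the sender/recipient pair.

def zero_bits(digest: bytes) -> int:
    """Leading zero bits of a SHA-1 digest."""
    return 160 - int.from_bytes(digest, "big").bit_length()

class ReceivingServer:
    def __init__(self, bits: int):
        self.bits = bits
        self.pending: Dict[str, Tuple[str, str]] = {}  # nonce -> (sender, recipient)

    def challenge(self, sender: str, recipient: str) -> str:
        # Fresh random nonce per request: a list of precomputed answers
        # (the "CD of hashes" scenario) is useless against it.
        nonce = os.urandom(8).hex()
        self.pending[nonce] = (sender, recipient)
        return f"CHALLENGE:{nonce}:{sender}:{recipient}:{self.bits}"

    def accept(self, response: str) -> Tuple[bool, str]:
        parts = response.split(":")
        if len(parts) != 5 or parts[0] != "RESPONSE":
            return False, "malformed"
        _, nonce, sender, recipient, counter = parts
        # pop, not get: each nonce can be answered exactly once
        issued = self.pending.pop(nonce, None)
        if issued is None:
            return False, "unknown or already-used nonce"
        if issued != (sender, recipient):
            return False, "response bound to different addresses"
        digest = hashlib.sha1(f"{nonce}:{sender}:{recipient}:{counter}".encode()).digest()
        if zero_bits(digest) < self.bits:
            return False, "insufficient work"
        return True, "accepted"

def solve(challenge: str) -> Tuple[str, int]:
    """Client side: brute-force a counter until the digest has enough zero bits.
    Returns (response, attempts); attempts averages about 2**bits."""
    _, nonce, sender, recipient, bits = challenge.split(":")
    needed = int(bits)
    counter = 0
    while True:
        digest = hashlib.sha1(f"{nonce}:{sender}:{recipient}:{counter}".encode()).digest()
        if zero_bits(digest) >= needed:
            return f"RESPONSE:{nonce}:{sender}:{recipient}:{counter}", counter + 1
        counter += 1

def exchange(server: ReceivingServer, sender: str, recipient: str) -> Tuple[Tuple[bool, str], int]:
    """One full round trip: challenge, solve, accept."""
    c = server.challenge(sender, recipient)
    r, attempts = solve(c)
    return server.accept(r), attempts

if __name__ == "__main__":
    srv = ReceivingServer(bits=12)
    print(exchange(srv, "joe@example.net", "alice@example.com"))
```

The trade-off the thread is circling: the nonce kills precomputation and sharing outright, but it needs both ends online in the same SMTP session and a server-side table of outstanding nonces, which is exactly the infrastructure change later comments object to. Hashcash's stamp design pays for non-interactivity with the date window and double-spend database instead.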

Re:This doesn't *stop* anything (1)

jj_johny (626460) | more than 9 years ago | (#10779522)

RTFA

The question is different for each transaction. Duh. Please this idea is dumb on a host of levels and has been covered many times. The biggest issue is that sooooo much infrastructure (mainly software) has to change. So can we just say that this is another one of those CS discussions - interesting in theory - that will go nowhere anytime soon.

Yes it does. (0)

Anonymous Coward | more than 9 years ago | (#10779558)

If you'd read the entire article before posting, you'd find your concern is addressed.

"Also, once minted, I don't want a stamp to be shared among every spammer who wants to send me mail. Therefore, hashcash takes two
extra steps (or at least recommends them as part of the protocol):

First, stamps carry a date. A user may decide to consider stamps older than a certain age invalid. Second, a hashcash client may, and probably should, implement a double spend database.

A double spend database is one in which each stamp may be used exactly once; if it is received a second time, it is considered invalid
(much as with a postage stamp after it is marked as processed)."

That's covered in the Article. (4, Informative)

955301 (209856) | more than 9 years ago | (#10779562)


The author points out that a) a date is added to the string to be hashed and b) a database is kept for the day of hashes already used.

If you include the hash when you pass it out, step a) invalidates hashes of older days and step b) keeps the current day's hashes from being reused.

So it doesn't matter if the spammers share. The hashes are one-time.

Re:This doesn't *stop* anything (1)

Spoing (152917) | more than 9 years ago | (#10779764)

  1. Today, spammers buy and sell large lists of email addresses on CDs or other media. Each of these addresses took some mining to find it, and put it on the CD.

Nope. From my experience, that's not true. These are crooks...selling to crooks. If they sell bad data -- and I'd bet they do -- why would they care and how would the buyers of these lists know the difference?

Reason: About 1/2 of the spam messages I get are to addresses that are total fiction; they have never been used anywhere. Of the common ones, the associated name tends to be the same or from a short list of names -- and also total fiction (ex: "Marge Simmons" sales@bogus_sample_domain.com). The majority of the remaining addresses that were valid at one point are ancient (4+ years old).

I know this for a fact because one domain I have has only been used by me and I track the addresses I hand out.

I'd be curious if anyone else in a similar situation (old domain, not shared) has the same experiences.

The specific domain I'm referring to has been around for about 8 years.

Re:This doesn't *stop* anything (1)

karmatic (776420) | more than 9 years ago | (#10779818)

The "hash" includes a timestamp, the from address, and a serial number. The serial # can only be used once.

It's a non-issue.

Re:This doesn't *stop* anything (1)

melandy (803088) | more than 9 years ago | (#10779819)

these lists will simply contain the hashes along with the addresses
According to the article, there is also a timestamp associated with each hashcash stamp. So a CD full of hashes along with addresses as you propose will only be of value for a limited time.

Of course, the list could be processed *again* and you would have a fresh list, also of value only for a limited time. This process can be repeated ad nauseam, but new lists require new work.

The article did not mention a timeframe in which a stamp would be valid (other than not in the future, and not too far in the past). One could infer that the length of time in the past could be shortened, thus shortening the lifespan of a given spam list, and consequently increasing the amount of work to keep it up to date. The number of bits could also be increased to make creating a spam list more expensive.

Also, each stamp is only good once. When a stamp is spent, it's rendered useless.

In summary, you make a good point that spammers share information. However, I think that the expense of creating these stamps on a continual basis is not negligible. The real question becomes whether the expense of creating the stamps exceeds the revenue generated by the spam.
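The mechanism the summary at the top describes (expensive to mint, one SHA-1 to check) together with the two extra steps quoted in this subthread (a date on the stamp and a double-spend database), as an added example that is not the hashcash project's own code and not part of any comment here. It mints and checks stamps in the version-1 layout `1:bits:YYMMDD:resource::rand:counter`, where SHA-1 of the stamp string must begin with `bits` zero bits. Only the six-digit date form is handled; the receiver's "today", the two-day window and 12 bits (instead of a realistic 20) are assumptions chosen so the demo runs in milliseconds.

```python
import base64
import hashlib
import os
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Added example, not hashcash's reference implementation.

def zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a SHA-1 digest."""
    return 160 - int.from_bytes(digest, "big").bit_length()

def stamp_bits(stamp: str) -> int:
    return zero_bits(hashlib.sha1(stamp.encode()).digest())

def mint(resource: str, bits: int, date: str, rand: Optional[bytes] = None) -> Tuple[str, int]:
    """Sender side: brute-force the counter. Returns (stamp, attempts);
    attempts averages about 2**bits, while the receiver needs one hash."""
    rand_b64 = base64.b64encode(rand if rand is not None else os.urandom(8)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand_b64}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1
        counter += 1

class Receiver:
    """Verifier with a date window and a double-spend database (an in-memory
    set here; a real one lives on disk and is pruned of stamps older than the
    window, which is why the window bounds the database size)."""

    def __init__(self, resource: str, min_bits: int, today: str, max_age_days: int = 2):
        self.resource = resource          # the address this stamp must be made out to
        self.min_bits = min_bits          # minimum work we are willing to accept
        self.today = datetime.strptime(today, "%y%m%d")
        self.max_age = timedelta(days=max_age_days)
        self.spent = set()

    def check(self, stamp: str) -> Tuple[bool, str]:
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1" or not parts[1].isdigit():
            return False, "malformed"
        bits, date, resource = int(parts[1]), parts[2], parts[3]
        if resource != self.resource:
            return False, "wrong resource"
        if bits < self.min_bits:
            return False, "too few bits claimed"
        if stamp_bits(stamp) < bits:      # the whole verification cost: one SHA-1
            return False, "hash does not match claimed bits"
        try:
            minted = datetime.strptime(date, "%y%m%d")
        except ValueError:
            return False, "bad date"
        if minted > self.today or self.today - minted > self.max_age:
            return False, "stamp expired or postdated"
        if stamp in self.spent:           # the double-spend database
            return False, "double spend"
        self.spent.add(stamp)
        return True, "ok"

if __name__ == "__main__":
    rx = Receiver("alice@example.com", min_bits=12, today="041108")
    stamp, attempts = mint("alice@example.com", 12, "041108")
    print(attempts, "hashes to mint;", rx.check(stamp), "first use;", rx.check(stamp), "on replay")
```

Run it and the three objections in this subthread fall out of the checks in order: a stamp minted for one address is rejected for another before its hash is even looked at, a stamp from a CD burned last month fails the date window, and a stamp that was already delivered once fails the double-spend lookup. Raising `min_bits` is the knob melandy describes for making list-building more expensive.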

What about mailing lists?? (0, Redundant)

datbox (800756) | more than 9 years ago | (#10779436)

How would mailing lists be affected by all of this?
I would think this would put a major strain on the server that distributes to the individual addresses.

Re:What about mailing lists?? (3, Informative)

alexbartok (764756) | more than 9 years ago | (#10779512)

Thanks for RTFA
Jeez.

>>
How do you deal with large-scale legitimate mail sources (i.e. mailing lists, mail houses, etc.)?

There are two issues here. Mailing lists don't really have a good solution with the first generation of stamps. The traffic mailing lists generate is fundamentally indistinguishable from spammers, therefore whatever hurts spammers will hurt mailing lists. The answer for right now is to not do anything with mailing lists. Let them send unstamped mail and let the user whitelist mailing lists or deal with the trapped message issue manually.

In the future, it will become easier to deal with mailing lists because of the second generation of stamps (opportunistic signatures). If the list is signed with its own stamps, then it would be let through without problem. Spammers would still be barred because their signatures would be ignored.

The second issue is that mailing houses that deliver bulk e-mail for legitimate commercial ventures will need to generate stamps for some of their traffic. If they are sending newsletters to which users have subscribed, then the signature stamps method will work for them. Everything else is advertising mail and should be stamped. A circumstance in the future can be envisaged where mass mailers will try to cheat and use signature stamps for mailing lists to deliver commercial e-mail. Obviously there should be some method of responding, but that is not yet apparent.

In the meantime, these houses will need to generate stamps. While most of their server resources will be maxed out, they'll have idle resources on the desktop. A technique is being developed that allows a company to make use of its idle resources to generate stamps for its outbound mail. It will be up to each organization to determine what machines it wants to use and how high it wants to load them. If it's bulk e-mail with no particular need to deliver immediately, then a small number of heavily loaded machines should be sufficient. If it's urgent corporate mail, then they will want to have more machine resources than are needed for stamps.

Re:What about mailing lists?? (0)

Anonymous Coward | more than 9 years ago | (#10779529)

You must be new here.

Right cause, wrong solution. (2, Insightful)

Anonymous Coward | more than 9 years ago | (#10779447)

The end effect of this is eventually bad, or utterly worthless.

Joe Sixpack wants to send a mail. If it takes him an hour to parse a key, he's not going to mail his mother anymore.

If a spammer has to spend an hour processing the key, he's just going to invest more of his time getting zombie PCs to get the work done for him.

Who wins here? Certainly no one.

Disclaimer: the hour was used as an example. I've no clue how long it takes, but the point should still hold.

The moral being, don't make the end users pay for the actions of spammers. We have laws for spammers now; it's time to start using them.

Re:Right cause, wrong solution. (4, Informative)

Em Ellel (523581) | more than 9 years ago | (#10779633)

Joe Sixpack wants to send a mail. If it takes him an hour to parse a key, he's not going to mail his mother anymore.

The general idea is that it will take a relatively small yet significant time to compute. So for example (also random) 30 seconds. Joe Sixpack will not notice a 30 second delay on his computer for one email. However Jack Spammer who sends a million emails will need 500,000 minutes to compute the sums. A huge difference.... until you figure out that the spyware on Joe Sixpack's computer is what's actually doing the computing.

-Em

Re:Right cause, wrong solution. (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10779688)

Oddly enough, I notice when it takes more than two or three seconds. Typically that's an indication that there's a DNS problem.

Re:Right cause, wrong solution. (1)

harrkev (623093) | more than 9 years ago | (#10779649)

RTFA.

Joe Sixpack will take a second, maybe two to send the e-mail. I doubt that he could type fast enough for this to be an issue...

Now, a zombie can only send one e-mail every second vs. the usual ten. Not perfect, but I would settle for 3 spams per day vs. my current 30.

Yes, it does require some changes to e-mail software, but the article points out that the changes can be slowly phased in. If an e-mail client includes the code and this idea never catches on, then the worst thing to happen is that there is a little code-bloat in your client. No big deal!

I wonder how long before Mozilla incorporates this?

Re:Right cause, wrong solution. (1)

Pleione (825378) | more than 9 years ago | (#10779656)

I agree with this. Spamming has gotten so out of hand that the only way an automated system can work is by having outrageous filters in place. This has the potential to prevent legit senders from ever reaching you. If the penalty was raised and enforced, say by making spamming a felony offense, I'd bet that a lot of those problems would go away.

Re:Right cause, wrong solution. (1)

One Childish N00b (780549) | more than 9 years ago | (#10779722)

It doesn't take an hour to parse the key, it takes maybe less than a second - the idea being that it's invisible to 'Joe Sixpack' sending an email to his buddies, but those less-than-a-seconds add up for the spammer spewing out hundreds of thousands of emails advertising their \/14gr4. Also, if the zombie machines he uses start running slow because they're now processing hundreds of thousands of those hashes, they're more likely to get an engineer in who will fix the problem. Who wins? Everyone.

Re:Right cause, wrong solution. (2, Interesting)

gateman9 (733995) | more than 9 years ago | (#10779727)

Okay, do a little math. Spammers want to spam millions of addresses. So, even with a theoretically large network of zombies (say a thousand for one spammer), the zombies can compute an equivalent 1000 hours of work in an hour. That's 1000 emails. The spammer would need to get his zombies to do 1000 hours of work to send a million emails. Eventually, the excessive work being done on these zombies would get someone's attention and they would either be cut from the network or reclaimed from zombie status.

I don't know about you, but I RTFA, and once you and your friends have done a little grunt work once, you no longer need to do grunt-work.

Also, if I read correctly, the hashes may only take a few minutes per address, even on the minute scale, it is too economically expensive for spammers to send email.

More or less, spammers would need the equivalent super-computer on the scale of the Columbia installation or the Earth Simulator to effectively continue spamming.

Stupid idea (3, Insightful)

pclminion (145572) | more than 9 years ago | (#10779457)

This makes it difficult to send any kind of mass mail.

For example, Sourceforge sends site-wide update messages about once a month or so. They have tens, if not hundreds of thousands of users. If every one of those users used HashCash, Sourceforge would practically need a dedicated server farm computing hashes simply in order to send out its update notices.

This is a really, really stupid idea.

Re:Stupid idea (2, Insightful)

chuckgrosvenor (473314) | more than 9 years ago | (#10779495)

Not really. If you want the mass email, you can whitelist it so they don't need to compute a hash for you.

Re:Stupid idea (3, Insightful)

fatphil (181876) | more than 9 years ago | (#10779527)

And then every spammer forges its source to be sourceforge.

Shit, pun not intended.

FP.

How about.... (1)

raxxerax (673428) | more than 9 years ago | (#10779668)

How about allowing a user to place a site on a list of sites that will be asked for the same hash (randomly chosen for each site) every time? This means that sourceforge simply needs to save the hash and send it with subsequent emails.

Re:How about.... (1)

magefile (776388) | more than 9 years ago | (#10779787)

Same problem. "Hi, I'm sourceforge. What hash do I need?" A little while later ... "Hi, Ralsky [and a million other spammers]. Here's a CD of email addys + *@sourceforge.net hashes. $500 sound good?"

Re:Stupid idea (1)

cortana (588495) | more than 9 years ago | (#10779873)

$ dig +short txt sourceforge.net
"v=spf1 mx a:mail.marblehorse.org a:sshgate.sourceforge.net a:smtp.vasoftware.com a:newcastle.devrandom.net -all"

Problem solved.

Re:Stupid idea (1)

crow (16139) | more than 9 years ago | (#10779549)

Better yet, they send you a single email when you sign up with them, and they stamp that one. The idea is that known senders don't need stamps. This can solve the problem for mailing lists, as they get whitelisted when you subscribe.

Re:Stupid idea (1)

badfish99 (826052) | more than 9 years ago | (#10779635)

So every time I subscribe to a mailing list, I've got to go through some convoluted process of receiving a magic email and then adding the sender to the whitelist. OK for you and me, but if Microsoft implement this they will just automate the process so you only have to click "ok" on a popup. So Joe Sixpack will click "ok" when he gets his first spam, and the spammer will be on his whitelist.

Re:Stupid idea (2, Insightful)

mypalmike (454265) | more than 9 years ago | (#10779807)

So every time I subscribe to a mailing list, I've got to go through some convoluted process of receiving a magic email and then adding the sender to the whitelist.

Don't you already get "magic emails" and go through a convoluted process for most mailing lists to confirm that you want to be on the list?
OK for you and me, but if Microsoft implement this they will just automate the process so you only have to click "ok" on a popup.

POPUP: "Do you wish to receive mail from the sender 'V|4GRA-= CIA7IS =CHEAP'? [Yes] [No]"
So Joe Sixpack will click "ok" when he gets his first spam, and the spammer will be on his whitelist.

If Joe Sixpack makes the mistake of accepting it, he can later simply remove it from his whitelist when he notices. A well-designed UI will make it so that he doesn't even realize he has this "whitelist".

-_-_-

Re:Stupid idea (1)

magefile (776388) | more than 9 years ago | (#10779843)

Frankly, I don't give a shit about Joe Sixpack. 'Course, given that it won't work for Joe Sixpack, it won't be implemented, but if it were implemented, and Joe Sixpack didn't see a difference, that's not my problem, nor do I care.

Re:Stupid idea (2, Insightful)

Anonymous Coward | more than 9 years ago | (#10779550)

I think we just need to accept the fact that mailing lists need to be whitelisted. There is never going to be a simple way of letting "good" SPAM in while blocking "bad" SPAM at the same time. Half the SPAM I get is from mailing lists like Best Buy's. How can I block it at my company's spam filter if 1/3 of the people here actually want the mail?

Blah. Whitelist it if you want it.

Re:Stupid idea (1)

pclminion (145572) | more than 9 years ago | (#10779735)

Blah. Whitelist it if you want it.

Sorry. I refuse to waste my time maintaining such a list simply because spammers are assholes, and those who advocate HashCash are blind. Instead of being happily unaware of spam as my Bayesian filter silently tosses it, I now have to consciously manage a white list.

No thanks.

Re:Stupid idea (0)

Anonymous Coward | more than 9 years ago | (#10779589)

So there is no whitelist option like TMDA?
I think TMDA is a great antispam solution; don't know why more people don't use it.
http://tmda.net/

Read the other link (1, Informative)

Anonymous Coward | more than 9 years ago | (#10779615)

Mailing lists are specifically dealt with in the list of frequent concerns.

It's easily solved (2, Funny)

Skapare (16644) | more than 9 years ago | (#10779757)

It's easily solved. Just buy the CD of pre-calculated prime factors from the spammers.

Re:Stupid idea (1)

Infinityis (807294) | more than 9 years ago | (#10779801)

"This makes it difficult to send any kind of mass mail."

Well, not exactly any kind...there's still snail mail. Of course, at $0.37 per person * 100,000 users = $37,000 per mass mailing, then * 12 months = $444,000 annually, it gets pretty expensive, but at least it would keep out all but the most dedicated spammers.

At its very roots, the ease of sending an email makes it a problem. If someone really wants to eliminate their spam, another tier or two needs to be added to email, wherein there is a verification system in place to ensure that an email was sent from where it says it was sent from, or only selected users can send someone an email, or something like that. Strangers can't just walk right into a CEO's office, they've got to go through layers of secretaries, etc. Why should a strange email be allowed to walk right into a CEO's inbox?

Re:Stupid idea (1)

trustedserf (700733) | more than 9 years ago | (#10779849)

Anyone who subscribes to a list and then demands any form of 'payment' to be sent mails is confused and shouldn't be on the list.

If you subscribe, and want the mails, there need only be an opt-out where you make the source of the mailing list exempt from the scheme. ... Like a button in your mail client that says 'Accept mail from this address without challenging.' ... probably based on IP address.

Won't Stop Virus/Worm'd Zombie spamming (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10779499)

An awful lot of spam has been generated from machines infected by worms. If the spammer controls a thousand zombie machines, he'll have all the CPU power he needs...

Re:Won't Stop Virus/Worm'd Zombie spamming (2, Insightful)

gateman9 (733995) | more than 9 years ago | (#10779821)

You've never done distributed computing work, have you?

On average, the 1000 zombies will have an average CPU equivalent to a P4. Add to that network latency and all the work that has to go into coordination, and the equivalent CPU power goes down.

So if a spammer had 1000 zombies, he'd get at best 1000 hours of work in 1 hour, and on average maybe 100. To send a million emails, even under the best conditions and using the two or three second hash-compute time, he would need approximately 555-833 hours.

now what? (3, Funny)

Scythr0x0rs (801943) | more than 9 years ago | (#10779523)

You make me pay precious CPU time to e-mail my mother-in-law? you insensitive clods!

Re:now what? (0, Offtopic)

Infinityis (807294) | more than 9 years ago | (#10779622)

By referring to a mother-in-law, you're implying that you are married, which implies that you have had relations with a feminine being, so basically, you're bragging...you insensitive clod!

I had to quit smoking... (5, Funny)

RandoX (828285) | more than 9 years ago | (#10779578)

...because I was out of hash cash.

cf Penny Black (4, Interesting)

r (13067) | more than 9 years ago | (#10779590)

Funny, isn't there a Microsoft Research project that did this already?

Oh yeah, so there is [microsoft.com] , along with papers explaining how it works. So much for giving credit for prior work.

Re:cf Penny Black (2, Insightful)

PugMajere (32183) | more than 9 years ago | (#10779741)

Hashcash predates the MS Research project.

This article is about the first correct (supposedly) Python implementation of hashcash.

The Munchies... (1)

Aceto3for5 (806224) | more than 9 years ago | (#10779592)

I gotta read these headlines more carefully. I always thought SPAM was popular BECAUSE of people using Hashish. I would lean more towards doritos but thats just me.

Won't work. Zombies will generate the stamps (2, Interesting)

Animats (122034) | more than 9 years ago | (#10779593)

Spammers will just offload stamp generation work onto their zombies. 0wned PCs on cable modems will burn even more CPU time.

If you want a virus built to generate stamps on zombies, just go over to Spamforum.biz [spamforum.biz] and advertise for one. New ads over there this week include "PushMail Webmailer v1.0.2 ~ New, Fast WAP Webmailer for Sale (Gets by Filters)". There's even a banner ad for a firm that wants spammers [s-rx.com] : "3 different sites - Pharma - OEM - Cigarettes".

Re:Won't work. Zombies will generate the stamps (1)

955301 (209856) | more than 9 years ago | (#10779714)


You're right, but putting additional CPU load on zombies isn't such a bad thing, is it? Spammers pay for zombies so it still increases their actual costs.

This idea actually has merit. Admit it.

Even easier than that (1)

Skapare (16644) | more than 9 years ago | (#10779795)

Even easier than that. At 20 bit values, we're not talking very many different numbers here. These can be pre-calculated in a few hours, packaged on CDROMs, and sold to other spammers. Yet another way to make money on the net.

Re:Won't work. Zombies will generate the stamps (1)

Vegard (11855) | more than 9 years ago | (#10779797)

I just read the terms of use of spamforum.biz, at http://www.spamforum.biz/terms.htm - can these be legal at all?

Basically, the click-through license will make you agree not to sue anyone affiliated with the site, or any contributors, etc. Leaving out the question whether click-through is valid, this is not something that I would want to risk.

I advise anyone that is concerned about spam, and possibly wants to contribute to the fight against spam at some point, to not enter this site, if you want to avoid the risk of getting sued for "breach of contract" (the one you signed by entering the site).

Re:Won't work. Zombies will generate the stamps (1)

Animats (122034) | more than 9 years ago | (#10779870)

Since they haven't disclosed who the other party to the contract is, there's no contract.

It would be great if they sued. They'd have to disclose their identity.

As an anonymous coward (1, Funny)

Anonymous Coward | more than 9 years ago | (#10779594)

I think it would be great if /. implemented this. If posting took 200 sec of computation then only people with something interesting to say would bother. Much less spam and karma-whoring.

Flamewars would be restricted to people at work posting from supercomputers :)

-J

C. 'Roast Beef' Kazenzakis, we love you. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10779612)

Just in case you're browsing Slashdot today. :)

Greylisting worked for my company (4, Interesting)

alen (225700) | more than 9 years ago | (#10779627)

We bought a vanilla smtp server for our gateway called Xwall. A few months ago they introduced greylisting.

Basically what it does is temporarily block suspicious emails. If it's a real SMTP server it will resend the message and the second time it will be allowed to go through. Spammers never use RFC compatible SMTP servers and simply send once in bulk and forget about it. This cut down our spam by over 90%.

Re:Greylisting worked for my company (1)

MalleusEBHC (597600) | more than 9 years ago | (#10779726)

While that does have its advantages, unfortunately very few people realize that SMTP is an unreliable protocol. Most people send an email and assume that it gets there instantaneously, so it's usually too risky for a business to implement "greylisting" as you have.

Re:Greylisting worked for my company (5, Informative)

Haegar (1160) | more than 9 years ago | (#10779862)

Tried it at work - stopped loads of spam, but had to disable it because out there are too many broken SMTP servers (on short inspection mostly Lotus Notes) that think a return code of 4xx is a permanent error and bounce the mail.

And my boss is not happy when even ONE important mail from a client is not reaching him.

How many numbers would that be? (3, Funny)

Skapare (16644) | more than 9 years ago | (#10779630)

However, verifying a stamp requires just one SHA-1 computation. For use in e-mail, a 20-bit value is currently the recommended price: Senders need to perform about a million trials to find a valid stamp, which takes less than a second on the most recent CPUs and compiled applications. And it still takes only a few seconds on relatively old machines.

Fur sail 2 u nou: 5 mil-leeun facter numberz

Yuz cun b-u-l-k f4ster wit dis CD uv all-ready calcoolated leest uf numbors. Fer onlee $99.95, u getz ohver fiv milyun numz ant wee tos in freeee a miliun fresh A-O-L addys. Vizut us @ hotprimefactors.biz to ordur.
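The quoted paragraph describes the hashcash mechanism (SHA-1 with a 20-bit leading-zero target, roughly a million trials to mint, one hash to verify). What follows is an added example written for this page, not the hashcash project's or the article's Python code. It mints a v1-format stamp (`1:bits:date:resource:ext:rand:counter`) and verifies it the way a receiving MTA would: one SHA-1 for the work check, plus the checks that make a pre-calculated CD of stamps worthless: the resource field must name this recipient, the date must be recent, and each stamp is accepted only once. The decimal counter, the 28-day window and the in-memory double-spend set are this example's simplifications, not the tool's defaults.

```python
"""Mint and verify hashcash v1 stamps (added example, not hashcash's own code)."""
import base64
import hashlib
import os
from datetime import date, datetime, timezone
from typing import Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
        else:
            n += 8 - b.bit_length()
            break
    return n


def parse_day(yymmdd: str) -> date:
    """Parse the stamp's YYMMDD date field."""
    return datetime.strptime(yymmdd, "%y%m%d").date()


def mint(resource: str, bits: int = 20, day: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Search counters until SHA-1(stamp) has at least `bits` leading zero bits.

    Expected cost is about 2**bits SHA-1 calls (~1M for the 20-bit default).
    The counter is written in decimal here for readability (the real tool
    base64-encodes it); verifiers only hash the string, so either works.
    """
    if day is None:
        day = datetime.now(timezone.utc).strftime("%y%m%d")
    if rand is None:
        rand = base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = "1:%d:%s:%s::%s:%d" % (bits, day, resource, rand, counter)
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, expected_resource: str, min_bits: int = 20,
           seen: Optional[Set[str]] = None, today: Optional[date] = None,
           max_age_days: int = 28) -> Tuple[bool, str]:
    """Return (accepted, reason). `seen` is the verifier's double-spend set."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed stamp"
    try:
        bits = int(parts[1])
        stamp_day = parse_day(parts[2])
    except ValueError:
        return False, "bad bits or date field"
    if bits < min_bits:
        return False, "claims fewer bits than this recipient requires"
    # A stamp is bound to one recipient: one minted for someone else is worthless here.
    if parts[3] != expected_resource:
        return False, "stamp minted for a different recipient"
    if today is None:
        today = datetime.now(timezone.utc).date()
    age = (today - stamp_day).days
    if age < -1 or age > max_age_days:   # allow one day of clock skew
        return False, "stamp too old or dated in the future"
    # The actual proof of work: a single SHA-1 over the whole stamp string.
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "digest lacks the claimed leading zero bits"
    # Each stamp may be spent once; the set would be a persistent DB in production.
    if seen is not None:
        if stamp in seen:
            return False, "stamp already spent"
        seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: 16 bits keeps the demo under a second in CPython.
    s = mint("bob@example.com", bits=16)
    print(s, verify(s, "bob@example.com", min_bits=16))
```

Minting at 20 bits with the `bits` default takes on the order of a second in pure Python, in line with the quoted figure; the `seen` set is what the thread elsewhere calls the double-spend database.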

put it to good use (1)

Thud457 (234763) | more than 9 years ago | (#10779804)

Can't we come up with some workable system where the sender has to crank through a few iterations of seti or folding at home to pay for accepting the email? (I seem to recall a suggestion about cross-checking against another sender/server, but don't remember how they prevent cheaters.)

can't stop it.. (1)

dustinbarbour (721795) | more than 9 years ago | (#10779660)

It seems to me that spam is just about unstoppable. As such, I find the best solution to the problem is to run a smart filter that learns as it goes. I run Mozilla Thunderbird and its Bayesian junk filter is damn good. I simply do not get spam in my inbox. I get a false positive once a month or so, but that is certainly acceptable. Yes yes.. That doesn't cut down on the congestion caused by bazillions of spam messages, but eh.. I still get 5 MBps to the house.

Waste of perfectly good CPU time (2, Insightful)

iamacat (583406) | more than 9 years ago | (#10779679)

Sort of like burning your harvest to keep grain prices high. Just send me a completed work unit of Seti-At-Home or Folding-At-Home in an email header. I am sure, given the incentive of every e-mail message advancing their goal, some of these projects can come up with work units that are difficult to calculate but easy to verify.

Maybe for once zombied Windows boxes will be more productive than they would be under their users' control.

Re:Waste of perfectly good CPU time (1)

955301 (209856) | more than 9 years ago | (#10779775)


And how *exactly* does the receiving mail server verify the work unit without computing it itself?

Besides, doesn't dropping spam via other methods typically involve network traffic to blacklists and CPU cycles spent?

Face it; the time is already wasted with other methods. Unless you have a real reason to nay-say it? Pony up!

Solution also ignores... (4, Insightful)

Croaker (10633) | more than 9 years ago | (#10779704)

the fact that not everyone is sending legitimate email with a powerful computing device. Something that could cause an inconvenience to a spammer with a boatload of cheap commodity 2Ghz desktop systems (either their own or a zombie army) will bring more modest systems to their knees. Handhelds, phones, old 486 systems recycled for use in the 3rd world, set top boxes, embedded systems, etc. will no longer be viable systems with which to send mail. And what about web mail providers?

There's simply no reason to resort to kludge solutions that depend on penalizing those who cannot afford top-of-the-line systems.

greylisting is better (2, Insightful)

hackstraw (262471) | more than 9 years ago | (#10779724)

To me greylisting seems like the best thing to do. See:

http://slett.net/spam-filtering-for-mx/greylisting.html [slett.net]

and/or:

http://projects.puremagic.com/greylisting/ [puremagic.com]

In a nutshell, it simply uses a standard 451 SMTP response that says "Hey, I'm busy now, can you call back in a minute or so?" To my knowledge, all standard SMTP servers respect this request, and little to none of the mass mailers do. And if they do, their bandwidth will triple.

Here's a log example:

Oct 15 15:18:17 example1.example.com sendmail[6955]: [ID 801593 mail.info] i9FJIGH06953: to=, ctladdr= (168/601), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=121994, relay=example2.example.com. [123.390.141.456], dsn=4.3.0, stat=Deferred: 451 4.7.1 Greylisting in action, please come back in 00:01:00

If the mail never comes back, then the sender is now blacklisted. If the mail does come back, the sender is whitelisted.

Simplest and most standards compliant thing that I've heard of, and it seems to work.
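Both greylisting descriptions in this thread (the Xwall experience above and the 451-based one here) come down to the same decision logic. The following is an added example, not Xwall's code nor the code from the two linked projects: a greylist keyed on the (client, envelope sender, recipient) triplet that answers 451 on first contact, 250 once a retry arrives after the minimum delay, and expires pending triplets that never come back. The client key is the /24 (or /64 for IPv6) rather than the exact address, because a legitimate MTA pool often retries from a sibling host; the delay, retry window and record lifetime are this example's assumptions.

```python
"""Greylisting decision logic (added example, not from Xwall or the linked projects)."""
import ipaddress
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]


class Greylist:
    """Tracks pending and known (client, sender, recipient) triplets."""

    def __init__(self, delay: int = 60, retry_window: int = 4 * 3600,
                 known_ttl: int = 36 * 24 * 3600) -> None:
        self.delay = delay                  # seconds a retry must wait
        self.retry_window = retry_window    # pending record lifetime
        self.known_ttl = known_ttl          # how long a passed triplet stays whitelisted
        self.pending: Dict[Triplet, float] = {}   # triplet -> first-seen time
        self.known: Dict[Triplet, float] = {}     # triplet -> last-accepted time

    @staticmethod
    def client_key(ip: str) -> str:
        """Collapse the client address to its /24 (IPv4) or /64 (IPv6)."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for a RCPT TO at time `now`."""
        key = (self.client_key(ip), sender.lower(), rcpt.lower())

        last = self.known.get(key)
        if last is not None and now - last <= self.known_ttl:
            self.known[key] = now           # refresh the whitelist entry
            return 250, "OK"

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            # First contact, or the earlier attempt never came back: start over.
            self.pending[key] = now
            return 451, "4.7.1 Greylisting in action, please come back in %d seconds" % self.delay

        waited = now - first
        if waited < self.delay:
            # A retry that is too eager is still deferred; the delay is the whole point.
            return 451, "4.7.1 Greylisting in action, please come back in %d seconds" % (self.delay - waited)

        # A real MTA queued the message and retried after the delay: let it through.
        del self.pending[key]
        self.known[key] = now
        return 250, "OK"


if __name__ == "__main__":
    g = Greylist(delay=60)
    # Constructed sample sessions: a real MTA that queues and retries,
    # and a bulk mailer that fires once and never returns.
    for t in (0, 30, 90, 100):
        print("mta   t=%3d" % t, g.check("203.0.113.5", "list@example.org", "me@example.com", now=t))
    print("spam  t=  0", g.check("198.51.100.7", "deal@example.net", "me@example.com", now=0))
```

The temporary failure is what the log line above records (`dsn=4.3.0, stat=Deferred: 451 4.7.1 Greylisting in action`); a sender that treats 4xx as permanent, as the Lotus Notes report earlier in the thread describes, bounces at the first 451 and never reaches the accept branch.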

Re:greylisting is better (2, Insightful)

Em Ellel (523581) | more than 9 years ago | (#10779825)

If the mail never comes back, then the sender is now blacklisted. If the mail does come back, the sender is whitelisted.

..so this will work until spammers add a retry to the mailers - at which time they are whitelisted.

-Em

Solvable (1)

Dracolytch (714699) | more than 9 years ago | (#10779789)

For these hashes, you cannot work on the complete hash space, otherwise it would take forever for someone to send a message because of how long it will take to find the hash. That means each message sent will have a subset of the hash space, or (more likely) large portions of the hash space will go unused.

If you're using the hash space uniformly, then armies of infected Windows PCs will take just a couple seconds per e-mail. What does the spammer care? Those CPUs are free/cheap. Just means it's time to find a way to compromise more machines.

If you're only using a subset of the hash space, store the results of each hash you try. Then, the next time around, finding the result is near instantaneous... Making the scheme ineffective.

~D