ietf-asrg

Re: [Asrg] My take on e-postage

2004-04-26 00:18:45
Of course, it still suffers from the usual problems endemic to all
hashcash, notably the very wide variety in CPU speeds out there.
J. Random Hacker in Outer Slobbovia running on a half-lung salvaged
68020 will be utterly blocked by hashcash values high enough to be even
noticed by Evil Q. Spammer's late-model 8-CPU 18GHz Hexium.

Some numbers, using hashcash 0.27 (compiled with optimisation for each machine):

My 16MHz 68030 (an old Mac pulled from a skip) can do 1000 hashes a second - it'll take 15-20 minutes on average to do a 20-bit collision. For the impoverished people that must rely on such a machine, this is vaguely acceptable. They can always go outside and do a bit of gardening while they wait.

My 200MHz Pentium-MMX can do 84000 hashes a second, reducing the time for a 20-bit collision to 12 seconds - a much more acceptable figure. The vast majority of Internet users in the Western world have a machine at least this fast. Indeed any Pentium-class CPU would appear to be able to produce a 20-bit collision in under a minute (on average).

My 1600MHz Athlon-XP can do 575000 hashes a second - enough to reduce the time for a 20-bit collision to 2 seconds. Most enthusiasts and power users have a machine about this size, which reduces a 20-bit hashcash to near invisibility for normal levels of e-mail.

I estimate that the fastest current-generation CPUs can do a 20-bit collision in about 1 second. Assuming spammers can build 4-way boxes out of these, how many boxes will they need to fill a T1 to capacity, the way they used to? Assuming a 5KB spam size, about 7500 of them. Is this economically feasible for the spammer? You tell me.

So, assuming the spammer is limited to conventional CPUs and that hashcash is widely used, he is now rate-limited to 1 spam per second per CPU for machines he builds himself, and perhaps 1 spam per 2-5 seconds per zombie he controls. This is a VAST improvement on the current situation.

On the other hand, in an earlier discussion on this subject, I pointed out that dedicated hardware can be built to accelerate hashcash generation. Someone else replied that if the spammers can do it, so can Taiwan, and cheaper. If everyone has access to a SHA-1 coprocessor and an e-mail program that supports it, the playing field becomes more level, not less.

However, there's a flaw in that argument too, because coprocessors cheap enough for Aunt Tillie to buy one without thinking too hard about it are also cheap enough for the spammers to buy in hundreds, together with a huge batch of USB hubs to plug them into a mere handful of servers. But that still means the spammers can "only" send hundreds of times as much mail as Aunt Tillie, which is still a vast improvement on the status quo.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website:  http://www.chromatix.uklinux.net/
tagline:  The key to knowledge is not to rely on people to teach you it.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
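
The cost asymmetry discussed in the message above, as an added example that is not part of the original post or of the hashcash tool: the sender searches about 2^bits SHA-1 hashes, the receiver checks one. The stamp layout, function names and the example.org address are assumptions made for this sketch (it is not hashcash 0.27's stamp format); the hash rates are the three quoted in the message.

```python
import hashlib
from itertools import count

# Hash rates (hashes/second) quoted in the message above.
RATES = {"16MHz 68030": 1000, "200MHz Pentium-MMX": 84000, "1600MHz Athlon-XP": 575000}

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def mint(resource: str, bits: int):
    """Sender side: try counters until SHA-1(stamp) has `bits` leading zero bits.
    Returns (stamp, hashes_tried). Stamp layout is hypothetical: bits:resource:counter."""
    for counter in count():
        stamp = f"{bits}:{resource}:{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: a single hash, plus checks that the stamp was minted
    for this recipient and claims at least the required amount of work."""
    try:
        claimed, rest = stamp.split(":", 1)
        res, _counter = rest.rsplit(":", 1)
        claimed = int(claimed)
    except ValueError:
        return False  # malformed stamp
    if claimed < min_bits or res != resource:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed

def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Mean minting time: the search is geometric with success chance 2**-bits."""
    return 2 ** bits / hashes_per_second

if __name__ == "__main__":
    # 12 bits keeps the demo quick; the message discusses 20-bit stamps.
    stamp, tried = mint("asrg@example.org", 12)
    print(stamp, "minted after", tried, "hashes (mean is", 2 ** 12, ")")
    print("receiver accepts:", verify(stamp, "asrg@example.org", 12))
    for machine, rate in RATES.items():
        print(f"{machine}: {expected_seconds(20, rate):.1f} s mean for 20 bits")
```

A receiver would also need to reject stamps it has already seen; that double-spend check is left out here.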