On Wed, May 28, 2003 at 11:56:53AM -0700, Peter Deutsch wrote:
> Concepts such as Hashcash or other payment-oriented systems, in which
> you try to impose a cost on the sender to screen out bulk mailers, are
> interesting enough, but I think they're addressing the wrong problem.
> I've personally come to the conclusion that to address this problem
> (that is, the decision as to whether I want to accept a message from
> you), I don't actually need to know who you are, or even what you're
> trying to send me, and I certainly don't need to impose artificial costs
> on you (since this looks too much like punishing the innocent for the
> crimes of the guilty).
I'm curious why you think Hashcash doesn't work. Personally, I think
a scheme where (a) you provide a crypto signature which proves who you
are, that is, that you are someone I trust to send me something useful,
*OR* (b) you have to send me some token which proves that you have
spent 120 seconds worth of CPU time calculating it, would work
perfectly. That way, someone can still send me unsolicited mail
asking for help with e2fsck, or some other aspect of the Linux kernel,
but a spammer simply won't be able to afford the necessary CPU time to
send vast numbers of SPAM. And regular correspondents of mine
could simply send a PKI-authenticated token to avoid needing
to do the necessary CPU-burning calculations. (And this is an
optimization anyway; someone who is sending me a human generated
message can generally easily afford the 2 minutes worth of CPU time
before their mailers can deliver the message to my mail host.)
- Ted
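The two acceptance paths Ted sketches (a proof-of-work token, or an authenticated token from a known correspondent that bypasses the CPU burn) can be written down as a small receiving-side policy. The following is an added example, not code from this thread or from the hashcash project. It assumes the hashcash v1 stamp layout (`ver:bits:date:resource:ext:rand:counter`, hashed with SHA-1) and substitutes an HMAC over a shared secret for the PKI signature Ted mentions, so that it runs with the Python standard library alone; the header names `X-Hashcash`, `X-Auth-Token` and `X-Auth-Date` are also assumptions.

```python
"""Hashcash-style proof-of-work stamps plus an authenticated-sender bypass.

Added illustration of the policy discussed above; not the hashcash project's code.
"""
import hashlib
import hmac
import math
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_stamp(resource: str, bits: int, date: str = "") -> str:
    """Sender side: burn CPU until a stamp in hashcash v1 layout hashes to
    `bits` leading zero bits. Cost is ~2**bits SHA-1 calls on average."""
    date = date or time.strftime("%y%m%d")
    rand = secrets.token_hex(8)          # makes stamps unique per sender
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"  # ext field empty
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, min_bits: int, seen: set, today: str = "") -> bool:
    """Receiver side: cheap check that the stamp is for me, fresh, unspent and
    really carries the claimed work. `seen` is the double-spend database."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        claimed_bits = int(parts[1])
    except ValueError:
        return False
    if claimed_bits < min_bits:          # not enough work offered
        return False
    if parts[3] != resource:             # minted for someone else's address
        return False
    today = today or time.strftime("%y%m%d")
    if parts[2] != today:                # simplified freshness rule: same day only
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False                     # claimed work was not actually done
    if stamp in seen:                    # replayed stamp
        return False
    seen.add(stamp)
    return True


def make_auth_token(secret: bytes, sender: str, recipient: str, date: str) -> str:
    """Stand-in for the PKI-signed token: HMAC over a shared secret (assumption)."""
    return hmac.new(secret, f"{sender}|{recipient}|{date}".encode(), hashlib.sha256).hexdigest()


def verify_auth_token(secret: bytes, sender: str, recipient: str, date: str, token: str) -> bool:
    return hmac.compare_digest(make_auth_token(secret, sender, recipient, date), token)


def accept_message(headers: dict, trusted: dict, recipient: str, min_bits: int, seen: set, today: str) -> str:
    """The policy: trusted signature OR sufficient proof of work, else reject."""
    sender = headers.get("From", "")
    token = headers.get("X-Auth-Token")
    if token and sender in trusted and verify_auth_token(
            trusted[sender], sender, recipient, headers.get("X-Auth-Date", ""), token):
        return "accept:trusted"
    stamp = headers.get("X-Hashcash")
    if stamp and verify_stamp(stamp, recipient, min_bits, seen, today):
        return "accept:proof-of-work"
    return "reject"


def bits_for_seconds(target_seconds: float, sample: int = 50_000) -> int:
    """Pick a difficulty costing about target_seconds on THIS machine. The same
    bits cost far less on faster hardware, so '120 seconds' is not a fixed price."""
    t0 = time.perf_counter()
    for i in range(sample):
        hashlib.sha1(str(i).encode()).digest()
    rate = sample / (time.perf_counter() - t0)
    return max(1, int(math.log2(rate * target_seconds)))


if __name__ == "__main__":
    me, spent = "ted@example.org", set()
    stamp = mint_stamp(me, 16, "030528")
    print(stamp, verify_stamp(stamp, me, 16, spent, "030528"))
    print("bits for ~2 s here:", bits_for_seconds(2.0))
```

The receiver's check is a single hash plus a lookup in the double-spend set, while the sender's cost grows exponentially in `bits`; the calibration helper is there because the difficulty, not a wall-clock figure, is what the policy actually enforces.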