----- Original Message -----
From: "Paul Howarth" <paul(_at_)city-fan(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, August 28, 2004 8:16 AM
Subject: RE: [spf-discuss] Re: DEPLOY: SPF/Sender ID support in Courier.
On Sat, 2004-08-28 at 10:51, AccuSpam wrote:
I think hashcash is a dead end as an anti-spam system. Spammers have
armies of zombies that can do the calculations for them, so it will
inconvenience spammers much less than legitimate bulk mailers.
Yes I am aware of that, but consider this counter-point which ties
specifically into the requirement to per-user cryptography anti-forgery:
If you increase the calculation cost to say 15 seconds (0.25 min.) on
average client, then it does not inconvenience the average sender much,
*and* you tie the Sender, Recipient, and body to the signature, then the
spammer has to calculate this for every combination. Given 22 billion spams
per day for whole internet now (estimated from BrightMail.com's 16% share),
and assume they have 1 million zombies, that is 2200 * 0.25 = 550 minutes =
9.2 hours of computing time per day per zombie.
Thus "hashcash" can be very effective at eliminating the zombies,
because if a zombie loses 9 hours a day or processing power, I am confident
the owner of the zombie will take action.
I wouldn't be too sure about that (remember lots of the zombies will be
in time zones where it is during the night when the spammer is using
them), but as I said before it'll be a big problem for legitimate bulk
mailers that don't have an army of zombies at their disposal, such as
the mailing list manager that runs this list for example.
Hmm. There are several underlying issues. Almost all "hashcash" authors are
very excited about the cost of having a "sender pays" system where the
sender is forced to generate computational checksums of their messages in
order for their email to be painlessly accepted. Unfortunately, they're
almost all intertwined with a challenge-response system so that the hashcash
token from authenticated senders or sites is accepted. They believe that
people will be happy to respond to these challenges so that their next email
gets through, and/or that the recipient will be willing to manage the
extensive whitelisting of email addresses as legitimate contact addresses
for the sender expire or the sender uses multiple email addresses.