Bugtraq mailing list archives
Hashcash in mail (was: New Whitepaper: Anti Brute Force Resource Metering)
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Thu, 24 Mar 2005 10:58:39 +0100
On 2005-03-23 21:25:03 -0000, Gunter Ollmann (NGS) wrote:
You claim that hashcash "has already proven to positively reduce the success" of spammers. Is there any example of hashcash being deployed in e-mail systems? I don't know any and I can't even offhand think of any feasible method of how it could be deployed.Checkout the following: SpamAssassin - http://wiki.apache.org/spamassassin/ TMDA - http://wiki.tmda.net/TmdaHashCashHowto CANRAM - http://www.camram.org/
Yes, but are they actually used? The X-hashcash header has to be sent "blind". There is no way for the recipient to tell the sender that it uses hashcash and how many bits it requires. At best, this information could be included in the reject message, but 1) that requires the sender to read the bounce message (which the average user doesn't) and 2) especially Spamassassin is often used not to reject messages but only to mark them so they can be sorted into a Junk folder. This makes it very likely that the sender must be told to use hashcash in some other way (probably by telephone: "did you get my mail?" - "no, you have to use hashcash" - "what's that?"), which makes it IMHO highly unlikely that it is used anywhere without prior agreement - but if you agree in advance to use hashcash, you can agree on simpler measures, too (e.g. whitelisting each others outgoing mail servers). hp -- _ | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in |_|_) | Sysadmin WSR \the source, and you might run into a memory leak if | | | hjp () wsr ac at \you enable embedded haskell as a loadable module and __/ | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae () op5 se
Attachment:
_bin
Description:
Current thread:
- Hashcash in mail (was: New Whitepaper: Anti Brute Force Resource Metering) Peter J. Holzer (Mar 24)