[hashcash] Re: Hashcash and Bcc/envelope recipients

• From: Adam Back <adam@xxxxxxxxxxxx>
• To: Aaron Toponce <aaron.toponce@xxxxxxxxx>
• Date: Wed, 23 Mar 2011 22:37:04 +0100

The RFC822 headers (From, To, Cc, Bcc) are a fiction.  In the real world you
can telnet to port 25, give a list of envelope recipients, and then type
anything you want in the From, To and Cc fields.

Anyway in normal, non-port-25-forgery, usage the envelope recipients match
the addition of the To, Cc + Bcc, and the Bcc header is removed, then the
envelope recipients are communicated to the mail hub.

The mail hub however then delivers the mails onwards and if multiple
recipients are at the same domain may deliver them individually or as a
group.  As you cant control what the mail hub does, defensively you have to
deliver Bcc recipients separately and individually with a stamp for them.

And the other recipients as a single group.

Otherwise as you observed the X-Hashcash headers blow the privace of the Bcc
recipients.

I believe thats what hashcash-sendmail does.  Kind of complex but there you
are.


The problem with using the From address (I think most/all of the current
clients dont do that) is that its not unique to the recipient.  So a spammer
could create one spam and send it to millions of people and they'd all think
the stamp looked valid and they hadnt seen it before.

Adam

On Wed, Mar 23, 2011 at 03:24:17PM -0600, Aaron Toponce wrote:

I've built a Python script for Mutt that mints tokens based on the
addresses in the To: and Cc: fields, however, how does hashcash handle Bcc:
or envelope recipients? By putting a token for each recipient in the
header, the addresses of those recipients would be revealed, thus
defeating the whole point.

I've thought about minting a token with a resource of "bcc-recipients", and
placing that token in the headers, but then that reveals that there have
been Bcc: recipients added to the mail. I believe the whole point of Bcc:
is to be completely transparent, not revealing to anyone that they exist.

So, I'm guessing that it's probably best to just ignore Bcc: and envelope
recipients in general. I guess I could mint a token for the From: address
(is this what I should be doing anyway?), but then that begs the question
of why not just minting a token using the From: address only, and not worry
about the To: and Cc: addresses?

Am I missing something?

• Follow-Ups:
  • [hashcash] Re: Hashcash and Bcc/envelope recipients
    • From: Aaron Toponce

• References:
  • [hashcash] Hashcash and Bcc/envelope recipients
    • From: Aaron Toponce

Other related posts:

• » [hashcash] Hashcash and Bcc/envelope recipients- Aaron Toponce
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Aaron Toponce
• » [hashcash] Re: Hashcash and Bcc/envelope recipients - Adam Back
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Eric S. Johansson
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Aaron Toponce
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Eric S. Johansson
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Adam Back
• » [hashcash] Re: Hashcash and Bcc/envelope recipients- Aaron Toponce

1. Home
2. hashcash
3. Archive
4. 03-2011

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---