[hashcash] Re: centralization and the effect of the "abuse system"

Adam Megacz wrote:
One last thing to add on a more philosophical/big-picture level:

I personally am not very interested in a system that uses
"reputations", shared blacklists/brownlists, etc.  The beauty of
proof-of-work is that aside from the protocol specification, it is
100% purely decentralized.  If you're willing to accept some sort of
centralized authority or repository you might as well use a mature
system like Vipul, DCC, or even [shudder] SpamCop/DNSRBLs.

Reputations are separate from black/brown lists. If we can do reputation, then we have a significant advantage over other systems. We can change stamp value based on reputation, thereby further increasing the difference between legitimate users and those that try to overwhelm us.


This reputation does not have to be centralized. In fact, the easiest version is a localized version. But if we can figure out some way of aggregating reputation from multiple sites, then we get a much larger view of attackers and can repulse attack without having even seen the site before.

Unlike the other distributed spam source lists, we tend to have a clearer indication of what is spam or not spam. It's not perfect by any means but it's pretty good.





I was on the wrong end of a lot of abuse complaints during the beta-testing phase of my C/R system. From this I learned that the spam problem is causing much more serious harm than simply filling up people's inboxes: it's forcing the network operators to form what essentially amounts to an arbitration/judicial/law-enforcement system authorized to punish people not just for the *volume of packets* they send (i.e. a [D]DoS attack), but for the *content* and *context* of those packets.

Oh my goodness. I can really sympathize. In the early days, I used a proof of work challenge response system and I didn't properly filter out all of my mailing lists. So a message went out to one mailing list, some theoretically bright person responded to me *and CC'd the list* telling me I was an idiot. Then of course I respond with yet another challenge, and he did the same thing again. How many times do you think he did it before I caught it? At least 4. Needless to say, harsh words were said, I left the list in a huff and I have taken this object lesson to heart.


This is becoming extremely dangerous to innovators: it's getting near
the point where if what you do is too different from what the average
user does, you're going to get hassled a lot by the "abuse framework".
You'll have a harder time getting top-tier hosting (I almost got
kicked out of MAE West).  SpamCop in particular has generated an
immensely contorted "legal code" specifying what you are and aren't
allowed to do with the SMTP protocol, and it's choking off any sort of
innovation that involves automation combined with SMTP.

Sounds like my distributed mailing list would definitely be on their shit list.


A decentralized system for combatting spam would steal a lot of the
momentum behind the development of this sort of ossifying
superstructure.  Hopefully it could keep things in the state where the
abuse system is reserved for:

a) abusive *quantity* of packets / flooding

Actually, this is close to one of the early applications of proof of work systems. I had a conversation with some folks at BBN about something similar and if one could put the proof of work generator at the edge (i.e. really deep edge, think personal zombie), one could use proof of work stamps to track and manage this kind of problem.


When the network-operator-managed abuse system goes beyond those two
jurisdictions it worries me a lot -- the people who run this system
are rarely aware of emerging technologies and how to handle them.

Then let's see if we can muster enough talent so we can package up your system, and my system and make it available to the world. And don't forget something on the front-end for feedback.


--- eric
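
The localized reputation idea in the reply above, sketched as an added example that is not part of the original post and is not hashcash project code: a receiver keeps a per-site score and prices version-1 hashcash stamps (SHA-1, leading zero bits) accordingly. The `LocalReputation` class, its weights, the bit bounds, the site names and the sample addresses are all assumptions made for illustration.

```python
import hashlib
from itertools import count

BASE_BITS, MIN_BITS, MAX_BITS = 12, 8, 20   # assumed policy, small so the demo mints fast

def stamp_value(stamp: str) -> int:
    """Claimed bits of a version-1 stamp if its SHA-1 really has that many
    leading zero bits, otherwise 0."""
    fields = stamp.split(":")   # ver:bits:date:resource:ext:rand:counter
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return 0
    digest = hashlib.sha1(stamp.encode()).digest()
    zero_bits = 160 - int.from_bytes(digest, "big").bit_length()
    claimed = int(fields[1])
    return claimed if zero_bits >= claimed else 0

class LocalReputation:
    """Per-site score held only by this receiver (hypothetical design)."""
    def __init__(self):
        self.score = {}

    def record(self, site: str, was_spam: bool) -> None:
        # Assumed weights: spam costs 2 bits, a good message earns 1 back.
        self.score[site] = self.score.get(site, 0) + (2 if was_spam else -1)

    def required_bits(self, site: str) -> int:
        wanted = BASE_BITS + self.score.get(site, 0)
        return max(MIN_BITS, min(MAX_BITS, wanted))

def mint(resource: str, bits: int, date: str = "040101") -> str:
    """Sender side: search counters until the stamp carries `bits` of work.
    The date and salt are constructed sample values."""
    for counter in count():
        stamp = f"1:{bits}:{date}:{resource}::constructedsalt:{counter:x}"
        if stamp_value(stamp) == bits:
            return stamp

def accept(stamp: str, recipient: str, site: str, rep: LocalReputation) -> bool:
    """Receiver side: stamp must name us and meet this site's current price.
    Date expiry and double-spend checks are left out of this sketch."""
    if stamp.split(":")[3:4] != [recipient]:
        return False
    return stamp_value(stamp) >= rep.required_bits(site)
```

Each extra required bit doubles the sender's expected minting work, so a site with two recorded spam messages pays 16 times the base price while the receiver's verification cost stays at one hash.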
