[hashcash] [Fwd: FW: Hashcash in mail (was: New Whitepaper: Anti Brute Force Resource Metering)]

  • From: "Eric S. Johansson" <esj@xxxxxxxxxx>
  • To: hashcash <hashcash@xxxxxxxxxxxxx>
  • Date: Thu, 24 Mar 2005 15:30:27 -0500

A friend sent me this today. Peter is right, of course, but I believe it's possible to solve the problem without too much ugliness. I am beginning to think again about a solution to this problem, which is the ever-popular "put something into a DNS TXT record", such as:

   IN  TXT "hcrv 0; hcsv 1;bits 30; vwin 5d"

hcrv = hash cash record version number for this record
hcsv = hash cash stamp version
bits = stamp bit size required
vwin = validity window for stamp (may or may not want to reveal)

and if you're sending, check your own domain name record to make sure you set the right values.

if information is not valid or present, use your own settings as defaults.

yes?? no??

--- eric

-----Original Message-----
From: Peter J. Holzer [mailto:hjp@xxxxxxxxx]
Sent: Thursday, March 24, 2005 4:59 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Hashcash in mail (was: New Whitepaper: Anti Brute Force
Resource Metering)

On 2005-03-23 21:25:03 -0000, Gunter Ollmann (NGS) wrote:
> You claim that hashcash "has already proven to positively reduce
> the success" of spammers. Is there any example of hashcash being
> deployed in e-mail systems? I don't know any and I can't even
> offhand think of any feasible method of how it could be deployed.

 Check out the following:
 SpamAssassin - http://wiki.apache.org/spamassassin/
 TMDA - http://wiki.tmda.net/TmdaHashCashHowto
 CANRAM -

Yes, but are they actually used?

The X-hashcash header has to be sent "blind". There is no way for the
recipient to tell the sender that it uses hashcash and how many bits it
requires. At best, this information could be included in the reject
message, but 1) that requires the sender to read the bounce message
(which the average user doesn't) and 2) especially Spamassassin is often
used not to reject messages but only to mark them so they can be sorted
into a Junk folder.

This makes it very likely that the sender must be told to use hashcash
in some other way (probably by telephone: "did you get my mail?" - "no,
you have to use hashcash" - "what's that?"), which makes it IMHO highly
unlikely that it is used anywhere without prior agreement - but if you
agree in advance to use hashcash, you can agree on simpler measures, too
(e.g. whitelisting each others outgoing mail servers).


The result of the duopoly that currently defines "competition" is that
prices and service suck. We're the world's leader in Internet
technology - except that we're not.
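
The proposed TXT record and its fallback rule, as an added example (not code from this post or from any hashcash implementation): it parses the record, falls back to local settings when the record is missing or invalid, and checks a version 1 stamp (`ver:bits:date:resource:ext:rand:counter`, SHA-1) against the resulting policy. The default values, the `d`/`h`/`m` suffixes for `vwin`, and the function names are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Local fallback policy (assumed values), used when the record is absent or invalid.
DEFAULTS = {"hcrv": 0, "hcsv": 1, "bits": 20, "vwin": timedelta(days=28)}
UNITS = {"d": "days", "h": "hours", "m": "minutes"}  # assumed vwin suffixes

def parse_policy(txt, defaults=DEFAULTS):
    """Parse 'hcrv 0; hcsv 1;bits 30; vwin 5d'; any error yields the defaults."""
    policy = dict(defaults)
    try:
        for field in filter(None, (f.strip() for f in (txt or "").split(";"))):
            key, value = field.split()  # exactly "name value", else ValueError
            if key == "vwin":
                m = re.fullmatch(r"(\d+)([dhm])", value)  # None -> AttributeError
                policy[key] = timedelta(**{UNITS[m.group(2)]: int(m.group(1))})
            elif key in ("hcrv", "hcsv", "bits"):  # unknown keys are ignored
                policy[key] = int(value)
        if policy["hcrv"] != 0 or not 0 < policy["bits"] <= 160:
            raise ValueError("unsupported record version or bit count")
    except (ValueError, AttributeError):
        return dict(defaults)
    return policy

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def stamp_ok(stamp, resource, policy, now):
    """Check a v1 stamp against the policy (double-spend tracking not shown)."""
    parts = stamp.split(":")
    if policy["hcsv"] != 1 or len(parts) != 7 or parts[0] != "1":
        return False
    _, claimed, date, res, _ext, _rand, _counter = parts
    if res != resource or not claimed.isdigit() or int(claimed) < policy["bits"]:
        return False
    try:
        issued = datetime.strptime(date[:6], "%y%m%d")  # YYMMDD prefix of the date
    except ValueError:
        return False
    if abs(now - issued) > policy["vwin"]:
        return False
    digest = hashlib.sha1(stamp.encode()).digest()
    return leading_zero_bits(digest) >= int(claimed)
```

A sender would call `parse_policy` on the recipient domain's record before minting, and a receiver would call it on its own record before `stamp_ok`, so both sides agree on `bits` without a bounce message.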
