[hashcash] Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation)

  • From: "Eric S. Johansson" <esj@xxxxxxxxxx>
  • To: Adam Shostack <adam@xxxxxxxxxxxx>
  • Date: Tue, 07 Sep 2004 17:35:12 -0400

Adam Shostack wrote:

On Tue, Sep 07, 2004 at 04:13:13PM -0400, Adam Back wrote:

| Well we'll see.  If they have lots of CPU from zombies and can get and
| maintain more with limited effort maybe even they can, and CAMRAM's
| higher cost stamp on introductions only will prevail as the preferred
| method.

Adam,

        You've thought about this more than me.  What do you see as
equilibrium postal rates if the spammers have 10k, 100k, or a million
nodes to send?

http://harvee.org/~esj/hcstampcalc.sxc

StarOffice spreadsheet which lets you play with pipe size, stamp size, and message size and shows the slowdown amount for that set of parameters. My interpretation of the results is that with a modest stamp size (15-30 seconds), you get a significant enough degradation of delivery rates that if you were able to do the same thing to direct mail, direct mail would go away. Hmmm. Maybe we need a postal hashcash.

Let me know if you find any problems with the spreadsheet or its assumptions. I'm sure someone will find something. The Internet is wonderful for making mistakes instantly visible worldwide.

        Will spammers run under nice?  Use your graphics card as a
co-processor?  Is the rate of new vulns high enough to keep their CPU
pools filled?

The question to ask is: if they have enough idle resources to overwhelm a hashcash-style defense, could those idle resources be put to other uses if hashcash wasn't there? In other words, I would rather have the zombies wasting time generating stamps and slowing down user machines than be free to send spam.


I'm coming to think that zombies are a self-limiting problem. People are becoming more aware either directly or indirectly and taking more steps to prevent zombies (not enough I know but any improvement is a good improvement). Organizations like Comcast are supposedly taking more aggressive steps against zombies.

With appropriate tracking of connections and associating connections with spam, one could create variable postage rates for mail. For example, mail from reasonably trustworthy sources[1] would have an initial connection postage rate on the order of 20-22 bits. All other sources would have postage rates based on a sliding scale increasing with the amount of spam per unit time. The advantage of this over a simple blacklist is that you can still get through even when you are on the shit list. Contrast this with a blacklist, which prevents you from contacting the other side to find out what's going on.

How would you know how much postage is needed? Could be a simple extension to SMTP.
250 I'm here
helo harvee.org
250 helo harvee.org
stmp
250 44 bits
quit
250 bye


This wouldn't need to reveal any information about user population except that there is a variable bit rate for different users, the least of which is the baseline number. Obviously you would not want to reveal who's on a white list or even if an address is valid. All you want to reveal is the minimum postage required to accept communications from your IP address.

I think further discussion of this technique should go to the hashcash mailing list.

But one more thought first, and that is I think this kind of information gathering would quickly reveal zombies. This evidence could be used by service providers to have a conversation with their customer about machine hygiene.

---eric

[1] which may be a smaller set than addresses to blacklist
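Added example, not part of the original post: a receiver-side sketch of the sliding-scale postage idea, producing the "250 NN bits" style reply from the connecting IP alone. The one-hour window, the 22-bit starting rate for unknown sources, the 2-bits-per-doubling curve, the 44-bit cap and all names are assumptions made for illustration; the sample addresses are constructed.

```python
from collections import deque

BASELINE_BITS = 20     # post: trusted sources pay on the order of 20-22 bits
UNKNOWN_BITS = 22      # assumption: starting rate for sources not known to be trusted
MAX_BITS = 44          # assumption: cap, borrowed from the "250 44 bits" sample reply
WINDOW_SECONDS = 3600  # assumption: "per unit time" means the last hour


class PostageMeter:
    """Tracks spam seen per connecting IP and quotes a hashcash stamp size."""

    def __init__(self, trusted=()):
        self.trusted = set(trusted)
        self.spam_times = {}  # ip -> deque of timestamps of messages judged spam

    def record_spam(self, ip, now):
        self.spam_times.setdefault(ip, deque()).append(now)

    def recent_spam(self, ip, now):
        q = self.spam_times.get(ip)
        if q is None:
            return 0
        while q and q[0] <= now - WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        return len(q)

    def required_bits(self, ip, now):
        # Depends only on the connecting IP, so the quote reveals nothing about
        # recipients, whitelist membership or address validity.
        if ip in self.trusted:
            return BASELINE_BITS
        spam = self.recent_spam(ip, now)
        # Assumed curve: +2 bits (4x sender work) per doubling of recent spam.
        # spam.bit_length() equals ceil(log2(spam + 1)) without float rounding.
        extra = 2 * spam.bit_length()
        return min(MAX_BITS, UNKNOWN_BITS + extra)

    def smtp_reply(self, ip, now):
        return f"250 {self.required_bits(ip, now)} bits"


def demo():
    meter = PostageMeter(trusted={"192.0.2.10"})  # constructed addresses
    for t in range(1000):                         # constructed spam burst
        meter.record_spam("198.51.100.7", now=t)
    return (meter.smtp_reply("192.0.2.10", now=1000),
            meter.smtp_reply("203.0.113.5", now=1000),
            meter.smtp_reply("198.51.100.7", now=1000))
```

Because a sender that sees its quote rise can still get mail through by paying it, the same per-IP counters double as the zombie evidence the post mentions.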
