Thursday, November 11, 2004
Hashcash versus spam...
I'm always interested in things like security, cryptography and spam, so this method of deterring spam was pretty interesting to see.
This is one of the classes of solutions that tries to use cost as a deterrent to spam. In most of the past proposals from various sources, cost is in terms of money, with some sort of micropayment scheme. That has a ton of problems. A lot of people wouldn't want to pay even fractions of a cent, what about people with no credit card, who organizes everything, is there taxation, what about other countries, etc. I think anything like that is doomed to failure...
The hashcash method takes a different direction, where the cost is computer power. The idea is to make the sender spend some processing power to send a valid e-mail. The seconds it'd take would be negligible for a normal user, but less practical for a spammer (they might still be able to send tens of thousands of messages a day, but they'd probably usually send millions an hour..).
It works by using an algorithm that takes a semi-random string (like the e-mail address being sent to, the time of day, and some random numbers) and gives a specific result. The key is that it is slow to generate that result, but quick for someone on the other end to plug in the values and see that it is correct.
The recipient sets a certain strength, and if they get an e-mail that has a header proving the sender did the work to that strength, it doesn't get filtered as heavily (or perhaps is even whitelisted) by whatever anti-spam measures are in place.
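The mint-and-verify asymmetry described above, as an added example (not code from the original post or from the hashcash project). It assumes the hashcash version 1 stamp layout `ver:bits:date:resource:ext:rand:counter` hashed with SHA-1; the function names, the 28-day age limit and the `seen` replay set are illustrative choices.

```python
import hashlib
import os
from datetime import date, datetime
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource: str, bits: int, day: date) -> str:
    """Sender: try counters until the hash has `bits` leading zeros (~2**bits hashes)."""
    rand = os.urandom(8).hex()  # random field so two stamps never collide
    prefix = f"1:{bits}:{day:%y%m%d}:{resource}::{rand}:"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp, my_address, min_bits, today, seen, max_age_days=28):
    """Recipient: a single hash plus cheap field checks. Returns (ok, reason)."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False, "malformed"
    try:
        claimed_bits = int(fields[1])
        stamp_day = datetime.strptime(fields[2], "%y%m%d").date()
    except ValueError:
        return False, "malformed"
    if fields[3] != my_address:  # work done for another mailbox does not count
        return False, "wrong recipient"
    if abs((today - stamp_day).days) > max_age_days:  # assumed policy value
        return False, "expired"
    if claimed_bits < min_bits:  # below the strength this recipient demands
        return False, "too weak"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed_bits:
        return False, "work not done"
    if stamp in seen:  # one stamp pays for one message only
        return False, "replayed"
    seen.add(stamp)
    return True, "ok"
```

Each extra bit of strength doubles the sender's expected work, while the recipient's cost stays at one hash per message.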
This is a pretty cool idea, but I still see some issues. Some are fairly easy to resolve, but others less so. For friends and for mailing lists you actually want to get, it is easy enough to whitelist those, so that only strangers need to do the extra work.. My main concern would be that it seems like some spammers make quite a lot of money, so specialized hardware solutions may not be out of the question for them. Does anyone know what typical margins are like? Could they afford special farms or chips to help the calculations?
Another concern is less powerful machines. People with old computers are used to suffering a bit.. what about people who use Bluetooth or whatever to send e-mails through their PDA? My other concern is how does one get the word out on what strength someone needs to be able to get through to someone? Could put it on a website and tagline and such, but it seems like there'd still be a lot of issues.
They seem to be going about it in a more lucid way than many others (i.e. they are trying to slowly blend it into other solutions instead of needing a mass acceptance to be successful), but I still have my doubts on if it'll get anywhere. Still, I like it a lot more than those challenge/response things that won't work if two people have them at once, or the efforts to try to remove a lot of the anonymity inherent in the internet...