lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050324095839.GA24631@wsr.ac.at>
Date: Thu, 24 Mar 2005 10:58:39 +0100
From: "Peter J. Holzer" <hjp@....ac.at>
To: bugtraq@...urityfocus.com
Subject: Hashcash in mail (was: New Whitepaper: Anti Brute Force Resource Metering)

On 2005-03-23 21:25:03 -0000, Gunter Ollmann (NGS) wrote:
> > You claim that hashcash "has already proven to positively reduce the
> > success" of spammers. Is there any example of hashcash being
> > deployed in e-mail systems? I don't know any and I can't even
> > offhand think of any feasible method of how it could be deployed.
> 
> Checkout the following:
> SpamAssassin - http://wiki.apache.org/spamassassin/
> TMDA - http://wiki.tmda.net/TmdaHashCashHowto
> CANRAM - http://www.camram.org/

Yes, but are they actually used? 

The X-hashcash header has to be sent "blind". There is no way for the
recipient to tell the sender that it uses hashcash and how many bits it
requires. At best, this information could be included in the reject
message, but 1) that requires the sender to read the bounce message
(which the average user doesn't) and 2) especially Spamassassin is often
used not to reject messages but only to mark them so they can be sorted
into a Junk folder. 

This makes it very likely that the sender must be told to use hashcash
in some other way (probably by telephone: "did you get my mail?" - "no,
you have to use hashcash" - "what's that?"), which makes it IMHO highly
unlikely that it is used anywhere without prior agreement - but if you
agree in advance to use hashcash, you can agree on simpler measures, too
(e.g. whitelisting each others outgoing mail servers).

	hp

-- 
   _  | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in
|_|_) | Sysadmin WSR     \the source, and you might run into a memory leak if 
| |   | hjp@....ac.at     \you enable embedded haskell as a loadable module and
__/   | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae@....se

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ