Re: Hashcash - was re: Spam fights
On Wed, Jun 16, 2004 at 11:38:10AM -0400, Hubert Chan wrote:
> tokens in order to get any effect from SpamAssassin. Other than using
> zombies, I don't think spammers could afford to generate real tokens
> for every recipient.

Well, since there are millions of vulnerable systems all over the 'net that doesn't seem like such a stretch, does it?

Mike Stone
Re: Hashcash - was re: Spam fights
> "Daniel" == Daniel Pittman <[EMAIL PROTECTED]> writes:

Daniel> On 16 Jun 2004, Hubert Chan wrote:
>> SpamAssassin will check for hashcash in the future. Support is
>> already present in the development version of SpamAssassin.

Daniel> ...makes you wonder how long it will take before someone does
Daniel> generate the headers in SPAM, then. Being in SpamAssassin seems
Daniel> to be a trigger point for a whole lot of things to be worth
Daniel> avoiding/abusing for spammers - the silly haiku header thing
Daniel> being one example.

Well SpamAssassin, AFAIK, will do proper hashcash checking, including the double-spend database. It won't assign any extra credit to bogus hashcash headers (probably eventually will even increase spamicity for those emails). It also won't credit tiny hashcash tokens (I think the minimum is 20 bits).

So spammers would have to generate real hashcash tokens in order to get any effect from SpamAssassin. Other than using zombies, I don't think spammers could afford to generate real tokens for every recipient.

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: Hashcash - was re: Spam fights
On 16 Jun 2004, Hubert Chan wrote:
>> "Russell" == Russell Coker <[EMAIL PROTECTED]> writes:
> Russell> On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:

[...]

> SpamAssassin will check for hashcash in the future. Support is already
> present in the development version of SpamAssassin.

...makes you wonder how long it will take before someone does generate the headers in SPAM, then. Being in SpamAssassin seems to be a trigger point for a whole lot of things to be worth avoiding/abusing for spammers - the silly haiku header thing being one example.

> Russell> Besides, with an army of Windows Zombies you could generate
> Russell> those signatures anyway...
>
> Although eating up gobs of CPU will probably be more easily noticed
> than just sending out lots of traffic. Then again, some users are
> pretty clueless...

...and Windows does have a meaningful "low" priority for threads which will result in this being pretty much unnoticed by most users, even the observant ones. Sure, you need more machines to get the same effect, but it isn't like there is a shortage of them...

OTOH, HashCash sucks a lot less than the other "solutions" out there, so I am all for it being more widely used; it would be interesting to see if it actually managed to take off. :)

Daniel

--
Organization and method mean much, but contagious human characters mean more in a university, where a few undisciplinables ... may be infinitely more precious than a faculty full of orderly routinists.
-- William James
Re: Hashcash - was re: Spam fights
> "Russell" == Russell Coker <[EMAIL PROTECTED]> writes:

Russell> On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
>> Why bother, when said windows machines will have perfectly good
>> signatures stored on them somewhere already?

Russell> Presumably the signature would be based on the envelope
Russell> recipient and therefore signatures you find on someone else's
Russell> machine would not do any good. If it was otherwise then a
Russell> single signature would work for an entire spam run.

Yes. In hashcash, the hashcash token uses the recipient's address, as well as a date. The recipient can keep a database of received tokens to make sure that the same token isn't used twice. Old tokens can be expired, since the token contains the date too.

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
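
[Added example, not part of the original posts and not code from SpamAssassin or the hashcash package.] The recipient-side checks described in the message above and in the earlier reply about SpamAssassin (recipient binding, minimum bit count, real work, date expiry, double-spend database) can be sketched as follows. It assumes the hashcash version 1 stamp layout `1:bits:date:resource:ext:rand:counter` hashed with SHA-1; the `Verifier` class, the 28-day expiry window and the sample address are hypothetical.

```python
import hashlib
from datetime import date, datetime, timedelta
from itertools import count

def zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp): the proof-of-work value."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, day: date, rand: str = "constructed") -> str:
    """Sender side: try counters until the stamp hashes to `bits` zero bits."""
    prefix = f"1:{bits}:{day:%y%m%d}:{resource}::{rand}:"
    for counter in count():
        if zero_bits(f"{prefix}{counter:x}") >= bits:
            return f"{prefix}{counter:x}"

class Verifier:
    """Recipient side. min_bits=20 follows the thread; 28 days is an assumption."""
    def __init__(self, my_address: str, min_bits: int = 20, max_age_days: int = 28):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age = timedelta(days=max_age_days)
        self.spent = {}  # stamp -> date inside the stamp (double-spend database)

    def check(self, stamp: str, today: date) -> str:
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1" or len(fields[2]) < 6:
            return "malformed"
        try:
            claimed = int(fields[1])
            stamp_day = datetime.strptime(fields[2][:6], "%y%m%d").date()
        except ValueError:
            return "malformed"
        if fields[3] != self.my_address:
            return "wrong-recipient"   # a stamp minted for someone else is useless here
        if claimed < self.min_bits:
            return "too-few-bits"      # tiny tokens earn no credit
        if zero_bits(stamp) < claimed:
            return "bogus"             # header claims work that was never done
        if abs(today - stamp_day) > self.max_age:
            return "expired"           # simplification: same window for future dates
        # Expired stamps are rejected by date alone, so their records can be purged.
        self.spent = {s: d for s, d in self.spent.items()
                      if today - d <= self.max_age}
        if stamp in self.spent:
            return "double-spend"
        self.spent[stamp] = stamp_day
        return "ok"

if __name__ == "__main__":
    today = date(2004, 6, 16)
    # Constructed sample: 12 bits keeps the demo fast; the thread cites 20 as the floor.
    stamp = mint("alice@example.org", 12, today)
    v = Verifier("alice@example.org", min_bits=12)
    print(stamp, v.check(stamp, today), v.check(stamp, today))
```

Because the date is part of the hashed stamp, the spent-stamp table only has to cover the expiry window and never grows without bound.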
Re: Hashcash - was re: Spam fights
> "Russell" == Russell Coker <[EMAIL PROTECTED]> writes:

Russell> On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
>> It seems that most people here don't like CR systems, and I'd have to
>> agree with that consensus.
>>
>> I'm just wondering what is the general feeling about using hashcash
>> and other header signatures systems.

Russell> Currently you can't accept only such messages because almost
Russell> no-one sends them. Most people see no need to send them
Russell> because almost no-one checks for them when receiving a message.

SpamAssassin will check for hashcash in the future. Support is already present in the development version of SpamAssassin.

[...]

Russell> Besides, with an army of Windows Zombies you could generate
Russell> those signatures anyway...

Although eating up gobs of CPU will probably be more easily noticed than just sending out lots of traffic. Then again, some users are pretty clueless...

(P.S. I'm the hashcash package maintainer.)

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
> In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing:
> > Besides, with an army of Windows Zombies you could generate those
> > signatures anyway...
>
> Why bother, when said windows machines will have perfectly good
> signatures stored on them somewhere already?

Presumably the signature would be based on the envelope recipient and therefore signatures you find on someone else's machine would not do any good. If it was otherwise then a single signature would work for an entire spam run.

I am assuming that the sending machine would not store the signatures for messages it sent, which could be re-used if the spam messages were to have an ancient time-stamp. However this still wouldn't be of any great use, not many people have more than 10,000 messages stored in their sent-mail folder and the common case is far less. Capturing a lot of zombies to generate signatures would probably be easier than trying to find a machine that had a large sent-mail folder.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: Hashcash - was re: Spam fights
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing:
> Besides, with an army of Windows Zombies you could generate those signatures
> anyway...

Why bother, when said windows machines will have perfectly good signatures stored on them somewhere already?

> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page

--
Rens Houben                      | opinions are mine
Resident linux guru and sysadmin | if my employers have one
Systemec Internet Services.      | they'll tell you themselves
PGP key at http://swordbreaker.systemec.nl/~shadur/shadur.key.asc
Re: Hashcash - was re: Spam fights
On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
> It seems that most people here don't like CR systems, and I'd have to
> agree with that consensus.
>
> I'm just wondering what is the general feeling about using hashcash and
> other header signatures systems.

Currently you can't accept only such messages because almost no-one sends them. Most people see no need to send them because almost no-one checks for them when receiving a message.

Anti-spam measures may be used on workstations eventually, but have to be initially installed at servers if they are to become popular. The people who run big mail servers (AOL, Hotmail, etc) don't want to install hashcash for the same reason that spammers won't install it.

Besides, with an army of Windows Zombies you could generate those signatures anyway...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Hashcash - was re: Spam fights
It seems that most people here don't like CR systems, and I'd have to agree with that consensus.

I'm just wondering what is the general feeling about using hashcash and other header signatures systems.

Patrick