Slashdot Mirror
Impoverish a Spammer Today
esj at harvee writes "Recently the Camram project released its latest version of a hybrid sender-pays anti-spam system. The project has proven that sender-pays works and has demonstrated how to make it work with existing e-mail systems. Camram has developed hybrid sender-pays techniques that scale down to the desktop and up to the enterprise. It's a completely decentralized system that can put spam-fighting power in the hands of individuals. It gives you control of not only the current generation of spam, but also any future commercial spam -- why replace Viagra ads from a scam artist with Viagra ads from Pfizer?"
RTFA, it handles mailing lists fine. You whitelist the sender and then they don't need to stamp the mail.
The technology is a hybrid solution to avoid the problem of universal adoption... a nice side-effect of this is you don't demand stamps from your white-list.
I have to say, I think it's quite an interesting combination of concepts, but still requires mass adoption to be useful.
The FAQ says that there is a white list. I assume from reading it that it means that they do not have to pay.
They have a page with Frequently Raised Objections. Now I've made redundant 40% of the remaining posts to this article.
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
Why is this a problem? If what you are expected to pay depends on volume then it means that a non-spammer who only sends a few emails a day will have almost nothing to pay while a spammer will be unable to afford the work required to send thousands of emails. Since this is based upon proof of work and not an actual monetary amount, it will not be a cost that is difficult to bear.
Yes, some people who run email lists out of their account will be inconvenienced, but not as much as they claim. They will just need to change the signup message to say "this is a mailing list that you signed up for, so add us to your whitelist because we will not be performing proof of work challenges and will drop you from the list when the first proof of work request arrives."
Some will claim that the hordes of spam zombies out there will be able to do the work on the spammer's behalf so this is not a solution, but it will at least provide some rate limiting for that zombie and it will also make it much more likely that the zombie will be noticed by the user when it starts to chew up CPU cycles.
I agree, but this project isn't exactly e-postage... it's more like E-e-postage... you pay in computational cycles, not dollars (or pounds or lira or whatever you trade in your part of the world).
So as long as you're not sending out several thousand messages to new and different recepients on a daily basis, you needn't really worry.
According to the FAQ, the calculations are that even with the number of "zombie" machines out there, there still isn't enough processing power to generate all of the necessary "stamps" - or at least it's enough to reduce the time.
If nothing else, at least it's something, right?
52 Weeks, 52 Religions with John Hummel
You will have to change your signup mechanism to notify the user that they have to add you to the whitelist, and you will need to change the list admin email to first send a message to a user reminding them of this fact and only after they reply to this standard response to all complaints message will the message filter up to your mailbox. This is a couple of hours of coding for anyone maintaining a mailing list package.
READ THE PROPOSAL FIRST PLEASE!
This is not asking you to spend money, it is asking you to perform a proof of work. This is hashcash, not real money.
I'm reading TFA and it states quite clearly "Mailing lists don't really have a good solution"
This is a calculation based stamp, not anything financial. It's not going to cost anything. It allows for white-listing on a per user basis that exempts senders from the stamp requirement. Therefore, if you wanted to get on a mailing list, you'd add them to your white-list. Yes, it's an extra step, but what's one extra step when you sign onto a mailing list compared to having to dig through hundreds of spam messages a day?
Have some (slightly out of date) documentation:
One section
Another section
Ripped right from their website's Frequently Raised Objections:
If anybody can generate a stamp, what is to stop a spammer from generating stamps?
Nothing. In fact, we want spammers to spend as much time as they can generating stamps because it will undermine their economic foundations. As a spammer generates messages with stamps, people can raise their postage based on the spam. Everyone's rates will increase and it'll only affect the spammer and stranger-to-stranger e-mail. Friend-to-friend e-mail doesn't use work stamps and will be unaffected by any postage increases. "
And....
The second attack utilizes zombies as a compute array. But if you run the numbers, you'll find out that the number of zombies known, if run perfectly and full tilt, cannot generate enough stamps for all of the spam in the world today. A tremendous number of stamps would be generated, but not enough for everybody. One benefit of zombies being used to generate stamps is that the machines will become hot, slow, and probably unreliable, all of which will be noticeable to the end-user. With luck, this means some people will get their machines fixed and reduce the zombie issue. Again, if the zombies the start generating stamps, one can always change stamp definitions or value.
[all emphasis theirs]
It's almost like they anticipated this sort of thing. Or, like, thought out their design beforehand. Crazy concept, no ?
--LordPixie
Require your users to whitelist your address, and then don't stamp your messages.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Combining challenge/response with cpu stamps, java and other factors. It allows the problem to change over time, requires no new software at the sender's end (which is the big non-starter) and still allows anonymous mail.
It's at this page on cpu stamps and challenge response.
Has it been over a year since you last donated to the Electronic Frontier Foundation
Also, white lists dont deal with the fact that a lot of email is from first time corresponders such as online retail outlets.
Er, if an "online retial outlet" is sending me email I did not sign up for, then that is SPAM and is exactly the thing this is supposed to prevent!.
If you *do* want email from a certain company, and you signed up for it, then you should add that domain/email to your white list. Simple as that.
The first is semicorrect, but remember the system falls back to whitelisting and CRM114 if an email arrives without a stamp. You can always whitelist mailing lists even if you feel confident enough to turn off the CRM114.
Yes, but to perform a useful brute force attack, from the point of view of a spammer, you'd need to hijack more computers than exist on Earth. Again this goes back to the fall-back. This is a "only if both parties choose to play will they benefit, and if one chooses not to they lose nothing" scheme. So users of email will put up with it. No it doesn't. Again, players benefit, those who opt out lose nothing, they end up back with their sent emails screened by users with whitelists and CRM114, which is no different to the situation right now. Again... Doesn't require a centrally controlling authority. In fact, this is touted by the proposal's proponents as being one advantage it has over the stupid identity verification systems proposed by anti-spam zealots. This proposal has nothing to do with taxes. No money is sent. Look, it's quite simple. You have an email client that, on sending email to someone for the first time from a particular email addresses, generates a "stamp" which is computationally difficult to generate - ie it'll take some time. There's no money involved, except in that people wanting to send huge amounts of email may - may mind you, not will, depending on how they send the email - have to invest a few billion in Apple twin G5s. No, spammers can be as dishonest as they wish. They'll have to be unbelievably smart to get around this. What blacklists? It still will be. I think this is a remarkable idea, and is the first rational anti-spam system I've seen proposed for a while. It solves the false-positive problems inherent in AI filters like Bayesian and CRM114. It doesn't hurt innocent parties. It's interesting, I'd like to see more analysis but I think it actually has a chance of working.Which presumably means the anti-spam zealots will fight it with all they can muster...
You are not alone. This is not normal. None of this is normal.
The algorithm appears to be:
Does it have a stamp? If so, add to white list and PASS
Is it on the white list? If so, PASS
Does it pass a CRM114 check? If so, PASS
Otherwise, FAIL.
The information is on the configuration page. It ought, I think, to be in their FAQ.
You are not alone. This is not normal. None of this is normal.
You might have a point if this scheme involved using money. In this case, however, the "payment" is a proof-of-work. The user is paying in CPU cycles "spent" to send the message.
As for low-power devices, sure, that's a problem. Unless you have a better idea, though, you'll just have to live with TMDA or some other solution that doesn't require as much cpu time. You could even send your key to recipients ahead of time and get them to pre-whitelist it.
As for the other comments, you ought to read about camram. camram whitelists by pgp keys, not by sender. Initial messages have both a hashcash stamp and a pgp key. If the hashcash stamp has enough bits, the pgp key gets whitelisted. Spam operations would have to generate a high-value stamp for each recipient. Sure, they could send to the same recipient address twice, but why would they?
Furthermore, any pgp keys that spammers manage to get people to whitelist could be added to a DNSBL-type blacklist. The spammer would then have to generate a new key and generate hashcash stamps for every recipient all over again to get that new key whitelisted. Think RAZOR with a feature that feeds obvious spammers' keys into a dnsbl.