I had both of these thoughts - except I haven't got around to learning enough about XS yet.
Then I did the experiment. It was a while ago, but IIRC the speed loss in doing the minting calculation in perl is only about 4x. The digest library itself is in C, of course, which is probably the saving factor. Anyway for verification you probably don't care about this at all, and for minting you can simlpy spawn the C program.
The obvious plan is to roll out a library that works, first, then make it run at a sensible speed later. People are complaining there's no software.. so I will have to write it. Yes, I knew there was something I meant to do today...
OK, so I've been caught being uninformed. Sorry about that - but don't be surprised. 8-/
IMHO sidelining anonymous speech to the point where almost everyone will ignore it is not an acceptable price to pay for only getting spam from people or companies who do it By The Book.
Suppose the perl hashcash library had the facility to use the mext idle machine on your local network, instead of running them all in parallel on the local machine.
Like I said earlier, it is "just software". In my (admittedly limited) experience, most servers are IO bound not CPU bound.
Generally, if your company doesn't specialise in sending mail, you're not going to have any problems at all doing the work. That's the whole point.
In most cases, the collision is required to contain the recipient's email address in some form. (The obvious problems here with Bcc: are.. problems, but not insurmountable)
The best time for pre-calculation seems to be when a mail is delivered to you. Kick off the hashcash generation so it's finished by the time you want to send your reply.
If you're calculating for a mailing list, there are better solutions. The pathologically fair case is to get the poster to generate for all recipients on the list - presumably after some blinding process. Eek!
Mailing lists are a known problem. We've kicked around various possible solutions. I have another mail on my postoned queue, quietly fermenting in my brain.
Worst thing that can happen is some subscribers start bouncing mail, and you drop them (and tell them why). Not your problem anymore.
I'm suddenly reminded of DoNotWantItGoodWantItTuesday. I'm sure the WikiWeb will love me for sending the hordes over there. 8-)
I'm not sure I followed all of that.. but there is a Java applet (it needs more work doing...) which will generate Hashcash. As I mumbled in my grandparent posting to this one, the Webmail system can send you the applet, and wait for you (the client machine) to generate the token.
Problem solved, for certain values of web browser.
Because it's there. It works, sort of. It has this extension protocol called EHLO, but it's easily backwards-compatible with HELO only systems.
Camram probably needs to write more RFCs. 8-/
... a protocol that is a little more sophistocated, with mandatory digitally signed content (including headers), and rejection of all connections without a certificate, would block all spammers pretty quickly.
Who signs the certificate? I don't want to pay Verisign $200/year just so I can send email. I certainly don't want more spam from Waitrose just because they paid Verisign $200 for a certificate.
The PGP/GPG web of trust can provide a useful whitelist type of solution, but that hasn't exactly caught on in a big way either.
Currently it's easier for spammers to spew from a fixed source. If ever RBL type solutions started really biting them, they would probably move to distributed/trojan based solutions anyway.
It seems like an obvious thing to do, although the more clueful ISPs would probably detect the outgoing and pull the plug on the victim.
Reasons why DDoS spam may not be a problem are given in an earlier (um, later) thread.
If the company isn't hip to this newfangled tech, give them a "special" address.
foocompany-username@example.com.invalid
spongcompany-username@example.com.invalid
You can just keep the plain username@example.com.invalid address and require hashcash for that. This isn't much more work than setting up hashcash. Of course, if you don't have a whole domain to play with (or an ISP that can do mail prefixes) then.. get another ISP.
Anything else, if you get spam to it then it's because the company has leaked your address. *Plonk!* Problem solved.
Experience teaches that you should put the modifier in front of the username. Spammers sometimes randomly cut off the front of the address if they think it might not be important.
Yes, currently the ISPs are choking on spam, and it costs them in hardware and manpower to keep up.
The problem is that the payoff for generating the work stamps is elsewhere. This is the nature of sender pays.
Since not all mail will have hashcash, the bandwidth will still be wasted. There is the possibility of "second class" or reduced throughput per IP address, for sources that don't stamp though. Whether this is a good thing in the long run, is another question.
Maybe the changes would not be openly visible, but I don't like the idea that my computer may have to use extra cycles just to send a letter.
Sounds like you would prefer it if your mail was stamped for you by your mail relay or smarthost.
ToDo: I was going to ask a big ISP for some stats on how many mails per machine a big smarthost normally shifts. I suspect it's somewhere between "many" and "lots", so this may not be so practical.
The next step will be HashCash viruses, which use up CPU time on the owned machine making tokens and sending them somewhere.
This is a valid concern. Apart from any cunning solutions (yeah I need to catch up on Adam's paper), you're talking about 4000 tokens per day for a modern machine. Maybe less if the world decides to require bigger work - it scales all the way up to 2^160.
My back-of-envelope calculations say that each spammer with the T1 line will need to r00t a thousand boxes to put postage on all his spam. Then those boxes need to be left on 24/7. Most random victims switch their machines off after two hours.
Sometimes, the accounting overhead costs more than the thing is worth.
Nah, the tedious bit is setting it all up so it works. After that you just forget about it. If it's done right, of course.
We need a solution to spam, but this isn't it. There really aren't that many spammers; put fifty people in jail and it will stop.
No, but it can be part of the solution. There is no SilverBullet.
Putting spammers in jail won't stop the otherwise-reputable companies joining in the spam game, it will simply set up a framework in which they can get state approval for spamming.
You can't put Chinese or Korean spammers in US or British jails. Not unless you romp over there with a load of tanks and kidnap them. It's not really polite to blacklist the whole of China, is it?
Also, putting spammers in jail will make it more attractive to forge spam to appear to come from someone else. Like we have now.
You can go pretty much anywhere with a perl library. I've been meaning to do this for aaaagggesss. The plan is to start small and do the XS library integration later. It doesn't seem quite so daunting this way.
My problem is, I have fingers in too many pies.
Adam's site (above) is the definitive place to look though.
Re:Dumb Idea-No Grounding In Economic Reality
on
GEEK Unions?
·
· Score: 1
[The original article seemed to be aimed at changing dumb laws instead of waiting for it to become obvious to the world that they're dumb, but this seems just as important]
Read the Randal Schwartz vs. Intel case and tell me again you wouldn't strike for another programmer?
Yes, that's the guy who wrote the book on my desk being banged up for... I'm not really sure why.
This, you see, is how I know that "Life's a bitch and then you die".
Slashdot Mirror
We're both correct, and maybe we'll both be content if there's actually some non-vapourware when we meet in the middle. 8-)
Then I did the experiment. It was a while ago, but IIRC the speed loss in doing the minting calculation in perl is only about 4x. The digest library itself is in C, of course, which is probably the saving factor. Anyway for verification you probably don't care about this at all, and for minting you can simlpy spawn the C program.
The obvious plan is to roll out a library that works, first, then make it run at a sensible speed later. People are complaining there's no software .. so I will have to write it. Yes, I knew there was something I meant to do today...
IMHO sidelining anonymous speech to the point where almost everyone will ignore it is not an acceptable price to pay for only getting spam from people or companies who do it By The Book.
Like I said earlier, it is "just software". In my (admittedly limited) experience, most servers are IO bound not CPU bound.
Generally, if your company doesn't specialise in sending mail, you're not going to have any problems at all doing the work. That's the whole point.
The best time for pre-calculation seems to be when a mail is delivered to you. Kick off the hashcash generation so it's finished by the time you want to send your reply.
If you're calculating for a mailing list, there are better solutions. The pathologically fair case is to get the poster to generate for all recipients on the list - presumably after some blinding process. Eek!
(ENOSLEEP)
Worst thing that can happen is some subscribers start bouncing mail, and you drop them (and tell them why). Not your problem anymore.
I'm suddenly reminded of DoNotWantItGoodWantItTuesday. I'm sure the WikiWeb will love me for sending the hordes over there. 8-)
I'm not sure I followed all of that .. but there is a Java applet (it needs more work doing...) which will generate Hashcash. As I mumbled in my grandparent posting to this one, the Webmail system can send you the applet, and wait for you (the client machine) to generate the token.
Problem solved, for certain values of web browser.
Camram probably needs to write more RFCs. 8-/
Who signs the certificate? I don't want to pay Verisign $200/year just so I can send email. I certainly don't want more spam from Waitrose just because they paid Verisign $200 for a certificate.The PGP/GPG web of trust can provide a useful whitelist type of solution, but that hasn't exactly caught on in a big way either.
Currently it's easier for spammers to spew from a fixed source. If ever RBL type solutions started really biting them, they would probably move to distributed/trojan based solutions anyway.
It seems like an obvious thing to do, although the more clueful ISPs would probably detect the outgoing and pull the plug on the victim.
Reasons why DDoS spam may not be a problem are given in an earlier (um, later) thread.
If the company isn't hip to this newfangled tech, give them a "special" address.
.. get another ISP.
foocompany-username@example.com.invalid
spongcompany-username@example.com.invalid
You can just keep the plain username@example.com.invalid address and require hashcash for that. This isn't much more work than setting up hashcash. Of course, if you don't have a whole domain to play with (or an ISP that can do mail prefixes) then
Anything else, if you get spam to it then it's because the company has leaked your address. *Plonk!* Problem solved.
Experience teaches that you should put the modifier in front of the username. Spammers sometimes randomly cut off the front of the address if they think it might not be important.
Yes, currently the ISPs are choking on spam, and it costs them in hardware and manpower to keep up.
The problem is that the payoff for generating the work stamps is elsewhere. This is the nature of sender pays.
Since not all mail will have hashcash, the bandwidth will still be wasted. There is the possibility of "second class" or reduced throughput per IP address, for sources that don't stamp though. Whether this is a good thing in the long run, is another question.
ToDo: I was going to ask a big ISP for some stats on how many mails per machine a big smarthost normally shifts. I suspect it's somewhere between "many" and "lots", so this may not be so practical.
Unless you have sufficiently few users that you can calculate hashcash with "spare" cycles, you don't want to generate it on your webmail server.
Then again, if you're going to require full scripting privileges on the browser you can probably get the work done there instead.
My back-of-envelope calculations say that each spammer with the T1 line will need to r00t a thousand boxes to put postage on all his spam. Then those boxes need to be left on 24/7. Most random victims switch their machines off after two hours.
Nah, the tedious bit is setting it all up so it works. After that you just forget about it. If it's done right, of course. No, but it can be part of the solution. There is no SilverBullet.Putting spammers in jail won't stop the otherwise-reputable companies joining in the spam game, it will simply set up a framework in which they can get state approval for spamming.
You can't put Chinese or Korean spammers in US or British jails. Not unless you romp over there with a load of tanks and kidnap them. It's not really polite to blacklist the whole of China, is it?
Also, putting spammers in jail will make it more attractive to forge spam to appear to come from someone else. Like we have now.
I think we would prefer not to stress the user out. We can get involved in the "Turing test arms race" later if necessary.
In the meantime, legit users should be able to hit "y" and let rip. Also, legit cronjobs should be able to run without hassle.
Someone has to write it. I for one take the "laziness" virtue a little too far.
My problem is, I have fingers in too many pies.
Adam's site (above) is the definitive place to look though.
[The original article seemed to be aimed at changing dumb laws instead of waiting for it to become obvious to the world that they're dumb, but this seems just as important]
... I'm not really sure why.
Read the Randal Schwartz vs. Intel case and tell me again you wouldn't strike for another programmer?
Yes, that's the guy who wrote the book on my desk being banged up for
This, you see, is how I know that "Life's a bitch and then you die".
What are you going to do, shoot them? You say not.
Even if they use their pepper spray and start dragging people away?
I'm not saying a stand should not be made (I love the passive voice (-8 ) but is this actually going to achieve anything?