Yesterday I decided to give Hashcash a try. The idea behind Hashcash is that you have to prove your interest in communicating with me by expending some significant CPU time to show me that you aren't a spammer. A spammer wants to send hundreds or thousands of messages a second, even on a bunch of compromised zombie machines they have compromised. Of course, it only really works once a bunch of people have adopted it.
The current Hashcash recommendation requires about 1 second of CPU time on a fairly speedy box to compute, which would significantly slow down even zombie hordes. You can also configure how hard you want the problem to be, and give higher weights to those that work harder. For instance, we are currently sending out messages with “24 leading zero bits”, which takes about 10 seconds per message to compute, where the default is 20 bits, which takes around a second. This is all on a fairly overpowered box (for a small company mail server), a 2.6GHz P4.
The advantage of Hashcash is that it's entirely controlled by the user. To start sending Hashcash messages, configure your MTA to start sending messages appropriately signed. For the Linux users among us, there are some wrappers to the “/usr/sbin/sendmail” program which will allow your messages to be Hashcashed while preserving the standard API.
The way I did it for us is to set up our central mail server so that when it receives e-mail from us via UUCP, it adds a Hashcash to the message and forwards it on to the real mail system. Don't be surprised that we're using UUCP for e-mail.
To start using Hashcash on incoming messages, you will need to configure your mail reader or mail filtering program to use Hashcash. This involves keeping a list of legitimate addresses that you normally receive e-mail for (because that's part of the Hashcash stamp) and then wedging the Hashcash check into your procmail filter or the like. You'll probably want to configure it to use the “double spend” database to keep track of senders who try to use the exact same Hashcash to send multiple messages.
The down side is that Hashcash is only effective if a lot of people are using it. I checked our mail server logs over the last 3 months, and we've received exactly one message with Hashcash in it during that time. It's obviously early in the adoption stages right now.
So far, we are only doing the sender side. Partly this is because that's as far as I got the other morning when setting it up, partly because nobody is using Hashcash yet. Until people start generating Hashcash on their outgoing messages, it's not much use to check for them. So, we're starting with adding them to outbound messages.
For those of you who are interested in what a Hashcash stamp looks like, it adds a header such as the following to your outgoing messages:
X-Hashcash: 1:24:041128:firstname.lastname@example.org::OQDswV91xp7U1MkK:0000000000000 0000000000000000000000000000000000Afc6
This is for a 24-bit Hashcash, generated on 2004-11-28, for the address “email@example.com”.
The Hashcash Website has several sample command-line clients, including one in Python, which can be used to test it out. It also has links to plug-ins for various mail systems. I'd highly recommend you take a look.comments powered by Disqus