
Valdis.Kletnieks@vt.edu wrote:
| On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:
|
|>If hashcash (http://www.hashcash.org/) gets integrated in our mail
|>systems we no longer need to hide or obfuscate our email addresses.
|
| On the other hand, widespread distribution of hashcash will probably mean
| the end of many mailing lists, because you can't trust users to actually
| whitelist everything they subscribe to.
If a user chooses to use hashcash he must understand it. If he doesn't and subscribes to a mailing list, all the list mail will go to his spam folder. He will learn from that and whitelist list mail.
| And remember that the whole *idea*
| of hashcash is that you make it impractical for somebody to send 3,000 pieces
| of mail. I'm sure netsys.com wouldn't want to keep full-disclosure if they had
| to do hashcash for even 10% of their users.
They would not hashcash every mail, but sign each incoming mail so spammers can't spam subscribers whose addresses then can be published again.
| I'll overlook the issues caused when you *don't know* what to whitelist.
| For instance - many mailing lists (including this one) have a "confirmation
| of subscription" check. For bonus points - should you have whitelisted:
|
| a) full-disclosure@lists.netsys.com (the actual list name)
| b) full-disclosure-request@lists.netsys.com (the rfc822 header on my confirm)
| c) full-disclosure-admin@lists.netsys.com (the rfc821 MAIL FROM:)
| d) mailman@
| e) majordomo@
| f) listserv@
Subscribing to mailing lists has always been a process of following instructions. If you subscribe via a web page, this web page will tell you which addresses to whitelist. If you subscribe via email firstly there will also be some source of instructions how to subscribe, and secondly you can whitelist replies that reference (private) emails you sent recently.
| There's also all the stuff that things like amazon, ebay, your bank,
| your insurance company, your utility companies, etc... all send out,
| that users will forget to whitelist.
They can send hashcashed requests for being whitelisted which will pop up a window similar to message receipt requests.
| Hashcash really sucks if you're a mail server admin who has to crank 50,000
| hash cashes a day at 5 CPU seconds a pop because people forgot to whitelist
| your server.
I don't understand the situation. Human edited mail is usually created on a workstation that is capable of making hashcash while the mail is edited. Mass mail generated on a server falls into several categories:
- spam: let them make hashcash
- solicited recurring mail: send hashcashed whitelist request and follow up with unpaid mail. If unpaid mail gets rejected stop sending mail. Actually, there is little reason not to make the whitelisting part of the service subscription process.
- Replies should be whitelisted automatically.
- legitimate systems that initiate mail conversation must make hashcash. Can you think of any examples?
| Hashcash isn't even a tiny speed bump if you're a spammer and have 50,000
| zombies - each one only takes a 5 second hiccup and continues spamming....
Configure your system to require more. 1 minute. Or 10. Or 20. The amount of hashcash can be put in an email address comment or if insufficient cash is sent, the receiving system can automatically request more.
| But yeah, other than all those minor details, hashcash is a fine solution. ;)
ecash may be even better. You don't have to accept the postage. Only take it from unwanted mail.
Bernhard
participants (1)
-
Bernhard Kuemel
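
The thread turns on how much work a stamp costs the sender and how a receiver can demand more or reject insufficient postage. The following Python sketch is an added example, not part of the original message or the hashcash project's code: it mints a hashcash version 1 stamp and applies the receiver-side checks. The address `bernhard@example.org`, the 28-day expiry window and the hexadecimal counter are assumptions of this example.

```python
import base64
import hashlib
import itertools
import os
from datetime import date, datetime

def zero_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-1(stamp)."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, today: date) -> str:
    """Sender: try counters until the stamp hashes to `bits` leading zeros.
    Expected work is 2**bits hashes, so each extra bit doubles the cost."""
    rand = base64.b64encode(os.urandom(9)).decode()  # salt, contains no ':'
    prefix = f"1:{bits}:{today:%y%m%d}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")  # hex counter: simplification
        if zero_bits(stamp) >= bits:
            return stamp

def verify(stamp, my_address, required_bits, today, spent, max_age_days=28):
    """Receiver: one hash plus policy checks. Returns (accepted, reason)."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdecimal():
        return False, "malformed"
    claimed, resource = int(fields[1]), fields[3]
    try:
        minted = datetime.strptime(fields[2][:6], "%y%m%d").date()
    except ValueError:
        return False, "malformed"
    if resource != my_address:
        return False, "wrong recipient"       # stamp was paid for someone else
    if abs((today - minted).days) > max_age_days:
        return False, "expired"
    if zero_bits(stamp) < claimed:
        return False, "claimed value not met"
    if claimed < required_bits:
        return False, "insufficient postage"  # receiver may ask for more
    if stamp in spent:
        return False, "already spent"         # replayed stamp
    spent.add(stamp)
    return True, "ok"

if __name__ == "__main__":
    day, spent = date(2005, 2, 12), set()      # constructed sample values
    stamp = mint("bernhard@example.org", 16, day)
    print(stamp, verify(stamp, "bernhard@example.org", 16, day, spent))
    print(verify(stamp, "bernhard@example.org", 20, day, spent))
```

Verification costs the receiver a single SHA-1 regardless of the bit count, while the sender's expected work doubles with every additional required bit.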