At 10:22 AM 05/16/2003 -0700, Eric Murray wrote:
There is already a reasonably good proof-of-work mechanism built into SMTP-- START_TLS.
Any server that is willing to do TLS with mine is very unlikely to be a spammer. In fact a quick check of about 8000 spams I have shows that two of them used TLS. (both in the last week. hmm.)
Steve Bellovin pointed out that spammers who use open relays and open proxies will happily burn those CPUs doing proof-of-work as well as burning their bandwidth multiplying spam. That's not necessarily a _bad_ thing, if it gets the attention of the people running the relay/proxy machines (:-) But it's a basic problem with link-based proof-of-work like START_TLS as opposed to end-to-end proof-of-work mechanisms in the message itself.

If you do link-based, only the last relay site needs to do the work, so the spammer can steal CPU from lots of machines without burning his own. If you do message-based proof-of-work, it's much harder to get a proxy or relay to do the work, as opposed to using the spammer's own machine.

START_TLS and other link-based mechanisms _do_ have the benefit of harassing dialup and DSL spammers, who are using their own CPUs without relays, so it at least gets rid of some of the ankle-biters and forces spammers to abuse relays and proxies, which may be easier to identify (especially because they're using START_TLS...) This has the side benefit that it cuts down on the use of dial/dsl blacklists, which are one of the extremely annoying sources of collateral damage in the anti-spam world.
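The message-based proof-of-work contrasted with START_TLS above, as an added example that is not part of the original post: a hashcash-style stamp (an assumed scheme, the post names none) bound to the recipient and the message body, which the receiving end checks without reference to whichever relay handed the message over. The function names, the 12-bit difficulty and the example.org addresses are assumptions.

```python
import hashlib
from itertools import count

BITS = 12  # assumed difficulty (leading zero bits); kept low so the demo runs quickly


def _digest(recipient: str, body: bytes, nonce: int) -> bytes:
    # The stamp covers the recipient and a hash of the body, so the work is
    # tied to this one message and cannot be reused for another recipient.
    body_hash = hashlib.sha256(body).hexdigest()
    return hashlib.sha256(f"{recipient}:{body_hash}:{nonce}".encode()).digest()


def leading_zero_bits(digest: bytes) -> int:
    # Number of zero bits before the first one bit in the digest.
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, body: bytes, bits: int = BITS) -> int:
    # Sender side: brute-force a nonce, about 2**bits hashes on average.
    for nonce in count():
        if leading_zero_bits(_digest(recipient, body, nonce)) >= bits:
            return nonce


def verify(recipient: str, body: bytes, nonce: int, bits: int = BITS) -> bool:
    # Receiver side: two hashes, and nothing about the SMTP path is consulted,
    # so the check is end-to-end rather than per link.
    return leading_zero_bits(_digest(recipient, body, nonce)) >= bits


if __name__ == "__main__":
    body = b"Subject: lunch\r\n\r\nNoon on Friday?\r\n"  # constructed sample message
    nonce = mint("alice@example.org", body)
    print("nonce:", nonce)
    print("valid for alice:", verify("alice@example.org", body, nonce))
    # The same stamp on a copy addressed elsewhere fails (barring a 1-in-2**BITS fluke):
    print("valid for bob:  ", verify("bob@example.org", body, nonce))
```

Because the stamp names the recipient, a sender mailing N addresses has to pay the minting cost N times, whereas a link-level cost is paid once per connection by whoever makes the final hop.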