
There seems to be some confusion about what I actually proposed. (I never seem to be able to write clearly the first time.) Let me describe in more detail my currently preferred token distribution system.

First some definitions:

Majordomo - The rule based administrator for the list
List administrator - The rule maker. Also does the things majordomo can't.
poster - someone who wants to post a message to the list
list member - those who receive the list.

Token distribution works like this: A poster desiring a token sends a request to majordomo and includes a public key. This request can be sent thru a remailer chain. Majordomo generates a token (think of it as a secret key), enciphers it with the public key, and posts it to the list. Note that the poster does not have to be subscribed to the list. The token can be recovered from the archives or from a reflector list. (Thanks to Tim May for the suggestion of this method of distribution.)

Now we have given poster an anonymous token. Since tokens are good forever, true anonymity requires a new token for each post. Otherwise the poster only has a pseudonym. I consider this feature an advantage.

Since tokens are good forever, majordomo will only give out a limited number per day. I suggest four. This limit will somewhat protect against the attack Ray Arachelian pointed out of having one abusive user collect 10,000,000 tokens.

It is important to recognize the class of problems I am trying to solve. While I would like to solve the sporadic "make money fast" spam problem, I agree with Tim that, at today's levels, it is only an annoyance. I also agree that the drivel that comes from some of our more prolific posters is best handled by filtering by the list members themselves. (I currently have 3 of them going directly to the trash. Perhaps aga should get kickbacks from Qualcomm. He managed to sell a copy of EudoraPro.)

The problem I am really concerned with is denial of service attacks via flooding. With 1000 list members, each message to the list requires a lot of resources to handle compared with the ones it requires to send. This fact gives an attacker a big advantage. Tokens are designed to enable majordomo to recognize the source of messages and provide lower performance reception to those who are sending a lot of messages. This technique is similar to the technique used by the White House mail system to limit flooding attacks. (And the idea came from a description of that system posted here some months ago.)

Tokens would also give the list administrator a tool to discourage certain posters. If John Gilmore wanted to make it hard for Dimitri to post, he could cancel Dimitri's token. Dimitri could get another one (under a different name if Majordomo's instructions prevented it from giving him one), but John could continue to cancel the new ones. (N.B. There is no evidence that John actually wanted to keep Dimitri from posting. This example is only a hypothetical.)

Sandy suggests gateways (i.e. distributed moderators) to preserve anonymity. While I don't think they are needed to preserve anonymity, they will be useful for those who can't or won't encrypt their posts. It is important to note here that anyone with a token can act as a gateway.

I was trying to make only small changes in the dynamics of the list. As such, the market based solutions are more radical than I was willing to consider. I would like to see a market based system in actual use, but perhaps elsewhere. The idea seems better fitted to Robert Hettinga's e$pam list.

-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA
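
The majordomo-side bookkeeping described in the post above (a capped number of tokens per day, slower service for tokens that post heavily, and cancellation by the list administrator), as an added example that is not part of the original post. The class and parameter names, the one-hour counting window and the quadratic delay are assumptions; the four-per-day cap is read here as a list-wide total, and enciphering the token to the requester's public key is left out.

```python
import hashlib
import secrets

DAILY_LIMIT = 4    # the post suggests four tokens per day (read as list-wide)
WINDOW = 3600      # assumed: look-back window for counting posts, in seconds
BASE_DELAY = 60    # assumed: delay unit applied to heavy senders, in seconds


class TokenRegistry:
    """Hypothetical majordomo-side state; only token hashes are stored."""

    def __init__(self):
        self.issued = {}        # day number -> tokens issued that day
        self.posts = {}         # token hash -> timestamps of accepted posts
        self.cancelled = set()  # hashes of tokens revoked by the administrator

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now):
        """Return a fresh token, or None once today's quota is used up."""
        day = int(now // 86400)
        if self.issued.get(day, 0) >= DAILY_LIMIT:
            return None
        self.issued[day] = self.issued.get(day, 0) + 1
        token = secrets.token_urlsafe(16)
        self.posts[self._h(token)] = []
        return token  # in the post, this is enciphered to the requester's key

    def cancel(self, token):
        """The list administrator's tool: revoke a token."""
        self.cancelled.add(self._h(token))

    def accept(self, token, now):
        """Return the delivery delay in seconds, or None to reject the post."""
        key = self._h(token)
        if key not in self.posts or key in self.cancelled:
            return None
        recent = [t for t in self.posts[key] if now - t < WINDOW]
        recent.append(now)
        self.posts[key] = recent
        # Heavier senders get slower service: delay grows with recent volume.
        return BASE_DELAY * (len(recent) - 1) ** 2
```
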