At 04:45 PM 5/12/2003, Adam Back wrote:
Whether you think a few seconds is sufficient depends on your views of the economics of spamming. I.e., how close to losing break-even the spammers are, and whether a few seconds of CPU per message is enough to significantly increase the cost. This article for example discusses the economics of spam:
http://www.eprivacygroup.com/article/articlestatic/58/1/6
They give an example of a spam campaign with a 0.0023% response rate, and a yield of $19 per response. They estimate the cost of sending the spam was less than 0.01c per message. I've seen significantly lower estimates for the sending costs. To deter a given spam campaign we just have to increase the cost to the point of making it unprofitable given the response rate and profit per responder. The other side of this equation is what a second of CPU costs in monetary terms to a spammer.
Assuming that a CPU costs $500 and that its value can be amortized over 2 years, CPU costs .0016 cents/second. Based on the numbers above, the revenue/spam sent is .044 cents. Thus, the breakeven point is 27.6 seconds/message: assuming other costs are minimal, you have to require > 27.6 seconds of CPU calculation from an email submittant to ruin the spamming business model.

A few thoughts on this:

- You have to adjust the size of the calculation frequently to keep up with Moore's law (although the time/$500 CPU is constant, assuming constant profitability for spam)
- If spammers have new technology or economies of scale available to them, it's going to adversely affect everyone else. (That is, if you're using an 18-month-old CPU and CPU-seconds cost you twice what they cost in the volume it costs spammers, your $500 computer will have to spend 2 minutes of time to calculate a token it takes a spammer 30 seconds to calculate).
- This is going to dramatically increase the costs of sending bulk e-mail for non-spammers: for example, I get airline specials a few times a week; they must send millions of these.
- The CPU time required here is several orders of magnitude larger than the cryptographic costs associated with SSL, and SSL is not broadly accepted at least in part due to the CPU cost associated with it; this implies to me that there will be substantial resistance.
- The CPU costs associated with SSL engendered a substantial market in cryptographic accelerators intended to reduce the cost to do an RSA private key operation. Presumably, a system like this will create such a market for e-mail token accelerators: unfortunately, this is exactly the kind of new tech / economy of scale envisioned above: we may end up with a situation where a calculation which costs a spammer .044 cents will take the average user's CPU 10 minutes or more to calculate.

- Tim