Comments on: The Sad State of Hashcash

By: Links 6/3/2011: Fedora 16 Codenames, Android Grows in Tablet Market | Techrights

Sun, 06 Mar 2011 07:20:00 +0000

[...] The Sad State of Hashcash So today, I received an email from one of the readers of this blog. He wanted to get into OpenPGP with his email, and asked if I could help him get started with some tutorials, how-tos, etc. I was flattered that he valued my opinion. So, I responded to each of his questions and discussion points the best I could. However, during the reply, I reminded myself of Hashcash. [...]

By: Aaron

Aaron — Fri, 04 Mar 2011 13:34:54 +0000

@Yann. No, for SpammAssassin, it only needs to run sha1sum on the token that is found in the mail, not calculate a token. Doing the verification takes milliseconds at most. And the point of hashcash is to prevent the spammers from using it, because by design, it’s meant to be slow. If spammers did start using hashcash, you would notice the volume of spam reaching your inbox drop my many, many orders of magnitude. It’s just too infeasible for them to take advantage of if they wish to support their business sending out millions and millions of spam mails per day.

By: Niklas Schönberg

Niklas Schönberg — Fri, 04 Mar 2011 12:14:39 +0000

You don’t have to do the computations to validate. As the post say, there is one valid hash in 2^20 so the sender needs to try them until he gets one correct, so on average 2^20/2 tries, but to validate you just need one calculation.

By: Yann

Yann — Fri, 04 Mar 2011 10:13:21 +0000

Aaron, so if my spamassassin wants to analyze the content of the mails to see if they are spam, will it have to do that expensive computing on every incoming email too? Or will it assume that every email using this is not a spam – in which case it might be worth for spammers to use hashcash, it if’s a guarantee that it’ll reach the target’s inbox?