Image of the glider from the Game of Life by John Conway
Skip to content

The Sad State of Hashcash

So today, I received an email from one of the readers of this blog. He wanted to get into OpenPGP with his email, and asked if I could help him get started with some tutorials, how-tos, etc. I was flattered that he valued my opinion. So, I responded to each of his questions and discussion points the best I could. However, during the reply, I reminded myself of Hashcash.

Hashcash is a really slick concept. The motivation is to combat spammers by using your CPU to calculate a SHA1 string starting with the first 20-bits as zeros based on a random number. Basically, a "proof-of-work" system. If the random number, combined with the timestamp and the recipient's email address, doesn't provide those first 20-bits of zeros, a new random number is chosen and hashed. Once the random number is found, it's attached to the header of the email, and sent. The recipient of the email can then hash the full string, and see if the first 20-bits of the resulting SHA1 are zeros. If so, along with some other validity checks, then the hash is considered valid, and you can rest assured that the email was not sent by a spammer.

A valid stamp:

You can verify this with:

% echo -n '' | sha1sum
00000d0a92fad840b05009c8692f43593c692589  -

Notice how the first 20-bits of the SHA1 hash are zeros? This is a valid hash based on the random number, the email address and the timestamp.

How does this defeat the spammers? Well, because finding the right random number that will produce a hash with the first 20-bits of zeros is computationally expensive. There will be one in at least 2^20 hashes, but the search in finding one is expensive. A modern computer can find one in under a second. But, if you wish to send bulk emails all at once, you need to create a hash "token" or "stamp" for each one. Due to the design of the algorithm to be slow, this will seriously hinder your ability to be efficient at sending bulk mail. Spammers be damned.

The proof-of-idea work is slick. The sender of an email has done the work necessary, and you can easily validate the work is been done much faster than it took to create. However, it appears from the website that all activity on the software has been abandoned since 2006, including updating the web page. Software is hard to find, and for the software that does exist, it's only compatible with very specific versions of software, leaving old or new software out of the game.

A couple examples.

Penny Post is an extension for Thunderbird. The SourceForge page houses the extension that is only compatible with Thunderbird versions earlier than 3.0. However, there is a Github project working on a Thunderbird 3.0-compatible extension. However, this extension is not compatible with Thunderbird 3.1. The extension page has also been pulled from Mozilla Addons.

Hashcash-sendmail is a Perl script for Mutt. It works by coupling the hashcash binary and the sendmail binary together to deliver your stamped mail. However, if you are using Mutt's buitin SMTP support, then the Perl script isn't usable. Also, it appears that the author of the script has lost his domain, and there hasn't been any updates since 2004, it seems.

Lastly, I have a Windows XP laptop for work with Thunderbird 3.1 installed. Of course, Penny Post isn't compatible with 3.1, so I'm already out of luck. However, even the Windows Hashcash binaries are out of date by several years.

Nevermind trying to implement it into more popular MUAs, like webmail clients (Gmail, Yahoo!, MSN, AOL, etc.), Outlook, Groupwise, etc. It just doesn't exist. Yet, SpamAssassin has full support for identifying the "X-Hashcash" email header.

No matter where I look, I reach dead ends. This is unfortunate, because I see Hashcash as a slick way of beating spam, yet it appears that the spammers are laughing all the way to the bank. They're not worried because no one is using it. And I have a feeling that no one is using it, because no one is developing anything for it. Everything out there is at least 5 years old and aging.

Maybe another slick proof-of-work system will come along. Who knows? I would like to work it into my daily email routine, but it appears that doing so with the current state of affairs is futile. I guess I could work on developing scripts and such that could be easily implemented into various MUAs, but with the amount of stuff I want to do after graduation, I'm guessing it's fairly low on the priority list.

{ 4 } Comments