On Wed, May 28, 2003 at 11:56:53AM -0700, Peter Deutsch wrote: > Concepts such as Hashcash or other payment-oriented systems, in which > you try to impose a cost on the sender to screen out bulk mailers, are > interesting enough, but I think they're addressing the wrong problem. > I've personally come to the conclusion that to address this problem > (that is, the decision as to whether I want to accept a message from > you), I don't actually need to know who you are, or even what you're > trying to send me, and I certainly don't need to impose artificial costs > on you (since this looks too much like punishing the innocent for the > crimes of the guilty). I'm curious why you think Hashcash doesn't work. Personally, I think a scheme where (a) you provide a crypto signature which proves who you are that you are someone that I trust to send me something useful, *OR* (b) you have to send me some token which proves that you have spent 120 seconds worth of CPU time calculating it, would work perfectly. That way, someone can still send me unsolicited mail asking for help with e2fsck, or some other aspect of the Linux kernel, but a spammer simply won't be able to afford the necessary CPU time to send vast numbers of SPAM. And regular correspondents with me wouldn't could simply send a PKI authenticated token to avoid needing to do the necessary CPU-burning calculations. (And this is an optimization anyway; someone who is sending me a human generated message can generally easily afford the 2 minutes worth of CPU time before their mailers can deliver the message to my mail host.) - Ted