So I’ve finally found what I consider a plausible solution to email spam. It’s known as hashcash, or proof-of-work, and the implementation I’ve come across is PennyPost. It’s a valid alternative to challenge authentication and less annoying to all involved. It works as follows:
If I want to send an email to email@example.com, I must find a combination of date/address/randomstring which hashes to a value with a required number of leading zeroes, using some agreed-upon hash. If the hash is chosen well, finding a solution is computationally expensive for the sender yet trivial for the recipient: if 1 in 10^10 strings satisfies the condition, the sender will have to make 10^10 computations on average, while the recipient only has to make one. This is desirable, as the cost of sending should be borne by the sender and not the recipient.
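
As an added illustration (not PennyPost's or Hashcash's own code or stamp format), the sketch below mints a stamp from the date/address/random-string fields described above and verifies it with a single hash. It goes slightly beyond the text by also showing the recipient-side checks that make a stamp worth trusting: recipient match, expiry and replay detection. SHA-256, the `date:address:salt:counter` layout and all function names are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import os
from datetime import date
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits before the first 1 bit in the digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def mint(address: str, bits: int, day: date) -> tuple[str, int]:
    """Sender side: try counters until the hash has `bits` leading zero bits.
    Returns the stamp and the number of hashes tried (about 2**bits on average)."""
    salt = os.urandom(8).hex()            # the "randomstring"
    prefix = f"{day.isoformat()}:{address}:{salt}:"
    for n in count():
        stamp = prefix + format(n, "x")
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, n + 1

def verify(stamp: str, my_address: str, bits: int, today: date,
           seen: set[str], max_age_days: int = 2) -> str:
    """Recipient side: one hash plus cheap policy checks. Returns "ok" or a reason."""
    parts = stamp.split(":")
    if len(parts) != 4:
        return "malformed"
    day_text, address, _salt, _counter = parts
    try:
        day = date.fromisoformat(day_text)
    except ValueError:
        return "malformed"
    if address != my_address:
        return "wrong recipient"          # stamp was minted for someone else
    if abs((today - day).days) > max_age_days:
        return "expired"                  # bounds how long `seen` must be kept
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return "insufficient work"
    if stamp in seen:
        return "replayed"                 # same stamp reused for a second message
    seen.add(stamp)
    return "ok"

if __name__ == "__main__":
    day = date(2010, 2, 1)                # constructed sample date
    stamp, tries = mint("email@example.com", 16, day)
    print(stamp, "found after", tries, "hashes")
    print(verify(stamp, "email@example.com", 16, day, set()))
```

Each extra bit of required difficulty doubles the sender's expected work, while the recipient's cost stays at one hash and a set lookup.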
Unfortunately, I’ve only been able to get this to work in Thunderbird 2.x (current version is 3.0.1). Further, I had a bit of trouble with the email-address-as-regular-expressions bit, but that’s really not that much of a complaint.
Protests against this method cite botnets and discrepancies in CPU power. Botnets supposedly make this approach less appealing, as one can use the botnet to compute hashes and thus find a hash much faster. However, this method still reduces the amount of spam that a botnet can send, and it also makes it more likely that the owner of an infected machine realizes the machine is infected and does something about the issue. So really this complaint boils down to "botnets are bad". Yes, they are, but their badness is lessened by proof-of-work stamping.
The second objection is discrepancies in CPU power. There’s maybe a 15x difference in performance between a pretty powerful system and a pretty weak system (Atom vs. i7 920; that’s an approximately $60 CPU vs. an approximately $280 processor, or a 5x difference in price). So a computation that takes the i7 10 seconds takes the Atom a little under three minutes. I actually think that if one were to pick the hash well one could minimize the difference in performance, but either way, 3 minutes isn’t terribly long to wait. I mean, how often do we expect people to read their email? Plus, one could integrate with an intelligent whitelist, so that one doesn’t need to compute hashes for those we correspond with frequently.
This has the potential to reduce the amount of spam sent by orders of magnitude, and it cuts it out at the source rather than relying on better filtering at the receiving end. The cost is paid either by those who would do the harm or by those whose machines have been infected (which will encourage them to clean their machines and take better measures in the future).
Anyway, enough rambling: the PennyPost extension for Mozilla Thunderbird can be found here. Now we just need to integrate it with Gmail and most other email clients (of course this is where it will fail at the moment, but perhaps with time it could work). It’s the only thing I’ve ever heard of that might work, because Russian ISPs have no incentive to prevent their subscribers from sending pharma spam to Americans, but this could reduce their ability to send spam by 100x or more.