(There has been some discussion of controlling floods on USENET through mail2news gateways on remailer-operators list recently -- take a look for example at alt.anon.privacy-server).
On Mon, Feb 25, 2002 at 11:02:47AM +0100, christian mock wrote:
> the "killer issue" ATM seems to be relative CPU performance levels;
> athlon/1GHz 378377 hashes per sec
> pentium/100 28745 hashes per sec
> this means we have a factor of >13 for machines that can reasonably
> be expected to be in service today (athlon vs P1/100),
>
> this means that with the proposed 29 bits, it would take about 1.5
> hours on the celeron 333, and more than one day on the 486.

So this is indeed a problem.

The other proposal I saw recently here was adaptive charging -- charge nothing unless flood is detected, then increase postage requirement dynamically until the flood is squelched when the flooder is slowed down to a trickle.

This has a couple of problems -- firstly the sender has no direct connection to the resource which is setting the price, so it is inconvenient to find out what value to put on the token. Anyway by the time the token arrives perhaps the price has increased and so the mail bounces.

Related to anonymity: anonymous users don't want to direct http connections or such to find out what the current price is as that will tend to identify them as remailer users, as well as tending to correlate their true identity with their anonymous posts due to timing correlations between the two events.

Some other ideas:

What about is-a-person credentials with some non-trivial purchase cost. So a new nym would go to a web page, do some proof of being human (type in a number contained in a gif), maybe do some proof of work (hashcash), and do some mild proof of uniqueness and anti-theft of credential (mail the credential to the email address given). If the same email-address is used twice, the user will be refused another credential.

The user can then use the credential pseudonymously without being identified. If the user exceeds some pre-defined volume limit on the resource, the resource revokes the pseudonym.

This has more of the desired properties: there is some sign-up over-head for all users, which adds some inconvenience for regular users, but at least it is only one-off for them. For flooders on the other hand they can only send some sane limit per day of messages per nym; and the overhead of creating a whole stream of nyms to make a big flood is sufficiently inconvenient to make it quite tedious, though of course not impossible for some truly dedicated person who wants to spend all day typing numbers contained in images, minting 24 hours worth of hashcash on a normal machine etc.

If you wanted to get fancy you might be able to arrange that if the nym sent more than a certain volume of messages in a time period his email address would be revealed.

Thoughts on this?

(The anonymous is-a-person credentials could be built with Chaum's credentials, or more flexibly with Brands' credentials, perhaps Wagner's blind MAC based e-cash scheme.)

Adam
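
Added example, not part of the original message: a hashcash-style partial-hash stamp minted and verified in Python, with the expected minting time at the proposed 29 bits for the two hash rates quoted above. The stamp layout (resource:counter), the resource name and the function names are assumptions made for illustration, not the real hashcash stamp format.

```python
import hashlib
from itertools import count

# Hash rates quoted in the message above (hashes per second).
RATES = {"athlon/1GHz": 378377, "pentium/100": 28745}


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource: str, bits: int) -> str:
    """Try counters until SHA-1(stamp) has at least `bits` leading zero bits."""
    for counter in count():
        stamp = f"{resource}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp: str, resource: str, bits: int) -> bool:
    """The verifier spends one hash, however long the sender spent minting."""
    name, _, counter = stamp.rpartition(":")
    if name != resource or not (counter.isascii() and counter.isdigit()):
        return False  # stamp was minted for another resource or is malformed
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits


def expected_seconds(bits: int, hashes_per_sec: float) -> float:
    """Each trial succeeds with probability 2**-bits, so the mean is 2**bits trials."""
    return 2 ** bits / hashes_per_sec


if __name__ == "__main__":
    resource = "mail2news@example.invalid"  # constructed name for the demo
    stamp = mint(resource, 16)              # small cost so the demo finishes quickly
    print(stamp, verify(stamp, resource, 16))
    for machine, rate in RATES.items():
        hours = expected_seconds(29, rate) / 3600
        print(f"{machine}: 29 bits takes about {hours:.2f} h on average")
```

A fixed bit count prices the stamp in hashes, so the wall-clock cost scales inversely with the sender's hash rate, which is the disparity the quoted figures describe.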
