Escalating The War On SPAM Through Practical POW Exchange

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Proof-of-work (POW) schemes have been proposed in the past. One prominent system is HASHCASH (Back, 2002) which uses cryptographic puzzles. However, work by Laurie and Clayton (2004) has shown that for a uniform proof-of-work scheme on email to have an impact on SPAM, it would also be onerous enough to impact on senders of “legitimate” email. I suggest that a non-uniform proof-of-work scheme on email may be a solution to this problem, and describe a framework that has the potential to limit SPAM, without unduly penalising legitimate senders, and is constructed using only current SPAM filter technology, and a small change to the SMTP (Simple Mail Transfer Protocol). Specifically, I argue that it is possible to make sending SPAM 1,000 times more expensive than sending “legitimate” email (so-called HAM). Also, unlike the system proposed by Debin Liu and Jean Camp (2006), it does not require the complications of maintaining a reputation system.


💡 Research Summary

The paper begins by reviewing the history of proof‑of‑work (PoW) schemes for email, noting that early proposals such as HASHCASH applied a uniform computational cost to every message. Citing Laurie and Clayton (2004), the author argues that a uniform‑cost PoW is impractical because it imposes the same delay on legitimate mail as on spam, magnifies disparities in server CPU speed, penalises high‑volume mailing lists, and can be overwhelmed by spammers who control large botnets. Consequently, a uniform model would either cripple normal users or fail to deter spam.

To overcome these shortcomings, the author proposes a “Targeted‑Cost Proof‑of‑Work” (TC‑PoW) system that leverages existing spam‑filter classifiers (e.g., SpamAssassin, CRM114). The receiving mail server first runs the message through its spam filter; based on the estimated spam probability, it assigns a difficulty level for a cryptographic puzzle. Messages classified as almost certainly ham receive little or no burden, while those flagged as spam receive a puzzle that may require on the order of one hour of CPU work. By tying the cost to the filter’s confidence, the scheme can make spam roughly 1,000 times more expensive per message than legitimate mail.

The paper provides quantitative examples: assuming a 99.9 % accurate filter, a legitimate sender could send about 24 000 messages per day (≈3.6 seconds of average work per message), whereas a spammer with 10 million compromised machines would be limited to roughly 24 messages per day, yielding a total spam volume of only 24 million messages per day—about one spam message per twenty Internet users. Even with a more modest 95 % filter accuracy, the cost ratio remains around 20 : 1, still dramatically curbing spam while allowing legitimate bulk senders to operate.
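
The figures in the paragraph above can be reproduced with a simple expected-cost model. This derivation is added here and is not taken from the paper; it assumes the filter accuracy $a$ applies equally to ham and spam, that a flagged message costs $T = 3600$ s (one hour) of work, and that an unflagged message costs nothing.

$$E[\text{ham}] = (1-a)\,T, \qquad E[\text{spam}] = a\,T, \qquad \frac{E[\text{spam}]}{E[\text{ham}]} = \frac{a}{1-a}$$

For $a = 0.999$: $E[\text{ham}] = 0.001 \times 3600 = 3.6$ s, so one machine can send $86400 / 3.6 = 24\,000$ ham messages per day, while $E[\text{spam}] = 3596.4$ s allows $86400 / 3596.4 \approx 24$ spam messages per day per machine, a ratio of $999 \approx 1000$. For $a = 0.95$ the ratio is $0.95 / 0.05 = 19$, or roughly $20 : 1$.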

Risk management is discussed in depth. Variable filter performance across domains is mitigated because each receiving server can set its own resistance thresholds and optionally use a sliding scale or white‑list exemptions. The “pressed‑HAM” (PHAM) problem—legitimate but borderline spammy messages such as newsletters—is addressed by noting that commercial senders can usually afford the extra work, and that the system encourages them to reduce message size or embed links rather than heavy HTML. Mailing‑list traffic is handled by allowing well‑configured lists to bypass resistance, while lists abused by spammers would be penalised. The possibility of spammers learning filter characteristics is considered; the author suggests using a binary (resist or not) or coarsely graded resistance and adding randomization to make reverse‑engineering costly. A “sin‑bin” mechanism could temporarily block repeat offenders who refuse to meet the imposed work.

Implementation requires a modest extension to SMTP: a new keyword (proposed as “POW”) would allow the receiver to request a puzzle after the message body is received, and the sender to return the solution. Because current SMTP does not support this exchange, protocol modification and standardisation would be necessary, which the author acknowledges as a deployment hurdle.
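
The exchange described above (the receiver scores the message, picks a difficulty, issues a puzzle after the body is received, and checks the returned solution) can be sketched as follows. This is an added example, not code from the paper: the score-to-difficulty tiers, the hashcash-style SHA-256 puzzle, and all function names are assumptions chosen for illustration.

```python
import hashlib
import os
from itertools import count

# Assumed policy (not from the paper): map the filter's spam probability to
# puzzle difficulty in leading zero bits. Demo values are small; a deployment
# would calibrate MAX_BITS so the top tier costs about an hour of CPU.
MAX_BITS = 16
HAM_THRESHOLD = 0.05  # below this score, no puzzle at all

def difficulty_bits(spam_probability: float) -> int:
    """Coarsely graded resistance: 0 bits for clear ham, MAX_BITS for clear spam."""
    if not 0.0 <= spam_probability <= 1.0:
        raise ValueError("spam probability must be in [0, 1]")
    if spam_probability < HAM_THRESHOLD:
        return 0
    if spam_probability < 0.5:
        return MAX_BITS // 2
    return MAX_BITS

def leading_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def make_challenge(message: bytes) -> bytes:
    """Receiver side: bind a fresh random nonce to the received message body."""
    return os.urandom(16) + hashlib.sha256(message).digest()

def solve(challenge: bytes, bits: int) -> int:
    """Sender side: brute-force a counter; expected cost is about 2**bits hashes."""
    for counter in count():
        digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return counter

def verify(challenge: bytes, bits: int, counter: int) -> bool:
    """Receiver side: a single hash checks the sender's work."""
    digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

if __name__ == "__main__":
    body = b"Subject: constructed sample\r\n\r\nhello"  # constructed input
    for score in (0.01, 0.30, 0.97):
        bits = difficulty_bits(score)
        challenge = make_challenge(body)
        answer = solve(challenge, bits)
        print(score, bits, answer, verify(challenge, bits, answer))
```

Because the challenge includes a fresh nonce and a hash of the body, a solution cannot be precomputed or reused for a different message.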

In conclusion, the paper presents a compelling argument that a non‑uniform, filter‑driven PoW scheme can shift the computational burden overwhelmingly onto spammers, achieving a practical economic deterrent while preserving normal mail flow. The approach hinges on high‑quality spam classification, reasonable puzzle design, and modest changes to the mail transport protocol. Remaining challenges include maintaining classifier accuracy in the face of adaptive spammers, handling low‑power devices, and achieving global consensus on the SMTP extension. Future work should focus on optimizing puzzle algorithms, integrating the system with emerging email authentication frameworks (DKIM, DMARC), and pursuing standardisation through IETF or similar bodies.

