Gaming the spam system

The hottest topics in spam-fighting today are computational solutions. These methods require e-mail senders to burn CPU time on their own computers to create e-stamps they must attach individually to each message sent to strangers. The Penny Black project at Microsoft research is the best known. Separately, programmer Adam Back maintains a thorough FAQ on the topic at hashcash.org.

Computational schemes work like this: If your computer sends to my server a message addressed to me and you're not on my list of trusted correspondents, my server sends a math problem back to your mailer, which must provide the answer. That problem is a function that uses my address, yours, and possibly information about your specific message as input parameters. Your computer must calculate the function separately for every single recipient to whom you try to send a message. The function is designed to take a finite amount of time -- say, 10 seconds -- to calculate, regardless of your CPU speed or other hardware.

The premise behind the plan is that if you want to send me a personal message, you won't mind a 10-second delay. Your e-mail client might even begin the negotiation and calculation process while you're composing the message. But if you're a spammer trying to send 10,000 messages or more per minute before your account is identified and shut down, you'll need a rack of servers to do the computations sent back to you by recipients of your message. Hopefully, the cost would make spamming unprofitable.

But just as spammers hacked their way around blacklists and Bayesian filters, they're more likely to find workarounds to Penny Black than go out of business. Hackers on several mailing lists have already identified one big hole in the plan: Many spammers already send their messages using unsuspecting people's PCs, which they've hijacked by exploiting security holes. What's to stop them from breaking into other computers to generate their stamps?