kaPoW Webmail: Effective Disincentives Against Spam

Webmail spam poses a significant threat to major webmail providers such as Google GMail, Yahoo! Mail, and Microsoft Live Mail, as well as to individual companies and universities that provide web-based interfaces to their email. Whether spammers create new accounts or hijack existing accounts to send spam, the transmission of spam drives up server operating costs as well as the human costs required to identify and disable spamming accounts. This paper presents kaPoW Webmail, a system for slowing down and disincentivizing webmail spammers using transparent, web-based proof-of-work (also known as client puzzles). The approach requires clients to solve a computational puzzle for each email sent. The system employs a novel puzzle algorithm that efficiently generates and verifies fine-grained computational puzzles that have deterministic solution times. Unlike prior proof-of-work systems, kaPoW Webmail also adaptively issues puzzles of varying difficulties based on a comprehensive set of client-specific and content-specific measurements. The evaluation shows that this system thwarts spammers while preserving service to legitimate webmail clients.
