mikeash.com pyblog/testing-hashcash-based-anti-spam-measures.html comments

anyone - 2021-08-10 18:56:17

Tue, 10 Aug 2021 18:56:17 GMT

Thank you!

Jewls - 2018-06-19 20:24:07

Tue, 19 Jun 2018 20:24:07 GMT

Hi Mike, i couldn't find this on your github repo. I was curious of how you implemented. This was about 30 secs.

My1 - 2017-04-19 11:27:47

Wed, 19 Apr 2017 11:27:47 GMT

at least for me it takes literally half an eternity to calculate the thing, and I am on an i5 CPU.

Jonathan McCormack - 2016-02-24 20:04:54

Wed, 24 Feb 2016 20:04:54 GMT

Just testing on an iPhone 6 Plus, button appeared straight away.

Test - 2014-04-28 10:31:25

Mon, 28 Apr 2014 10:31:25 GMT

Just testing this to see how it works! ;)

hascashe - 2014-04-17 00:24:55

Thu, 17 Apr 2014 00:24:55 GMT

pretty cool isnt it

Aaron Toponce - 2013-09-24 02:44:46

Tue, 24 Sep 2013 02:44:46 GMT

testing from a Samsung Galaxy S3. still waiting for the post button to become visible...

Aaron Toponce - 2013-05-18 17:11:36

Sat, 18 May 2013 17:11:36 GMT

I have written a number of web applications with public/anonymous commenting systems. If I implement a native Hashcash support for JavaScript, then spam is non-existent. Just for fun, I log all spam comments thrown out, due to not passing the Hashcash test, and I've seen upwards of 600 spam comments PER DAY thrown out due to not presenting a valid Hashcash token.

Hashcash is only one valid client puzzle, among many though. For Wordpress, there is a "hashcash plugin", but when you look at the source, it's actually not Hashcash. Instead, it's just a random client puzzle. But, proof-of-work client puzzles work all the same.

Well done on implementing Hashcash though. If more people would do this for their web applications, we wouldn't need those ridiculous CAPTCHAs.

HASH CA$H - 2013-05-01 20:16:01

Wed, 01 May 2013 20:16:01 GMT

This should be everywhere

steve smith - 2013-04-06 01:24:34

Sat, 06 Apr 2013 01:24:34 GMT

Just testing here.

Ugur - 2013-02-24 16:10:36

Sun, 24 Feb 2013 16:10:36 GMT

Just for trying live demo

my wonderful self again - 2013-02-08 04:29:29

Fri, 08 Feb 2013 04:29:29 GMT

Took less than a second for me as well.

my wonderful self - 2013-02-08 04:27:56

Fri, 08 Feb 2013 04:27:56 GMT

Just wants to see how this works

mikeash - 2013-02-07 14:48:37

Thu, 07 Feb 2013 14:48:37 GMT

I did some quickie benchmarking when I wrote the implementation, and as I recall, my result was that a native hashcash solution was about 100x faster than doing it in JavaScript in a modern browser. This is probably enough to render the whole exercise pointless on a large scale. If the hashcash is tuned to take 30 seconds in the browser, then a native implementation would take about a third of a second per post. It's possible that this would still be enough to discourage spam to an extent, but it's not a huge obstacle.

On a small blog like this, any custom solution is enough to cut down on spam substantially, at least for a long time, because it's just not worth it to write any custom code for it, no matter how easy.

As JavaScript engines improve (and I assume that crypto will be a particularly important target for optimization), that will allow the hashcash difficulty to be turned up, lessening the advantage of a native implementation. So it could become a truly useful, scalable solution eventually.

George Hafiz - 2013-02-07 08:11:37

Thu, 07 Feb 2013 08:11:37 GMT

It's a good point about the efficiency of the hash implementation being a remaining issue. How long before botnet operators implement C SHA-1 into their zombie programs in order to render these counter-measures ineffective? Assuming the efficiency of C SHA-1 is really that much greater than JavaScript - anyone got any benchmark results?

rewrw - 2013-01-24 16:22:40

Thu, 24 Jan 2013 16:22:40 GMT

rwerwerwerw

mikeash - 2012-09-13 13:48:30

Thu, 13 Sep 2012 13:48:30 GMT

It hasn't stopped spam completely, but the spam that remains appears to be posted by actual humans using the form just like the rest of us. I can't fathom how it could be worth their time, but that's what the logs tell me.

tester - 2012-09-13 04:30:56

Thu, 13 Sep 2012 04:30:56 GMT

So does this system actually work? As others have noted, JavaScript is much faster these days and so you probably need more zeros.

test - 2012-08-27 13:37:56

Mon, 27 Aug 2012 13:37:56 GMT

test.

Alice - 2012-07-20 15:36:08

Fri, 20 Jul 2012 15:36:08 GMT

Took less than a second for me. :|

mikeash - 2012-02-15 14:45:43

Wed, 15 Feb 2012 14:45:43 GMT

Mine tends to drop to zero for a couple of months, then rise back to a handful of spam comments a week. I'm not sure how to explain that, as it doesn't seem worth anybody's while to automate this particular site's anti-spam measures, but human-driven spam shouldn't be deterred at all by small changes.

I really should check my logs for the IP address that spam comments come from and see if the requests show anything about the nature of what's posting them. I'll have to remember to do that next time one shows up.

me - 2012-02-14 21:15:35

Tue, 14 Feb 2012 21:15:35 GMT

Typically, if you implement any custom anti-spam measures at all, the spam rate will drop to almost zero because the automated tools no longer work.

mikeash - 2012-01-11 14:40:06

Wed, 11 Jan 2012 14:40:06 GMT

A nuisance to spammers is all I need. 30 minutes of programmer time plus the resources that Safari would take up is worth far more than spamming my site is. I haven't had to delete any spam since I set the thing up, so clearly it's working. Whether it works better than the previous scheme (which prevented spam for a while every time I changed the magic word) remains to be seen.

How could it be a nuisance to my readers? If you mean because it prevents people from being able to write and submit a post in under 10 seconds, well, that's just the sort of nuisance I want to give to my readers.

Jared Kipe - 2012-01-11 02:30:53

Wed, 11 Jan 2012 02:30:53 GMT

I have always assumed "spammers" employ various types of automation, and I wouldn't say it is out of the realm of possibility that someone would script the above (I could do it trivially in less than 30 minutes by making a Safari Extension, opening the posts I wanted to target in separate background tabs and let the custom JS do their own thing forever).

Your idea is interesting, but at best is a nuisance for spammers. At worst, a nuisance to spammers AND nuisance to your readers.

mikeash - 2012-01-10 18:27:41

Tue, 10 Jan 2012 18:27:41 GMT

Forgot to mention: yes, a specialized tool could defeat this easily by computing the hashcash in C in 0.01 seconds instead of in JavaScript in 10 seconds. But the goal isn't to defeat all potential adversaries, just all that I expect to come across. Nobody will implement a C hashcasher just to defeat my site.

mikeash - 2012-01-10 18:26:35

Tue, 10 Jan 2012 18:26:35 GMT

My assumption is that waiting ~10 seconds for the button to become available imposes an impractical time drain on a spammer. They need to work in incredible bulk and that means they need to work fast.

This also hits human spammers, who have similar time constraints. They'll want to open the page, paste paste paste submit, all really quickly. This forces them to wait.

As a bonus, it also discourages legitimate commenters with nothing important to say.

Jared Kipe - 2012-01-10 18:19:12

Tue, 10 Jan 2012 18:19:12 GMT

The thing is, that if you decided to write your spamming client in javascript, this is trivial to get around.

document.forms[0][0].onfocus();
document.forms[0][0].value = "spam";
And then just wait for the "Post Comment" button to become available. Since you've already implemented the JS to actually do the computation, there isn't any added complexity to the "spam" client.

I would think this is about as good as just having a hidden field you expect to be a certain value, that JS fills in that value onfocus()

sneak - 2011-12-24 22:59:27

Sat, 24 Dec 2011 22:59:27 GMT

The problem with this is that JavaScript implementations of hashcash are 10000x slower than native implementations. Any acceptable comment-posting delays mean that I can write a native blog spamming tool with more than acceptable performance. :)

Aron - 2011-12-21 22:02:12

Wed, 21 Dec 2011 22:02:12 GMT

Do I get a Bitcoin upon successful comment submission?

mikeash - 2011-11-30 15:48:29

Wed, 30 Nov 2011 15:48:29 GMT

Since it's a probabilistic computation, it can sometimes go really fast (or slow). It's just trying different pieces of data until a match is found, which could be the first item it tries or the millionth. On average, it'll be around 2^18 attempts, but it'll vary.

dennis - 2011-11-30 15:19:39

Wed, 30 Nov 2011 15:19:39 GMT

It definitely didn't take anywhere near 10 seconds on my machine (late 2010 11" MBA, 1.6GHz). It was a small blip on my Activity Monitor and then went away just as quickly.

mikeash - 2011-11-28 15:29:24

Mon, 28 Nov 2011 15:29:24 GMT

Interestingly, you actually want the hashcash implementation to be as fast as possible. If you make it artificially slow, then an adversary could come along and implement their own that's much faster and defeat your inherent rate limiting. For example, if I calibrate the hashcash to take 10 seconds of CPU time and then somebody comes along and writes an implementation that's 1000x faster, they only have to dedicate 1/100th of a second of CPU time for each post.

As it happens, doing it in JavaScript is about 100x slower than doing it in C using CommonCrypto, so that certainly could be done here. But you'd have to dedicate quite a bit of development time developing a special client just for my blog comments, and at that point I'm not really going to worry about it too hard.

Steve Nicholson - 2011-11-28 02:49:41

Mon, 28 Nov 2011 02:49:41 GMT

I'm trying to come up with some funny way to say that you should have implemented the routine in Flash to use even more CPU time but I got nothin'.

Allan - 2011-11-28 01:18:10

Mon, 28 Nov 2011 01:18:10 GMT

Yup, much better.

mikeash - 2011-11-27 03:23:32

Sun, 27 Nov 2011 03:23:32 GMT

Silly me, I never thought to actually test UI responsiveness. I've tuned how the computation runs and it should be much better now. I'm posting this from my iPad as proof.

Allan - 2011-11-26 21:13:42

Sat, 26 Nov 2011 21:13:42 GMT

The computation took quite a while on my iPad 2 (I didn't time it but it was at least 30 seconds), and while it was churning it was just about impossible to type.

Jose Vazquez - 2011-11-26 20:51:45

Sat, 26 Nov 2011 20:51:45 GMT

Oh noes! My CPUs! they burn unnecessarily! :-) (/me pulls out stopwatch to measure performance)

jcburns - 2011-11-26 18:54:01

Sat, 26 Nov 2011 18:54:01 GMT

Hello, I am commenting for the sake of commenting. Also for the sake of understanding what's happening as I click in these fields and invisible javascript numbers are tossed back and forth. Happy day after day after US Thanksgiving to all.

mikeash - 2011-11-26 18:44:43

Sat, 26 Nov 2011 18:44:43 GMT

Greetings from this new hashcash-enabled world!