Daniel J McDonald wrote:
> On Fri, 2009-10-16 at 16:25 -0400, Adam Katz wrote:
>
>> My own proposal for fixing this is to bring back Blue Security's
>> do-not-email list, which is to say a freely available index of
>> secure hashes representing email addresses that have opted out of
>> bulk email. (Recall that the controversial aspect of Blue
>> Security's methods is what they did to violators, which I'm not
>> touching here.)
>
> The other problem with it is that it can be used to scrub lists and
> get a set of real users who don't want spam. There is no guarantee
> that spammers will be ethical and remove the DNE recipients - they
> may find a better return throwing out the addresses that don't
> match...

You're thinking in terms of maliciousness and not profitability. Yes, a spammer can use the hash index to refine a list of known emails to just people who *don't* want bulk mail ... but how does that help?

> And then there are hash collisions...

Not really. They're too rare (and they don't really matter). MD5 (the /simplest/ checksum to consider) has a one in 2^128 chance of a collision. To put that in perspective, the Mega Millions lottery has 1:176M odds, aka one in 2^27.4 -- that's larger by a factor of a binary googol (2^100). (Note, the not-at-all applicable collision attack has a complexity of 2^32.) I'm not worried. If the index is large enough to have ONE guaranteed collision, it's either improperly maintained (and therefore rubbish) or it's a victim of its own success and we no longer need it.
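
The hashed opt-out index and the accidental-collision question discussed in this message, as an added example (not code from the thread or from Blue Security). The trim/lowercase normalization, the function names and the sample addresses are assumptions, and the probabilities treat digests as uniformly random 128-bit values, which covers accidental collisions only.

```python
import hashlib
import math

def address_digest(address: str) -> str:
    """MD5 hex digest of a normalized address (normalization is an assumption)."""
    normalized = address.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()

def build_index(opted_out):
    """The published index holds digests only, never the addresses themselves."""
    return {address_digest(a) for a in opted_out}

def is_opted_out(index, address: str) -> bool:
    """A bulk sender hashes each recipient and drops the ones that match."""
    return address_digest(address) in index

def collision_probability(entries: int, bits: int = 128) -> float:
    """Birthday bound: chance that any two of `entries` random digests collide.

    P ~= 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision when P is tiny.
    """
    exponent = -entries * (entries - 1) / 2.0 ** (bits + 1)
    return -math.expm1(exponent)

def entries_for_probability(p: float, bits: int = 128) -> float:
    """Approximate index size at which the collision probability reaches p."""
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))

if __name__ == "__main__":
    # Constructed sample addresses, for illustration only.
    index = build_index(["alice@example.com", "bob@example.org"])
    for rcpt in [" Alice@Example.COM ", "carol@example.com"]:
        print(rcpt.strip(), "opted out:", is_opted_out(index, rcpt))

    # Index sizes from a million to ten billion opted-out addresses.
    for n in (10**6, 10**9, 10**10):
        print(f"{n:>14,} entries -> P(collision) ~ {collision_probability(n):.3e}")

    half = entries_for_probability(0.5)
    print(f"50% collision chance needs ~2^{math.log2(half):.1f} entries")
```

A false match here only means one address is wrongly treated as opted out, and the index would need on the order of 2^64 entries before even one accidental collision becomes likely.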