Hashcash HOWTO

This HOWTO describes how to integrate TMDA with the Hashcash denial-of-service counter measure tool.


Briefly, Hashcash is payment in burnt CPU cycles. A hashcash token constitutes a proof-of-work which takes a parameterizable amount of time to compute for the sender. Thus, mail which contains a valid hashcash token can reasonably assumed to not be spam since sending bulk mail this way would be computationally infeasible.

E-mail senders attach hashcash tokens to their messages with the X-Hashcash header. Vendors and authors of anti-spam tools are encouraged to exempt mail sent with hashcash As this technique becomes more popular, the benefits of using and checking for hashcash tokens will increase. For example, Spamassassin 2.70 supports hashcash checking, so adding hashcash tokens to outgoing e-mail will become more valuable as that version becomes more widely deployed. Also, Microsoft has recently taken interest in this strategy with their Penny Black Project.


  1. Familiarity with both TMDA & Hashcash.

  2. The hashcash executable (source and binaries available from the Hashcash homepage).
  3. TMDA v1.1.3 or above. These techniques will not work with earlier TMDA releases.

Incoming Mail

Hashcash tokens can be checked for in incoming mail using the pipe-headers source in your TMDA FILTER_INCOMING file. See the FilterSources page for more on pipe-headers. Here is an example:

# verify hashcash tokens in the 'X-Hashcash' header field
pipe-headers "/usr/bin/hashcash -c -y -X -b16 -r you@yourdomain.dom" accept

Essentially the headers of each incoming message are fed to the hashcash command string which checks for a valid token in X-Hashcash. If one is found and it can be verified, the hashcash program returns a 0 exit status, and the 'accept' action is run allowing the message to be immediately delivered.

Be sure to consult the hashcash tool documentation and season the above usage to taste.

Outgoing Mail

Assuming you use tmda-sendmail or tmda-ofmipd to "tag" your outgoing messages, TMDA's FILTER_OUTGOING file now allows you to add dynamic/shell-escaped headers with the new shell= tag action. See FilterSpecification for more on the tag action. This provides a convenient way to add hashcash tokens via the X-Hashcash header to your messages. They can be added per-recipient, or for all recipients. The examples below also illustrate use of the built-in $TMDA_RECIPIENT environment variable. This variable contains the address of the message recipient and is available for use anywhere in your FILTER_OUTGOING file.


# Add X-Hashcash when sending to foo@bar.com only.

# store the tag action in a macro
macro HASHCASH x-hashcash shell="/usr/bin/hashcash -q -m -b20 ${TMDA_RECIPIENT}"

to foo@bar.com tag
   from             bare
   reply-to         dated

# Add X-Hashcash to all messages that didn't match a prior rule.
# No macro used.

to * tag 
   x-hashcash shell="/usr/bin/hashcash -q -m -b20 ${TMDA_RECIPIENT}"

Be sure to consult the hashcash tool documentation and season the above usage to taste.

TmdaHashCashHowto (last edited 2007-09-21 16:48:51 by JasonMastaler)

SourceForge.net Logo