ietf-asrg

Re: [Asrg] FC: Will new "spam reduction" service result in... more spam?

2003-03-24 18:38:17
On Mon, Mar 24, 2003 at 04:16:13PM -0800, Steve Schear wrote:
> E-gold uses this approach. They call it a Turing number (after the British
> mathematician, Alan Turing)
> https://www.e-gold.com/acct/login.html  Challenge responses may eliminate
> spam from bogus addresses but it is almost sure to set off an image recognition
> arms race between other spammers and Turing number technologists as they try
> to fashion ever more clever images that supposedly can be easily read by
> humans but not machines.  There are already programs to "read" earlier (and
> maybe current) versions of E-gold's Turing number images.  I would be
> surprised if these measures proved effective.

Actually, it is an interesting question of what arms races spammers would
wish to engage in.

From a purely rational standpoint (bear with me on this!) the spammer
simply wants to send as many messages to the best prospects per unit of
time and bandwidth.

This means that if the spammer gets a challenge (or even something as simple
as a temporarily unavailable status) they can do one of two things:
    a) Try to respond to the challenge
    b) Simply move on to delivering the next message in the list.

As long as B is easier than A, the rational thing to do is to just do B.

This changes in two cases.  If most people start issuing challenges or
other such barriers, B is no longer productive, and so you now start the
arms race -- but only until you have enough people to send to again.

Secondly, if you have some idea as to the "quality" of an address, in terms
of probability of making a sale (direct marketers try to measure this all the
time) then you are motivated to do extra work on the higher "quality"
targets.

Finally, spammers will not be rational, and may wish to get in an arms race
for the spite or challenge of it.   (There's a lot of spite in both directions
in this field.)

Nonetheless, I think people overestimate the arms race.  I have seen challenge
response systems that try to do natural language questions, or embed images
only the human eye can see in graphics.

I wrote a challenge/response system six years ago that simply asks for any
reply at all -- it doesn't put any burden on the other party, and would be
easy to defeat with something as simple as an autoresponder.  Yet it works;
the spammers have not attempted to use this simple defeat.  Once they start,
I will easily enough move to something else, but it is telling that in six
years they have not, even though others have also built a number of
challenge/response systems since then.  Sometimes spammers have autoresponders
for other reasons, but they have been easy for me to eliminate.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg