I don't know what a CAPTCHA is and I have no interest in learning a piece of
jargon that is completely pointless.
Talking in a private language that is only understood by a small clique is a
great way to make sure that the outside world ignores important work.
-----Original Message-----
From: Yakov Shafranovich [mailto:research(_at_)solidmatrix(_dot_)com]
Sent: Wednesday, January 28, 2004 10:54 AM
To: Hallam-Baker, Phillip
Cc: ASRG
Subject: 2. C/R - Exploits for CAPTCHAs
[Please follow the posting guidelines, was "Re: [Asrg] Its all over for
Challenge Response". Mod.]
Phil,
First of all, this is ancient news; it was mentioned on the ASRG list
back in November:
https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg07899.html
Additionally, we need to clarify this. The spammers do not break C/R per
se; rather, they overcome the reverse Turing test, AKA CAPTCHA, part of it.
The basic point of C/R is to make sure that the originating email
address is valid and in order for spammers to do the scheme described
here, they must have valid return addresses. Therefore, if any spammer
wants to use this scheme, they become more traceable.
Yakov
P.S. There are also existing problems with using Turing tests, see the
post linked to above for the W3C draft.
Hallam-Baker, Phillip wrote:
Spammers have found a way to break C/R schemes that have a 'Turing test'
component.
You simply set up a free porn web site and get people to crack the Turing
tests in return for seeing the porn.
http://yro.slashdot.org/article.pl?sid=04/01/28/1344207&mode=flat&tid=111&tid=126&tid=172&tid=95&threshold=1
Phill
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"Some lies are easier to believe than the truth" (Dune)
-------
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg