[The message I'm replying to was marked charset=iso-8859-1 but
contained various octets that are not 8859-1 text characters. I've
replaced them with my best guesses at what they are meant to be, in
[brackets]. Michael Kaplan, I'd suggest you fix/replace whatever
brokenware generated that message and incorrectly marked it as
Content-Type: text/plain; charset="iso-8859-1"
.]
I present my response to the critique.
My resposnes below assume you haven't changed it since the version I
read.
This is the first and only CAPTCHA developed that is invulnerable to
technical circumvention. I have to admit that I am surprised that
this innovation in and of itself has not generated more discussion.
Maybe it's because more people agree with me, that it can be and will
be defeated technically, than with you, that it can't and won't?
There's a lot of very good work being done by computer vision people,
solving basically this very problem - and with difficult noisy
real-world images, not the nice clean synthetic ones you use.
I[']ll guess that every three or four months a TYPICAL user will
suffer a day or two of spam and will need to deactivate a single
sub-address. Otherwise this system is beyond any technical
subversion. Is there any other system existing or proposed that can
claim this?
Sure. Any of them. And in most cases, with about as much truth.
Bounces [-] The fact that my system employs bounces seems to greatly
disturb many people. The strongest objection concerns the additional
burden these bounces will put on the email system.
Perhaps strongest to you. The strongest to me is that the
challenge/bounce messages will spam anyone whose address gets forged
into the from-line of spam to an early adopter. Committing abuse in
the name of fighting abuse is hypocritical - and unacceptable.
The theoretical maximum increase in email traffic that this system
could generate would be 100% if we consider an email account that
receives emails with invalid sub-addresses exclusively.
Not quite. There is no real limit to the maximum increase when two
implementations start challenging one another's challenges - it's a
classic bounce laser.
The near perfect efficacy of my system for blocking spam would
justify such expenditure. How would you feel if your email provider
said to you ["]I know you are overwhelmed by spam and that this
system will virtually eliminate it but doing so could cause a near
doubling of your email traffic so you can[']t use it and you must
live with this spam burden forever["]?
I'd feel my email provider was grossly incompetent, both for mistaking
your system for being as effective as you think it is and for thinking
that those two alternatives are the only ones available.
Filters likely increase email traffic to much greater extent, albeit
indirectly, as spammers generate vast quantities of spam to get
around them.
And why won't the same be true with your system?
Spam filters don[']t even have anywhere near the likely efficacy that
my system will have. So a filter is tolerable, but my system
isn[']t?
Filters don't generate spam to forgery victims. (Usually, at least.
Some do, and they deserve to get slapped down for it.)
Language [-] There was also a lot of concern over how the bounces
would be managed by recipients who use different languages. I would
respond that most people who correspond with each other do so in the
same language.
Yes - but how is your system going to know what language that is?
Also many web-sites use the common technique of showing icons of
international flags to represent languages, and clicking on your
respective flag will bring up a page with your own language. This
same technique can apply to bounces.
I'll believe it when I see it. You appear to have mistaken email,
which is a static technology, for the Web, which is interactive to at
least the minimal extent necessary to support the sort of user
interface you describe.
The typical user is not exposing their email address multiple times a
day to spammers.
No; the typical user is exposing others' email addresses multiple times
a day to spammers.
Okay, that's a slight exaggeration. The proportion of zombied Windows
boxen out there has not yet reached 50%, so "the typical user" still
isn't zombied. But any zombied machine's address book is available to
spammers in full, including any address using your system that may be
in it.
Is there anyone who does not think that this system is profoundly
superior to every other challenge/response system?
As I would hope is obviously by now: Yes. Me.
Again I am surprised; my system makes every other challenge/response
system obsolete and yet it has not sparked real discussion or
enthusiasm. Isn[']t this the Anti-Spam Research Group?
It doesn't make anything obsolete until it's implemented and deployed.
Do that and I, for one, will pay a lot more attention.
Seeing the CAPTCHA requires a system that either allows for a
graphics capable MUA or allows activation of a hyperlink [-] True.
You would need to access a system that would allow you to see
graphics.
Which kills it right there, as far as I'm concerned. (As if it needed
further killing for me.)
A graphics capable MUA is the most convenient, but all you would
really need is a computer with a web browser so you can paste the
link into the browser and view the CAPTCHA.
No. A computer with a *graphics-capable* web browser.
Don[']t most people have access to web browsers?
Most people? Certainly. And if you can arrange that only those people
ever send mail to your system, you're fine - in that respect.
Typical users can see email graphics. I obviously travel in
different circles since I don[']t know a single person who uses an
email system that is not graphics capable.
Your system needs more than graphics capable; it needs graphics
convenient. I can, if I need to, extract an image frokm a webpage or
email and look at it. It is not a convenient process, and I most
certainly would not bother to do it to answer a C/R challenge.
I would argue that most typical users would not worry enough about
the minority of people who cannot access graphics via their mail
system. The incentive to use a system that effectively eliminates
spam would outweigh the need to cater to this minority.
Quite possibly. Provided your challenges are easily mechanically
identifiable, so I can reject them automatically, this then won't be a
problem for me personally (except for the extra bandwidth used).
Does the fact that as only 30-40% (a wild guess) of people may want
to use this system argue against it?
Yes, because the rest will get spammed by your challenges every time
their addresses get forged int the fromlines of spam sent to that 30-40
percent.
Before you reject my system can you suggest one that is in any way
comparable?
There are lots of vapourware FUSSPs out there. So far I see no reason
to think yours is anything else.
Implement your system. Deploy it on a small scale. *Then* I'll be
interested in hearing more - in particular, I very much want to hear
your experiences - the *actual* percentages of this and that, rather
than the wild guesses I've seen on both sides. The *actual* end-user
reactions.
I'm not interested in implementing it because I believe it will be far
less effective and more problematic than you think, and I am not
inclined to sink effort into something I think will be useless.
Unless you want to pay me to implement it, in which case contact me
off-list and we can discuss my consulting rates.
Is the status quo superior?
Yes, in at least one way: it doesn't have a third of the net spamming
the other two-thirds with challenge blowback.
Have you totally given up any hope for a truly effective anti-spam
system?
If you mean a purely technical system - yes. Spam is not a
fundamentally technical problem; fundamentally technical approaches
will not eradicate it.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML
mouse(_at_)rodents(_dot_)montreal(_dot_)qc(_dot_)ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg