ietf-asrg

Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-05-31 09:42:57
I think we can now embrace the concept that we can create CAPTCHA
that are beyond any practical attack that a spammer can generate.

Hmmn.  I gather you're not familiar with the free porn proxy attack:
spammer puts up a web site offering free porn with access granted by
solving the CAPTCHAs that it proxies through from its spam runs.  I'm
not sure if I've seen this used yet, but it would not be hard to do.

CAPTCHAs of any form have two other killer flaws.  One is that in the
absence of widespread strong user authentication, which doesn't seem
any closer now than it's been for the past decade, spammers can avoid
your challenge by spoofing mail from someone on your whitelist.  The
other is that significant numbers of people, through bafflement or
exasperation, decline to respond to challenges, so unless you never get
mail from people you don't know (in which case a whitelist is all you
need), CAPTCHAs will always lose real mail.

Also, some of us do not keep a log of everyone to whom we have ever
sent mail, so when challenges arrive, we can't tell whether it's in
response to mail we sent or not.  My policy is to answer all of them
since then I'll be on that particular correspondent's whitelist and
whether it was real mail or spoofed spam that triggered it, he won't
bother me again.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


