I think we can now embrace the concept that we can create CAPTCHA
that are beyond any practical attack that a spammer can generate.
Hmmn. I gather you're not familiar with the free porn proxy attack:
spammer puts up a web site offering free porn with access granted by
solving the CAPTCHAs that it proxies through from its spam runs. I'm
not sure if I've seen this used yet, but it would not be hard to do.
I am very familiar with the concept of the free porn proxy attack. I address
this issue specifically on my website:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm
The response is under the "Critique Questions and Answers" section. After my
website was featured on Slashdot there was a deluge of criticisms concerning
the porn proxy attack by people who did not completely review my website, so
near the end of my website I expounded once again on the futility of this
attack (basically the small number of CAPTCHA that can be solved would be
irrelevant within the context of my anti-spam system).
I will also mention that I attended the Second International Workshop on Human
Interactive Proofs this month at Lehigh University
http://www.cse.lehigh.edu/prr/hip2005/index.html
Everyone was aware of the concept of the porn proxy attack but no one was aware
of it being in current use. The organizers of the conference asked if anyone
could provide a website where this was taking place but no one could. If you
know of such a website then please let me know and I will forward it to the
organizer of the conference.
CAPTCHAs of any form have two other killer flaws. One is that in the
absence of widespread strong user authentication, which doesn't seem
any closer now than it's been for the past decade, spammers can avoid
your challenge by spoofing mail from someone on your whitelist. The
other is that significant numbers of people, through bafflement or
exasperation, decline to respond to challenges so unless you never get
mail from people you don't know (in which case a whitelist is all you
need) CAPTCHAs will always lose real mail.
Your criticisms refer to a conventional C/R system but do not apply to my
anti-spam system. The whitelist system as described by my anti-spam system
only contains personal contacts and individuals to whom you have sent email.
There is no way for a spammer to determine who is on your whitelist. Even if
spammers learned the identity of one or two contacts on your whitelist then it
wouldn't matter; you would remove these names from the whitelist but you would
still be able to receive mail from these individuals as they will just use a
valid sub-address like everybody else.
Thank you for your input,
Michael G. Kaplan
--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg