[Top] [All Lists]

Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-06-01 18:16:58
On Jun 1, 2005, at 8:53 AM, John Levine wrote:
My goal here is to minimize annoyance -- once you answer someone's
challenge, his challengebot shuts up.  If you don't, every time he
gets another forged spam with your address in it, you get another

(I'm switching the second-person 'you' in the quoted text to first- person here..)

But doesn't this mean that if my email does get on a spam-list somewhere, and other people have challengebots, then I'll potentially be getting *lots* of challenges. In which case, the 'challenge' email (initiated by the forged spam with my From address) becomes a form of spam in itself. So I either 1) ignore ALL challenges, 2) answer them all, or 3) need some kind of filter to figure out which ones are from legitimate people as opposed to spam-bots.

Situation 3 is just what we have now, except it's harder because there's less information in a challenge on which to decide whether it's legit. In situation 1, challenges become useless (for anyone). In situation 2, challenges also becomes useless.

So unless there's a hole in my logic here (there probably is), if C/R systems are widely used, the will become useless, unless some way of keeping forged email from being sent is found - which is one of the big problems with spam..

Jim <back to lurk-dom>

Asrg mailing list