2005-06-10 11:33:12
John Levine wrote:

CAPTCHAs of any form have two other killer flaws.  One is that in the
absence of widespread strong user authentication, which doesn't seem
any closer now than it's been for the past decade, spammers can avoid
your challenge by spoofing mail from someone on your whitelist.  The
other is that significant numbers of people, through bafflement or
exasperation, decline to respond to challenges so unless you never get
mail from people you don't know (in which case a whitelist is all you
need) CAPTCHAs will always lose real mail.

That's not really a CAPTCHA problem; it's more a problem with challenge-response systems in general. The CAPTCHA is just a bolt-on to make the C-R system less easy to spoof responses to.

So of course, this CAPTCHA-based system has all the other flaws of C-R systems. In particular, there's the killer problem that spam can be made to look like challenges, at which point the entire system falls apart because spam filters begin to delete most challenges, and very few people will load images, click links or otherwise respond to the few that make it to an inbox.

In fact, I wish one of the spam gangs would start their next major campaign by crafting their spam to look like challenges from common C-R systems. That way we could get rid of the endless supply of people proposing C-R as the solution to spam, and move on to something more productive.


