John Levine wrote:
> CAPTCHAs of any form have two other killer flaws. One is that in the
> absence of widespread strong user authentication, which doesn't seem
> any closer now than it's been for the past decade, spammers can avoid
> your challenge by spoofing mail from someone on your whitelist. The
> other is that significant numbers of people, through bafflement or
> exasperation, decline to respond to challenges so unless you never get
> mail from people you don't know (in which case a whitelist is all you
> need) CAPTCHAs will always lose real mail.

That's not really a CAPTCHA problem, it's more a problem with
challenge-response systems in general. The CAPTCHA is just a bolt-on to
make the C-R system less easy to spoof responses to.

So of course, this CAPTCHA-based system has all the other flaws of C-R
systems. In particular, there's the killer problem that spam can be made
to look like challenges, at which point the entire system falls apart
because spam filters begin to delete most challenges, and very few
people will load images, click links or otherwise respond to the few
that make it to an inbox.

In fact, I wish one of the spam gangs would start their next major
campaign by crafting their spam to look like challenges from common C-R
systems. That way we could get rid of the endless supply of people
proposing C-R as the solution to spam, and move on to something more

Asrg mailing list