
Re: [Asrg] Unique innovations made to anti-spam system

2006-01-23 20:55:26
On 1/23/06, Richard Clayton <richard(_at_)highwayman(_dot_)com> wrote:

 I also note that his CAPTCHAs are
not text based. I'd need to do some more work to comment as to whether
his stick-figures are genuinely harder to solve. They looked as if they
made some cultural assumptions that might not travel well.]


The 3-D CAPTCHA is not text based but as I explain on my site I believe that
existing text based CAPTCHA such as the Microsoft CAPTCHA provides more than
enough security.



So one could get appropriate skills for about $10 or so a week [labour
rates are higher for towns with broadband].  For a 50 hour week that
means you're paying about 20 cents an hour.

I've never tried solving CAPTCHAs at speed, so I couldn't predict how
fast I could do them for hours on end. But it looks to me that the cost
is definitely going to be in fractions of a cent/solution.


Try solving a few of the Microsoft CAPTCHA.  An experienced person should
take about 3 seconds.  Working nonstop 12 hours a day would get you 14,400
solved CAPTCHA.  I'll use my figure of 80 million CAPTCHA solved in order to
deliver one million spam.  That means that every day the spammer is
employing 5,556 workers using 5,556 computers that use electricity and may
need air conditioning.  And the third world owner of this business needs a
cut and you'll need security guards so that the computers won't get stolen
and...

However you crunch the numbers this is a major expense.



Why does the filter suddenly improve when the email is sent for the
second time (viz: it starts to discard 95% of the email that it approved
earlier?).  Or -- same idea but different: why does the spammer send
something that is filterable at the first stage?



      Further, I'd dispute that applying two 95%-effective spam
      filters has a net 99.75% success rate.

   Very well

hmm... I think it needs more than that as a reply :(


During the harvesting phase the spammer must do what spammers never do:  use
a real and functional return address.  We can speculate about how crippling
this would be for the spammer.  I'll assume that spammers will be forced to
send poorly filterable material during the first round but the incredible
burden of using a real return address may still allow for a degree of
filtering.

So we will say that it is on the second round that real spam is sent and
that 95% of this will be filtered.  Almost every commonly used domain is
trusted, but this spam is using a sub-address that was sent to an untrusted
domain; a stronger filter can be applied to sub-addresses sent to untrusted
domain.

But also remember that it is very obvious which domains are sending harvest
spam.  An ISACS-utilizing email service provider may normally get only 50
bounce-generating emails a day from the little-known untrusted domain
Sleazy.com.  Now over the last 30 minutes 100,000 bounce-generating emails
come in from Sleazy.com.

Now the second round of spam comes in using real sub-addresses but spoofed
"From" fields.  The email service provider can reject and send ISACS bounces
to all of these extremely suspicious sub-addresses if they do not use the
Sleazy.com domain.  Legitimate correspondents usually would resend the
bounce from the same domain, but ISACS usually allows them to use any
domain.  Extra restrictions can be placed on these extraordinarily
suspicious sub-addresses.  Or these extra-suspicious sub-addresses can just
have a ridiculously strong filter applied to them.

There are endless ways to play with the numbers, but I'll stick with the
estimate of 1.6 billion spam emails with real return addresses sent in order
to deliver one million spam (And I repeat the question - Is this even
possible?)

Thank you,
Michael Kaplan
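The sub-address handling Michael describes above (the harvest-spike observation and the second-round treatment of sub-addresses sent to untrusted domains), as an added example that is not code from the thread or from ISACS itself; the TRUSTED set, the baseline bounce counts, the 30-minute window, the 10x threshold and the treatment of unregistered addresses are all assumed:

```python
from collections import defaultdict, deque

# Assumed set of trusted correspondent domains (constructed for this example).
TRUSTED = {"example.com", "mail.example.net"}


class IsacsGateway:
    """Toy model of the sub-address handling discussed in the thread."""

    def __init__(self, baseline_per_day):
        # sub-address -> domain it was originally handed out to
        self.issued_to = {}
        # domain -> timestamps (seconds) of recent bounce-generating mail
        self.bounces = defaultdict(deque)
        # domain -> normal number of bounce-generating mails per day (assumed)
        self.baseline_per_day = baseline_per_day

    def issue(self, sub_address, domain):
        self.issued_to[sub_address] = domain

    def record_bounce(self, domain, ts):
        self.bounces[domain].append(ts)

    def harvest_spike(self, domain, now, window=1800, factor=10):
        """True when bounces from `domain` in the last `window` seconds exceed
        `factor` times what its daily baseline predicts for that window."""
        q = self.bounces[domain]
        while q and q[0] < now - window:   # drop events outside the window
            q.popleft()
        expected = self.baseline_per_day.get(domain, 0) * window / 86400
        return len(q) > max(1.0, factor * expected)

    def classify(self, sub_address, sender_domain, now):
        """Decide how to treat mail to `sub_address` that claims to come from
        `sender_domain` (the From: domain, which may be spoofed)."""
        issued = self.issued_to.get(sub_address)
        if issued is None:
            return "normal-filter"            # not a tracked sub-address (assumed)
        if issued in TRUSTED:
            return "normal-filter"            # handed to a trusted domain
        if sender_domain != issued and self.harvest_spike(issued, now):
            return "reject-bounce"            # harvested sub-address, spoofed From
        return "strong-filter"                # untrusted domain: stricter filtering
```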