On Mon, Feb 15, 2010 at 10:18:12AM +0000, Ian Eiloart wrote:
> You're correct, of course, to caution that automatic reporting
> mechanisms will be subject to automated poisoning. We should, of
> course, build mechanisms to defend against such attacks.

Those mechanisms have already been defeated -- and now we're even
starting to see press reports about some of the many failures.
For example:
http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130320#
which reads in part:

    The complaint details how Mizhen and his affiliates allegedly
    manipulated the statistics that Microsoft's anti-spam system
    relies on by creating millions of new email accounts and then
    moving up to 200,000 of their own messages a day from "junk"
    files into inboxes.

    An associate of Mizhen allegedly contacted Microsoft and
    said that the messages weren't spam -- as evidenced by the
    statistics showing that people moved the messages into their
    inboxes. Microsoft was taken in by the associate's representations
    and unblocked the spam messages, according to its complaint.

Of course, this is just one case that made the popular press, and it only
did so because the spammers involved were sufficiently heavy-handed that
they blew it, and because Microsoft was the target. Smarter spammers --
of which there are plenty -- are more subtle, and are engaged in similar
creative efforts. I trust that everyone on this list is capable of
figuring out how Mizhen et al. could have been slightly more clever and
quite likely evaded detection indefinitely.
(Incidentally, note: "millions of new email accounts". Which, among
other things, is another nail in the coffin of captchas.)
---Rsk