Why the CAPTCHA Approach Is Doomed 522
TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."
So what next? (Score:2, Insightful)
So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
All except the money solution seem to rely on being able to pin an identity to a particular user (or bot). For example, GMail's rate limiting assumes that each bot has exactly one GMail address.
It falls apart when the bot registers a few hundred thousand GMail addresses.
What prevents bots from doing that now? CAPTCHAS.
I agree with the article that CAPTCHA is doomed and that other approaches are needed. I don't agree that either of those solutions work, by themselves.
Re:So what next? (Score:5, Funny)
So if the CAPTCHA is doomed, what is the next approach?
Torture
Re:So what next? (Score:5, Funny)
So if the CAPTCHA is doomed, what is the next approach?
Torture
You mean, TORTCHA?
Re: (Score:3, Insightful)
Re:So what next? (Score:5, Funny)
Place Goatse on the front page. After everyone's eyes are bleeding, the only remaining visitors will then be robots. Behold, you have isolated the set of spambots from the set of humans.
Inverting the set to get the humans instead of the bots is left as a trivial exercise to the reader.
Re: (Score:3, Funny)
You repeat yourself.
Re:So what next? (Score:5, Interesting)
Spam-filters analogous to those applied to email seem to be increasingly used as plugins to various blog engines.
Re: (Score:3, Insightful)
So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.
The next thing to do is to close the services that needs (CAPTCHA) spam projection. This means no more free email. Get used to paying.
Re: (Score:3, Interesting)
Why is this bullshit non-solution always brought up by some greed-monkeys who salivate at the idea of charging billions in "micro-payments" ... oh wait.
I will make it as simple as possible to you: pay-to-play-posting + bot-net = spam unabated + billions in charges to hapless consumers. And no, securing PCs air-tight is not a practical solution in a situation where average u
Re: (Score:3, Interesting)
Which does not change the dynamics one bit. The bot net operators will simply direct their bots to steal the pay-to-play site passwords that the victims go to and the game is over. Worse, because now you no longer guard against spammers for these pay-to-play accounts, you've now made
Re: (Score:3, Interesting)
They will wait until millions of doofuses sign up, with their individual credit cards, PayPal accounts and what-not, and then use the bot-infected PC's belonging to the hapless victims to log in and spam away.
You need to stop spam from reaching the users. If they don't see it, they aren't bothered by it.
I've said it before- Email Certification.
Want to run a Certified Email server? Go to your ISP (
Re: (Score:3, Interesting)
Nonsense. No amount of incentive will get Grandma to start running (and understanding the output of) packet sniffers, traffic analyzers and the like. This has nothing whatsoever to do with "locking down" computers as automated countermeasures are only very superficially effective against a very adaptable enemy.
Grandma doesn't need to do packet sniffing, traffic analysis and the like. She simply needs to alter her behaviour slightly. To maintain your machine(s) free of malware you simply need to be careful, maintain your anti-virus etc and be alert for odd changes in your machine.
Again, since you do not run frequent, in-depth manual checks on your system, you do not even know if you are not already owned by a deep seated root-kit. Everything you described is insufficient do defend, or to even detect such an attack. Also you already perform things that average user is not likely to do, even with incentives, as the whole idea of choosing where not to go on the Internet is the anathema of Internet use to them. You might as well kick 80% of people off the Internet by some legislation.
Sorry, but do you actually know how almost all things like root-kits etc are installed on a users machine? Solcial engineering.. It might be cooler to think that someone somewhere is attacking your machine directly and you can't prevent i
Re:So what next? (Score:5, Interesting)
Now, I didn't say you'd LIKE what 's next...
RS
Re: (Score:2)
There are other alternatives, like better blocking at the client side.
For this to be more feasible, blogs and e-mail sites need to come up with published and preferably common standards for their output. Which would be another win for the consumer.
Re: (Score:3, Insightful)
Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.
No it won't, and once we introduce it we'll be stuck with it.
Now, I didn't say you'd LIKE what 's next...
You're right, I don't like the idea of killing off the Internet as we know it over a misguided attempt to stop something that can only be limited, not stopped. Sometimes the cure is much much worse than the disease and in that case the cure should be rejected.
Not really (Score:5, Informative)
Re: (Score:3, Insightful)
If the computer was so compromised that the spambot was able to log-in to secure websites (which any site that used a pay-to-post system would need to be) as if it was the legitimate operator of the computer, it makes sense to charge the operator of the computer. This will also, very quickly, encourage adoption of good security practices, as when th
Re:So what next? (Score:5, Funny)
Re:So what next? (Score:5, Funny)
Re:So what next? (Score:4, Funny)
Re: (Score:3, Funny)
Oh yes you can, depending on your definition of 'to eat'...
Which reminds me of the old joke. guy's out driving in the country and he sees a pig with a wooden leg. He thinks that's weird so he goes up to the house and says "hey, I was wondering about the pig with the pegleg" and the farmer says "oh, man, let me TELL you about that pig -- he goes and gets the mail for me, he guards the house, he bites burglars, I'm even training him to drive my lawnmower!"
"Okay, that's cool," says the guy, "but what about t
Re: (Score:3, Insightful)
And that's only because your podcast website doesn't present a large enough target to warrant changing the bots' heuristics to spam it.
The "pay someone to answer" solution to captcha works just fine for breaking your site, too. It's just not worth it (yet?).
Of course, that's the same solution many have for spam: by diversifying the operating system landscape among desktops (not a monoculture of Windows), we break down the value of targeting any particular vulnerability. It's alleged that the only reason t
Re: (Score:2)
I'd rather see a hundred spams getting through than one legitimate user being blocked.
Re: (Score:3, Insightful)
No, the legitimate user can't always try again.
Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complimentary colours of the same intensity. That works well unless you can't read text on a complimentary colour background, in which case you're always fscked. I am one of those.
Or don't forget blind people.
Or, in the case of "intelligence" captchas, people from other cultures. One particularly obnoxious site I went to had all questions about rap music and American sports. Neither of w
Re: (Score:3, Insightful)
In other words, the one size gets better as it approaches the limit of how many it fits; don't let the good be the enemy of the perfect!
Animated Captchas (Score:3, Insightful)
Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complimentary colours of the same intensity. That works well unless you can't read text on a complimentary colour background, in which case you're always fscked. I am one of those.
Sounds like an animated captcha could be an alternative approach, since here you could vary the intensity over time. Of course the animated captcha should only be server generated series of bitmaps or vectors, and not be client generated (Flash would fail), for
Re: (Score:2)
The end of free speech on the web? (IE single/shared logins across the web.) maybe require excellent Karma on slashdot before you can get a digg/youtube/reddit/myspace/craigslist login.
Re:So what next? (Score:5, Interesting)
Charge a fee. It doesn't have to be money. It could be cycles.
Have the client hash the message append some random characters to the end of the message. Have it change vary the characters until the hash matches some pre-defined pattern before sending. Cheap to verify on the incoming machine (just one hash), arbitrarily expensive on the sending machine. Your requirement can be for a certain number of characters or a specific sequence of bits, all the way up to the bitlength of the hash.
It doesn't answer the question of "is the sender a human" but it does answer the question of "how much is this message worth to the sender." The beauty of it is that that is sufficient.
If the spammer is using a dedicated server, you can limit the amount of spam they can send arbitrarily. Imagine how profitable a spam server would be if it cost $3k to send 86,400 messages per day? If the spammer is using a botnet, that scales a little better for them, but since it chews up cycles, it's going to make their operation noticeable to users.
There are probably better ways even than that, and someone will eventually find one that is more deterministic (it's unlikely, but there's a chance that someone could just be unlucky enough to never be able to chance on the right sequence using a psuedorandom perturbation approach)
I didn't think of this though, so there might be some patents. Google for message digest spam control or something like that to see some papers.
Re:So what next? (Score:5, Informative)
That wooshing sound.... (Score:5, Insightful)
...is the point going right over the author's head.
A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.
Re: (Score:2)
I think the point here is it won't even be a speed bump soon.
Re: (Score:3, Informative)
Re:That wooshing sound.... (Score:4, Insightful)
Almost nobody takes the time to make a spam-bot.
Some 90% brain-dead excuse for human life takes something off the shelf and points it at whatever software you're running. Unless you're one of the most visited sites on the net, a minor modification to the code, and a manually integrated captcha is going to stop practically everybody from spamming your site.
Re: (Score:3, Insightful)
Errm... on small scale CAPTCHA's work brilliantly. For instance, if you've ever installed and administrated a PHPbb forum, the CAPTCHA that comes with has been broken to hell such that as soon as your site is indexed, it's going to be spammed. Adding retardedly simple changes to the CAPTCHA will immediately stop all the spamming until someone specifically re-writes the bot for your site, which is doubtful in most cases.
I didn't specifically do this, but you could change the code to say "Add these 2 number
Re:That wooshing sound.... (Score:5, Informative)
Yup. I used PHPBB2 and changed the CAPTCHA code.
"Type the following text in the CAPTCHA box . Ignore the image below."
All spamming stopped. Regular users were fine.
Re:That wooshing sound.... (Score:4, Informative)
Yes, me too. I simply ask "How do you spell spam?" for my question. Stopped the spambots in their tracks :)
Re: (Score:3, Interesting)
It only works for us small-fry. If we got any serious amount of traffic, we'd be worth 'cracking'.
Re: (Score:2)
Well I think you make a good point: for many sites, it's not particularly worth the effort to break the capatcha. On the other hand, it may be worth the effort for some sites, and it will be broken for the sake of those sites.
Once they've figured out how to break those, they might (possibly) be able to apply the same technique to everyone else with little overhead. But really, that's not even the point. If spammers can hack verification on major sites and get access to millions of free email addresses,
Re:That wooshing sound.... (Score:5, Interesting)
They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.
Plus, if you're using ReCaptcha [recaptcha.net], you're making the spammers do a little bit of good for the world. If they can develop software that reliably cracks ReCaptcha, then they've solved a lot tougher problem than just pushing v1@g@r@.
Re: (Score:3, Informative)
Re: (Score:3, Informative)
I tend to think using Recaptcha just earns somebody money, it is not really doing any particular good for the world.
Would it be asking too much to suggest you check the FAQ [recaptcha.net] or About Us [recaptcha.net] links? Is it enough that "reCAPTCHA channels this human effort into helping to digitize books from the Internet Archive", or does it help that "reCAPTCHA is a project of the School of Computer Science at Carnegie Mellon University"?
Or perhaps you'll take the word of Science magazine [recaptcha.net]. Of course, the link is to a .pdf reprin
Re:That wooshing sound.... (Score:5, Insightful)
CAPTCHAs have moved far past "tiny speed bumps" for me. Many are case sensitive yet vary letter size greatly; they use fonts which make the number 1 and the letter l identical; and they smash things together making, for example "m" and "n n" identical.
Implementers also suck royally. Sites often require a long list of information be typed, including redundant passwords. Then they lose ALL that information when you get the CAPTCHA wrong. Some get caching all screwed up. It's a mess.
CAPTCHAs today are so much worse than "speed bumps" for regular users, that I'm beginning to wonder whether I, myself, am a bot. The internet is becoming unusable to me.
there's another woosh over your head (Score:4, Insightful)
Greylisting only works because many sites don't use it; if everybody used it, it would stop working.
The economics of CAPTCHAs are even less favorable, since the cost of breaking a CAPTCHA is small compared to the cost of what the bot actually does after it has broken it.
question and answer seem to work well (Score:4, Funny)
Re:question and answer seem to work well (Score:5, Funny)
At that point spam will be the least of you worries, fleshbag.
Re: (Score:3, Funny)
"Are you alive?"
"Yes."
"Prove it."
Re:question and answer seem to work well (Score:4, Insightful)
...until AI gets smart enough to answer questions intuitively.
It's REALLY HARD to automatically generate random questions that an average human can answer easily, but that current AI technology can't answer just as easily. Of course you can come up with questions yourself, and compile a list of them, but if you've only got a list of a hundred questions, then all the spammer has to do is figure out the answers to your hundred questions, and then he has free reign to do whatever he wants. Or, come up with the answer to ONE of them, and he has free reign to do whatever he wants at 1% the speed he could otherwise, which is still a hell of a lot of spam.
If you don't believe me, you try writing software that will generate random questions. Here's my stab at it [webwizardry.net], which would barely slow a spammer down.
Re:question and answer seem to work well (Score:4, Funny)
I don't know.
Humans fail the "What are your username and password?" question all the time.
Annoyance (Score:5, Insightful)
That's where the issue is.
I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. Its a serious annoyance and I've seen WORSE that I haven't even attempted.
Just accept the truth ... (Score:4, Funny)
After three tries (Score:3, Interesting)
block the I address for 10 minutes, then an hour then a day.
CAPTCHAs work as well as DRM... (Score:4, Insightful)
... which is another way of saying they really doesn't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.
Re: (Score:3)
There have been MAYBE half a dozen Captcha's in my life that I have failed to get through. The "annoyance" is what... 5 seconds spent on an extra text field? Maybe 30 seconds if your eyesight suck _really bad_?
DRM, on the other hand, can keep users from actually installing programs that they paid for. It will often disable these programs outright if certain conditions are not met. It can keep users tied to services, keep users tied to the int
Stuck in the old ways (Score:5, Insightful)
Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?
On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:
<input type="text" name="email">
<input type="text" name="subject">
<input type="text" name="message">
Obviously it's pretty easy to fill out. If they see this instead:
<input type="text" name="sj38d74j">
<input type="text" name="9sk2i84h">
<input type="text" name="m29s784j">
Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).
It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:
<input type="text" name="email" style="display: none;">
That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.
Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.
How does that work with Auto-Fill mechanisms? (Score:2)
I like the general idea, however a problem I see is that mechanisms that auto-fill forms for you (like your name and email address) may not work on your page - and even worse might populate that honey pot field the same way a bot would.
Re: (Score:2)
Auto-fill tools work by remembering the previous values of the fields. As long as the field names weren't changed from visit to visit, it should work fine.
If you're talking about the robo-form fillers that try to fill out forms that you've never visited before, it'd be easy enough to clear the honeypot inputs using Javascript after the page was loaded. A robot most likely wouldn't execute the Javascript.
Re:Stuck in the old ways (Score:5, Informative)
Re: (Score:3, Insightful)
So, essentially, this works as long as its not a common technique, but as soon as it becomes common enough to matter to the overall volume of forum spam in the world, there is a trivial way for spammers to adapt to it and defeat it.
One captcha I've seen... (Score:3, Interesting)
has a different take on the subject. Rather than trying to obscure the image with lines or similar measures, it uses a series of letters, some of which are a color. You are then asked to type in the colored letters to proceed.
I don't know if these are static images or generated each time but the owner claims his site has almost no spammers (i.e. people have to do it, not machines).
Great for daltonists (Score:2)
Srly - great. :)
Re: (Score:2)
His site probably also doesn't have many colourblind users.
Re: (Score:2)
His site has hundreds of thousands of registered users so I am presuming he has a few. He does have an alternative method for color blind people to use.
Re:One captcha I've seen... (Score:5, Interesting)
This is also not very difficult to break. Assuming that the letters and numbers aren't obfuscated the same way CAPTCHA images are (if they are then this is just another CAPTCHA), a bot would be able to parse the characters out of the image. It could then classify the characters into groups of colors, pick one group randomly, and guess. There couldn't be more than four or five colors in the image since asking to differentiate between aqua/navy/royal/pale blue is unreasonable for a human (but interestingly enough, not difficult for a computer). That would give you a bot with a ~20-25% accuracy rate.
Beyond that, you could parse the question as well, looking for the words red, blue, green, black, etc. and classify ranges of hex colors into associated color names. That would greatly increase success rate of guesses.
This is not a reliable CAPTCHA replacement and in fact seems not very difficult to break.
Wrong implementation (Score:4, Informative)
Most CAPTCHAs are hacked because their implementation is amatuerish. They are hacked by resusing session ids or dictionary attacks and nothing to do with actual image itself. Long story short CAPTCHAs reduce the amount of spam by more than 50% simply because it's not worth the effort for a spambot to break it, after all they have the entire internet to spam.
Some are good some are bad and most are downright horrible, but you wouldn't want your favorite forum to be trolled by spambots would ya? Might as well live with it. Nothing works 100% you should know that by now
Re: (Score:2)
My favorite site is /. It's already trolled by spambots, you insensitive clod.
New option for stopping bots (Score:2)
It looks like we need a different approach to stop the bots.
Nuke the sites from orbit; it's the only way to be sure.
Limit services based on effort expended (Score:4, Interesting)
The more effort someone is willing to put out to prove they are human or are backed by a human willing to be responsible for problems, the more abuse-able services you give them.
For example, e-mail service providers could offer several tiers:
Simple signup/new accounts:
Limited number and size of incoming and outgoing messages.
Verified signup/driver's license with confirmation by paper mail:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Verified signup/credit card with confirmation:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Established account, with a pattern of usage indicative of a human over a period of several weeks:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Credentialed user, backed by a substantial bond or deposit and an explanation of why suspicious behavior really is legitimate:
Full access plus a free pass on "legitimate" suspicious behavior until someone complains, but if it's abused then throttle him and take the costs out of his deposit.
The catchpa is fundamentally flawed (Score:2)
Stopping bots is easy... (Score:5, Funny)
1/0 = ?
It's a Turing test (Score:2, Insightful)
CAPTCHAs are simple Turing tests. As computers get faster and software gets smarter, it will become harder and harder to tell them apart. Also, since humans have a broad spectrum of ability, there will be an increasing percentage of humans who can not pass the tests.
For example, math students who can not tell a Rembrandt from a Picasso, and art students who can't determine the roots of a simple quadratic. (See, I'm not picking on anyone in particular - we are all ignorant in most fields.)
In future we wil
Re:It's a Turing test (Score:5, Funny)
Refresh the page a bit, fun to see what you can get.
Re:It's a Turing test (Score:5, Insightful)
A CAPTCHA is not a Turing test. A Turing test requires that a person tell a computer and a human apart; the CAPTCHA problem is harder, from a certain point of view, because a computer is required to tell a human and a computer apart.
What about the economic argument? (Score:4, Insightful)
Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implement now don't work, but here is a method that is trivial for people but hard for computers."
TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?
I really like the concept behind Re-Captcha (Score:3, Interesting)
I watched an amazing mini-documentary about Re-Captcha and really like the concept and the end goal. Basically Re-Captcha uses two words, one known word and one of the words is unknown and comes from book digitization efforts. The known word gets you into the site for whatever you are doing, the unknown one comes from a literary work that OCR couldn't figure out. After a large sampling of people have typed the unknown word the majority answer becomes the text entered in the digitization effort.
My contention is that people like myself who think it is a great cause would happily spend some free/bored time just entering the unknown words on a website without the whole captcha bit. If anyone here is a part or knows anyone on the team please bring this idea up.
Re: (Score:3, Informative)
(Repost) A Few Common Captcha Fallacies (Score:5, Insightful)
Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!
Ideas that won't work:
Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.
How many questions can be checked by machines but not answered by them?
Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] [wikipedia.org] has some validity: the human mind is no more powerful than a turing machine, and ultimately, computers and our brains are equivalently computationally. There's nothing a computer can't solve: there are just things we haven't figured out yet.
Here's what I use... (Score:3, Interesting)
When the PHPBB2 CAPTCHA became completely useless and I was seeing hundreds of bot registrations on a forum I ran, I built something else. I added a simple extra text field to the registration form. I ask a plain English question, giving away the answer, and require the user to write it in the blank.
i.e. What is the common name for a domesticated feline? (Starts with "c" and ends with "at" This is an anti-spam measure)
The field is checked for the right answer on the post-processing. This stopped 100% of the fake registrations. I ended up doing this on practically every web-accessible form I have built since then, and I've seen the method pop up on other people's websites as well (certainly parallel evolution rather than "they got it from me").
Obvous plan to rid world of spam (Score:3, Insightful)
UN solution (Score:3, Insightful)
It is a bog problem and requires a big solution.
Our leaders shall overcome their cultural shock, phase out activities in local organizations, like EU, NATO, CIS, etc., and begin to work in a global setup, the UN, the WTU - world telecommunication union, Interpol, UNICEF, etc.
What is the point of fighting spam in, say, the USA, if it will continue to pour in from, say, Indonesia?
Re:8==C=A=P=T=C=H=A==D (Score:5, Interesting)
This troll actually gave me an idea. Why not ascii art?
Give an ascii art picture and asc the user to tell what it is.
In this case cock would let you through.
Re:8==C=A=P=T=C=H=A==D (Score:5, Insightful)
Because an open ended question would get a million different responses.
And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.
Re:8==C=A=P=T=C=H=A==D (Score:4, Informative)
Already been done [thephppro.com].
Re: (Score:2)
Re: (Score:2)
FIGlets are still ASCII art.
text banners, in a variety of typefaces, comprised of letters made up of conglomerations of smaller ASCII characters (see ASCII art).
Re:8==C=A=P=T=C=H=A==D (Score:4, Insightful)
Re: (Score:3, Insightful)
While that may be effective for the moment, as soon as a webmail provider starts using it, it'll be cracked overnight.
Re: (Score:3, Insightful)
I have suggested a solution more times than I care to count:
There's your first clue that maybe your solution isn't the be-all-end-all you think it is.
impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails.
OK, but who are you suggesting should impose these default caps? ISPs? That's fine, but the only way an ISP can do this is by firewalling outbound port 25 and requiring all their customers to relay mail through the ISP's mail server. A lot of ISPs do this and I wish more of them would, but it can cause problems for customers (if you're required to relay through your company's SMTP server instead and they haven't con
Re:My solution is simple & elegant: (Score:5, Informative)
The author was arguing that one of the primary reasons to do captcha breaking is to get freebee email accounts on GMail/Yahoo to send spam from.
Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.
It's one approach that would make a difference, but it's clearly not the only solution.
Re:My solution is simple & elegant: (Score:5, Insightful)
Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.
Doesn't this increase the desire to get more accounts faster?
Re: (Score:3, Interesting)
Example: Picture of cat.
Question 1: Does this fly?
Question 2: Is this living?
Question 3: Would a human be able to pick this up?, etc.
Re: (Score:2)
1: It does if I throw it hard enough
2: No, I threw it against the wall.
3: No, its a picture on my lcd thats bolted to the wall.
Do I have access yet? Question/Answer is just too freeform and questionable. They would frustrate way too many people as they require reading and understanding and at least some degree of thinking. If you make it multiple choice then you've really just made it a guessing game where brute force and volume will be all that matters. Captchas are annoying as well, but pretty simple to
Re: (Score:3, Insightful)
All the bot needs to do is do a google search for "site:example.com", hit a random sampling of the results, and then register.
In the grand scheme of things, it probably only adds a few percent of overhead for the bot.
Re: (Score:3, Informative)
I agree there are ways to circumvent it, but the majority of bots will not go to the trouble of doing that, and that's the key.
Another idea would be to observe mouse movements through Javascript to detect a real user. This would be VERY inefficient for a bot, and probably not worth the while.
This would work great until the majority of websites do it, then it is worth the overhead for the bot to go to the trouble of doing it. When CAPTCHA started it wasn't worth the bot writers' trouble to crack it. They just went to easier sites, but as more and more sites adopted CAPTCHA the value of cracking it became greater. Any successful system will eventually be adopted by a large enough number of websites to make it worth the bot writers' time to crack. At which time they will.
Re: (Score:2)
...which is why a home-rolled system will probably always be more efficient, as long as it's sufficiently different from the majority of other solutions and remains so (obscuring it somehow to avoid copycats might be a good thing).
Re: (Score:2)
Whenever I've looked at automating scraping or whatever of some sites, it's occured to me how easy it would be to block by behaviour - like how scraping tools tend not to download images or make attempts at precise intervals. Obviously all this behaviour could be replicated, but it'd be a lot more work and would put limits on what the bot could do.
Re: (Score:2)
Recipient-pays messaging is the problem (Score:3, Insightful)
It's worse than that. Any free or recipient-pays message system is subject to exactly the same amount of abuse. When sending a message costs nothing, the marginal cost of advertising is zero. As long as the marginal gain is non-zero, however small, volume will go to infinity. You can filter and legislate to reduce the volume of this advertising, but you'll never actually eliminate it. These countermeasures just bring the marginal cost of
Re: (Score:3, Funny)
sweatshop ... paying roughly $5/hour
You're doing it wrong.