From: David Fetter <[email protected]>
To: Dave Page <[email protected]>
Cc: PostgreSQL WWW <[email protected]>
Subject: Re: human validation on post comments
Date: Tue, 21 Mar 2006 09:16:01 -0800
Message-ID: <[email protected]>
In-Reply-To: <E7F85A1B5FF8D44C8A1AF6885BC9A0E4011C9692@ratbert.vale-housing.co.uk>
References: <E7F85A1B5FF8D44C8A1AF6885BC9A0E4011C9692@ratbert.vale-housing.co.uk>
On Tue, Mar 21, 2006 at 04:54:24PM -0000, Dave Page wrote:
>
>
> > -----Original Message-----
> > From: David Fetter [mailto:[email protected]]
> > Sent: 21 March 2006 16:45
> > To: Dave Page
> > Cc: PostgreSQL WWW
> > Subject: Re: [pgsql-www] human validation on post comments
> >
> > The porn thing works just fine no matter what the timeout is, as
> > the spam is queued up already and the captcha gets presented as
> > soon as it's generated. The porn surfer will generally not dally
> > when presented with the captcha.
>
> Generating enough real traffic to a dummy site to ensure that there
> is always a user ready to read a single captcha within a few minutes of
> it being generated just to post a single piece of spam seems like a
> pretty mean feat.
I see I didn't explain it well enough. Here's the flow:

1. Spammer generates spam and queues it up for sites.
2. A person arrives at the porn site.
3. The spam system generates a request including the spam to the target site. Clock starts ticking.
4. The spam system presents the resulting captcha to the porn surfer. Less than a second has elapsed.
5. Porn surfer types in the string as asked. Time elapsed is probably still under 5 seconds.
6. Spam system sends the string to the target site. Time elapsed is under 10 seconds for >90% of cases.
> I would think they could generate more revenue from bunging a few
> ads on the site than hoping that the spam they manage to get on a
> completely unrelated site might actually generate a customer. Still,
> I'm only speculating so may be completely wrong.
It's very cheap to set up such a system, and spammers routinely
expect--and profit from--"hit rates" that are less than one in a
million.
> > But apart from its ineffectiveness on spammers, as others have
> > mentioned, captcha excludes blind people. :(
>
> Yes - it's a shame none of us thought about it when Gevik was
> originally working on it.
>
> There is the audio option I suggested which Paypal use IIRC -
> alternatively we could use some sort of puzzle - such as 'enter the
> third, second from last and 2nd character from this string'.
That lends itself to exactly the same attack I sketched out above.
Cheers,
D
--
David Fetter <[email protected]> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter
Remember to vote!