From: David Fetter
To: Dave Page
Cc: PostgreSQL WWW
Subject: Re: human validation on post comments
Date: Tue, 21 Mar 2006 09:16:01 -0800
Message-ID: <20060321171601.GA27311@fetter.org>

On Tue, Mar 21, 2006 at 04:54:24PM -0000, Dave Page wrote:
>
>
> > -----Original Message-----
> > From: David Fetter [mailto:david@fetter.org]
> > Sent: 21 March 2006 16:45
> > To: Dave Page
> > Cc: PostgreSQL WWW
> > Subject: Re: [pgsql-www] human validation on post comments
> >
> > The porn thing works just fine no matter what the timeout is, as
> > the spam is queued up already and the captcha gets presented as
> > soon as it's generated. The porn surfer will generally not dally
> > when presented with the captcha.
>
> Generating enough real traffic to a dummy site to ensure that there
> is always a user ready to read a single captcha within a few minutes of
> it being generated just to post a single piece of spam seems like a
> pretty mean feat.

I see I didn't explain it well enough. Here's the flow:

1. Spammer generates spam and queues it up for sites.

2. A person arrives at the porn site.

3. The spam system generates a request including the spam to the
   target site. Clock starts ticking.

4. The spam system presents the resulting captcha to the porn surfer.
   Less than a second has elapsed.

5. Porn surfer types in the string as asked. Time elapsed is probably
   still under 5 seconds.

6. Spam system sends the string to the target site. Time elapsed is
   under 10 seconds for >90% of cases.

> I would think they could generate more revenue from bunging a few
> ads on the site than hoping that the spam they manage to get on a
> completely unrelated site might actually generate a customer. Still,
> I'm only speculating so may be completely wrong.

It's very cheap to set up such a system, and spammers routinely
expect--and profit from--"hit rates" that are less than one in a
million.

> > But apart from its ineffectiveness on spammers, as others have
> > mentioned, captcha excludes blind people. :(
>
> Yes - it's a shame none of us thought about it when Gevik was
> originally working on it.
>
> There is the audio option I suggested which Paypal use IIRC -
> alternatively we could use some sort of puzzle - such as 'enter the
> third, second from last and 2nd character from this string'.

That lends itself to exactly the same attack I sketched out above.

Cheers,
D
--
David Fetter http://fetter.org/ phone: +1 415 235 3778
AIM: dfetter666 Skype: davidfetter
Remember to vote!