Subject: Re: human validation on post comments
Date: Tue, 21 Mar 2006 14:42:01 +0100
Message-ID: <6BCB9D8A16AC4241919521715F4D8BCEA3519D@algol.sollentuna.se>
Thread-Topic: [pgsql-www] human validation on post comments
From: "Magnus Hagander"
To: "David Fetter", "PostgreSQL WWW"
X-Archive-Number: 200603/119

> > > I have been integrating a component that will ask the user to enter
> > > the word in a dynamic image before their comments can be submitted.
> >
> > Terrific! I'm sure the people who clear the comments will have nice
> > things to say.
> >
> > The image is generated dynamically? That's good -- the spammers
> > are already working on systems that harvest static images from sites
> > and match them against a database. Grrrr.
>
> Actually, they've already got one, and here's how it works:
>
> 1. Put up a free porn site.
> 2. Present somebody else's captcha image as an entry.
> 3. Let the person see the porn if they've correctly cracked the
> captcha.
> 4. Spam site.
>
> The sad part of this one is that they don't have to crack any
> single captcha system. Instead, they've cracked the entire
> captcha process.

I don't know how this particular system is set up, but how can they defeat something like:

* Fill in form data. Submit.
* Generate verification page containing an image. Along with the code, store the hash of the form data.
* Validate the image against the hash of the data.

Means you need to put in all your data in the form beforehand, so you have to tailor one page to each set of contents. Or am I thinking completely wrong here :-)

//Magnus
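The three-step scheme Magnus sketches, worked through as an added example in Python (not the pgsql-www site's own code): the challenge is bound to a hash of the submitted comment, so a solved challenge only unlocks the exact content it was issued for. The in-memory challenge store, the canonical form encoding and the sample comment are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed: pending challenges live in server-side memory, keyed by an
# opaque token that is placed in the verification page. A real site
# would use its session store; the shape is the same.
_pending: dict[str, tuple[str, str]] = {}


def form_hash(form: dict[str, str]) -> str:
    """Step 1/2: hash the form data the user already filled in.
    Fields are canonicalised (sorted, one per line) so the same content
    always yields the same digest regardless of field order."""
    canonical = "\n".join(f"{k}={form[k]}" for k in sorted(form))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def issue_challenge(form: dict[str, str], captcha_word: str) -> str:
    """Step 2: generate the verification page. Store the captcha word
    together with the hash of the form data and return the token that
    the page will carry back on submit."""
    token = secrets.token_hex(16)
    _pending[token] = (captcha_word, form_hash(form))
    return token


def validate(token: str, form: dict[str, str], typed_word: str) -> bool:
    """Step 3: accept the post only if the typed word matches the stored
    word AND the form data still hashes to the stored digest. The entry
    is consumed on first use, so one solved image cannot be replayed."""
    entry = _pending.pop(token, None)
    if entry is None:
        return False
    captcha_word, stored_hash = entry
    # constant-time comparisons; case-insensitive on the captcha word
    word_ok = hmac.compare_digest(
        captcha_word.lower().encode("utf-8"), typed_word.lower().encode("utf-8"))
    form_ok = hmac.compare_digest(
        stored_hash.encode("utf-8"), form_hash(form).encode("utf-8"))
    return word_ok and form_ok


if __name__ == "__main__":
    comment = {"author": "alice", "body": "Thanks, the index tip fixed it."}
    tok = issue_challenge(comment, "kestrel")          # constructed sample word
    print(validate(tok, comment, "kestrel"))          # expected: True
```

A relayed solution is worthless to the relayer because the stored hash covers the comment text: changing the body after the image was solved fails `form_ok`, and the token is gone after one attempt.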