Subject: Re: human validation on post comments
Date: Tue, 21 Mar 2006 17:23:05 -0000
From: "Dave Page"
To: "David Fetter"
Cc: "PostgreSQL WWW"

> -----Original Message-----
> From: David Fetter [mailto:david@fetter.org]
> Sent: 21 March 2006 17:16
> To: Dave Page
> Cc: PostgreSQL WWW
> Subject: Re: [pgsql-www] human validation on post comments
>
> I see I didn't explain it well enough. Here's the flow:
>
> 1. Spammer generates spam and queues it up for sites.
> 2. A person arrives at the porn site.
> 3. The spam system generates a request including the spam to the
> target site. Clock starts ticking.
> 4. The spam system presents the resulting captcha to the porn surfer.
> Less than a second has elapsed.
> 5. Porn surfer types in the string as asked. Time elapsed is
> probably still under 5 seconds.
> 6. Spam system sends the string to the target site. Time elapsed is
> under 10 seconds for >90% of cases.

Ahh, gotcha.

> > > But apart from its ineffectiveness on spammers, as others have
> > > mentioned, captcha excludes blind people. :(
> >
> > Yes - it's a shame none of us thought about it when Gevik was
> > originally working on it.
> >
> > There is the audio option I suggested which Paypal use IIRC -
> > alternatively we could use some sort of puzzle - such as 'enter the
> > third, second from last and 2nd character from this string'.
>
> That lends itself to exactly the same attack I sketched out above.

Undoubtedly, but unless they write something specifically to work with our site, which is a lot of effort... And all we do then is fall back to how things are now until we've broken whatever they were doing by modifying the regexps in the auto-reject code or re-jigging the puzzles.

Of course, doing any of this we mustn't make it too difficult for the user to submit things.

Regards, Dave.
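As an added example (not code from the postgresql.org site or from either poster; the site class, the timings and the prompt wording are assumptions), here is a small Python simulation of the relay flow David sketches in steps 3-6, run against both the plain type-the-string captcha and the positional-character puzzle Dave suggests. A simulated clock stands in for wall time so the run is deterministic, and the target site gets the one defence the thread's timing argument is about: a minimum and maximum solve window per challenge.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class Challenge:
    token: str        # opaque, single-use id the browser hands back with the answer
    prompt: str       # the text shown to whoever is (supposedly) a human
    issued_at: float  # server clock when the challenge was created


class TargetSite:
    """The site being spammed (assumed: a comment form that issues one challenge
    per post). Its only anti-relay knob is a solve-time window, included to show
    why timing alone cannot tell a relayed human from a direct one."""

    def __init__(self, min_solve_seconds=0.0, max_solve_seconds=300.0):
        self.min_solve = min_solve_seconds
        self.max_solve = max_solve_seconds
        self._pending = {}  # token -> (expected answer, issued_at)

    @staticmethod
    def _random_string(n=8):
        return "".join(secrets.choice(ALPHABET) for _ in range(n))

    def issue_captcha(self, now):
        """Plain 'type this string' challenge (the original kind)."""
        s = self._random_string()
        return self._store(s, f"Type the string: {s}", now)

    def issue_puzzle(self, now):
        """Dave's variant: ask for the characters at fixed positions of the string."""
        s = self._random_string()
        answer = s[2] + s[-2] + s[1]  # third, second from last, 2nd
        prompt = f"From {s}, enter the third, the second from last and the 2nd character"
        return self._store(answer, prompt, now)

    def _store(self, answer, prompt, now):
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, now)
        return Challenge(token, prompt, now)

    def verify(self, token, answer, now):
        """Accept an answer once; reject unknown or used tokens and out-of-window times."""
        entry = self._pending.pop(token, None)   # single use: a second submission fails
        if entry is None:
            return False
        expected, issued = entry
        elapsed = now - issued
        if not (self.min_solve <= elapsed <= self.max_solve):
            return False
        return hmac.compare_digest(expected.encode(), answer.strip().upper().encode())


def solve_as_human(prompt):
    """Stand-in for a person reading the prompt and answering it. It handles the
    two prompt shapes above; the surfer neither knows nor cares which site the
    prompt came from, which is the whole point of the relay."""
    if prompt.startswith("Type the string: "):
        return prompt[len("Type the string: "):]
    s = prompt.split(" ", 1)[1].split(",")[0]    # "From XXXXXXXX, enter ..."
    return s[2] + s[-2] + s[1]


def relay_attack(site, issue, typing_delay=4.0, start=1000.0):
    """Steps 3-6 of the flow: the spam system fetches the challenge (clock
    starts), shows the prompt to an unrelated visitor, and forwards that
    visitor's answer. Simulated clock; returns (accepted, seconds_elapsed)."""
    t = start
    ch = issue(t)                         # 3. request to target, challenge comes back
    t += 0.2                              # 4. prompt shown to the surfer, under 1 s
    answer = solve_as_human(ch.prompt)    # 5. surfer types the answer
    t += typing_delay
    t += 0.2                              # 6. spam system submits it
    return site.verify(ch.token, answer, t), t - start


def direct_human(site, issue, typing_delay=4.0, start=1000.0):
    """A genuine visitor solving the same challenge on the site itself."""
    t = start
    ch = issue(t)
    answer = solve_as_human(ch.prompt)
    t += typing_delay
    return site.verify(ch.token, answer, t), t - start


def demo():
    """Run both challenge kinds through both paths; returns a nested dict of results."""
    site = TargetSite(min_solve_seconds=2.0)
    results = {}
    for name, issue in (("captcha", site.issue_captcha), ("puzzle", site.issue_puzzle)):
        results[name] = {
            "direct": direct_human(site, issue),
            "relayed": relay_attack(site, issue),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        for who, (ok, secs) in r.items():
            print(f"{name:8s} {who:8s} accepted={ok} after {secs:.1f}s")
```

Running it shows the relayed answer arriving inside the same few-second window as a direct human's for both challenge kinds, so a solve-time window (which does catch an instant scripted submission) gives the site nothing to distinguish them on. The single-use token at least means a solved challenge cannot be replayed for a second post, and the positional puzzle changes only what the surfer is asked to read, not who reads it.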