Re: human validation on post comments

From: David Fetter <david(at)fetter(dot)org>
To: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Cc: PostgreSQL WWW <pgsql-www(at)postgresql(dot)org>
Subject: Re: human validation on post comments
Date: 2006-03-21 17:16:01
Message-ID: 20060321171601.GA27311@fetter.org
Lists: pgsql-www

On Tue, Mar 21, 2006 at 04:54:24PM -0000, Dave Page wrote:
>
>
> > -----Original Message-----
> > From: David Fetter [mailto:david(at)fetter(dot)org]
> > Sent: 21 March 2006 16:45
> > To: Dave Page
> > Cc: PostgreSQL WWW
> > Subject: Re: [pgsql-www] human validation on post comments
> >
> > The porn thing works just fine no matter what the timeout is, as
> > the spam is queued up already and the captcha gets presented as
> > soon as it's generated. The porn surfer will generally not dally
> > when presented with the captcha.
>
> Generating enough real traffic to a dummy site to ensure that there
> is always a user ready to read a single captcha within a few minutes of
> it being generated just to post a single piece of spam seems like a
> pretty mean feat.

I see I didn't explain it well enough. Here's the flow:

1. Spammer generates spam and queues it up for sites.
2. A person arrives at the porn site.
3. The spam system generates a request including the spam to the
target site. Clock starts ticking.
4. The spam system presents the resulting captcha to the porn surfer.
Less than a second has elapsed.
5. Porn surfer types in the string as asked. Time elapsed is
probably still under 5 seconds.
6. Spam system sends the string to the target site. Time elapsed is
under 10 seconds for >90% of cases.

> I would think they could generate more revenue from bunging a few
> ads on the site than hoping that the spam they manage to get on a
> completely unrelated site might actually generate a customer. Still,
> I'm only speculating so may be completely wrong.

It's very cheap to set up such a system, and spammers routinely
expect--and profit from--"hit rates" that are less than one in a
million.

> > But apart from its ineffectiveness on spammers, as others have
> > mentioned, captcha excludes blind people. :(
>
> Yes - it's a shame none of us thought about it when Gevik was
> originally working on it.
>
> There is the audio option I suggested which Paypal use IIRC -
> alternatively we could use some sort of puzzle - such as 'enter the
> third, second from last and 2nd character from this string'.

That lends itself to exactly the same attack I sketched out above.

Cheers,
D
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter

Remember to vote!
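The six-step relay flow above, as an added simulation that is not part of the thread and not code from the PostgreSQL web team. It assumes a hypothetical target site that signs its challenge state with an HMAC key and enforces a time limit (`ttl`), and uses Dave Page's "enter the 3rd, 2nd-from-last and 2nd character" puzzle as the challenge, to show that the relay never needs to solve anything itself: it forwards the puzzle verbatim to a human on an unrelated site and returns that human's answer before the clock runs out. The clock, key, puzzle format and spam strings are all constructed for the example.

```python
"""Added simulation of the captcha relay described in the thread.
Everything here (key, TTL, puzzle wording, spam text) is constructed."""
import base64
import hashlib
import hmac
import json
import re
import secrets
import string
from collections import deque

SERVER_KEY = b"constructed-target-site-secret"  # hypothetical signing key


class FakeClock:
    """Deterministic clock so the timings in the walk-through are reproducible."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class TargetSite:
    """Comment form protected by a puzzle that must be answered within `ttl` seconds."""
    def __init__(self, clock, ttl=10):
        self.clock, self.ttl, self.accepted = clock, ttl, []

    def _mac(self, blob):
        return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()

    def begin_post(self, comment):
        """Step 3 of the flow: issue the challenge and start the clock."""
        s = "".join(secrets.choice(string.ascii_lowercase) for _ in range(8))
        puzzle = f"Enter the 3rd, 2nd-from-last and 2nd characters of '{s}'"
        answer = s[2] + s[-2] + s[1]
        state = json.dumps({"comment": comment, "answer": answer, "issued": self.clock()})
        blob = base64.b64encode(state.encode()).decode()
        return puzzle, blob + "." + self._mac(blob.encode())

    def finish_post(self, token, response):
        """Step 6: verify the signed state, then the deadline, then the answer."""
        blob, mac = token.split(".")
        if not hmac.compare_digest(mac, self._mac(blob.encode())):
            return "tampered"
        state = json.loads(base64.b64decode(blob))
        if self.clock() - state["issued"] > self.ttl:
            return "expired"
        if response != state["answer"]:
            return "wrong"
        self.accepted.append(state["comment"])
        return "accepted"


class SpamRelay:
    """The spammer's side: a queue of spam plus a decoy site that borrows humans."""
    def __init__(self, target):
        self.target, self.queue = target, deque()

    def queue_spam(self, text):
        self.queue.append(text)  # step 1: spam queued up in advance

    def on_visitor(self, visitor):
        """Steps 2-6: a human arrives at the decoy; spend them on one queued item."""
        if not self.queue:
            return None
        comment = self.queue.popleft()
        puzzle, token = self.target.begin_post(comment)   # step 3: clock starts
        response = visitor(puzzle)                         # steps 4-5: forwarded verbatim
        return self.target.finish_post(token, response)    # step 6: answer relayed back


def make_visitor(clock, think_time):
    """A simulated human who solves the index puzzle after `think_time` seconds."""
    def visitor(puzzle):
        clock.advance(think_time)
        s = re.search(r"'([a-z]+)'", puzzle).group(1)
        return s[2] + s[-2] + s[1]
    return visitor


def run_relay(ttl=10, think_times=(4, 6, 15)):
    """Run the flow once per visitor; return the site's verdicts and what it accepted."""
    clock = FakeClock()
    target = TargetSite(clock, ttl=ttl)
    relay = SpamRelay(target)
    for i in range(len(think_times)):
        relay.queue_spam(f"spam #{i}")
    results = [relay.on_visitor(make_visitor(clock, t)) for t in think_times]
    return results, target.accepted


if __name__ == "__main__":
    print(run_relay())
```

With a 10-second limit, the two visitors who answer in 4 and 6 seconds get the spam accepted and only the 15-second straggler is rejected as expired; raising `ttl` to a few minutes, as the thread discusses, changes nothing, because the relay only ever asks the site for a challenge once a human is already in front of it. Swapping the puzzle text for an image or an audio clip changes nothing either, since the relay passes the challenge through without interpreting it.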
