Re: human validation on post comments

> -----Original Message-----
> From: David Fetter [mailto:david(at)fetter(dot)org]
> Sent: 21 March 2006 17:16
> To: Dave Page
> Cc: PostgreSQL WWW
> Subject: Re: [pgsql-www] human validation on post comments
>
> I see I didn't explain it well enough. Here's the flow:
>
> 1. Spammer generates spam and queues it up for sites.
> 2. A person arrives at the porn site.
> 3. The spam system generates a request including the spam to the
> target site. Clock starts ticking.
> 4. The spam system presents the resulting capcha to the porn surfer.
> Less than a second has elapsed.
> 5. Porn surfer types in the string as asked. Time elapsed is
> probably still under 5 seconds.
> 6. Spam system sends the string to the target site. Time elapsed is
> under 10 seconds for >90% of cases.

Ahh, gotcha.

>
> > > But apart from its ineffectiveness on spammers, as others have
> > > mentioned, capcha excludes blind people. :(
> >
> > Yes - it's a shame none of us thought about it when Gevik was
> > originally working on it.
> >
> > There is the audio option I suggested which Paypal use IIRC -
> > alternatively we could use some sort of puzzle - such as 'enter the
> > third, second from last and 2nd character from this string'.
>
> That lends itself to exactly the same attack I sketched out above.

Undoubtedley, but unless they write something specifically to work with
our site which is a lot of effort... And all we do then is fall back to
how things are now until we've broken whatever they were doing by
modifying the regexps in the auto-reject code or re-jigged the puzzles.
Of course, doing any of this we mustn't make it too difficult for the
user to submit things.

Regards, Dave.