Captchas: Difference between revisions

From ASRG
Jump to navigationJump to search
No edit summary
(Added note that spammers can simply pay people to solve CAPTCHAs.)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") is a method originally designed to protect web forms from being completed by robots.
{{ast
|date=ca. 2001
|difficult=Medium
|popular=Medium
|effective=Medium
|where=MTA or MUA
|harm=High
}}
Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") is version of mail challenges, adapted from a method originally designed to protect web forms from being completed by robots.


When using to protect a mailbox, a confirmation message is sent to the sender when he writes to the protected mailbox for the first time, indicating a web page where he will be asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist so subsequent messages will be accepted without any further action.
When using to protect a mailbox, a confirmation message is sent to the sender when he writes to the protected mailbox for the first time, indicating a web page where he will be asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist so subsequent messages will be accepted without any further action.


Although some defenders of this method disseminates it as "100 % spam stopped without loss of message", this method has many drawbacks (not exhaustive list) :
Although some defenders of this method claim it provides "100 % spam stopped without loss of messages", in practice this method has many drawbacks including:


* All of the general problems with [[Challenges]]
* Not user friendly with people with physical deficiencies - blind people may not be able to correctly decode captchas (see [http://www.acb.org/board-minutes/bm070802.html American Council of the Blind]
* Not user friendly with people with physical deficiencies - blind people may not be able to correctly decode captchas (see [http://www.acb.org/board-minutes/bm070802.html American Council of the Blind]
* It generates backscatter harming innocents - as most of spams are sent with a forged sender address, the supposed sender will receive a confirmation request about a message (spam) sent by someone else.
* Often not user-friendly to people with normal vision either; CAPTCHA system misbehavior is a common source of humor on the Internet.
* It doesn't work with messages sent by some automated means : newsletters, travel tickets, bounce management (VERP, BATV, ...), ...
* Spammers can simply pay humans in poorer nations to solve CAPTCHAs. In 2010, [http://motherjones.com/kevin-drum/2010/08/price-captcha commercial CAPTCHA-solving services were seen] charging $1 per thousand CAPTCHAs solved. At those rates, a fairly large spamming campaign can still be cost-effective.
* Can generate loops - if Alice and Bob mailboxes are both protected by this method, when Alice send a message to Bob, for the first time, a confirmation request will be sent her, which won't be received as her mailbox is protected. Also, it has been seen some providers of this solution using no reachable addresses (e.g. NULL SENDER, or a blackhole) send confirmation requests.
* Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason (message delivery depends on some external uncontrolled resource).
* Access control managed by senders not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
* Message loss - some senders don't care to confirm his message when the message interests only the recipient.
 
The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.
 


== References ==
== References ==
Line 20: Line 22:
* [http://en.wikipedia.org/wiki/Captcha Wikipedia]
* [http://en.wikipedia.org/wiki/Captcha Wikipedia]
* [http://www.acb.org/board-minutes/bm070802.html American Council of the Blind]
* [http://www.acb.org/board-minutes/bm070802.html American Council of the Blind]
* [http://www.w3.org/TR/turingtest/ www.w3.org] Inaccessibility of CAPTCHA
* [http://www.w3.org/TR/turingtest/ W3C Inaccessibility of CAPTCHA]
* [http://www2.parc.com/istl/projects/captcha/history.htm PARC history of Captchas]

Latest revision as of 10:56, 30 September 2010

Anti-spam technique: Captchas
Date of first use: ca. 2001
Effectiveness: Medium
Popularity: Medium
Difficulty of implementation: Medium
Where implemented: MTA or MUA
Harm: High

Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") is version of mail challenges, adapted from a method originally designed to protect web forms from being completed by robots.

When using to protect a mailbox, a confirmation message is sent to the sender when he writes to the protected mailbox for the first time, indicating a web page where he will be asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist so subsequent messages will be accepted without any further action.

Although some defenders of this method claim it provides "100 % spam stopped without loss of messages", in practice this method has many drawbacks including:

  • All of the general problems with Challenges
  • Not user friendly with people with physical deficiencies - blind people may not be able to correctly decode captchas (see American Council of the Blind
  • Often not user-friendly to people with normal vision either; CAPTCHA system misbehavior is a common source of humor on the Internet.
  • Spammers can simply pay humans in poorer nations to solve CAPTCHAs. In 2010, commercial CAPTCHA-solving services were seen charging $1 per thousand CAPTCHAs solved. At those rates, a fairly large spamming campaign can still be cost-effective.

References