Captchas

From ASRG
Revision as of 08:02, 15 June 2009 by Johnl (talk | contribs)
Jump to navigationJump to search
Anti-spam technique: Captchas
Date of first use: 2
Effectiveness: Medium
Popularity: Medium
Difficulty of implementation: Medium
Where implemented: MTA or MUA
Harm: High

Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") is version of mail challenges, adapted from a method originally designed to protect web forms from being completed by robots.

When using to protect a mailbox, a confirmation message is sent to the sender when he writes to the protected mailbox for the first time, indicating a web page where he will be asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist so subsequent messages will be accepted without any further action.

Although some defenders of this method claim it provides "100 % spam stopped without loss of messages", in practice this method has many drawbacks including:

  • All of the general problems with Challenges
  • It generates backscatter harming innocents - most of spams have a forged sender address, the supposed sender will receive a confirmation request about a spam sent by someone else.
  • It doesn't work with messages sent by anything other than an individual human sender: newsletters, travel tickets, bounce management (VERP, BATV, ...)
  • Not user friendly with people with physical deficiencies - blind people may not be able to correctly decode captchas (see American Council of the Blind
  • It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result.
  • Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason (message delivery depends on some external uncontrolled resource).
  • Access control managed by senders not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
  • Message loss - some senders don't care to confirm his message when it interests only the recipient.

The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.


References