Difference between revisions of "Captchas"

From ASRG
Jump to navigationJump to search
Line 11: Line 11:
 
* Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason (message delivery depends on some external uncontrolled resource).
 
* Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason (message delivery depends on some external uncontrolled resource).
 
* Access control managed by senders not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
 
* Access control managed by senders not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
* Message loss - some senders don't care to confirm his message when the message interests only the recipient.
+
* Message loss - some senders don't care to confirm his message when it interests only the recipient.
  
 
The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.
 
The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.

Revision as of 08:36, 15 June 2009

Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") is a method originally designed to protect web forms from being completed by robots.

When using to protect a mailbox, a confirmation message is sent to the sender when he writes to the protected mailbox for the first time, indicating a web page where he will be asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist so subsequent messages will be accepted without any further action.

Although some defenders of this method disseminates it as "100 % spam stopped without loss of message", this method has many drawbacks (not exhaustive list) :

  • Not user friendly with people with physical deficiencies - blind people may not be able to correctly decode captchas (see American Council of the Blind
  • It generates backscatter harming innocents - as most of spams are sent with a forged sender address, the supposed sender will receive a confirmation request about a message (spam) sent by someone else.
  • It doesn't work with messages sent by some automated means : newsletters, travel tickets, bounce management (VERP, BATV, ...), ...
  • Can generate loops - if Alice and Bob mailboxes are both protected by this method, when Alice send a message to Bob, for the first time, a confirmation request will be sent her, which won't be received as her mailbox is protected. Also, it has been seen some providers of this solution using no reachable addresses (e.g. NULL SENDER, or a blackhole) send confirmation requests.
  • Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason (message delivery depends on some external uncontrolled resource).
  • Access control managed by senders not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
  • Message loss - some senders don't care to confirm his message when it interests only the recipient.

The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.


References