Captchas: Difference between revisions

From ASRG
Revision as of 09:02, 15 June 2009

Anti-spam technique: Captchas
Date of first use: 2
Effectiveness: Medium
Popularity: Medium
Difficulty of implementation: Medium
Where implemented: MTA or MUA
Harm: High

Captchas (from "Completely Automated Public Turing test to tell Computers and Humans Apart") are a version of mail challenges, adapted from a method originally designed to protect web forms from being completed by robots.

When used to protect a mailbox, a confirmation message is sent to the sender the first time he writes to the protected mailbox, pointing him to a web page where he is asked to enter a textual code hidden in an image. If the correct answer is given, the sender is added to a whitelist, so subsequent messages are accepted without any further action.

Although some defenders of this method claim it provides "100 % spam stopped without loss of messages", in practice this method has many drawbacks, including:

  • All of the general problems with Challenges
  • It generates backscatter harming innocents - most spam has a forged sender address, so the supposed sender will receive a confirmation request about a spam sent by someone else.
  • It doesn't work with messages sent by anything other than an individual human sender: newsletters, travel tickets, bounce management (VERP, BATV, ...)
  • Not user friendly for people with physical disabilities - blind people may not be able to correctly decode captchas (see American Council of the Blind, http://www.acb.org/board-minutes/bm070802.html)
  • It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result.
  • Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have network access for some reason (message delivery depends on an external, uncontrolled resource).
  • Access control is managed by senders, not by the mailbox owner. One consequence is that if a spammer wants to send messages to someone, it is enough to send a first message from some email address under his control and confirm the captcha.
  • Message loss - some senders don't bother to confirm their message when it is of interest only to the recipient.

The solution proposed by providers of this anti-spam method to some of these drawbacks is an additional white/black list manually managed by the mailbox owner.

