Postgres Pro
Downloads
Home   >   mailing lists

Re: human validation on post comments - Mailing list pgsql-www

From David Fetter
Subject Re: human validation on post comments
Date
Msg-id 20060321171601.GA27311@fetter.org
Whole thread Raw
In response to Re: human validation on post comments  ("Dave Page" <dpage@vale-housing.co.uk>)
Responses Re: human validation on post comments  ("Greg Sabino Mullane" <greg@turnstep.com>)
List pgsql-www
Tree view 
On Tue, Mar 21, 2006 at 04:54:24PM -0000, Dave Page wrote:
>
>
> > -----Original Message-----
> > From: David Fetter [mailto:david@fetter.org]
> > Sent: 21 March 2006 16:45
> > To: Dave Page
> > Cc: PostgreSQL WWW
> > Subject: Re: [pgsql-www] human validation on post comments
> >
> > The porn thing works just fine no matter what the timeout is, as
> > the spam is queued up already and the capcha gets presented as
> > soon as it's generated.  The porn surfer will generally not dally
> > when presented with the capcha.
>
> Generating enough real traffic to a dummy site to ensure that there
> is always user ready to read a single capcha within a few minutes of
> it being generated just to post a single piece of spam seems like a
> pretty mean feat.

I see I didn't explain it well enough.  Here's the flow:

1.  Spammer generates spam and queues it up for sites.
2.  A person arrives at the porn site.
3.  The spam system generates a request including the spam to the
    target site.  Clock starts ticking.
4.  The spam system presents the resulting capcha to the porn surfer.
    Less than a second has elapsed.
5.  Porn surfer types in the string as asked.  Time elapsed is
    probably still under 5 seconds.
6.  Spam system sends the string to the target site.  Time elapsed is
    under 10 seconds for >90% of cases.

> I would think they could generate more revenue from bunging a few
> ads on the site than hoping that the spam they manage to get on a
> completely unrelated site might actually generate a customer. Still,
> I'm only speculating so may be completely wrong.

It's very cheap to set up such a system, and spammers routinely
expect--and profit from--"hit rates" that are less than one in a
million.

> > But apart from its ineffectiveness on spammers, as others have
> > mentioned, capcha excludes blind people. :(
>
> Yes - it's a shame none of us thought about it when Gevik was
> originally working on it.
>
> There is the audio option I suggested which Paypal use IIRC -
> alternatively we could use some sort of puzzle - such as 'enter the
> third, second from last and 2nd character from this string'.

That lends itself to exactly the same attack I sketched out above.

Cheers,
D
--
David Fetter <david@fetter.org> http://fetter.org/
phone: +1 415 235 3778        AIM: dfetter666
                              Skype: davidfetter

Remember to vote!

pgsql-www by date:

Previous
From: "Dave Page"
Date:
Subject: Re: human validation on post comments
Next
From: "Dave Page"
Date:
Subject: Re: human validation on post comments