Oh $DIETY, can I borrow that first paragraph? There are auction sites where you can buy free email addresses by the thousands for a single digit number of dollars. CAPTCHAs have been thoroughly PWNed.
Even SMS tokens can be gamed if you are not very, very careful.

Aloha,
Michael.

--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool ?

-----Original Message-----
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Rich Kulawiec
Sent: Sunday, May 29, 2016 11:29 AM
To: mailop@mailop.org
Subject: Re: [mailop] signup form abuse

On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
> CAPTCHA could potentially fix it, but that is sure to raise objections
> as being too inconvenient for list operators playing the numbers game.

Captchas are also not a valid anti-abuse mechanism: they have been quite thoroughly beaten and are only used today by those who have failed to pay attention to adversarial progress over the last 10-15 years.

Resources are either targets for abuse or they're not; adversaries are either competent and well-resourced or they're not. In the case where resources *are* targets and adversaries *are* competent/well-resourced, they will defeat captcha mechanisms at will using either automated, manual, or hybrid techniques. In the other three cases, captchas aren't necessary, either because the resource isn't being targeted, or adversaries aren't capable, or both.

Moreover, we have long since passed the point on the curve where "captchas that can be successfully attacked" became harder than "captchas that can be solved by most humans".

Having worked on this problem extensively, I've found that other measures are much more effective, predictable, stable under load, and diagnosable -- depending on the use case, of course, and one size does not fit all. The key, as it so often is with any anti-abuse measure, is to carefully study one's own log files and understand (qualitatively and quantitatively) what "normal" looks like and what "abnormal" looks like.

Lots of people skip this analysis in their haste to deploy "solutions" and thus don't actually understand the nature of their problem(s). This inevitably results in poor outcomes.

---rsk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
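Rich's closing point, that you should measure what "normal" and "abnormal" signups look like in your own logs before reaching for a control, as an added example that is not part of the thread and not code from either poster. The log format, the sample lines, the /24 grouping and every threshold are assumptions made for the illustration; the sample lines are constructed.

```python
"""Added example (not from the mailop thread): a baseline-vs-outlier pass over
signup-form logs. Quantify normal per-source volume with a robust statistic,
then flag sources that deviate from it, bursts from one IP, and templated
addresses. Log format, sample data, /24 grouping and thresholds are assumptions."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. Hypothetical format: "<ISO-8601 UTC> <ip> <email> <user-agent>".
# Six ordinary signups spread over a day, then twelve from one IP in 33 seconds
# with numbered local parts and a scripted user agent.
SAMPLE_LOG = """\
2016-05-27T08:03:11Z 198.51.100.14 alice@example.org Mozilla/5.0 (X11; Linux x86_64)
2016-05-27T08:41:50Z 192.0.2.33 bob.smith@example.net Mozilla/5.0 (Windows NT 10.0)
2016-05-27T09:15:02Z 198.51.100.201 carol@example.com Mozilla/5.0 (Macintosh)
2016-05-27T11:58:47Z 100.64.7.21 dave99@example.org Mozilla/5.0 (Android 6.0)
2016-05-27T13:30:05Z 198.18.4.9 erin.k@example.net Mozilla/5.0 (X11; Linux x86_64)
2016-05-27T16:12:33Z 192.0.2.77 frank@example.com Mozilla/5.0 (Windows NT 6.1)
""" + "".join(
    f"2016-05-27T17:02:{3 * i:02d}Z 203.0.113.50 user{i + 1:03d}@freemail.example "
    f"python-requests/2.9.1\n"
    for i in range(12)
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m.group(2),
            "email": m.group(3).lower(),
            "ua": m.group(4),
        })
    return events


def subnet24(ip):
    """Group IPv4 sources by /24 (assumption: IPv4 only, /24 is a useful unit)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def baseline(events):
    """Signups per /24, plus median and MAD as a robust picture of 'normal'."""
    counts = Counter(subnet24(e["ip"]) for e in events)
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0  # avoid a zero scale
    return counts, med, mad


def find_abnormal(lines, k=3.0, window_seconds=60, burst=5, min_template=5):
    """Return (kind, subject, count) findings; thresholds are illustrative."""
    events = parse(lines)
    findings = []
    counts, med, mad = baseline(events)
    for net, n in sorted(counts.items()):
        if n > med + k * mad:                      # volume far above the robust baseline
            findings.append(("subnet_volume", net, n))
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    for ip, stamps in sorted(by_ip.items()):
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):        # widest window of signups from one IP
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - start).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i + 1)
        if peak >= burst:
            findings.append(("burst", ip, peak))
    templates = Counter()
    for e in events:                               # user001@, user002@ ... collapse to user*@
        local, dom = e["email"].rsplit("@", 1)
        templates[re.sub(r"\d+$", "", local) + "*@" + dom] += 1
    for key, n in sorted(templates.items()):
        if n >= min_template:
            findings.append(("template_localpart", key, n))
    return findings


if __name__ == "__main__":
    for finding in find_abnormal(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The useful output is not the three findings but the baseline numbers: once you know that an ordinary /24 produces one or two signups a day and a real person never submits the form five times a minute, you can pick thresholds (and a control) that match your own traffic rather than a generic one.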