Re: [Asrg] Please critique my anti-spam system
"Michael Kaplan" <mkaplansolution at lycos.com> wrote:
>> No. The CAPTCHA based addresses are worth much more than an ordinary
>> address. The CAPTCHA addresses don't filter spam; mail sent to them
>> is guaranteed to be seen prominently by the recipient. So a spammer
>> only needs to send 1000 spams to find a gullible person who'll respond.
>
> These CAPTCHA based addresses are nearly worthless as compared to an
> ordinary email address. A spammer can use an ordinary email address
> for years.

With a very low delivery rate.

> A spammer can pay 0.1 cent to have a sub-address decoded but the
> receiver will almost certainly deactivate this sub-address after the
> first time they receive spam.

So the spammer has a big incentive to hit it hard, with many spams at
one time, for guaranteed delivery. It's still worth something.

> Also there is no concern that any service that decodes the CAPTCHA
> on behalf of a commercial entity will then secretly sell the list to
> spammers.

There clearly is concern, since some of us have expressed it.

> Paypal could have a company decode 20,000 of these CAPTCHAs. If this
> list was given to spammers then it would be instantly obvious what
> happened after the Paypal customers instantly deactivate these newly
> decoded sub-addresses in response to spam. The customers would also
> know that the spam was sent using a sub-address sent to Paypal; go
> see Reflexion.net and how each email will list the original owner of
> the sub-address whenever that sub-address is used by an unknown
> entity.

So Paypal loses. But if it was the "Joe's Cheap Nigerian
CAPTCHA-Decoding Company" that Paypal used who was actually stealing
and selling the addresses, Paypal got screwed. True, that company
will go out of business, to be replaced by "Mike's Cheap Nigerian
(etc.)"

Or maybe they'll just sell the addresses of their ex-customers, or
people who haven't done enough business lately.

Or if a few big users of Paypal wanted to screw Paypal, they could
release some sample of Paypal addresses, which (if they play the right
statistical games) would be very hard to trace back to them, and again
Paypal looks guilty.

Seth
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg