Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.



 
> > I think we can now embrace the concept that we can create CAPTCHA
> > that are beyond any practical attack that a spammer can generate.
> 
> Hmmn.  I gather you're not familiar with the free porn proxy attack:
> spammer puts up a web site offering free porn with access granted by
> solving the CAPTCHAs that it proxies through from its spam runs.  I'm
> not sure if I've seen this used yet, but it would not be hard to do.

I am very familiar with the concept of the free porn proxy attack.  I address this issue specifically on my website:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm

The response is under the "Critique Questions and Answers" section.  After my website was featured on Slashdot there was a deluge of criticisms concerning the porn proxy attack by people who did not completely review my website, so near the end of my website I expounded once again on the futility of this attack (basically the small number of CAPTCHA that can be solved would be irrelevant within the context of my anti-spam system).

I will also mention that I attended the Second International Workshop on Human Interactive Proofs this month at Lehigh University http://www.cse.lehigh.edu/prr/hip2005/index.html
Everyone was aware of the concept of the porn proxy attack but no one was aware of it being in current use.  The organizers of the conference asked if anyone could provide a website where this was taking place but no one could.  If you know of such a website then please let me know and I will forward it to the organizer of the conference.

> CAPTCHA's of any form have two other killer flaws.  One is that in the
> absence of widespread strong user authentication, which doesn't seem
> any closer now than it's been for the past decade, spammers can avoid
> your challenge by spoofing mail from someone on your whitelist.  The
> other is that significant numbers of people, through bafflement or
> exasperation, decline to respond to challenges so unless you never get
> mail from people you don't know (in which case a whitelist is all you
> need) CAPTCHAs will always lose real mail.

Your criticisms refer to a conventional C/R system but do not apply to my anti-spam system.  The whitelist system as described by my anti-spam system only contains personal contacts and individuals to whom you have sent email.  There is no way for a spammer to determine who is on your whitelist.  Even if spammers learned the identity of one or two contacts on your whitelist then it wouldn't matter; you would remove these names from the whitelist but you would still be able to receive mail from these individuals as they will just use a valid sub-address like everybody else.

Thank you for your input,
Michael G. Kaplan


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg