
Re: [Asrg] Unique innovations made to anti-spam system

On 1/23/06, Richard Clayton <richard at highwayman.com> wrote:

> I also note that his CAPTCHAs are
> not text based. I'd need to do some more work to comment as to whether
> his stick-figures are genuinely harder to solve. They looked as if they
> made some cultural assumptions that might not travel well.]

The 3-D CAPTCHA is not text based, but as I explain on my site, I believe that existing text-based CAPTCHAs such as the Microsoft CAPTCHA provide more than enough security.

> So one could get appropriate skills for about $10 or so a week [labour
> rates are higher for towns with broadband].  For a 50 hour week that
> means you're paying about 20 cents an hour.
>
> I've never tried solving CAPTCHAs at speed, so I couldn't predict how
> fast I could do them for hours on end. But it looks to me that the cost
> is definitely going to be in fractions of a cent/solution.

Try solving a few of the Microsoft CAPTCHAs. An experienced person should take about 3 seconds. Working nonstop 12 hours a day would get you 14,400 solved CAPTCHAs. I'll use my figure of 80 million CAPTCHAs solved in order to deliver one million spam. That means that every day the spammer is employing 5,556 workers using 5,556 computers that use electricity and may need air conditioning. And the third-world owner of this business needs a cut, and you'll need security guards so that the computers won't get stolen, and...
 
However you crunch the numbers, this is a major expense.

> Why does the filter suddenly improve when the email is sent for the
> second time (viz: it starts to discard 95% of the email that it approved
> earlier ?).  Or -- same idea but different: why does the spammer send
> something that is filterable at the first stage ?
>
> >>       Further, I'd dispute that applying two 95%-effective spam
> >>       filters has
> >>       a net 99.75% success rate.
> >
> >    Very well
>
> hmm... I think it needs more than that as a reply :(

During the harvesting phase the spammer must do what spammers never do: use a real and functional return address. We can speculate about how crippling this would be for the spammer. I'll assume that spammers will be forced to send poorly filterable material during the first round, but the incredible burden of using a real return address may still allow for a degree of filtering.

So we will say that it is on the second round that real spam is sent and that 95% of this will be filtered. Almost every commonly used domain is trusted, but this spam is using a sub-address that was sent to an untrusted domain; a stronger filter can be applied to sub-addresses sent to untrusted domains.

But also remember that it is very obvious which domains are sending harvest spam. An ISACS-utilizing email service provider may normally get only 50 bounce-generating emails a day from the little-known untrusted domain Sleazy.com. Now, over the last 30 minutes, 100,000 bounce-generating emails have come in from Sleazy.com.

Now the second round of spam comes in using real sub-addresses but spoofed "From" fields. The email service provider can reject and send ISACS bounces to all of these extremely suspicious sub-addresses if they do not use the Sleazy.com domain. Legitimate correspondents usually would resend the bounce from the same domain, but ISACS usually allows them to use any domain. Extra restrictions can be placed on these extraordinarily suspicious sub-addresses. Or these extra-suspicious sub-addresses can just have a ridiculously strong filter applied to them.

There are endless ways to play with the numbers, but I'll stick with the estimate of 1.6 billion spam emails with real return addresses sent in order to deliver one million spam. (And I repeat the question: is this even possible?)
 
Thank you,
Michael Kaplan
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
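The bounce-spike and sub-address checks sketched in the message above (a domain that normally produces about 50 bounce-generating mails a day suddenly produces 100,000 in 30 minutes; afterwards, mail to sub-addresses issued to that domain but arriving from some other sender domain is rejected, and sub-addresses issued to untrusted domains get a stronger filter), written out as an added example. This is not code from the thread or from any ISACS implementation. The `user+tag@domain` sub-address format, the domain names, the 30-minute window, the spike multiplier and floor, the trusted-domain list and the sample traffic are all assumptions constructed for the example; the message itself gives only the shape of the check.

```python
"""Added example (not from the original thread or any ISACS code).

The mail service hands each correspondent domain its own sub-address and
records which domain got which address. Every message that would generate
an ISACS bounce is counted per sender domain in a sliding window; when a
domain's count in that window is far above its normal daily rate, the
domain is flagged as harvesting. Later mail to a sub-address that was
issued to a flagged domain, but arriving from some other sender domain,
is rejected; mail to sub-addresses issued to untrusted domains gets the
stronger filter. All names, thresholds and sample traffic are constructed.
"""
from collections import defaultdict, deque

# Constructed: the "commonly used" domains the service already trusts.
TRUSTED_DOMAINS = {"bigmail.example", "example.edu"}

SECONDS_PER_DAY = 86400


def sender_domain(addr):
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


class SubAddressPolicy:
    def __init__(self, window_s=1800, spike_factor=20, min_spike=1000):
        self.window_s = window_s          # 30-minute window, as in the message
        self.spike_factor = spike_factor  # "far above normal" multiplier (assumed)
        self.min_spike = min_spike        # floor so quiet domains are not flagged on noise
        self.issued = {}                  # sub-address -> domain it was issued to
        self.baseline_per_day = {}        # domain -> normal bounce-generating mails/day
        self.recent = defaultdict(deque)  # domain -> timestamps inside the window
        self.harvesting = set()           # domains currently flagged

    def issue(self, subaddr, domain):
        """Record that this sub-address was given out to `domain`."""
        self.issued[subaddr.lower()] = domain.lower()

    def set_baseline(self, domain, per_day):
        self.baseline_per_day[domain.lower()] = per_day

    def threshold(self, domain):
        """Bounce count inside one window that counts as a harvest spike."""
        expected = self.baseline_per_day.get(domain, 0) * self.window_s / SECONDS_PER_DAY
        return max(self.min_spike, self.spike_factor * expected)

    def record_bounce(self, ts, mail_from):
        """Call once per message that generates an ISACS bounce.
        Returns the sender domain's count inside the current window."""
        dom = sender_domain(mail_from)
        q = self.recent[dom]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold(dom):
            self.harvesting.add(dom)
        return len(q)

    def decide(self, mail_from, rcpt_to):
        """Policy for an inbound message: normal / accept / strong-filter / reject."""
        rcpt = rcpt_to.lower()
        if rcpt not in self.issued:
            return "normal"               # not one of our issued sub-addresses
        issuer = self.issued[rcpt]
        sender = sender_domain(mail_from)
        if issuer in self.harvesting and sender != issuer:
            return "reject"               # harvested sub-address, different sender domain
        if issuer not in TRUSTED_DOMAINS:
            return "strong-filter"        # sub-address given to an untrusted domain
        return "accept"


def simulate():
    """Constructed traffic: a quiet domain suddenly floods us, then spam arrives."""
    p = SubAddressPolicy()
    p.set_baseline("sleazy.example", 50)               # ~50 bounces/day is normal
    p.issue("alice+7f3a@example.org", "sleazy.example")
    p.issue("alice+c9d1@example.org", "bigmail.example")
    t0 = 1_000_000.0
    # Harvest round: 5,000 bounce-generating messages in 10 minutes from one domain.
    for i in range(5000):
        p.record_bounce(t0 + i * 0.12, f"bot{i}@sleazy.example")
    # Second round plus control cases.
    results = {
        "spoofed": p.decide("offers@bank.example", "alice+7f3a@example.org"),
        "same_domain": p.decide("news@sleazy.example", "alice+7f3a@example.org"),
        "trusted": p.decide("friend@bigmail.example", "alice+c9d1@example.org"),
        "unknown": p.decide("anyone@example.net", "alice@example.org"),
    }
    return p, results


if __name__ == "__main__":
    policy, r = simulate()
    print("flagged:", sorted(policy.harvesting))
    for k, v in r.items():
        print(f"{k:12s} -> {v}")
```

With a baseline of 50 a day, the expected count in a 30-minute window is about one message, and twenty times that is still only about 21, so in practice the assumed floor of 1,000 decides the flag; the 5,000 constructed bounces in ten minutes clear it easily. The spoofed second-round message is rejected because the sub-address was issued to the flagged domain but the sender domain differs; mail from the issuing domain itself still reaches the stronger filter because that domain is not on the trusted list. The message notes that ISACS usually lets legitimate correspondents reply from any domain, which is exactly the case the `reject` branch would catch, so the floor, the multiplier and the per-issuer binding are the knobs a deployment would have to tune against real traffic.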