On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
> CAPTCHA could potentially fix it, but that is sure to raise
> objections as being too inconvenient for list operators playing the
> numbers game.

Captchas are also not a valid anti-abuse mechanism: they have been quite thoroughly beaten and are only used today by those who have failed to pay attention to adversarial progress over the last 10-15 years.

Resources are either targets for abuse or they're not; adversaries are either competent and well-resourced or they're not. In the case where resources *are* targets and adversaries *are* competent/well-resourced, they will defeat captcha mechanisms at will using either automated, manual, or hybrid techniques. In the other three cases, captchas aren't necessary, either because the resource isn't being targeted, or adversaries aren't capable, or both.

Moreover, we have long since passed the point on the curve where "captchas that be successfully attacked" became harder than "captchas that can be solved by most humans".

Having worked on this problem extensively, I've found that other measures are much more effective, predictable, stable under load, and diagnosable -- depending on the use case, of course, and one size does not fit all.

The key, as it so often is with any anti-abuse measure, is to carefully study one's own log files and understand (qualitatively and quantitatively) what "normal" looks like and what "abnormal" looks like. Lots of people skip this analysis in their haste to deploy "solutions" and thus don't actually understand the nature of their problem(s). This inevitably results in poor outcomes.

---rsk

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop