My replies keep going to the original author. Grr.



Anyway, yeah, completely agree.

Y’all who trumpet CAPTCHA as the FUSSP need to know who’s on the opposing team:



              http://scraping.pro/8-best-captcha-solving-services-and-tools/



You’re going to need to think about an SMS challenge as a basic, entry-level requirement.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool <http://www.microsoft.com/en-us/download/details.aspx?id=18275>?



-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Rich Kulawiec via mailop
Sent: Thursday, May 9, 2019 2:54 PM
To: mailop@mailop.org
Subject: Re: [mailop] Howto be a good mailop (best practice / insights wanted)



On Thu, May 09, 2019 at 09:26:50AM -0400, Rob McEwen via mailop wrote:

> you should strongly encourage your customers to captcha-protect their
> signup forms to prevent bots from signing up spamtrap addresses.



No, you shouldn't.  I'm going to quote something that I just sent elsewhere, so 
my apologies to anyone who's seen it.





Captchas are a worst practice.  They can be and are defeated at will by any 
adversary who can trouble themselves to do so. [1] They're security theater: 
think Wile E. Coyote holding an umbrella over his head while a boulder drops 
toward him. [2]  Worth noting as well are (a) the continued and accelerating 
convergence of the trend lines denoting "captcha hard enough to defeat 
automation" and "captcha easy enough to be solvable by humans" and (b) the 
onerous additional burden that these often place on people who have diminished 
eyesight and hearing, who are part of different cultures, etc.



There are far better ways to defend resources, and -- judiciously deployed -- 
these methods are not nearly as susceptible to adversarial manipulation, nor do 
they make life more difficult for people whose lives are arguably difficult 
enough already.



---rsk



[1] Here's an example of what I mean by "defeated at will":

              Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com
              http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/





[2] A partial list of references follows.  Do note that the contemporary state 
of the art in captcha-defeating techniques is much more advanced than any of 
these suggest.  Of course it is: attacks always get better - they never get 
worse. (h/t to Bruce Schneier)



Also, there's plenty of funding -- see footnote [1] above -- available to 
support research and development in this area that will NOT be helpfully 
published in blogs or journals.  So consider what is enumerated below as the 
lower bound of what *was* possible and extrapolate markedly upwards to estimate 
what *is* currently available.



              Stanford researchers outsmart captcha codes
              http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html



              CIntruder: pentesting tool to bypass captchas
              http://cintruder.sourceforge.net/



              How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica
              http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/



              Snapchat Account Registration CAPTCHA Defeated - Slashdot
              http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated



              Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
              http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html



              Troy Hunt: Breaking CAPTCHA with automated humans
              http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html



              Slashdot | Now Even Photo CAPTCHAs Have Been Cracked
              http://it.slashdot.org/article.pl?sid=08/10/14/1442213



              Cheap CAPTCHA Solving Changes the Security Game
              https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/



              unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds
              https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/









_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop