Captchas aren’t a FUSSP. They’re meant to address a specific problem - listbombing. COI contributes to the problem of listbombing. SMS challenge is going to make that worse. 1000 SMS messages in an hour is a problem.
There are people who’ve been working on this issue for years and I’m sure they’d be very happy to hear your contributions and alternative solutions. In fact, I hear a conference is actively looking for contributors who have experience with listbombing (victim, ESPs, other victim, ISP) to work on the issue.

laura

> On 9 May 2019, at 23:10, Michael Wise via mailop <mailop@mailop.org> wrote:
>
> My replies keep going to the original author. Grr.
>
> Anyway, yeah, completely agree.
> Y’all who trumpet CAPTCHA as the FUSSP need to know who’s on the opposing
> team:
>
> http://scraping.pro/8-best-captcha-solving-services-and-tools/
>
> You’re going to need to think about an SMS challenge as a basic, entry level
> requirement.
>
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation | Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Got the Junk Mail Reporting Tool
> <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?
>
> -----Original Message-----
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Rich Kulawiec via mailop
> Sent: Thursday, May 9, 2019 2:54 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Howto be a good mailop (best practice / insights wanted)
>
> On Thu, May 09, 2019 at 09:26:50AM -0400, Rob McEwen via mailop wrote:
> > you should strongly encourage your customers to captcha-protect their
> > signup forms to prevent bots from signing up spamtrap addresses.
>
> No, you shouldn't. I'm going to quote something that I just sent elsewhere,
> so my apologies to anyone who's seen it.
>
> Captchas are a worst practice. They can be and are defeated at will by any
> adversary who can trouble themselves to do so. [1] They're security theater:
> think Wile E. Coyote holding an umbrella over his head while a boulder drops
> toward him. [2] Worth noting as well are (a) the continued and accelerating
> convergence of the trend lines denoting "captcha hard enough to defeat
> automation" and "captcha easy enough to be solvable by humans" and (b) the
> onerous additional burden that these often place on people who have
> diminished eyesight and hearing, who are part of different cultures, etc.
>
> There are far better ways to defend resources, and -- judiciously deployed --
> these methods are not nearly as susceptible to adversarial manipulation, nor
> do they make life more difficult for people whose lives are arguably
> difficult enough already.
>
> ---rsk
>
> [1] Here's an example of what I mean by "defeated at will":
>
>     Wiseguys Indicted in $25 Million Online Ticket Ring | Threat Level | Wired.com
>     http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>
> [2] A partial list of references follows. Do note that the contemporary
> state of the art in captcha-defeating techniques is much more advanced than
> any of these suggest. Of course it is: attacks always get better - they
> never get worse. (h/t to Bruce Schneier)
>
> Also, there's plenty of funding -- see footnote [1] above -- available to
> support research and development in this area that will NOT be helpfully
> published in blogs or journals. So consider what is enumerated below as the
> lower bound of what *was* possible and extrapolate markedly upwards to
> estimate what *is* currently available.
>
>     Stanford researchers outsmart captcha codes
>     http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
>
>     CIntruder: pentesting tool to bypass captchas
>     http://cintruder.sourceforge.net/
>
>     How a trio of hackers brought Google's reCAPTCHA to its knees | Ars Technica
>     http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
>
>     Snapchat Account Registration CAPTCHA Defeated - Slashdot
>     http://it.slashdot.org/story/14/01/23/2037201/snapchat-account-registration-captcha-defeated
>
>     Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
>     http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
>
>     Troy Hunt: Breaking CAPTCHA with automated humans
>     http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
>
>     Slashdot | Now Even Photo CAPTCHAs Have Been Cracked
>     http://it.slashdot.org/article.pl?sid=08/10/14/1442213
>
>     Cheap CAPTCHA Solving Changes the Security Game
>     https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/
>
>     unCAPTCHA Breaks 450 ReCAPTCHAs in Under 6 Seconds
>     https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

--
Having an Email Crisis? We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop