On Monday, Sep 23, 2002, at 04:40 US/Pacific, Phil Tanny wrote:
>> If such a program becomes widespread enough to seriously hurt spammers
>> I'd be surprised if it took a year for spamware vendors to figure ways
>> to automatically respond to the current systems' autoreplies or web
>> pages.
>
> OK, interesting point. Let's see if we can brainstorm it.
>
> First, the spam bot has to receive my autoreply, and follow the link
> contained to my web page form. Yea, this seems doable.
>
> Then the spam robot has to look at a series of images on my form. Let's
> say the images display the number 3485. The spam robot would have to
> read those image files, and determine which numbers they represent, and
> then enter those numbers in to the form. Then they would have to paste
> their message in to the correct field and submit the form, all by
> automation.

The only technically challenging aspect is recognizing the text in an
image - everything else is at most half an hour's worth of Perl. OCR
isn't generally reliable but this isn't the general case - there's a
comparatively small range of input values. If this is a plain generated
GIF, it would be a comparatively easy challenge, particularly if you're
allowed a mistake or two (is it your fudge-fingered boss or an OCR-bot
trying a couple maybes?). The standard dodge is adding some sort of
noisy background to the image but most of the current approaches I've
seen would be easily filtered simply by removing things like any
non-black pixels. An approach using something like alpha-blending would
be more effective but I'm dubious about this as a long-term strategy
given the state of modern image processing technology combined with
ever-increasing cheap CPU capacity.
Some things we can do to harden the system:
- alpha-blending and similar techniques which require significantly
more CPU capacity to defeat
- complex fonts (e.g. setting the whole mess in Zapfino)
- rendering fonts with noise / textures to defeat solid-area filters
- increasing the length and complexity of the challenge by including
letters and punctuation
- giving up on text entirely and requiring them to match arbitrary
symbols or pictures
I particularly like that last idea - a challenge along the lines of
"Click on the portrait of the man next to the dog in this photo" should
be computationally infeasible for some time. The low value of a single
temporary sender-receiver address pair will hopefully make it
unprofitable to employ humans to respond to these messages (some crooks
used to hire people to manually brute-force cell phone passwords).
Unfortunately, the drawbacks to this approach increase as you use these
techniques:
- I'm almost certain it would violate section 508 or possibly even the
ADA by excluding color-blind or blind people
- harder challenges will annoy people
- there isn't a reliable way to exchange these challenges - my
whitelist query may be blocked by your filter until one of us reviews
the spamtrap. There's also the problem of messages which don't come
from real people - postmaster, various autoresponders for websites,
etc. Would you want to be the guy at Yahoo who receives a flurry of
these every time an automatic notification goes out?
Finally, the whole system is easily fooled if you don't use encryption
since I can easily forge the From address. Most people are going to
whitelist things like their postmaster or addresses used by popular
sites like Amazon's or ebay's confirmation messages and if Microsoft or
Netscape happened to whitelist their support address while adding
support into their mail clients...
We really need widespread encryption, be it OpenPGP or X.509, to make a
whitelist work (of course, this would be A Good Thing for quite a few
other reasons, too). Until then I think the better approaches are
filtering a la SpamAssassin, auto-blacklist trap addresses and
increasing the legal penalties for spammers and irresponsible network
providers.
Chris
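The thread's challenge flow (autoreply with a link, an image showing a short code, a form that accepts the answer and whitelists the sender-receiver pair) can be modelled as a small gate. The code below is an added illustration and is not from the list post or any project mentioned in it; the names `ChallengeGate`, `guess_success_probability`, the addresses and the alphabets are constructed for the example. It implements the two defensive points the reply makes: a challenge with a small answer space is only as strong as the number of tries you allow (so each issued challenge accepts exactly one answer and then expires), and widening the alphabet to letters and punctuation enlarges the search space far more than lengthening a digit string. It still trusts the From address, which, as the reply notes, holds only once mail is signed.

```python
import hmac
import secrets
import string
import time

# Challenge alphabets (constructed for this example): the 4-digit case from
# the thread, and the "letters and punctuation" case the reply proposes.
DIGITS = string.digits
LETTERS_DIGITS_PUNCT = string.ascii_letters + string.digits + string.punctuation


def guess_success_probability(alphabet_size, length, attempts):
    """Chance that a bot guessing blindly passes within `attempts` tries.

    Every extra allowed mistake multiplies the bot's odds, which is why the
    gate below allows exactly one answer per issued challenge.
    """
    space = alphabet_size ** length
    return min(1.0, attempts / space)


class ChallengeGate:
    """Issues image challenges and whitelists (sender, recipient) pairs.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, alphabet=DIGITS, length=4, ttl_seconds=3600,
                 max_attempts=1, clock=time.time):
        self.alphabet = alphabet
        self.length = length
        self.ttl_seconds = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self.pending = {}       # token -> challenge record
        self.whitelist = set()  # accepted (sender, recipient) pairs

    def issue(self, sender, recipient):
        """Create a challenge: the token goes into the autoreply link, the
        answer is what the form's image would display."""
        token = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self.pending[token] = {
            "answer": answer,
            "sender": sender,
            "recipient": recipient,
            "expires": self.clock() + self.ttl_seconds,
            "attempts_left": self.max_attempts,
        }
        return token, answer

    def answer(self, token, submitted):
        """Check a form submission. Returns True and whitelists the pair on
        success; a wrong answer consumes the attempt, so the same form cannot
        be used to try "a couple maybes"."""
        record = self.pending.get(token)
        if record is None:
            return False
        if self.clock() > record["expires"]:
            del self.pending[token]
            return False
        record["attempts_left"] -= 1
        # Constant-time compare on bytes, so arbitrary user input cannot raise.
        ok = hmac.compare_digest(record["answer"].encode("utf-8"),
                                 submitted.encode("utf-8"))
        if ok:
            del self.pending[token]
            self.whitelist.add((record["sender"], record["recipient"]))
            return True
        if record["attempts_left"] <= 0:
            del self.pending[token]
        return False

    def is_whitelisted(self, sender, recipient):
        return (sender, recipient) in self.whitelist


if __name__ == "__main__":
    gate = ChallengeGate()
    token, answer = gate.issue("alice@example.org", "chris@example.net")
    print("challenge issued; image would show", answer)
    print("accepted:", gate.answer(token, answer))
    print("whitelisted:", gate.is_whitelisted("alice@example.org", "chris@example.net"))
    print("4 digits, 1 try:", guess_success_probability(len(DIGITS), 4, 1))
    print("94 symbols x 8, 1 try:",
          guess_success_probability(len(LETTERS_DIGITS_PUNCT), 8, 1))
```

The whitelist is keyed on the (sender, recipient) pair rather than the sender alone, matching the reply's point that a single temporary pair is of low value to a spammer; a real deployment would also need to pass the image challenge to a non-visual alternative for the accessibility reasons the reply raises.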
_______________________________________________
spamcon-general mailing list
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers