On 2/12/07, Chris Shiflett <[EMAIL PROTECTED]> wrote:
> There's also the "porn attack" that has been used for years:
>
> 1. Request the form with the CAPTCHA you want to solve.
>
> 2. On a high-traffic page, promise free porn (representative of anything
> desired, although porn was the actual first use case) in exchange for
> the solution to the CAPTCHA from Step 1.
>
> 3. Submit the form from Step 1, along with the CAPTCHA solution obtained
> in Step 2.

I hadn't considered this before, but if you think about the problem in
terms of volume-per-hour, the captcha approach becomes preferable
again. The answer to a good captcha can't be scripted, so there's a
built-in rate limit. Even if you hire humans to decipher them, the
answer has to be manually typed.

Captchas are vulnerable to the porn-in-the-middle attack, but you
would have to have some really hot porn in order to post large volumes
of spam across millions of sites. Interesting...

--
Chris Snyder
http://chxo.com/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk