Daejuan Jacobs wrote:
>> The spammer, who also runs a porn site, hits up your blog, sees your
>> captcha, copies the image and re-serves it as the captcha for someone
>> visiting his porn site. That unknowing person successfully deciphers
>> the captcha, and the spammer takes the result and feeds it back to
>> the blog.
> Getting the image doesn't do much without the session ID. You should
> destroy the session anyway.
I see. This is like using Google Answers, Yahoo Answers, or any given clone thereof. All the bot has to do is make a call-out to some abstract service which answers the question, and that service just uploads the image to practically anywhere they can find someone to decipher it.

A porn site could host the same service, but of course, this assumes the porn site has enough traffic for there to be a user online who would be willing to do this for free. As soon as you start paying someone money, then it costs to spam, and that's probably against most spammers' ethics. It would work though, assuming such a bored user exists. And I mean, any user with more than 10,000 kills on The Kill Everyone Project probably fits into this category.

Gives me a neat idea for a new web site which does nothing but feed the users images to decode. Of course, I wouldn't do it for cracking other CAPTCHAs, purely to see just how bored users get. ;-)

TX

_______________________________________________
Typo-list mailing list
Typo-list@rubyforge.org
http://rubyforge.org/mailman/listinfo/typo-list
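Added example, not code from the thread or from Typo: a Ruby sketch of the session-bound, single-use CAPTCHA check the quoted reply alludes to, with the relay from the quoted scenario played out against it. The class and method names (CaptchaStore, relay_scenario), the session IDs, the timings and the 60-second TTL are all assumptions made for the example. It shows what the binding buys and what it does not: the porn-site visitor cannot use the answer directly, a stale answer is rejected, a solved image cannot be submitted twice, but a spammer who holds the session and relays the answer inside the window still gets through, which is the point TX makes above.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Typo's code): a CAPTCHA store that binds each challenge to
# one session, expires it, and consumes it on the first verify call.
class CaptchaStore
  Challenge = Struct.new(:answer_digest, :expires_at)

  # The clock is injectable so the relay timeline below can be simulated offline.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @challenges = {}   # session_id => Challenge; one live challenge per session
  end

  # Issue a fresh challenge for session_id, replacing any earlier one.
  # Returns the plaintext the image renderer would draw (rendering is out of scope).
  def issue(session_id, ttl: 60)
    answer = SecureRandom.alphanumeric(6).downcase
    @challenges[session_id] = Challenge.new(digest(answer), @clock.call + ttl)
    answer
  end

  # Verify AND consume: the challenge is removed whether the answer is right or
  # not, so a solved image cannot be reused and a wrong guess forces a new image.
  # Returns :ok, :wrong, :expired or :no_challenge.
  def verify(session_id, answer)
    challenge = @challenges.delete(session_id)
    return :no_challenge if challenge.nil?
    return :expired if @clock.call > challenge.expires_at
    secure_equal?(challenge.answer_digest, digest(answer.to_s.strip.downcase)) ? :ok : :wrong
  end

  private

  def digest(s)
    Digest::SHA256.hexdigest(s)
  end

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the quoted scenario against the store. Session IDs and timings are
# constructed for this example.
def relay_scenario
  now = Time.at(1_700_000_000)
  store = CaptchaStore.new(clock: -> { now })
  spammer_session = 'sess-spammer'
  results = {}

  # 1. The spammer's bot loads the comment form and gets a challenge in its session.
  answer = store.issue(spammer_session, ttl: 60)

  # 2. The image is re-served on the porn site. Its visitor solves it, but has
  #    no session on the blog, so the answer is useless to that visitor directly.
  results[:solver_direct] = store.verify('sess-porn-visitor', answer)

  # 3. The relay round trip takes 90 s; the spammer's own challenge has expired.
  now += 90
  results[:relay_late] = store.verify(spammer_session, answer)

  # 4. A faster relay (5 s) inside the TTL still succeeds: session binding and
  #    expiry narrow the window, they do not close it.
  answer = store.issue(spammer_session, ttl: 60)
  now += 5
  results[:relay_fast] = store.verify(spammer_session, answer)

  # 5. Submitting the same solved answer again fails: it was consumed in step 4.
  results[:replay] = store.verify(spammer_session, answer)

  # 6. A wrong guess is rejected and also consumes the challenge ('!' never
  #    appears in an issued answer, so this guess cannot collide with one).
  store.issue(spammer_session, ttl: 60)
  results[:wrong_guess] = store.verify(spammer_session, 'wrong!!')
  results[:after_wrong] = store.verify(spammer_session, 'anything')

  results
end

if __FILE__ == $PROGRAM_NAME
  relay_scenario.each { |step, outcome| puts "#{step}: #{outcome}" }
end
```

The answer is stored only as a digest so a leaked store does not hand out plaintext solutions, and the challenge is deleted before the comparison so there is no window in which a second request can race the first. Rate limiting challenge issuance per IP and per session is the natural next layer; it is not shown here.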