Re: human validation on post comments
From | Dave Page |
---|---|
Subject | Re: human validation on post comments |
Date | |
Msg-id | E7F85A1B5FF8D44C8A1AF6885BC9A0E4011C9697@ratbert.vale-housing.co.uk |
In response to | human validation on post comments (Travis Hein <travis.hein@travnet.org>) |
List | pgsql-www |

> -----Original Message-----
> From: David Fetter [mailto:david@fetter.org]
> Sent: 21 March 2006 17:16
> To: Dave Page
> Cc: PostgreSQL WWW
> Subject: Re: [pgsql-www] human validation on post comments
>
> I see I didn't explain it well enough. Here's the flow:
>
> 1. Spammer generates spam and queues it up for sites.
> 2. A person arrives at the porn site.
> 3. The spam system generates a request including the spam to the
>    target site. Clock starts ticking.
> 4. The spam system presents the resulting captcha to the porn surfer.
>    Less than a second has elapsed.
> 5. Porn surfer types in the string as asked. Time elapsed is
>    probably still under 5 seconds.
> 6. Spam system sends the string to the target site. Time elapsed is
>    under 10 seconds for >90% of cases.

Ahh, gotcha.

> > > But apart from its ineffectiveness on spammers, as others have
> > > mentioned, captcha excludes blind people. :(
> >
> > Yes - it's a shame none of us thought about it when Gevik was
> > originally working on it.
> >
> > There is the audio option I suggested which Paypal use IIRC -
> > alternatively we could use some sort of puzzle - such as 'enter the
> > third, second from last and 2nd character from this string'.
>
> That lends itself to exactly the same attack I sketched out above.

Undoubtedly, but unless they write something specifically to work with our site which is a lot of effort... And all we do then is fall back to how things are now until we've broken whatever they were doing by modifying the regexps in the auto-reject code or re-jigged the puzzles.

Of course, doing any of this we mustn't make it too difficult for the user to submit things.

Regards, Dave.