2007-04-08

Spammers play the numbers game. They send millions of emails a day, hoping to hit at least a few marks. Any idiot that responds by doing business is pure profit for a spammer. The phrase "There's one born every minute" certainly fits there.

Since no-one wants to let go of their beloved SMTP and come up with a brand new, trust-based email protocol, the only logical step is to make CAPTCHAs an interstitial part of the SMTP handshake for unknown senders. I don't claim this to be my own idea - there are plenty of hits Googling for "CAPTCHA" and "spam". Most of the search results are for discussions on why CAPTCHAs are evil and why they should not be used for website sign-up verifications, because they apparently discriminate against blind users.

Of all the discussions and arguments put forward, there isn't one single FUSSP - only a blended defence (of technological and sociological measures) will make a significant dent in the spam problem. Anyone who tries to think differently from the net-intelligentsia is labeled an Anti-spam Kook.

So here are the arguments and counter-arguments:

(1) Visual CAPTCHAs discriminate against the blind: yes, they do. But then, logic-test CAPTCHAs discriminate against persons with learning disabilities; natural language-based CAPTCHAs discriminate against persons who don't speak the language used in the CAPTCHA; audio-CAPTCHAs discriminate against the deaf. So, whichever CAPTCHA is used, it will inevitably impact a person with one disability or another. Just as there is no universal solution to the spam problem, there isn't one CAPTCHA that will tell a human from a computer without affecting a minority of people. Trouble is, there are so many vocal tax-payer-subsidised, minority pressure-groups out there, who'd rather tell us to eat our spam than allow one disabled person to be unintentionally excluded. Solution: make alternative contact methods available or have a person assist the user in decoding the CAPTCHA.

(2) Spammers will just hire people to decode CAPTCHAs: perhaps. But remember, spammers play the numbers game. Use this against them. When it becomes prohibitively expensive for even the biggest of spammers to hire manual decoders, the spam will stop. To send 1 million emails and hire X number of flunkies to decode even half of the CAPTCHA challenge-responses in order to reach a handful of marks would just not make it worth the cost or effort.

(3) Spammers will redirect CAPTCHA images/logic-puzzles to their own sites and have people decode the CAPTCHA in exchange for access to pr0n: perhaps. But again, it's all about the numbers. How many visitors (dynamic) could decode a CAPTCHA before it expires? Hot-linking of images is easy to disable anyway.

(4) SMTP challenge-response systems are evil and just add to the spam volume: sometimes. I believe a dynamically-generated 5xx SMTP error message with a CAPTCHA URL is an acceptable method of challenge-response. To accept a message and then reply to it with a CAPTCHA URL is not acceptable. Also, until the original unknown sender is CAPTCHA authenticated, no more 5xx messages should be sent.
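A sketch of the in-session rejection described in (4), added here as an illustration and not code from the original post: the receiving server answers RCPT TO with a 550 carrying the CAPTCHA URL instead of accepting the message and mailing a challenge back. The URL, the one-hour lifetime and the class name are made up for the example, and it reads the last sentence of (4) as "a sender who is still unverified keeps the one pending challenge rather than getting a new one each time".

```python
import secrets
import time

CHALLENGE_BASE = "https://mail.example.org/captcha"  # hypothetical URL
TTL = 3600  # assumed lifetime of a challenge, in seconds


class ChallengePolicy:
    """Decides the SMTP reply at RCPT TO, while the session is still open."""

    def __init__(self, known=()):
        self.known = {s.lower() for s in known}  # senders already verified
        self.pending = {}    # sender -> (token, expiry)
        self.by_token = {}   # token -> sender

    def rcpt_reply(self, sender, now=None):
        now = time.time() if now is None else now
        sender = sender.lower()
        if sender in self.known:
            return "250 2.1.5 OK"
        token, expiry = self.pending.get(sender, (None, 0))
        if token is None or expiry <= now:
            # First contact, or the old challenge expired: mint exactly one.
            self.by_token.pop(token, None)
            token = secrets.token_urlsafe(16)
            self.pending[sender] = (token, now + TTL)
            self.by_token[token] = sender
        # Rejecting in-session: this server never sends a message of its own,
        # so a forged sender address receives nothing from us.
        return f"550 5.7.1 Unknown sender, verify at {CHALLENGE_BASE}?t={token}"

    def solve(self, token, now=None):
        """Called by the CAPTCHA page once a human has passed the test."""
        now = time.time() if now is None else now
        sender = self.by_token.get(token)
        if sender is None or self.pending[sender][1] <= now:
            return False
        self.known.add(sender)
        del self.pending[sender], self.by_token[token]
        return True
```

The allowlist here is keyed on the envelope sender alone, which anyone can forge, so a real deployment would want to tie it to something harder to fake, such as an SPF or DKIM result.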

It's unfortunate that it's come down to this. But let's not forget that people have been obfuscating (munging) information for a long time - even before spammers started harvesting email addresses from Usenet, people used images of email addresses on their websites. Did anyone complain when a blind person couldn't privately email a Usenet poster because they had munged their email address? I'm sure I would have noticed the noise from the pressure groups if that happened.

Talking of Usenet, here's an extremely inciteful post* made in 2003 by a NANAE regular. I am not going to repost the contents here, as it's archived on numerous sites - just Google for "thank the spammers". Even in 2003, CAPTCHAs were being used to keep data miners from accessing WHOIS.

In our zeal to bend-over-backwards to help people who are less abled than ourselves to get onto the 'net, the spammers have been exploiting that good will to pump out their spam. I'm sorry, but I'm not going to be told to eat my spam in deference to the "politically correct" pressure groups.

And anyway, spammers themselves discriminate against the blind since there's a trend to circumvent text-based spam filters by using image text in their spams. Would the pressure groups complain about that? Didn't think so.
