A big FU to spammers: Ben's email address goes whitelist. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-09-06 20:52
  Subject:   A big FU to spammers: Ben's email address goes whitelist.
Public
  Mood:plotting
  Music:Blue Oyster Cult - Veteran of the Psychic Wars

Since I'll soon be getting a new email address for the first time in a decade, I'm thinking about what I can do to avoid spam. I didn't have complete control over web, email and other services at my old ISP, but I will at the new place. I'm planning to go to what I consider close to the ultimate Fuck You to spammers: I'm going to impose a whitelist on my email address and only email addresses on the whitelist will get through.

I don't want to actually prevent legit email from people I didn't previously know from reaching me, though. So I need an error recovery mechanism. The best one I've seen is to send an email back to the rejected address, with the URL of a web page that contains a captcha. The user can load up the page and solve the captcha, and then their email address will be added to the whitelist. This way they only have to go through the trouble once.

Distorted number-letter captchas were broken a few months ago by a researcher. I can't find the Slashdot story, but PWNtcha should be convincing enough. So I think I'd rather use something akin to kitten-auth. You'll basically have to load up a CGI script that will serve an image and a form. The <img=> URL will be a symlink dynamically generated on a random basis at run time, so spam-bots won't be able to read the text in the tag and auto-gen it. If I'm feeling really malicious, I might even put an intentionally fake word as the text in the img tag, and auto-ban any IP address that types in the obviously fake name. There are also a couple other tricks I can apply here that I won't mention in public.

The end result of this, I'm hoping, is that I'll be able to spread my email address far and wide without using any of the obnoxious obfuscation that I've engaged in for the last decade, but the spammers will still get bounces. I'll put the email addresses of everyone I know in the whitelist initially, of course. So hopefully almost nobody who I've ever emailed before will have to do the captcha.

We'll see how it all works out. There's a story on /. today about spammers paying people $0.60/hr to solve captchas. I don't believe I'm clever enough to create a captcha that is solvable only by my friends and no other human beings in the world. Kitten-auth and similar schemes are designed to block bots, not human beings. If they can afford to hire people, I'm sunk. But I suspect they won't go to the trouble to hire a person just to spam me. And of course I can manually delete addresses from the whitelist if they do manage to sneak through once in a while.

Basically, I'm just looking to make their lives hard. See, the spam wars in general are an arms race. The technology on both sides gets continuously more sophisticated, but nobody ever really wins. That said though, I'm more than happy to build and test weapons if I know they're for the good guys. Anything I can do to hurt the spammers is a good thing.

Edit: Looks like ESP-PIX is about as good as I'm going to get for an off the shelf solution. I should probably make my own image and word database though, since the security of the captcha depends on the secrecy of the image and word database. If I want to be really smart, I should make sure none of the images I use are in Google Image Search.

Edit 2: Wanna know why people still spam? How does 3/4 of a million per month sound?
Post A Comment | 21 Comments | | Link
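
One way to build the challenge page described in the post, added here as an example and not the author's code: the image is served under a random single-use token, the `alt` text carries a decoy word, and an IP that submits the decoy is banned. The image names, decoy words, `/captcha/` path and `CaptchaGate` class are all assumptions made for illustration.

```python
import hmac
import secrets
import time

# Constructed private image database: file name -> expected answer.
IMAGE_DB = {"img_0412.jpg": "bicycle", "img_0977.jpg": "lighthouse"}
DECOYS = ["zebra", "piano", "cactus"]   # constructed; never a correct answer
TOKEN_TTL = 600                          # seconds a challenge stays valid

class CaptchaGate:
    def __init__(self):
        self.pending = {}      # token -> (image file, decoy, sender, expiry)
        self.banned_ips = set()
        self.whitelist = set()

    def issue(self, sender, now=None):
        """Return (token, html); neither URL nor alt text reveals the answer."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        image = secrets.choice(list(IMAGE_DB))
        decoy = secrets.choice(DECOYS)
        self.pending[token] = (image, decoy, sender.lower(), now + TOKEN_TTL)
        html = (f'<img src="/captcha/{token}" alt="{decoy}">'
                f'<form method="post"><input type="hidden" name="t" '
                f'value="{token}"><input name="guess"></form>')
        return token, html

    def image_for(self, token):
        """Map the opaque URL token back to the real file when serving."""
        entry = self.pending.get(token)
        return entry[0] if entry else None

    def verify(self, token, guess, ip, now=None):
        """Return 'banned', 'expired', 'wrong' or 'whitelisted'."""
        now = time.time() if now is None else now
        if ip in self.banned_ips:
            return "banned"
        entry = self.pending.pop(token, None)   # single use, right or wrong
        if entry is None or now > entry[3]:
            return "expired"
        image, decoy, sender, _ = entry
        guess = guess.strip().lower()
        if guess == decoy:                      # word only visible in the tag
            self.banned_ips.add(ip)
            return "banned"
        if hmac.compare_digest(guess.encode(), IMAGE_DB[image].encode()):
            self.whitelist.add(sender)
            return "whitelisted"
        return "wrong"
```

Because the token is discarded on every attempt, a wrong guess forces a fresh challenge with a new image and a new URL.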






Ben Cantrick
  User: mackys
  Date: 2006-09-06 21:25 (UTC)
  Subject:   Things that humans are good at but machines are bad at:
- Logic (i.e., story problems)
- Counting syllables in a word
- Processing audio stimulus - tweeting bird vs car going by
- Identifying things in an image without being told what to look for

Anything else?
Reply | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-06 22:50 (UTC)
  Subject:   Re: Things that humans are good at but machines are bad at:
- Common sense/cultural knowledge ("Dick and Jane went to the well with their buckets. They came back with the buckets full. What was in the buckets?") ("What are the oceans full of?" - though I suppose you could say "fish" for that one too.)

- Rhyming ("What common liquid rhymes with "otter"?") Though there is a rhyming dictionary on the web spammers could use.

- Categories and things classified within them. ("Golden Retrievers, Dalmatians and Pitbulls are all what kind of animal?" - smart-asses who type in "vertebrates" or "mammals" deserve to be blacklisted anyway. ;]) ("Name a model of car made by Honda.")
Reply | Parent | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-06 22:53 (UTC)
  Subject:   Re: Things that humans are good at but machines are bad at:
"Using Hard Problems in AI for Captchas"
http://www.cs.cmu.edu/~biglou/captcha_crypt.pdf
Reply | Parent | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-06 23:09 (UTC)
  Subject:   This is shaping up nicely...
A series of 3-5 tests, randomly chosen. The tests will be "hard problems" from AI, consisting generally of:

- Visual recognition of an image with a single subject. (No giveaways in the img tag or other HTML elements.)

- Something that depends on non-trivial language processing ability, like a story problem that requires logic and/or cultural knowledge/common sense to solve.

- Auditory identification (only when the user's computer has sound)
Reply | Parent | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-06 23:10 (UTC)
  Subject:   BONK!
Notes to self: Someone smarter than you has almost always thought of this stuff already.

Install ESP-PIX and be done with it.
Reply | Parent | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-07 19:44 (UTC)
  Subject:   Oh man...
FACIAL EXPRESSION RECOGNITION!

"Click on all the people who are smiling/frowning."

There's *no chance in hell* I'll live to see a computer break that one with any kind of consistency.
Reply | Parent | Thread | Link



Triggur
  User: triggur
  Date: 2006-09-07 04:15 (UTC)
  Subject:   Re: Things that humans are good at but machines are bad at:
Heh.

If AI has any hope of ever getting anywhere at all, best let the spammers attack it. :)
Reply | Parent | Thread | Link



  User: nickhalfasleep
  Date: 2006-09-06 21:44 (UTC)
  Subject:   (no subject)
-use alternate communication methods
-putting together a message through lossy communication
-get a joke


But beware, mailing list software and list owners get really tweaked at getting that kind of stuff.

Did I ever tell you the one about the grad student who set up a .forward file incorrectly to his other account and filled the /var/mail partition with the redirects back and forth? Any whitelist captcha should be able to understand if it's in a loop with another mail server.

Reply | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-06 22:38 (UTC)
  Subject:   (no subject)
> -use alternate communication methods

I'm not sure what you mean. Are you suggesting I should make a captcha based on American Sign Language? Or take up a collection of rebuses? ;]

> But beware, mailing list software and list owners get really tweaked at getting that kind of stuff.

The last time I signed up for a mailing list was... was... uh... I can't remember ever signing up for a mailing list. I think that's a non-issue for me personally.

> Did I ever tell you the one about the grad student who set up a .forward file incorrectly to his other account and filled the /var/mail partition with the redirects back and forth? Any whitelist captcha should be able to understand if it's in a loop with another mail server.

I was thinking I would need to time-rate limit the "go here to get on the whitelist" emails. Like, you don't get more than one per week per email address.
Reply | Parent | Thread | Link
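
The two safeguards raised in this exchange, loop detection and a one-per-week limit on challenge emails, combined into one delivery decision. This is an added example, not code from the thread; the `WhitelistGate` class, the header checks chosen and the sample addresses are assumptions.

```python
import time
from email import message_from_string
from email.utils import parseaddr

WEEK = 7 * 24 * 3600
AUTOMATED_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


def is_automated(msg, sender):
    """True if an auto-reply could start a mail loop or hit a mailing list."""
    if sender == "":                                    # null sender: a bounce
        return True
    if sender.split("@")[0] in AUTOMATED_LOCALPARTS:
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":   # RFC 3834
        return True
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return True
    return any(h in msg for h in ("List-Id", "List-Unsubscribe", "X-Loop"))


class WhitelistGate:
    def __init__(self, whitelist):
        self.whitelist = {a.lower() for a in whitelist}
        self.last_challenge = {}   # sender -> time the last challenge was sent

    def decide(self, raw, envelope_from, now=None):
        """Return 'deliver', 'challenge' or 'hold' for one inbound message."""
        now = time.time() if now is None else now
        msg = message_from_string(raw)
        sender = parseaddr(envelope_from)[1].lower()
        if sender in self.whitelist:
            return "deliver"
        if is_automated(msg, sender):
            return "hold"                  # never auto-reply to automation
        last = self.last_challenge.get(sender)
        if last is not None and now - last < WEEK:
            return "hold"                  # already challenged this week
        self.last_challenge[sender] = now
        return "challenge"
```

Sender addresses are easily forged, so a challenge can land on someone who never wrote; the weekly limit caps how many such messages any one address receives.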



  User: nickhalfasleep
  Date: 2006-09-06 23:04 (UTC)
  Subject:   (no subject)
Alternate communications as in browse a website, or call a phone number, not just email. Though I suppose in the future you might get a bot that could do it all (since it all gets transmitted online anyway).
Reply | Thread | Link



osmium_ocelot
  User: osmium_ocelot
  Date: 2006-09-07 01:22 (UTC)
  Subject:   (no subject)
If you want a database of essentially random pictures, (link potentially VERY NSFW) you could do worse than to build off of this : http://www.fuzzysquid.com/LJ.php
Reply | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-07 01:38 (UTC)
  Subject:   (no subject)
That's not a bad idea. And the page is actually surprisingly safe for work at this particular moment. I was thinking, though, that I might use my collection of digicam photos. They're pretty much guaranteed to not be in GIS, and there's no chance of being sued for copyright infringement. ;]
Reply | Parent | Thread | Link



  User: nickhalfasleep
  Date: 2006-09-07 01:45 (UTC)
  Subject:   (no subject)
Make it really hard, use pictures of the GWB and have them pick the stupidest.
Reply | Parent | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-07 01:54 (UTC)
  Subject:   (no subject)
I think that problem has been proved to be mathematically undecidable. ;]
Reply | Parent | Thread | Link



  User: (Anonymous)
  Date: 2006-09-07 02:47 (UTC)
  Subject:   Suggestion
How about a group of pictures (some people and some not) and have them pick you out of the lineup?
Reply | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-07 04:59 (UTC)
  Subject:   (no subject)
That's an interesting idea. Though it seems to depend on the people who want to email me knowing what I look like in advance. And I'm not sure that's always going to be the case...
Reply | Parent | Thread | Link



Alex Belits
  User: abelits
  Date: 2006-09-07 03:17 (UTC)
  Subject:   (no subject)
> We'll see how it all works out. There's a story on /. today about spammers paying people $0.60/hr to solve captchas. I don't believe I'm clever enough to create a captcha that is solvable only by my friends and no other human beings in the world. Kitten-auth and similar schemes are designed to block bots, not human beings.

I doubt people are going to go to the trouble of guessing your favorite anime for $0.60/hr, and click on the characters from it.
Reply | Thread | Link



Triggur
  User: triggur
  Date: 2006-09-07 04:21 (UTC)
  Subject:   (no subject)
Well, spam only works because they can send a million messages for essentially nothing.

At $0.60/hr, it takes a lot of man-hours to solve a million captchas, and the appeal may no longer be there.
Reply | Thread | Link



Triggur
  User: triggur
  Date: 2006-09-07 04:22 (UTC)
  Subject:   (no subject)
As for your new email, you spam-averse pussy (kidding!), I would like to have it as a rather lengthy EE email I recently sent you...bounced. >.>
Reply | Thread | Link



Ben Cantrick
  User: mackys
  Date: 2006-09-07 04:57 (UTC)
  Subject:   (no subject)
Sorry about that. My much-beloved ISP that I've been with since college has been down for the last nearly-week. The last time this happened, two months ago, it took them two weeks to come back online. I hate to leave KaosOL, but this is just unacceptable.

So, I'll be moving. Not sure of the exact domain yet, or if it even will be its own domain.

In the meantime, you can try and email me with the same username, but using dhp.com instead of kaosol.net. Clear enough?
Reply | Parent | Thread | Link



(no subject) - (Anonymous)
Ben Cantrick
  User: mackys
  Date: 2006-09-11 07:16 (UTC)
  Subject:   (no subject)
Sounds great, but perhaps a little more complicated than a whitelist and a CGI script.
Reply | Parent | Thread | Link


