Hey all, just wanted to give a quick update on all of the balance and 1 thing sites:
Some of you may notice that on the individual content pages you can no longer e-mail the page to a recipient. This functionality has been disabled for the time being as there are concerns about the possibility of e-mail spam being sent from those forms. This same problem was noticed a couple of weeks ago, so reCAPTCHA was added to the form, though it has seemed to pop up again.
This realization bothered me quite a bit. I have read articles in the past about how reCAPTCHA had been hacked, but it is pretty much understood that with any popular service there is a constant battle between the maintainers of the service and those that would see the service brought to its knees (especially when the service in question is security related).
In doing some more research I have found that there are “companies” that actually provide outsourced manual labor for solving CAPTCHA problems. So, imagine a large warehouse that looks kind of like you would imagine a calling center looking like in China or India, now imagine that all of those people are answering CAPTCHAs all day long. This means that for $0.01 cents USD (approx) someone spamming can send an e-mail that subverts a CAPTCHA widget. So what is the e-mailer’s ROI? Well, in many cases an entire ID and credit line. So if someone sends out 1000 e-mails for $10 USD and they fool a single person into filling out information about themselves it becomes quite clear that there is quite the profit opportunity there.
So why not just shut down all of these warehouses of CAPTCHA crackers? Well, for one we don’t exactly have jurisdiction, but more importantly you don’t need a warehouse. One of the more popular trends now is to make viewers of adult content do that for you. A very popular adult site model right now is to force a would-be viewer to fill out a CAPTCHA response before allowing them to view a video. I guess they figure that people are more apt to deal with a minor inconvenience of typing a couple of words over paying for their content.
So what does this all mean? Generally, the fact that reCAPTCHA can be subverted isn’t a huge deal because most scripts don’t allow the end user to actually type in the e-mail address of the recipient. I will be looking for some other solutions next week to get this functionality back into the sites.


Josh 10:56 am on August 5, 2009
Interesting post Brian.
Brian 11:45 am on August 5, 2009
Thanks Josh.
As a follow-up, we have not seen any spam complaints regarding our servers since these changes were made. This is good news as we would obviously prefer our servers to be used for the good of making awesome blog posts as opposed to the evils of sending out spam.