On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
> that sort of abuse likely needs to be protected against via a captcha challenge as well,
Once again: captchas have zero security value. They either defend (a) resources worth attacking or (b) resources not worth attacking. If it's (a) then they can and will be defeated as soon as someone chooses to trouble themselves to do so. If it's (b) then they're not worth the effort to deploy.

See, for example:

http://www.freedom-to-tinker.com/blog/ed-felten/2008/09/02/cheap-captcha-sol...
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cra...
http://cintruder.sourceforge.net/
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knee...
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Now I'll grant that captchas aren't as miserably stupid as constructs like "user at example dot com" [1], but they really are worthless the moment they're confronted by even a modestly clueful/resourceful adversary.

---rsk

[1] Such constructs are based on the proposition that spammers capable of writing and deploying sophisticated malware, operating enormous botnets, maintaining massive address databases, etc., are somehow mysteriously incapable of writing

    perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]+/@/g'

and similar trivial bits of deobfuscation code.
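To illustrate the footnote's point, here is an added Python version of the same deobfuscation (not code from the original message). It goes slightly beyond the Perl one-liner: it also undoes the bracketed "[at]" / "(dot)" / "{at}" spellings, and keeps only results that actually look like an address, so ordinary prose containing the word "at" is not mangled. The sample strings are constructed for the demonstration.

```python
import re

# Bare or bracketed "at" / "dot" tokens, together with the surrounding
# whitespace that the obfuscation inserts. Word boundaries stop "data"
# or "dotted" from being touched.
_AT = re.compile(r"\s*[\[({<]?\s*\bat\b\s*[\])}>]?\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[\[({<]?\s*\bdot\b\s*[\])}>]?\s*", re.IGNORECASE)

# What a recovered address must look like: local part, one "@", and a
# domain with at least one dot. Rewritten prose that fails this test
# (e.g. "meet me@the cafe") is simply not reported.
_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample inputs covering the common "spelled-out" styles.
SAMPLES = [
    "user at example dot com",
    "user [at] example [dot] org",
    "User (AT) Example (DOT) Net",
    "user {at} sub {dot} example {dot} co {dot} uk",
    "meet me at the cafe",  # no address here; must be left alone
]


def deobfuscate(text):
    """Rewrite spelled-out separators into '@' and '.'; returns the text."""
    return _DOT.sub(".", _AT.sub("@", text))


def extract_addresses(text):
    """Return the lower-cased addresses recoverable from text, in order."""
    return [m.group(0).lower() for m in _ADDR.finditer(deobfuscate(text))]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {extract_addresses(sample)}")
```

The point for a defender is the same as the footnote's: "at"/"dot" spelling is a presentation choice, not a control, and any harvesting tool can normalize it in a handful of lines.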