In his excellent anti-spam blog, Terry Zink discusses measures that the webmail giants such as Gmail, Yahoo! Mail, and Hotmail can take to stop automated spam bots from breaking CAPTCHA, creating new accounts, and sending spam from those services.
Zink rightly suggests that the industry needs to look into some sort of secondary measure to prevent this from happening. After all, spammers only need to break CAPTCHA once to win, while service providers must constantly battle to lock them out. However, we feel that his suggestion of sending a link which needs to be clicked in order to complete the email account signup process is seriously flawed. While this may be the perfect solution for newsletters and mailing lists, it would not be suitable for email accounts, as it assumes too readily that the person signing up (assuming it is a real person) already has an email address at which to receive that link.
While many of us nowadays do actually have more than a handful of email addresses, it is important to remember that there is always a generation of new internet users (students, children at home, people in developing countries, etc.) who are signing up to these services for the very first time.
In these cases, where could you possibly send them that authentication link? Anti-spam measures must continue to prevent the successful delivery of spam to our inboxes, while minimising the inconvenience to real people. The cops and robbers analogy explains this perfectly.
The robber can indiscriminately shoot and cause harm to achieve his purpose, while the cop must attempt to apprehend the robber yet keep innocent members of the community safe (and relatively unrestricted) during his pursuit.
That’s the anti-spam fight in a nutshell.


