scr.im: A new, cute way to fight with spam?
I ran across a site called scr.im (http://scr.im/) today. In my view it is an extension of the URL shortener idea (e.g. http://bit.ly/): you enter your email address and it generates a short URL for you, guarded by a simple mechanism that forces visitors to pick the matching text block, a simplified form of CAPTCHA, before the address is revealed.

To see this in action, give mine a try: http://scr.im/jayzeng
When you click a text block, a POST request is made:
captcha=E3M94&action=view&token=87735429e36a2256b62b5ed27de9eeda&ajax=y
Obviously, captcha is the name and value of the chosen captcha text. The token looks like an MD5 hash (it is 32 hex characters, i.e. 128 bits); my bet is something like
md5(current time + salt).
From a quick test, it does not appear to implement any limit on failed attempts, i.e. nothing like:
if (number of failures > predefined_number_attempts) {
block_ip() OR user_has_to_wait(5 mins);
}
That leaves the site open to brute force: for a given token an attacker can simply submit the value of every candidate block until one is accepted, which would make the service pointless.
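To make the missing check concrete, here is an added example (my own illustration, not scr.im's code) of a verification endpoint modelled on the POST above, once without any failure limit and once with a per-client lockout. The request fields (token, captcha) follow the captured POST; the token value, the protected email, the candidate block values, the thresholds and the in-memory store are all assumptions for illustration.

```python
"""Brute-force guard for a token + captcha lookup endpoint.

Added example, not scr.im's code. The request fields (token, captcha) follow
the POST body quoted in the post; the email, thresholds and the per-IP
in-memory store are assumptions for illustration.
"""
import time
from collections import defaultdict

# Constructed sample data: token -> (expected captcha value, protected email).
# The token is the one from the captured POST; the email is made up.
CHALLENGES = {
    "87735429e36a2256b62b5ed27de9eeda": ("E3M94", "someone@example.com"),
}


class CaptchaVerifier:
    """Verifies captcha answers and locks a client out after too many failures.

    max_failures=None reproduces the unguarded behaviour described in the
    post: every wrong answer is simply rejected and the attacker keeps going.
    """

    def __init__(self, max_failures=5, lockout_seconds=300, now=time.time):
        self.max_failures = max_failures        # assumption: 5 strikes
        self.lockout_seconds = lockout_seconds  # assumption: wait 5 minutes
        self.now = now                          # injectable clock for testing
        # Failures are counted per client IP rather than per token: a
        # per-token counter resets as soon as the attacker fetches a new token.
        self.failures = defaultdict(int)
        self.locked_until = {}

    def verify(self, client_ip, token, captcha):
        until = self.locked_until.get(client_ip, 0)
        if self.now() < until:
            return {"ok": False, "error": "locked",
                    "retry_after": int(until - self.now())}

        challenge = CHALLENGES.get(token)
        if challenge is None:
            return {"ok": False, "error": "unknown_token"}
        expected, email = challenge

        if captcha == expected:
            self.failures.pop(client_ip, None)
            return {"ok": True, "email": email}

        self.failures[client_ip] += 1
        if (self.max_failures is not None
                and self.failures[client_ip] >= self.max_failures):
            self.locked_until[client_ip] = self.now() + self.lockout_seconds
            self.failures.pop(client_ip, None)
            return {"ok": False, "error": "locked",
                    "retry_after": self.lockout_seconds}
        return {"ok": False, "error": "wrong_captcha"}


def brute_force(verifier, client_ip, token, candidates):
    """Simulate an attacker submitting each candidate block value in turn.

    Returns (email_or_None, attempts_made) and stops early on lockout.
    """
    attempts = 0
    for guess in candidates:
        attempts += 1
        result = verifier.verify(client_ip, token, guess)
        if result["ok"]:
            return result["email"], attempts
        if result["error"] == "locked":
            return None, attempts
    return None, attempts


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    TOKEN = "87735429e36a2256b62b5ed27de9eeda"
    # Constructed candidate values, as if read off the displayed text blocks;
    # the correct one is deliberately placed last.
    CANDIDATES = ["A1B2C", "ZZ9QX", "Q9W8E", "X0Y1Z", "P7L6K", "M3N4B", "E3M94"]
    unguarded = CaptchaVerifier(max_failures=None)
    print("unguarded:", brute_force(unguarded, "203.0.113.7", TOKEN, CANDIDATES))
    clock = FakeClock()
    guarded = CaptchaVerifier(now=clock)
    print("guarded:", brute_force(guarded, "203.0.113.7", TOKEN, CANDIDATES))
    clock.advance(301)
    print("after wait:", guarded.verify("203.0.113.7", TOKEN, "E3M94"))
```

Against the unguarded verifier the attacker walks through all seven candidates and gets the address; against the guarded one the fifth wrong answer locks the client out for five minutes, and only a correct answer after the wait (or a different client) gets through. Keying the counter on the client IP is a deliberate trade-off: it stops an attacker from resetting the count by fetching a fresh token, at the cost of possibly locking out a legitimate visitor behind the same NAT.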
Well, not exactly: this site seems to be a simple attempt at a new way to cut down on spam with little effort (at the cost of some added friction for end users).
Most of its users will be individuals and/or small businesses, so even if the scheme is breakable, does anyone really care? It is only an email address that its owner intends to share with a group of interested parties anyway.
Comments
But why?
Why would a spammer waste time on this? If you're a spammer and want to send spam,
- harvest forums and craigslist
- send spam to a@a, b@a, c@a, till zzzzz@zzzzzzzz
- etc...
that would pay a lot more and a lot quicker.
You raised a valid point; in fact, your voice represents a large group of application developers' point of view: "My site/app is so simple and only does XYZ, why would the bad guys want to attack my site? And who cares about the data?"
Well, you never know what they are thinking or how old they are. They can be script kiddies who are 12 years old and just learned SQL injection, looking for victims to try their new skills on, or simply to show off. Or it can be someone who wants an intellectual challenge; this site can be a place to hunt email addresses, with some degree of fun. Well, I am just making up stories, but you see my point. Their incentive can be random and totally irrational.
In this case, the incentive for using this site is to obfuscate an email address, which, just like you mentioned, can probably be found elsewhere on the web. However, if the email address can be found elsewhere, why do they use this app, and what is the point of using it if the address will be somewhat exposed anyway?