Just tried to post an Email, via the Web-Mail interface (Squirrelmail), & it has just asked me for a "verification code", which is a 6 character Alpha-numeric that is "hidden" inside a graphic!!
Trouble is, because it is trying to prevent Spammers, it uses this "graphic" of the code, but it is EXTREMELY difficult to read with the "naked eye". On occasions (because I've seen this before when I've posted from abroad), if there is either an "i" or a "j" in the code (plus various other combinations), these are virtually indistinguishable & I end up having to try it many times before I'm successful.
Why can't PN introduce something that is easier to read by the "naked eye"??
|
|
|
Because then it's easy to read with software (and spammers can get round it) ;-)
Ben
--
Ben - No longer working at PlusNet
|
|
|
|
These are always a problem. The easier they are to read the easier it is to get round them. There is no ideal solution unfortunately.
|
|
|
|
|
|
Very true, but I'm not sure why they are being used for SquirrelMail. These sorts of systems are good for anonymous posting, i.e. as an alternative to registering with a site to post, say, a comment. But for a webmail system you are presumably already logged in and 'known' to the system. So why have this extra and cumbersome authentication? Surely a username/password combined with a delay on the speed at which e-mail can be sent and some basic monitoring of mails-per-hour or something would be enough to prevent most abuse?
I guess it just makes PlusNet 'look' as if they're taking security seriously to the casual observer.
|
|
|
|
>I guess it just makes PlusNet 'look' as if they're taking security seriously to the casual observer.
Trouble is can't see it helpful to any partially sighted people.
|
|
|
|
Assuming it is used at the login point of a webmail system it means even if you have managed to obtain a list of user names and passwords it makes it hard to log in via a script and then send automated spam via the account. It will have no impact on spamming known EMail addresses but is a useful enough safeguard.
I don't use any ISP's EMail system as they tend not to be that reliable and it means if I change ISP my EMail is the same as before.
|
|
|
|
What would you recommend to help the security for partially sighted people in this instance ?
|
|
|
Specsavers
There is a system that allows you to answer a question from a range of photos.
IE
Which picture is the orange? Then you click on that etc
Edited by soundsystem (Wed 13-Jun-07 17:18:45)
|
|
|
What if you are colour blind?
The main point is whatever you put in place not everyone will like it.
|
|
|
Is there not a webstandard for this sort of thing?
When I meant Orange, I didn't mean the colour, I meant an orange.
Trees, bus etc etc
Even if black and white (the pictures) hopefully you would see the outline.
|
|
|
EDIT.
Things are brighter with Orange
Edited by deleted (Wed 13-Jun-07 17:33:32)
|
|
|
The system you describe makes a lot more sense from a security point of view than that which PlusNet have implemented. The check is not performed when logging in, but, as indicated by the OP, when actually composing an e-mail.
It's true that no system such as this will be ideal for everyone, but this one doesn't seem to be particularly well thought out, or helpful. Especially not when there are still gaping holes elsewhere
Edited by h0tblack (Wed 13-Jun-07 18:33:01)
|
|
|
|
Something that would read out the characters, perhaps. Or something that complied with the Disability Discrimination Act, maybe. I'll add it to my list of laws broken by plusnet.
|
|
|
|
It's pretty easy to create a login for webmail, you just sign up a free PAYG account. With that you can then send email with webmail. The Captcha image is there as a safety net to stop a spammer from using a script to send email via Webmail. Adding in a delay or tarpitting or limit on the number of mails that a username can send per day but isn't going to be as effective as the Captcha.
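The per-account alternative raised in this thread (a delay on sending plus mails-per-hour monitoring, and the tarpitting and per-day limit mentioned in the post above), sketched as an added example that is not PlusNet's or SquirrelMail's code. The thresholds, account names and the `SendThrottle`, `replay` and `summarise` names are assumptions made for illustration; it shows a scripted burst being slowed and then capped while human-paced sending passes untouched.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400

class SendThrottle:
    """Per-account send limiter: free sends, then a growing delay, then a hard cap."""

    def __init__(self, per_hour=20, per_day=100, tarpit_after=10, tarpit_step=2.0):
        self.per_hour = per_hour          # hard cap inside any rolling hour (assumed value)
        self.per_day = per_day            # hard cap inside any rolling day (assumed value)
        self.tarpit_after = tarpit_after  # sends per hour before delays start
        self.tarpit_step = tarpit_step    # extra seconds of delay per send beyond that
        self.sent = defaultdict(deque)    # username -> timestamps of accepted sends

    def check(self, user, now):
        """Return (verdict, delay_seconds) for one send attempt at time `now`."""
        q = self.sent[user]
        while q and now - q[0] > DAY:     # forget sends older than a day
            q.popleft()
        last_hour = sum(1 for t in q if now - t <= HOUR)
        if len(q) >= self.per_day or last_hour >= self.per_hour:
            return ("reject", 0.0)        # over a cap: refuse, leave for abuse review
        q.append(now)
        over = last_hour + 1 - self.tarpit_after
        if over > 0:
            return ("tarpit", over * self.tarpit_step)
        return ("accept", 0.0)

def replay(user, times, **limits):
    """Run one account's send timestamps (seconds) through a fresh throttle."""
    throttle = SendThrottle(**limits)
    return [throttle.check(user, t) for t in times]

def summarise(results):
    """Count verdicts and report the longest delay imposed."""
    counts = {"accept": 0, "tarpit": 0, "reject": 0}
    for verdict, _ in results:
        counts[verdict] += 1
    return counts, max(d for _, d in results)

# Constructed sample traffic: a script sending once a second, a person every ten minutes.
SCRIPTED = [float(i) for i in range(50)]
HUMAN = [i * 600.0 for i in range(12)]

if __name__ == "__main__":
    print("scripted:", summarise(replay("payg-example", SCRIPTED)))
    print("human:   ", summarise(replay("subscriber-example", HUMAN)))
```

A limiter like this bounds how much one account can send; it does not stop the automated sign-up of further accounts, which is the gap the posts above say the Captcha is meant to cover.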
|
|
|
|
When you put it like that I can see how the system could be abused by spammers. Although with adequate system for picking up abuse I'm sure it wouldn't be difficult to dissuade people from doing so.
I still don't think the system is ideal in its current form though, ignoring the possible circumvention techniques, it could well be seen as an accessibility issue as others have (more strongly but correctly) mentioned.
Hopefully it can be fine tuned over time and you won't stick with the system as it is, but I now understand PlusNet's reasoning for implementing it. Thanks Dave.
|
|
|
|
Have you seen the captcha that uses pictures of ducks and kittens? The idea is that computers/scripts can tell the difference between kittens and other animals.
I think we either need something like that, or biometric ID that isn't fooled by melted gummy bears..
|
|
|
In reply to:
isn't going to be as effective as the Captcha.
But if it is OFTEN so difficult to read so that it PREVENTS sending out any emails, you might as well just close down Squirrelmail!!
Before now it has taken me up to 6 attempts to send a valid email - sorry, but I want a working email system, I do NOT have the time to play silly games of "Guess the Graphic"!!
It is noticeable that you DON'T put that same constraint on someone using the mail2web interface.
Before anyone asks, the mail2web interface is far better at receiving/sending emails, but it DOESN'T let you check/manage the Spam Folder to retrieve those emails that have been wrongly sent to the Spam Folder!!
|
|
|
In reply to:
can't see it helpful to any partially sighted people
Don't have to be down to the level of "partially sighted"!! I'm at the level of needing the occasional use of low-powered Reading Glasses & I'm finding it difficult!!
|
|
|
|
Even more reason PN will have to look into it and how it plans to let partially sighted people who fall under the Disability Discrimination Act use this system.
|
|
|
|
Just to be clear, PlusNet have absolutely nothing to do with mail2web.com, they don't run it, they don't pay for it, they have no links with the company that does. They just suggested it as an alternative way of getting your e-mail when they couldn't sort out a solution themselves.
|
|
|
|
Rakeingrass (amongst others) use a Captcha where you have to solve a (simple) mathematical puzzle, as opposed to trying to work out what letters are what.
|
|
|
|
Is most of the spam travelling through Plusnet's network the result of
a) Spammers using the webmail client
or
b) Plusnet's lax security
|
|
|
In reply to:
Just to be clear, PlusNet have absolutely nothing to do with mail2web.com
They do!! They have effectively given it permission (& one that PN have recommended) to access the PN Email System & send Emails out via it!!
It does seem a bit rich that PN are justifying the inclusion of this "peculiar/unreadable" graphic because of the open nature of a Web-Based Email interface, but still letting another Web-Based Email interface have access without that level of security!!
|
|
|
Okay, I'll rephrase. PlusNet have absolutely nothing to do with the running or management or funding of mail2web. The previous post seemed to imply they had set it up or were somehow involved, I just want to make the distinction. Additionally they haven't 'given permission' mail2web to do anything. The service is a web-based interface to pop3/imap mail servers. Finally, mail2web is for receiving not sending. It does not give access to PlusNet's SMTP servers, which PlusNet's webmail service does. It's spamming via PlusNet's SMTP servers that the measure they have implemented is designed to limit.
I'm not defending PlusNet, but they are two different companies and this is very important. There's enough FUD around after all. There are also a myriad of double-standards within PlusNet and their policies, but adding to the confusion doesn't help.
|
|
|
This would be better..
The audio captcha..
Google Releases Audio CAPTCHA
Google has now unveiled the Audio CAPTCHA for blind and low-vision users for many of the Google services. Gmail, Google Groups and the Google Account for the homepage. Users simply have to click the link and type the numbers they hear.
http://www.accessibilityblog.com/2006/04/11/google-releases-audio-captcha/
=========================
Plus.net: "We're two years ahead of the competition" ... "We can't predict the future"
Plus.net: Beware of The Leopard
Plus.net: Where sometimes every silver lining, has a great fat cloud attached
My spelling mistakes are all my own 
|
|
|
Great idea, however if you were at work, most work PCs do not have audio.
If this was implemented the choice of 2 either visual or audio would be cool.
|
|
|
That's exactly what Google are planning on doing.
There's no way any system is going to be perfect, but allowing options and accessibility for people with different needs is something that has to be striven for.
|
|
|
|
I haven't dared to use the new WebMail since the problems with the old one but if the Captcha system is the same system that was being used then I can confirm that the images are very difficult to read with the naked eye and it often took me 5+ attempts to work out what characters were being shown. This makes the system rather self defeating as it just upsets real customers.
|
|
|
In reply to:
Finally, mail2web is for receiving not sending.
Strange!!! I've BOTH sent & replied to Emails using the Mail2Web interface onto the PN Email Servers.
|
|
|
If you're going to quote me, please do so in full
I didn't say you couldn't send, I said you couldn't send using PlusNet's SMTP servers. There is a large but important difference, just as there is a large but important difference between PlusNet linking to a website that provides a service and them running a website that provides a service.
If you don't understand the difference I'll be happy to explain.
Edited by h0tblack (Thu 14-Jun-07 15:19:35)
|
|
|
|
You can log in to our mail servers to receive mail from anywhere, whether that's via webmail, a mail client or just using telnet. To send mail via our relay servers you need to be connected to our network and we'll know the identity (username or CLI) of everyone connecting. With webmail you aren't necessarily connecting via our network but you are still sending mail via our mail servers. As such, as I said above, there's a much greater danger of an anonymous spammer sending spam via webmail.
With something like Mail2Web you are sending mail via their mail servers rather than our servers and they may well have different processes in place to trap spammers.
|
|
|
|
This is something that I believe is already being addressed, I will check into it.
|
|
|
|
I know hotmail lets you have an audio that says numbers and then you type the numbers in.
|
|
|
|
The issue we have is that spammers can and have written scripts to sign up free accounts and then use webmail to send lots of spam - It's pretty easy to do and to automate if you know how. We could stop offering free accounts, and to be honest that is something that will probably happen anyway, but at least until then some sort of mechanism is needed to prevent the automation.
The problem with whatever way we choose to achieve this, we are using Squirrelmail and we are restricted by the availability of suitable plug-ins. Unless anyone knows of a suitable Squirrelmail Plugin that is well tested and bug free, writing our own plugin that could do sound or has "pick the kitten" type images is probably the only way we can improve this and that isn't a quick fix.
|
|
|
|
I do see your (and many other like you) problems.
To conform with the Disability Discrimination Act you have to do certain things.
If you are offering something for free, where is the value of spending X amount of money & time.
So the end result is removing the service so no one gets it!
|
|
|
In reply to:
To conform with the Disability Discrimination Act you have to do certain things.
If you are offering something for free, where is the value of spending X amount of money & time.
So the end result is removing the service so no one gets it!
The end result has always been an issue I have with the DDA. It seeks to make things easier for the disabled (which is good) but very often at the expense of the majority as services get cut back as it costs so much more to provide them whilst being fully compliant.
It reminds me of a shop in Stratford on Avon. The shop is in a listed building in the middle of town so altering it is a very difficult process and is unlikely to be approved. The door in (and the only door at that) is up a couple of steps through a narrow door. Someone in a wheelchair came past just after the law was enacted threatening to take the shop to court because they couldn't get in without assistance. The problem is there was no easy way to alter the shop entrance to make it wheelchair accessible without breaking planning laws. The shop were stuck in a catch22.
Vince
15 year olds racing cars - Sponsors needed for 2007 and 2008 - MVRacing.co.uk
|
|
|
In reply to:
It reminds me of a shop in Stratford on Avon. The shop is in a listed building in the middle of town so altering it is a very difficult process and is unlikely to be approved. The door in (and the only door at that) is up a couple of steps through a narrow door. Someone in a wheelchair came past just after the law was enacted threatening to take the shop to court because they couldn't get in without assistance. The problem is there was no easy way to alter the shop entrance to make it wheelchair accessible without breaking planning laws. The shop were stuck in a catch22.
I feel for shopkeepers in that position. It's not a shopkeeper's fault someone is in a wheelchair, but they now have to pay to convert so it costs them X amount.
Anyway going OT now so better shut up shop, so to speak!
|
|
|
|
It's one of those things that people describe as swings and roundabouts I guess.
If only subscription accounts used webmail then it wouldn't need the captcha but it's probably an even bigger piece of development to be able to filter them.
Looking at the call graphs for dial-up over the last 4 years there's a steady decrease, I can see there being a market for a while yet for PAYG dial-up but that market for new sign ups will just get smaller and smaller so at some point it does make sense to discontinue it.
|