What simple (and easy to double-check) computation could be requested that benefits the web-master?

ReCAPTCHA answers that question: Human-assisted OCR.

At the time of writing, it has become an epidemic of SIX people.

Time for action. Release the porn!

I had imagined that the attack would involve the bad guy copying the image and sending it to the user. Otherwise, the dynamically-generated CAPTCHA image seen by the dupe and the CAPTCHA image seen by the bad guy wouldn’t match.

So, that would prevent blocking by referer header.

(Are CAPTCHA’s dynamically generated and unique? I’ve heard of cases where there has only been a set of a dozen of so pre-cached images, so at least sometimes the answer is “No”. Expensive image-generation per simple request = simple denial of service attack opportunity - one machine could generate more requests than one server could fulfill - so may be they shouldn’t be generated on the fly.)

I am not really clear where the “sweet spot” of blacklists is, so I am not clear whether they would help. I suspect they are good at blocking open-relays, where the naive system administrator hasn’t stop spam being relayed. I suspect they are somewhat useful for blocking the flood of personal machines taken over by botnets. I suspect they are somewhat useful at over-aggressively blocking entire IP ranges from anti-social ISPs who are known for deliberately accepting spammers as customers as part of their business model.

However, would blacklists be successful against this attack, which could probably be done undetected right under the nose of even a responsible ISP? Do motivated people really find it that hard to move their machines onto a new IP address when the old one is burned?

Or blacklisting. Even that is a feasible defence in the case of CAPTCHA farming.

The actual *opportunity cost* of porn, at least static-image-type porn, is already pretty close to zero. If you want to look at naked people, it’s not difficult.

I would shout “Yay! Those free porn-sites are already protecting us from spam!” but my tongue is stuck too firmly in my cheek to make out the words!

Maybe, but somehow I doubt that porn-seeking CAPTCHA farmers would care too much about doing the right thing. If they even exist.

I agree. We would need to give them incentives.

I once saw a sign in an fast food restaurant in a U.S. airport that said “If you don’t get a receipt with your meal, the meal is free.” It turned every patron into an auditor, ensuring the cashier wasn’t pocketing the money.

Imagine if the CAPTCHA image contained the following text:

Please type in this word: k3jsad
If you see this image on a site that is not somethinkodd.com, please send the URL to CAPTCHA-abuse @ somethinkodd.com. If it turns out to be CAPTCHA-farming, you’ll be in the draw to win a new iPod Pico!

It would be a great tool for locating the bad guys, but it would be a usability nightmare on the original site.

Maybe it would be enough to, for example, include a web-logo watermark in the CAPTCHA image, and widely advertise your policy. That might be sufficient to work for the big boys (Yahoo, Google, etc.).

I’d argue that this has already happened. The actual opportunity cost of porn, at least static-image-type porn, is already pretty close to zero. If you want to look at naked people, it’s not difficult. I think adding a captcha to that would be already too much work, compared to the scads of free porn you could click directly through to with no CAPTCHA in sight.

Including the name (or some explanatory text) on the original site in the CAPTCHA image would help detection of the issue to occur faster.

Maybe, but somehow I doubt that porn-seeking CAPTCHA farmers would care too much about doing the right thing. If they even exist.