by Adverblessly 815 days ago
I'd prefer to see proof-of-work based captchas. I'd much rather give up 10 minutes of CPU time for a token that can be revoked as soon as I actually use it for evil than give up all of my privacy (and two minutes of my personal time) for the privilege of using your annoying website.
4 comments

Proof of work captchas are pretty hard to tune. You need it high enough to deter spammers (who can pre-compute and don't care about latency), but low enough not to deter real users on low-powered devices who are using your site live and get more frustrated every second they have to wait.

It might work for spammers who really are just making billions of attempts, but then again if they are making that many attempts then you can block on the IP level.

This is basically how Apple does things. Instead of proof of work, they bake the tokens into devices.

The basic idea is that they'll happily let you sneak a few spam messages through iMessage if you're willing to spend a few hundred dollars on a burner iPhone. This is one reason why they're so resistant to allowing gateway protocols between iMessage and third party devices or RCS.

That is what that Cloudflare "checking your connection before proceeding" page is doing.
Spammers would actually prefer it I think. I think for each captcha solved, spammers are ready to pay more than real users (be it electricity or real money). They were already paying real humans before AI became good enough for solving captchas.
Spammers are probably not using their own computer or electricity, so this would be very attractive for them.
No, it would not. Spammers are still paying for the devices - most botnets are built and used (to spam) by different actors. Systems that require more computational power to spam take up more of their resources, making spamming significantly less profitable.
Depends on how much you want real users to spend per captcha in electricity cost. If say it is $1/captcha it would be untenable for real users. If it is 0.01 cent, it wouldn't hurt spammers' margins.
Yes, $1/captcha is clearly infeasible - it'd be far too slow, first of all.

I don't have any knowledge of what spammers' financials are like, but it's possible that even 0.01c/captcha would still be impactful if the click rate is low enough.

Probably the best way to start tuning the PoW difficulty is just by starting out with what users are willing to tolerate - e.g. 3s solve time on the median mobile device. The gap between mobile and desktop devices has significantly lessened over the past decade, so desktop-grade equipment won't have that much of an advantage - say 1s per captcha, which is a lot for a spammer who would otherwise be able to send out dozens of spam per second.

It's not about making spam impossible, but about making it unprofitable enough that the criminals go elsewhere. Economic warfare.

According to a Google search, captcha solving companies charge 0.3c per captcha[1], which basically translates to half an hour of PoW on a DigitalOcean instance. So if the PoW is less than half an hour, spammers would need to pay less with PoW.

[1]: https://2captcha.com/pricing
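The difficulty tuning discussed above (pick a target solve time on a reference device) and the cheap server-side verification it relies on, as an added Python example that is not code from the thread. It is a hashcash-style puzzle over SHA-256; `SECRET`, the hash rate and the timestamps are constructed values, and a real deployment would also record spent challenges so a solved token cannot be replayed.

```python
import hashlib
import hmac
import math

# Hashcash-style puzzle: find a nonce such that SHA-256("challenge:nonce")
# starts with `bits` zero bits. Expected work is 2**bits hashes, so the
# server scales `bits` to a target solve time on a reference device, while
# checking an answer costs it a single hash regardless of difficulty.

SECRET = b"server-side-secret-example"  # constructed; random key in practice


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def pick_bits(hashes_per_second: float, target_seconds: float) -> int:
    """Difficulty whose expected solve time (2**bits tries) on a device that
    does `hashes_per_second` is about `target_seconds`."""
    return round(math.log2(hashes_per_second * target_seconds))


def make_challenge(bits: int, issued_at: int) -> str:
    """Server issues 'issued_at:bits:mac'; the MAC binds both fields so a
    client cannot lower the difficulty or forge a fresh timestamp."""
    body = f"{issued_at}:{bits}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}:{mac}"


def solve(challenge: str) -> int:
    """Client side: brute-force the nonce (this is where the CPU time goes)."""
    bits = int(challenge.split(":")[1])
    nonce = 0
    while True:
        h = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(h) >= bits:
            return nonce
        nonce += 1


def verify(challenge: str, nonce: int, now: int, ttl: int = 300) -> bool:
    """Server side: check the MAC, the expiry window and the hash."""
    try:
        issued, bits, mac = challenge.split(":")
        issued, bits = int(issued), int(bits)
    except ValueError:
        return False
    body = f"{issued}:{bits}".encode()
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected) or not 0 <= now - issued <= ttl:
        return False
    h = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(h) >= bits
```

With a phone doing roughly a million SHA-256 per second, `pick_bits(1e6, 3)` gives 22 bits for a 3 s target, and a desktop several times faster still needs about a second per token.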