Insufficient Anti-Automation is fat becoming the #1 threat to web sites. Since Captcha has been proved practically useless, especially when there is a financial gain from automating access to the site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tool is a very good example of this serious problem.

Read the comments, they are enlightening. As usual, one of the problem when spam is involved is defining if and what is a wrong doing and what is a  valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craiglist is the worst censors on the Internet not letting small time businesses work. Other argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article has been published.

Update (April 19^th 2009) - A recent article in the Vancouver Sun further discuss the issue. While there are no new technical details, the discussion that follows the article is illuminating

Insufficient anti-automation is fast becoming a major, if not the major threat to web application. The reason is that it can be very profitable for the hacker, and on the other hand it is far from a simple vulnerability just requiring a quick fix.

TicketMaster on going combat with hackers line bypassing to buy event tickets to resell them for a high price is a very good example of the issue. In this specific example the hackers demonstrate that Captcha, a method of blocking automated programs by presenting a challenge supposedly difficult for a computer software, is not sufficient.

Someone, and not for the 1st time, succeeded in manipulating Google Trends, a Google service listing popular search terms. In this case the New York Time reports that a symbol at presumably denoting 9/11 reached number 2 in the list of hot Trends (see picture right).

While this may be nothing more than a joke, the capability to create a trend can have a huge and sometimes devastating effect. After all in recent months the future of big financial institutes was determined by the rumor mill.

On the technical side, insufficient anti-automation controls have been one of the more obscure and hardest to fix vulnerabilities in web applications. Starting with the Lexis-Nexis incident (WHID 2005-65), many incidents where waved off as nothing more than an automated client. However, as the incidents pile it becomes clear that it is the responsibility of the site owner to mitigate such harmful automation attacks.