Spammers Learn to Outsource Their Captcha Needs 221

lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
  • by hclyff ( 925743 ) on Saturday November 25, 2006 @04:43AM (#16982630)
    Damn those developing countries, stealing all the decent jobs from the hard working Americans.
  • These lead shoes (Score:3, Informative)

    by future assassin ( 639396 ) on Saturday November 25, 2006 @04:44AM (#16982636)
    are nothing to do with business it's just personal. I would be more than happy to plead guilty if I ever got caught for beating the fuck out of a spammer.
    • by Moraelin ( 679338 ) on Saturday November 25, 2006 @09:17AM (#16983840) Journal
      Actually, I doubt you would actually beat one. Not meant as an insult, but I believe that you don't have what it takes. If you had, you'd already be either in jail, or a CEO, or chief of marketing or various other positions suited to people able to think "it's just business" when harming others. Or in his place making a good living sending spam and 419 mails.

      See most people are quite able to speak/cheer about and for beating others up, killing others, war, etc, as long as it's just talking. They might even actually do it, if a fit of rage disables their sanity for long enough. But fits of rage aren't something you can plan and execute whenever you wish. And otherwise when you actually have to do it, there's this interlock against harming other humans. It's partially "what if it was me in his shoes" education (even if you logically know it would never be in his place spamming) and partially that interlock most animals have against harming their own more than strictly necessary. (Even when cats or dogs fight their own there is always a mechanism to signal "I give up" and the other _will_ cease.)

      It's a strange world, really. The same people who could be shaking a fist and screaming for war against X at the top of their lungs, would actually have trouble looking one of X in the eyes and squeezing the trigger. A lot of PTSD cases in war aren't just people getting shocked by being shot at, but shocked by having shot other humans.

      There is one category that can cheerfully think "it's only business": the sociopaths. They live in a strange world in which the others are NPCs: the others don't matter, they're not the same, "it could be me in his shoes" doesn't apply, etc. They can lie, cheat, murder, torture, whatever, and be perfectly able to look themselves in the mirror after it. Because the other guy didn't matter.

      And, sad to say, if you weren't born one, I doubt you could actually beat this guy up in cold blood. If anyone gave you a baseball bat and this guy tied to a chair, you just couldn't actually do it.

      And it's probably better that way. I'm thinking we as a society would do better to just start recognizing sociopaths for what they are, and the damage they can do. This guy, for example, is a sociopath, plain and simple. He's not just "being smart", he's not "just doing business", he's not "just doing what's needed", or the other things these guys like to pose as. He's just someone who doesn't even see you as a human being, much less his equal.
      • by Cylix ( 55374 )
        Eh,

        Just because someone doesn't care does not imply they feel they are beyond the law. I'm sure there are plenty of potential crimes just lying in wait, but they really don't want to be incarcerated. On a different note, not every one can be a basketball star and not everyone can be a CEO either (or insert glorious position). Perhaps he lacks the real ambition it takes to pursue his sociopathic goals in life! (Can't blame a guy if he doesn't try!)

        No, I'm afraid our sociopath friend just doesn't have what it
      • Actually, I doubt you would actually beat one. Not meant as an insult, but I believe that you don't have what it takes. If you had, you'd already be either in jail, or a CEO, or chief of marketing or various other positions suited to people able to think "it's just business" when harming others. Or in his place making a good living sending spam and 419 mails.

        Nah, I'd yell at one in public and give him a hug and a "thank you" in private. After all, I have a consulting company and we'd not have half of ou

      • There is one category that can cheerfully think "it's only business": the sociopaths. They live in a strange world in which the others are NPCs: the others don't matter, they're not the same, "it could be me in his shoes" doesn't apply, etc. They can lie, cheat, murder, torture, whatever, and be perfectly able to look themselves in the mirror after it. Because the other guy didn't matter.


        Now granted, in most cases, these people are as dumb as doorknobs. But, if you think about it (REALLY think about it..
        • Re: (Score:3, Insightful)

          by Moraelin ( 679338 )
          They love to pose as just the smart ones, yes. They do that a lot.

          But in the end that all bears fairly little relevance. Even if there is no afterlife at all (in fact, especially if there isn't one), there are some millennia of learning to, more or less, work together to make our stay here reasonably acceptable. That's in the end all that society is.

          If all humans actually were unchecked wolves to other humans, you'd probably find this one existence here to be very shitty and very short. Because at least 1%,
      • by xant ( 99438 )
        Thank you for your compelling and well-argued thesis, titled "Some People Exaggerate." Wow.
      • Re: (Score:3, Insightful)

        by guaigean ( 867316 )
        The problem with your logic is that sociopaths exist in much higher ratios than you seem to believe. See, according to http://www.psychiatric-disorders.com/personality/antisocial.php [psychiatri...orders.com] and other sources, nearly 3.6% of the US population is sociopaths. Essentially, the only thing keeping 1/30th of the population from this behavior is laws. While sociopaths may not care whether you live or die, they do care whether or not they go to jail. That means 1 in 30 people CAN squeeze that trigger, and not really
        • Re: (Score:3, Insightful)

          by Moraelin ( 679338 )
          Nothing against all that, and yes, I knew that they're not uncommon. I was going by a roughly 4% number, but 3.6% is close enough. In a nutshell, yes, we can very quickly agree about all you've written.

          The point still stands that you can't just snap your fingers and become one, so it's kinda pointless to dream about becoming one. "Man, if I were alone with this guy for a minute, I'd soo punch his clock" is a pipe dream. Either you aren't a sociopath at all, and in practice you couldn't do anything to this gu
          • Re: (Score:3, Insightful)

            by guaigean ( 867316 )
            Well, from that line of thought, I agree. I have to say, that is one of the most well thought out responses I've seen on /., and thanks for further explaining. You're right, in that throughout history we have shown that the sociopathic can be contained, but only when they cross a certain line that enough people find unacceptable, and I think the most important thing, as you pointed out, is that sociopaths can only operate when there is a certain amount of apathy from the masses.
  • by worb ( 935866 ) on Saturday November 25, 2006 @04:45AM (#16982648)
    I'm not sure if poor people filling in CAPTCHAs should be our biggest concern, when people are in fact dying all over the world from war, starvation, and so on (yes, I know that it's possible to focus on several problems at once). However, the problem with CAPTCHAs being worked around by real people (either by hiring people to do it or by luring porn surfers to fill it in for them) has been there for ages.

    If I am not mistaken, there have been several stories on this kind of thing on Slashdot...

    Anyway, the bottom line is that spammers have been doing this for a long time, and I'm not sure if the $100 laptops will make a difference either way. Will these $100 laptops all have internet access?

    • by cp.tar ( 871488 )

      Why, of course they will.

      Developing countries all have broadband Internet access, even WiFi. And those who do not, well, the spammers will pay them enough for each solved captcha that they offset the surely insignificant cost of modem access.

      Even if it does happen, though, it will only go to show that captchas aren't the way to get rid of spam, bots etc.
      I would prefer it, though, if spammers learned to circumvent captchas automatically... can you imagine what it would mean for OCR?

      • Re: (Score:3, Interesting)

        by FireFury03 ( 653718 )
        Even if it does happen, though, it will only go to show that captchas aren't the way to get rid of spam, bots etc.

        I would certainly like to see the end of captchas, and I have resisted using them on my own sites. They are really bad for accessibility and therefore illegal in many situations and just generally unfair to anyone who can't solve captchas (whether that be by disability or browser choice). However, I have yet to see any other technology able to do the job.
        • I, for one, found out I can't solve most captchas while being drunk.
          Does that fall under any of 'unfair treatment' laws?
          • Re: (Score:3, Insightful)

            by secolactico ( 519805 )
            Most of the time, I can't while sober. Is that a g or a 9? Does case matter? That kinda looks like an S but could be a distortion...
            • Re: (Score:3, Informative)

              by bogado ( 25959 )
              I use readable captcha, the challenge to the spammer is not only "reading" the text but parsing it. I have a categorized database of words, each word belongs to one or more categories. The system makes a question what word in the list belongs, or not, to a certain category.

              Just to make it harder I put it in an image, that has several rotated letters that have a sufficiently different color, this is only a stopgap because all of this can be filtered easily enough, but it can look like a usual captcha to a n
      • Re: (Score:3, Interesting)

        by arivanov ( 12034 )
        You were joking, but in fact not that far from the truth.

        I did DSL installs in an ex-soviet block backwater which is not even in the EU yet in 1998. At that time UK and the rest of Europe (except Scandinavia) was still wetting themselves over a second ISDN channel and 56K modems. In the same country ethernet to the home in big cities is the norm, not the exception. The cable operators built bandit networks using twisted pair as far back as 1999-2000. So on, so forth.

        Similarly, I had to design, deploy a
        • I would also suppose that there is no need to accommodate existing infrastructure in 2 ways:
          1) No competition for space, e.g. when running cable in a location where old cable exists you need to be very careful where you dig. Also, if going wireless there probably isn't much competition for desirable locations from cell phn, radio, or other wifi operators for space.

          2) Interoperability with older technologies isn't as much of an issue. Since there aren't any. So working out the kinks to get older and newer tech
      • by 1u3hr ( 530656 )
        I would prefer it, though, if spammers learned to circumvent captchas automatically... can you imagine what it would mean for OCR?

        OCR is pretty good now. I've scanned some books with Abbyy OCR and the error rate was maybe one per page. While that's good enough for most purposes, and maybe even for captchas, it still needs to be proofread if you want to republish.

    • by darkain ( 749283 )
      Woah, that just gave me a heavily abusive idea.... What would happen if a "spam server" attempted to load a CAPTCHA page, and then streamed that CAPTCHA image to a different web server as part of a "login" system. Its own login system would just ignore the image itself, but take that user input for it and pass it along to the site it is spamming. This would be a piss poor easy way to get people to break CAPTCHA for FREE. Just shove this sort of bullshit into a popular porn web site, and you have hopeless
      • Been on /. already, even easier. Want to access free porn? Solve this captcha. And the captcha image gets imported from Yahoo mail account creation page.
      • by ajs318 ( 655362 ) <.sd_resp2. .at. .earthshod.co.uk.> on Saturday November 25, 2006 @07:02AM (#16983204)
        I'm sure there are ways of defeating that at the CAPTCHA server level. Generate a brand new image every time, and send it out along with a cookie. The cookie is a database key which refers to the CAPTCHA solution; the record also contains the timestamp when the image was generated and the IP address to which it was sent. (NOT the MD5 of the solution: anyone can generate an MD5 for any word and send that as the cookie contents with their word as the answer, effectively bypassing the image altogether.) The answer must not only be correct; it must also come from the same IP address that received the image, and within a reasonable time limit. IP addresses cannot be forged (or else the server would be speaking to the wrong client) and nor can timestamps (which come from the server anyway), so this ought to be fairly robust. Checking the referrer won't help, because referrers can be forged.

        The CAPTCHA image and question themselves need some thought as well. Just having a person type some "distorted" text verbatim is a bit christian IMHO, because it's vulnerable to OCR. Insisting to change the order or capitalisation ("type this backwards in all lower case") would be a good start, but there are plenty more techniques involving pictures that only a human being will be able to use; and you can possibly even set a knowledge barrier (by using challenges that will be easy for people in your chosen field but not random idiots) to keep out undesirables.
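The server-side record ajs318 describes above, as an added example that is not part of the original comment or any site's real code: the cookie carries only a random lookup key, while the solution, issue time and client IP stay on the server. The function and class names, the 120-second limit, the single-use rule and the switchable IP check (replies in this thread note that some ISPs rotate addresses per request) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


def weak_verify(cookie_value: str, answer: str) -> bool:
    """Flawed design the comment warns about: cookie = MD5(solution).

    The server trusts a value the client fully controls, so the image
    never has to be read at all.
    """
    return hashlib.md5(answer.encode()).hexdigest() == cookie_value


def forged_pair(word: str):
    """What any client can compute locally against weak_verify()."""
    return hashlib.md5(word.encode()).hexdigest(), word


class ChallengeStore:
    """Server-side CAPTCHA records keyed by an opaque random token."""

    def __init__(self, ttl_seconds: float = 120, bind_ip: bool = True):
        self.ttl = ttl_seconds      # assumed time limit
        self.bind_ip = bind_ip      # disable for ISPs that rotate IPs
        self._records = {}          # token -> (solution, ip, issued_at)

    def issue(self, solution: str, client_ip: str, now: float = None) -> str:
        """Store the solution and return the token to set as the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # reveals nothing about the answer
        self._records[token] = (solution, client_ip, now)
        return token

    def verify(self, token: str, answer: str, client_ip: str,
               now: float = None) -> str:
        """Return 'ok' or the reason the attempt was rejected."""
        now = time.time() if now is None else now
        # pop() makes every token single-use (an assumption of this example):
        # one guess per image, and a solved token cannot be replayed.
        record = self._records.pop(token, None)
        if record is None:
            return "unknown-or-reused"
        solution, issued_ip, issued_at = record
        if now - issued_at > self.ttl:
            return "expired"
        if self.bind_ip and client_ip != issued_ip:
            return "ip-mismatch"
        if not hmac.compare_digest(answer.encode(), solution.encode()):
            return "wrong-answer"
        return "ok"


def demo() -> dict:
    """Run constructed cases (documentation IPs, fixed clock values)."""
    results = {}
    cookie, answer = forged_pair("anything")
    results["md5_cookie_forged"] = weak_verify(cookie, answer)

    store = ChallengeStore(ttl_seconds=120, bind_ip=True)
    t = store.issue("kx7qp", "192.0.2.10", now=1000.0)
    results["correct"] = store.verify(t, "kx7qp", "192.0.2.10", now=1030.0)
    results["replay"] = store.verify(t, "kx7qp", "192.0.2.10", now=1031.0)

    t = store.issue("kx7qp", "192.0.2.10", now=1000.0)
    results["late"] = store.verify(t, "kx7qp", "192.0.2.10", now=1121.0)

    t = store.issue("kx7qp", "192.0.2.10", now=1000.0)
    results["other_ip"] = store.verify(t, "kx7qp", "198.51.100.7", now=1010.0)

    # Same request with IP binding off, as for users behind rotating proxies.
    loose = ChallengeStore(ttl_seconds=120, bind_ip=False)
    t = loose.issue("kx7qp", "192.0.2.10", now=1000.0)
    results["other_ip_unbound"] = loose.verify(t, "kx7qp", "198.51.100.7",
                                               now=1010.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The record only proves that the answer matches the image this server issued; as the replies below argue, it cannot tell who or what produced that answer.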
        • IP addresses cannot be forged (or else the server would be speaking to the wrong client)


          Err... Wrong. All they would have to do is put a VPN client on the laptops, and run them through a NATing router on the spammers end (which would probably be necessary on the spammer's end anyway to get the images to the in the first place).

          The word 'contact' in this post's captcha was farmed out to an Anonymous Coward
        • Re: (Score:3, Funny)

          Just having a person type some "distorted" text verbatim is a bit christian...

          Maybe it's just too early in the morning for me, but what does that mean? That typing distorted text is easy? That it's smart/dumb? That it makes you love your neighbor as you would have them love you?

        • by user24 ( 854467 ) on Saturday November 25, 2006 @08:20AM (#16983558)
          this is exactly how most session-based CAPTCHAs work. The timestamp idea is unworkable - it doesn't take that long for data to be ferried half way across the world, so if you implement a timeout, you'll end up pissing off your legitimate users as well as thwarting spammers, and if you make the timeout longer it'll render it completely ineffective - what I'm saying is that it takes as long for a spammer to type a captcha as it does a legitimate user.

          Stuff like "type this backwards in lower case" won't help *in the least* - it'd be trivial to get past, as trivial as writing a bot to collect email addresses, and we know how many of those there are.

          Checking the IP address won't work (unfortunately) because certain ISPs (*cough*AOL*cough*) use multiple outgoing IPs for the same user; it's ridiculous but there you have it.

          In any case, IP addresses can be forged; the spammer doesn't need to receive a response, he just needs to send his CAPTCHA and spam message; if he's on 4.3.2.1 and needs to send from 1.2.3.4 then he will - the server's "yes you got it" response will be sent to 1.2.3.4 but the spammer doesn't care; his spam has got through.

          In short, there is no serverside way of preventing a captcha from being relayed to/from a 'processor' be it OCR or human.

          However, what needs to be remembered is that in 95% of cases, any type of captcha will stop 100% of spam. Most captchas out there are pitifully weak in terms of OCR resistance [ocr-research.org.ua], have implementation bugs [puremango.co.uk] coming out of their *ahem* and 'in principle' offer no security whatsoever, but they work because most spammers are only after the low hanging fruit.
          • I agree 100%.

            I think people spend far too much time worrying about false positives with CAPTCHA tests and not enough time worrying about false negatives.

            The proliferation of CAPTCHAs is a big problem for web accessibility and one that needs to be addressed a little more urgently than the possible emergence of human spam teams in India.

            I've created my own CAPTCHA solution, which I'm too embarrassed to plug... again... I've already plugged it 2 or 3 times in other replies to this post, just do a search for m
        • I'm sure there are ways of defeating that at the CAPTCHA server level. Generate a brand new image every time, and send it out along with a cookie. The cookie is a database key which refers to the CAPTCHA solution; the record also contains the timestamp when the image was generated and the IP address to which it was sent. (NOT the MD5 of the solution: anyone can generate an MD5 for any word and send that as the cookie contents with their word as the answer, effectively bypassing the image altogether.) The an
        • by Goaway ( 82658 )
          it must also come from the same IP address that received the image, and within a reasonable time limit.

          You know, if you stopped and thought for half a minute, you would see how an IP check is completely useless.
        • by neoform ( 551705 )
          Locking the captcha to an ip address will cause problems for users who are accessing your site from services like AOL that cycle the user's ip address for every page request. every time i look at my logs and see an aol user, i see about 50 IPs for that one user.
        • So basically with all that IP checking and all, you've just said (in so many words) that the spammer must use a proxy.

          Basically if machine A is the server, machine B is doing the spamming, and the paid peon cracking captchas for a living is on machine C, then it can jolly well go on like this:

          - the peon's machine C connects to one of the many machines B doing the spamming (it can also be the other way around: machine B could initiate a connection and wait for the human to be ready. Works great if machine B
        • Re: (Score:3, Interesting)

          by Spacejock ( 727523 )
          I thought of a captcha the other day which would be easy for humans and hard for PCs to solve: show three images, tick the one which is smiling or crying or angry or whatever. (Or happiest, saddest) You could mix real photos (greyscale, say) with stick drawings to really stuff up the automated systems.

          Only problem is, those with screenreaders would be very much disadvantaged unless you had audio cues to go with the images.
    • If I am not mistaken, there have been several stories on this kind of thing on Slashdot...

      You are correct. For example, Will Solve Captcha for Money? [slashdot.org]

      I wonder how much of this is due to forums like /. raising the media's awareness of the next impending Internet-based doom?

  • This is deeply troubling. What can be done to stop it?
    • Re:Now what? (Score:4, Insightful)

      by cyberon22 ( 456844 ) on Saturday November 25, 2006 @05:30AM (#16982818)
      Hire someone in the developing world to monitor your blog and clear it of spam. If the cost is insignificant to them it is insignificant to you. And as the cost of labour rises with competition the problem naturally goes away.
    • A number of things:

      • get rid of corrupt American politicians that took huge backhanders during the CAN-SPAM fiasco
      • get the politicians to write legislation with real bite. It can take up to 15 seconds to delete an email e.g. so 15 seconds of prison time for every sent spam email sounds about right; i.e. 8 months in prison for a million emails. On second thoughts 60 seconds in prison, because they knew what they were doing was wrong, so 30 months in prison. A few spam runs, and it's essentially life impris
      • by Phroggy ( 441 ) *

        get rid of corrupt American politicians that took huge backhanders during the CAN-SPAM fiasco

        To my great surprise, it looks like steps are being taken in this direction. Quite a few incumbents got tossed out in the recent election, and the Democrats now in charge are making a fuss about dealing with corruption. Of course I don't expect that to lead anywhere, but at least they're making a fuss.

        get the politicians to write legislation with real bite. It can take up to 15 seconds to delete an email e.g. so 15 seconds of prison time for every sent spam email sounds about right; i.e. 8 months in prison for a million emails. On second thoughts 60 seconds in prison, because they knew what they were doing was wrong, so 30 months in prison. A few spam runs, and it's essentially life imprisonment. Yay! (My heart bleeds, but essentially they kill person lifetimes every time they do a spam run).

        I'm not convinced that increasing the sentences will serve as a significant deterrent. Many spammers go to great lengths to avoid getting caught.

        Also, I'm tired of people complaining that CAN-SPAM is worthl

        • by ajs318 ( 655362 )
          Just because they are victims, does not mean they are blameless. Anyone who hasn't been living in a cave knows this kind of shit is going on.

          When a group of people borrow money from a bank, they are "jointly and severally liable" for the outstanding portion of the debt. If a husband and wife borrow £100 000, then the husband pays back his half, each of them is considered still to owe the bank £50 000. If the wife disappears off the face of the planet, well, the husband has 50 000 extra motiv
  • The question becomes if the spammers filling in captchas for blog comments will win or lose over the spammers creating fake blogs. Will some spammers (not the sharpest knives in the drawer) end up paying one set of people doing captchas for new blogs and another set to junk their own blogs by choking them with fake comments?

    In any case, the economy of spamming changes fundamentally once it's no longer cost free to do.
  • by CandyMan ( 15493 ) <javier AT candeira DOT com> on Saturday November 25, 2006 @04:51AM (#16982668) Homepage
    Cory Doctorow wrote some time ago about an unbeatable way to solve captchas: have the captcha-circumventing bot connected to a free porn site [boingboing.net], inline the images in the gateway pages to the photos and videos, and have the porn-seekers gain access by solving the images. They would have the same infrastructure that they would need if they used developing world click-workers, without the hassle of having to arrange payments.
    • Nice idea, but there are going to be problems with this. For starters most CAPTCHA images time out, the bot would need to get it solved by a horny porn dude within about 1min of it being served. Also you have the problem of actually relaying the image to the horny porn dude. Most CAPTCHA images work by not allowing you to serve the image to more than one request, new request, new CAPTCHA. So they would have to capture the captcha. Trying to pick the image from the download cache is going to be a little t

      • by Goaway ( 82658 )
        Trying to pick the image from the download cache is going to be a little tricky for a single site, I think this gets exponentially harder if you try making a generic CAPTCHA breaking solution.

        What the hell are you talking about?
        • My reply to you is the same as the anonymous coward below (you're probably the same person anyhow)
        • by Goaway ( 82658 )
          Obviously if several people are calling you stupid, it's because there's one single guy out there with a grudge and sockpuppets, and not because you actually said something utterly idiotic.
    • by neoform ( 551705 )
      unbeatable? what's to stop you from putting hotlink protection on the captcha image?
      • by CandyMan ( 15493 )
        The bot could copy the image and present a copy to the porn-seekers. Hotlinking is not an issue, once the original webserver has sent the image, it is just an image and can be copied and sent.
        • by neoform ( 551705 )
          This would require a computer to be constantly copying the image for redisplay.. this would make it a lot easier to catch the IP of the machine doing the copying.. and ban it.
  • by Dark Paladin ( 116525 ) <jhummel@jo[ ]ummel.net ['hnh' in gap]> on Saturday November 25, 2006 @04:52AM (#16982672) Homepage
    1. The cost of computing and Internet access have truly dropped to a point to where it is nearly "universal".
    2. The Human solution sometimes is the best.

    What's going to be interesting is threefold: how do we conquer this problem, and how long until "sweat spam shops" have opened up, and how long until the outsourcers become the main branches? Much like the Cory Doctorow story revolving around sweat shops of MMO players, it might not be long until automated scripts are combined with "sweat shop" style workers, whose only job is to enter in the proper "human" data to fill spam.

    On the other hand, as outsourcing has taught us, it is only a matter of time before the outsourcees become the suppliers as they get the training they need. Once the "local guy" starts making up the scripts, it's only a matter of time before he/she goes to open up their own spamming sweat shop. Which is a good thing in a weird way as the article points out - it encourages new business at the expense of annoyance.

    The next phase of solutions might have to focus on more detailed question/responses - but there's a danger in this in finding the "sweet spot". You want to make it as expensive as possible for spammers, but not so annoying for your "true customers". Much like my new bank's online service, perhaps, where they made me select my "security image" and more personal questions so I had to enter 2-3 things to truly "log in" the first time.
    • by Xemu ( 50595 )
      2. The Human solution sometimes is the best.

      Indeed. So why not outsource the spam filtering, and have a human being in Nigeria read through your mails, and decide if they are spam or not. I am sure they would know if King Mukabuto really was that rich or not.
  • it is just business (Score:3, Interesting)

    by PrinceAshitaka ( 562972 ) * on Saturday November 25, 2006 @04:53AM (#16982678) Homepage
    I think people should not just be upset with the spammers, but those who buy from spammers. Spammers just fill a market need. If nobody was buying penis pills, you would never be spammed.
    • by Anonymous Coward on Saturday November 25, 2006 @05:07AM (#16982732)
      The problem with this reasoning is that there is only a small group of people buying the pills, but the spam is received by a much larger group.

      This is of course because spreading spam costs too little to be worried about pre-selecting the audience. When advertising on TV or sending info by post, companies usually try to match their audience to the product they are going to sell. I.e. they do not send adverts for luxury products to houses in poor neighborhoods, they try to weed their lists so that bouncing addresses are not kept on it forever, etc.
      All this to maximize the return on the cost of sending the adverts.

      Spammers don't have to do this, because they make money anyway.
      When it would cost 1 cent to send a spam message, it would not be worthwhile to send it to 100000 addresses and make 1 sale of a $25 product.
      • This is of course because spreading spam costs too little to be worried about pre-selecting the audience.

        Whilst spam is by far the worst case, all direct marketing suffers from this problem to some extent. Very little of the crap that's shoved through my door, SMSed or telemarketed to me is actually relevant to me.

        At least in the UK we have some of the direct marketing a little more under control (unsolicited SMS messages are illegal... although some do still get sent. Telemarketing to phones registe
        • Re: (Score:2, Insightful)

          by Anonymous Coward
          Whilst spam is by far the worst case, all direct marketing suffers from this problem to some extent. Very little of the crap that's shoved through my door, SMSed or telemarketed to me is actually relevant to me.

          I can assure you that all direct marketing bureaus match the product and target audience. When living in a lower-class neighborhood, you will find very few Mercedes or Jaguar flyers on your doorstep. It will not be perfect, but nobody is just throwing away money they know they can better spend e
    • by Eggplant62 ( 120514 ) on Saturday November 25, 2006 @05:48AM (#16982880)
      Easier solution: Kill all those with tiny penes. Only the well-endowed should be allowed to live, thus no need for penis pills. QED.
    • We can't stop idiot customers from buying. We can't stop spammers from spamming. There is a massive demand, and there is an infinite supply.

      The only working solution to spam is to give botnet operators a revenue stream that pays more per GB than what spammers can afford.
    • Let me take this line of reasoning a bit further. You think that people should not be upset with the:
      • Land-mine manufacturers or dealers
      • crack cocaine or heroin manufacturers or dealers
      • orphan child sex slave dealers
      • stolen fissile material dealers
      • identity info thieves or dealers

      because they're not doing anything wrong (it's just business). But we should be unhappy with

      • some African dictator. (He laughs at your displeasure)
      • an addict. (she is too busy selling her ass to score a hit to worry about your
  • Spammers with a brain display the captchas from the site they want to spam on another (fake or not) site and let real users solve them to gain access to pr0n or whatever. Then they can access the original site with the captcha solution. So, it's completely pointless to pay someone for it, I take it the author of this article was just guessing (and without much imagination).

  • or maybe... (Score:4, Insightful)

    by idlake ( 850372 ) on Saturday November 25, 2006 @05:02AM (#16982712)
    It's pretty depressing when one of the primary worries of bringing the third world on-line is that it will drive the cost of breaking anti-spam measures to zero.

    In fact, there is a lot of good, low-end on-line work low-skilled third-world labor can do once they are on-line. That's a good development: it gets work done that otherwise wouldn't get done, and it gets people jobs that beat the back-breaking, dangerous work they'd otherwise have to do (provided they aren't too old, weak or ill to do it in the first place).

    Hey, maybe that third world labor can also do the spam classification, manually. I'd be willing to pay for that.
    • by joe 155 ( 937621 )
      I agree that it could be good to get people in the third world to do classification job, if we paid them $2 a day then that would be a really good wage for some of these kids. Unfortunately these computers aren't for the most in need, ironically if we gave the absolute poor who couldn't afford water these OLPC computers then they could do this and buy their own well/cows/goats, which would help with both self esteem and with living conditions (I guess that works as a good refutation of that old troll abou
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Why would we boycott them? It's not like they're being forced to sit there and do anti-spam work - they're choosing to because (presumably) the pay or working conditions are better.

        That's what the anti-sweatshop people fail to understand. It's not like high-priced lawyer jobs await these people if only they weren't being forced to make shoes for Nike. Working in this sweatshop is literally the best choice they have, often by quite a lot, and you want to . . . take it away from them?

        I remain confused.
    • I think it's a good thing in some ways. Any kind of redistribution of wealth from the wealthy west to the 3rd world can't be a bad thing. It will just give us more reason to raise their standard of living, ie to make it too expensive for spammers to hire them.
    • by n3m6 ( 101260 )
      There are some good things that could happen too. Refer Amazon's Mechanical Turkey and what Jeff Bezos calls 'Artificial Artificial Intelligence'. Those are some very interesting outcomes of giving third world countries access to the Internet.
    • Re: (Score:3, Interesting)

      I think this one is a little different, the other article was just a hypothetical, this is actually a real case of spamming occurring with a captcha image.

      I also found his quotation from Bill Gates quite interesting...

      Oh well. I guess I'll have to sit in the corner with Bill Gates, who declared in January 2004 that "spam will be solved in two years". After you with the pointy-D hat, Bill.

      Perhaps Bill was thinking about his trusted/treacherous [slashdot.org] computing model (posted earlier today on slashdot) when he

  • In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."
    If you see ten troubles coming down the road, you can be sure that nine will run into the ditch before they reach you.
    -- Calvin Coolidge.
  • Slashdot had an article [slashdot.org] about this a couple of months ago.

  • by trojjan ( 994851 ) on Saturday November 25, 2006 @05:22AM (#16982788)
    The very point of spam is it is almost zero cost to the spammer. When you pay people to answer to captchas the zero cost factor disappears. I don't think cheap computers and internet will make the problem dangerous
    Not everyone in the third world is going to get computers
    Every computer is not going to get internet connected
    Not everyone on the internet is going to be spamming
    Also consider the fact how much can a single person spam. If the dude with the new cheap computer answers captchas for even 15 hours a day they would hardly generate over a 1000 spam messages which is likely to get the spammer one or two hits. Do you think the spammer is stupid enough to pay for this much profit?
  • When someone sets up a fund that pays out to the first person to brutally murder a spammer and hang his head on a lamp post using cat5, it's not personal... it's just business.

    Spam will never be stopped as long as the perceived gains > perceived risks. Unless there is a holocaust of stupid people, there will always be people dumb enough to buy from spam, so you're not going to solve this equation by reducing the left side. So raise the right side... Put $10 million into ten Swiss bank accounts. Then get the message out: First ten times a known major spammer is brutally murdered, the first party to provide evidence of their involvement gets the location of a buried bank account key.

    I don't usually believe in violence to solve problems, but when you're dealing with people who've demonstrated that there is nothing so depraved they won't do it, and the alternative is governments regulating the 'Net... *shudder*...

    Now, speaking seriously (okay, more seriously - hearing that Alan Ralsky got brutally tortured to death on the evening news would KICK ASS), as long as everyone with a brain is absolutely determined to not respond to any spam the problem will never be solved. Why? Because as long as that is true, the S-N ratio at the spammer's inbox will be favorable, because you can never block 100% of spam, and unless you DO, idiots will get it and will click it.

    So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.

    And for spammers who use links to their websites: Users submit suspect sites to open database of spammer sites. Sites are voted on; After 100 votes, if the guilty verdict > 90% the site is put in the "to DDOS" list for a client script to retrieve and wget entries from. Certain disreputable hackers, whom the database operators want nothing to do with, unfortunately rent botnets and install this client program on millions of hacked Windows boxes. Would that be an immoral action? Yes. Spammers have all the moral restraint of Nazis, and they're winning the spam war - playing nice is no longer an option.

    Unfortunately, it won't happen. MS, Google, Yahoo, and Firebird need to incorporate this into all their clients, along with whitelisting utilities, all at once - NGH. Because of the sheep mentality, no one will want to be the first to stand up. In short, like the decay of diamond into graphite, it *should* happen but has far too high of an energy barrier to actually happen.

    Okay, I'm ready - someone ^C^V that stupid checklist.
    • This is pretty insane, and is not the proper solution. The proper solution is to stop using e-mail. A more workable solution is to set up something like OpenBSD's spamd white/black/greylist program. I use it on my mail server, and it kills about 99% of the spam that is being sent to me. Spamassassin does a pretty good job on the other 1%, and I see about 6-10 spams a week. Not perfect, but it doesn't cost me much in terms of resources, and it keeps e-mail useful for me.

      And I don't even have to pay anyon
      • by voidptr ( 609 )
        The problem with whitelist/greylist/blacklist or any other server side mechanism is that it still takes bandwidth, disk and CPU resources to accept and filter the spam before it hits my mailbox.

        When you've got 500 or 30,000 mailboxes to admin, and they're all getting 100k images every two minutes as we have in the last few weeks, server side filtering becomes prohibitively complex. It's a stopgap measure, but it's leading to a defensive arms race.

        I'm starting to think there's a solution in an IP blacklist t
    • Follow the money (Score:4, Insightful)

      by Attaturk ( 695988 ) on Saturday November 25, 2006 @06:19AM (#16983010) Homepage
      So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.
      I don't think spammers read the replies - at least they'd be fools if they did. They don't typically expect any useful replies - they're simply acting on behalf of a third party either raising the profile of its brand or promoting some offer. I personally find it more fruitful to go after the organisation being advertised. If someone is touting Viagra, get in touch with the highest marketing authority you can at Pfizer. If someone is selling cheap watches, go to the website where you can buy the watch, go through the process and find out where your money would go and/or who owns the domains etc. Then follow the chain back up to someone who might give a damn and give them a really hard time. If everyone did that it'd be far more effective than replying to the spam mails. :)
      • by pe1chl ( 90186 )
        Of course companies like Pfizer and Rolex are irritated by the spammers but there is not much they can do either.
        They are the owners of the brand that gets pirated, but they have not asked the spammers to send the messages. They don't know more about who they are than you.

        I think it is more promising to go after the stock spammers. It should be easy to find who is behind them.
      • by tcgroat ( 666085 )
        If someone is touting Viagra, get in touch with the highest marketing authority you can at Pfizer.

        Reality check time. Do you think the spammers are authorized distributors for Pfizer, that Pfizer deals with them and has some control over them? Or is it more likely the pills were stolen, or remanufactured with more filler and less active ingredient, if not outright fakes with no real medication at all? Are any watches sold via spam ever a genuine Rolex, not a cheesy Fauxlex? Spammers are unscrupulous, spam

      • If someone is touting Viagra, get in touch with the highest marketing authority you can at Pfizer.

        Do you really think Pfizer is using the spam to get "brand recognition" of Viagra? It's just some third party that managed to get a lot of Viagra on the cheap and is using Pfizer's legitimate marketing to his advantage.

        At the least, why would the more recent mails say e.g. "V1agra |_ev!tra (ialis"? It's not like they're all made by Pfizer.
      • Re: (Score:3, Interesting)

        by hughk ( 248126 )

        Hit the credit card companies. Hit them hard. It seems too easy to get a merchant account for online trading with no valid product to sell. The Rolexes etc are usually sold as fakes anyway. Rolex would love to close them down, same goes for Pfizer and V1agra. Heck I've even complained to a software vendor about pirated software being openly sold. Microsoft replied with a form letter but I had a more meaningful response from Adobe, but I had directed the complaint via an onsite consultant who took this seriou

  • I'll be able to help poor people in Africa just by putting a captcha controlled access to blogs and stuff, spammers will pay them.
  • by Yaztromo ( 655250 ) on Saturday November 25, 2006 @06:09AM (#16982968) Homepage Journal

    I'm currently hiring 3rd world citizens to kick spammers in the crotch.

    To the spammers: it's nothing personal. You have to understand: it's just business.

    Yaz.

  • Scenario: You're a spammer and want someone to fill in a captcha for you.
    Solution: Offer a porn-page, where you can "unlock" a picture by filling in a captcha for you.

    That captcha comes from a captcha-protected site, of course, and your user solves it for you to see his inspiration material.

    I'd wager that would be even cheaper than paying $100 laptop users. I mean, people even pay money for porn, you'd probably have more people wanting to fill in captchas for you than your spam machine can handle.
  • Do all those compromised Windows machines in use as spambot networks have anything to do with the current spam infestation and not some people in developing countries?
  • This is just stupid (Score:4, Interesting)

    by Vexorian ( 959249 ) on Saturday November 25, 2006 @07:57AM (#16983460)

    Come on! Remember the usual "Don't teach the poor to read, that would make them a threat"? This all sounds as "don't give the poor any access to the internet, they could become a threat". And for god's sake it is not like captchas are any difficult for just a program to beat.

    I administrate a site with a vBulletin forum, and every once in a while a bot posts messages. Registration requires passing a captcha, in fact, I decided to just remove the captcha, it was seriously not helping stop the spam and was just making the registration harder FOR HUMANS.

    BTW: I noticed that Russian bots are more likely to beat captchas.

    • by Doctor Crumb ( 737936 ) on Saturday November 25, 2006 @11:56AM (#16984676) Homepage
      Usually, if a bot is getting past your captcha, it is circumventing it, not solving it. First, check if you are running with REGISTER_GLOBALS set to "off". Then, make sure your site is only accepting form submissions from the relevant form on your own site; a simple referer check is enough to stop most forum/comment spam. Only if you have secured everything else and you have proof that the bots are actually solving your captcha should you blame the captcha.
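
The checks recommended in the comment above, modelled in Python rather than the forum's PHP; this is an added example, not part of the original thread and not vBulletin's code. `SITE_HOST`, the `captcha_ok` flag, the session store and all function names are hypothetical, and the requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # assumption: the forum's own hostname
SESSIONS = {}  # session id -> expected answer; lives only on the server

def issue_captcha(answer):
    """Start a challenge and remember its answer server-side."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = answer
    return sid

def referer_ok(headers):
    """The comment's referer check: the form must come from our own host.
    The header is client-supplied, so treat it as a cheap first filter."""
    return urlsplit(headers.get("Referer", "")).hostname == SITE_HOST

def register_naive(form):
    """Circumventable: trusts a 'solved' flag that arrives with the request,
    the pattern register_globals=on enabled for uninitialised variables."""
    return form.get("captcha_ok") == "1"

def register_hardened(headers, form):
    """Return (accepted, reason); captcha state comes only from SESSIONS."""
    if not referer_ok(headers):
        return False, "bad referer"
    # pop() makes each challenge single-use: no replay, no second guess
    expected = SESSIONS.pop(form.get("sid", ""), None)
    if expected is None:
        return False, "no pending captcha"
    given = form.get("captcha", "")
    if not hmac.compare_digest(expected.lower().encode(), given.lower().encode()):
        return False, "wrong answer"
    return True, "ok"

if __name__ == "__main__":
    own = {"Referer": "https://forum.example/register"}  # constructed requests
    sid = issue_captcha("x7Kq2")
    print(register_naive({"captcha_ok": "1"}))
    print(register_hardened(own, {"captcha_ok": "1"}))
    print(register_hardened(own, {"sid": sid, "captcha": "x7kq2"}))
    print(register_hardened(own, {"sid": sid, "captcha": "x7kq2"}))
```

If rejected registrations in the server log are mostly "no pending captcha" or "bad referer" rather than "wrong answer", the bots are bypassing the form rather than solving the image.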
