Spammers Learn To Outsource Their Captcha Needs

lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."

I call job theft!

Damn those developing countries, stealing all the decent jobs from the hard working Americans.

These lead shoes

are nothing to do with business its just personal. I would be more more then happy to plead guilty if I ever got cought for beating the fuck out of a spammer.

I doubt you would, actually

Actually, I doubt you would actually beat one. Not meant as an insult, but I believe that you don't have what it takes. If you had, you'd already be either in jail, or a CEO, or chief of marketting or various other positions suited to people able to think "it's just business" when harming others. Or in his place making a good living sending spam and 419 mails.

See most people are quite able to speak/cheer about and for beating others up, killing others, war, etc, as long as it's just talking. They might even actually do it, if a fit of rage disables their sanity for long enough. But fits of rage aren't something you can plan and execute whenever you wish. And otherwise when you actually have to do it, there's this interlock against harming other humans. It's partially "what if it was me in his shoes" education (even if you logically know it would never be in his place spamming) and partially that interlock most animals have against harming their own more than strictly necessary. (Even when cats or dogs fight their own there is always a mechanism to signal "I give up" and the other _will_ cease.)

It's a strange world, really. The same people who could be shaking a fist and screaming for war against X at the top of their lungs, would actually have trouble looking one of X in the eyes and squeezing the trigger. A lot of PTSD cases in war aren't just people getting shocked by being shot at, but shocked by having shot other humans.

There is one cathegory that can cheerfully think "it's only business": the sociopaths. They live in a strange world in which the others are NPCs: the others don't matter, they're not the same, "it could be me in his shoes" doesn't apply, etc. They can lie, cheat, murder, torture, whatever, and be perfectly able to look themselves in the mirror after it. Because the other guy didn't matter.

And, sad to say, if you weren't born one, I doubt you could actually beat this guy up in cold blood. If anyone gave you a baseball bat and this guy tied to a chair, you just couldn't actually do it.

And it's probably better that way. I'm thinking we as a society would do better to just start recognizing sociopaths for what they are, and the damage they can do. This guy, for example, is a sociopath, plain and simple. He's not just "being smart", he's not "just doing business", he's not "just doing what's needed", or the other things these guys like to pose as. He's just someone who doesn't even see you as a human being, much less his equal.

A long-time problem

I'm not sure if poor people filling in CAPTCHAs should be our biggest concern, when people are in fact dying all over the world from war, starvation, and so on (yes, I know that it's possible to focus on several problems at once). However, the problem with CAPTCHAs being worked around by real people (either by hiring people to do it or by luring porn surfers to fill it in for them) has been there for ages.

If I am not mistaken, there have been several stories on this kind of thing on Slashdot...

Ayway, the bottom line is that spammers have been doing this for a long time, and I'm not sure if the $100 laptops will make a difference either way. Will these $100 laptops all have internet access?

Re:A long-time problem

I'm sure there are ways of defeating that at the CAPTCHA server level. Generate a brand new image every time, and send it out along with a cookie. The cookie is a database key which refers to the CAPTCHA solution; the record also contains the timestamp when the image was generated and the IP address to which it was sent. (NOT the MD5 of the solution: anyone can generate an MD5 for any word and send that as the cookie contents with their word as the answer, effectively bypassing the image altogether.) The answer must not only be correct; it must also come from the same IP address that received the image, and within a reasonable time limit. IP addresses cannot be forged (or else the server would be speaking to the wrong client) and nor can timestamps (which come from the server anyway), so this ought to be fairly robust. Checking the referrer won't help, because referrers can be forged.

The CAPTCHA image and question themselves need some thought as well. Just having a person type some "distorted" text verbatim is a bit christian IMHO, because it's vulnerable to OCR. Insisting to change the order or capitalisation ("type this backwards in all lower case") would be a good start, but there are plenty more techniques involving pictures that only a human being will be able to use; and you can possibly even set a knowledge barrier (by using challenges that will be easy for people in your chosen field but not random idiots) to keep out undesirables.

Re:A long-time problem

this is exactly how most session-based CAPTCHAs work. The timestamp idea is unworkable - it doesn't take that long for data to be ferried half way across the world, so if you implement a timeout, you'll end up pissing off your legitmate users as well thwarting spammers, and if you make the timeout longer it'll render it completely ineffective - what I'm saying is that it takes as long for a spammer to type a captcha as it does a legitmate user.

Stuff like "type this backwards in lower case" won't help *in the least* - it'd be trivial to get past, as trivial as writing a bot to collect email addresses, and we know how many of those there are.

Checking the IP address won't work (unfortunately) because certain ISPs (*cough*AOL*cough*) use multiple outgoing IPs for the same user; it's ridiculous but there you have it.

In any case, IP addresses can be forged; the spammer doesn't need to receive a response, he just needs to send his CAPTCHA and spam message; if he's on 4.3.2.1 and needs to send from 1.2.3.4 then he will - the server's "yes you got it" response will be sent to 1.2.3.4 but the spammer doesn't care; his spam has got through.

In short, there is no serverside way of preventing a captcha from being relayed to/from a 'processor' be it OCR or human.

However, what needs to be remembered is that in 95% of cases, any type of captcha will stop 100% of spam. Most captchas out there are pitifully weak in terms of OCR resistance [ocr-research.org.ua], have implementation bugs [puremango.co.uk] coming out of their *ahem* and 'in principle' offer no security whatsoever, but they work because most spammers only after the low hanging fruit.

Now what?

This is deeply troubling. What can be done to stop it?

Re:Now what?

Hire someone in the developing world to monitor your blog and clear it of spam. If the cost is insignificant to them it is insignificant to you. And as the cost of labour rises with competition the problem naturally goes away.

So the question becomes

The question becomes if the spammers filling in captcha's for blog comments will win or lose over the spammers creating fake blogs. Will some spammers (not the sharpest knives in the drawer) end up paying one set of people doing captchas for new blogs and another set to junk their own blogs by choking them with fake comments?

In any case, the economy of spamming changes fundamentally once it's no longer cost free to do.

using porn to solve captchas

Cory Doctorow wrote some time ago about an umbeatable way to solve captchas: have a the captcha-circumventing bot connected to a free porn site [boingboing.net], inline the images in the gateway pages to the photos and videos, and have the porn-seekers gain access by solving the images. They would have the same infrastructure that they would need if they used developing world click-workers, without the hassle of having to arrange payments.

This tell us two things

1. The cost of computing and Internet access have truly dropped to a point to where it is nearly "universal".
2. The Human solution sometimes is the best.

What's going to be interesting is threefold: how do we conquer this problem, and how long until "sweat spam shops" have opened up, and how long until the outsourcers become the main branches? Much like the Cory Doctorow story revolving around sweat shops of MMO players, it might not be long until automated scripts are combined with "sweat shop" style workers, who's only job it so enter in the proper "human" data to fill spam.

On the other hand, as outsourcing has taught us, it is only a matter of time before the outsourcees become the suppliers as they get the training they need. Once the "local guy" starts making up the scripts, it's only a matter of time before he/she goes to open up their own spamming sweat shop. Which is a good thing in a weird way as the article points out - it encourages new business at the expense of annoyance.

The next phase of solutions might have to focus on more detailed question/responses - but there's a danger in this in finding the "sweet spot". You want to make it as expensive as possible for spammers, but not so annoying for your "true customers". Much like my new bank's online service, perhaps, where they made me select my "security image" and more personal questions so I had to enter 2-3 things to truly "log in" the first time.

it is just business

I think people should not just be upset with the spammers, but those who buy from spammers. Spammers just fill a market need. If nobody was buying penis pills, you would never be spammed.

Re:it is just business

The problem with this reasoning is that there is only a small group of people buying the pills, but the spam is received by a much larger group.

This is of course because spreading spam costs too little to be worried about pre-selecting the audience. When advertising on TV or sending info by post, companies usually try to match their audience to the product they are going to sell. I.e. they do not send adverts for luxury products to houses in poor neighborhoods, they try to weed their lists so that bouncing addresses are not kept on it forever, etc.
All this to maximize the return on the cost of sending the adverts.

Spammers don't have to do this, because they make money anyway.
When it would cost 1 cent to send a spam message, it would not be worthwile to send it to 100000 addresses and make 1 sale of a $25 product.

Re:it is just business

Easier solution: Kill all those with tiny penes. Only the well-endowed should be allowed to live, thus no need for penis pills. QED.

Haha, what a clueless article

Spammers with a brain display the captchas from the site they want to spam on another (fake or not) site and let real users solve them to gain access to pr0n or whatever. Then they can access the original site with the captcha solution. So, it's completely pointless to pay someone for it, I take it the author of this article was just guessing (and without much imagination).

or maybe...

It's pretty depressing when one of the primary worries of bringing the third world on-line is that it will drive the cost of breaking anti-spam measures to zero.

In fact, there is a lot of good, low-end on-line work low-skilled third-world labor can do once they are on-line. That's a good development: it gets work done that otherwise wouldn't get done, and it gets people jobs that beat the back-breaking, dangerous work they'd otherwise have to do (provided they aren't too old, weak or ill to do it in the first place).

Hey, maybe that third world labor can also do the spam classification, manually. I'd be willing to pay for that.

Dupe/Oldnews

http://it.slashdot.org/article.pl?sid=06/09/06/121 7240 [slashdot.org]

What I think

In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

If you see ten troubles coming down the road, you can be sure that nine will run into the ditch before they reach you.

-- Calvin Coolidge.

Previous article

Slashdot had an article [slashdot.org] about this a couple of months ago.

This is simply stupid

The very point of spam is it is almost zero cost to the spammer. When you pay people to answer to captchas the zero cost factor disappears. I don't think cheap computers and internet will make the problem dangerous
Not everyone in the third world is going to get computers
Every computer is not going to get internet connected
Not everyone on the internet is going to be spamming
Also consider the fact how much can a single person spam. If the dude with the new cheap computer answers captchas for even 15 hours a day they would hardly generate over a 1000 spam messages which is likely to get the spammer one or two hits. Do you think the spammer is stupid enough to pay for this much profit?

I hope the spammer understands...

When someone sets up a fund that pays out to the first person to brutally murder a spammer and hang his head on a lamp post using cat5, it's not personal... it's just business.

Spam will never be stopped as long as the perceived gains > perceived risks. Unless there is a holocaust of stupid people, there will always be people dumb enough to buy from spam, so you're not going to solve this equation by reducing the left side. So raise the right side... Put $10 million into ten Swiss bank accounts. Then get the message out: First ten times a known major spammer is brutally murdered, the first party to provide evidence of their involvement gets the location of a buried bank account key.

I don't usually believe in violence to solve problems, but when you're dealing with people who've demonstrated that there is nothing so depraved they won't do it, and the alternative is governments regulating the 'Net... *shudder*...

Now, speaking seriously (okay, more seriously - hearing that Alan Ralsky got brutally tortured to death on the evening news would KICK ASS), as long as everyone with a brain is absolutely determined to not respond to any spam the problem will never be solved. Why? Because as long as that is true, the S-N ratio at the spammer's inbox will be favorable, because you can never block 100% of spam, and unless you DO, idiots will get it and will click it.

So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.

And for spammers who use links to their websites: Users submit suspect sites to open database of spammer sites. Sites are voted on; After 100 votes, if the guilty verdict > 90% the site it put in the "to DDOS" list for a client script to retrieve and wget entries from. Certain disreputable hackers, whom the database operators want nothing to do with, unfortunately rent botnets and install this client program on millions of hacked windows boxes. Would that be an immoral action? Yes. Spammers have all the moral restraint of Nazis, and they're winning the spam war - playing nice is no longer an option.

Unfortunately, it won't happen. MS, Google, Yahoo, and Firebird need to incorporate this into all their clients, along with whitelisting utilities, all at once - NGH. Because of the sheep mentality, no one will want to be the first to stand up. In short, like the decay of diamond into graphite, it's *should* happen but has far too high of an energy barrier to actually happen.

Okay, I'm ready - someone ^C^V that stupid checklist.

Follow the money

So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.

I don't think spammers read the replies - at least they'd be fools if they did. They don't typically expect any useful replies - they're simply acting on behalf of a third party either raising the profile of its brand or promoting some offer. I personally find it more fruitful to go after the organisation being advertised. If someone is touting Viagra, get in touch with the highest marketing authority you can at Pfizer. If someone is selling cheap watches, go to the website where you can buy the watch, go through the process and find out where your money would go and/or who owns the domains etc. Then follow the chain back up to someone who might give a damn and give them a really hard time. If everyone did that it'd be far more effective than replying to the spam mails. :)

r jobs!

They tk r jebs!

Money

I always thought that there are many other ways we can help the poorer nations than giving them technology. With $100 you could almost feed a village for a year, so why waste that sum on a laptop? But now I see the laptop idea could actually work in solving poverty if the people are going to be paid to create havoc..... Obviously though, they're going to need an internet connection which is either going to be very difficult or very expensive in the poorer areas of Africa

Another way to make CAPTCHAs hard to outsource

Instead of simple character recognition (which OCR will eventually evolve to beat) use culturally sensitive questions. Knowing the IP, and therefore the probable location of the request, show/display a series of items and have the user complete the sequence. In fact there are numerous variations on the theme: show a picture of cheney, bush, and rice and have the user enter the political party that ties them together. I realize most Americans are st00pid, but if they cant type republican (with liberal spelling variations) do you even want them on your site?

"As long as there's sex and drugs, I can do without the rock and roll"

That's great!

I'll be able to help poor people in Africa just by putting a captcha controlled access to blogs and stuff, spammers will pay them.

Just business?

I'm currently hiring 3rd world citizens to kick spammers in the crotch.

To the spammers: it's nothing personal. You have to understand: it's just business.

Yaz.

It's not like captchas can't be beaten without

Scenario: You're a spammer and want someone to fill in a captcha for you.
Solution: Offer a porn-page, where you can "unlock" a picture by filling in a captcha for you.

That captcha comes from a captcha-protected site, of course, and your user solves it for you to see his inspiration material.

I'd wager that would be even cheaper than paying $100 laptop users. I mean, people even pay money for porn, you'd probably have more people wanting to fill in captchas for you than your spam machine can handle.

root cause of spam ..

Do all those compromised Windows machines in use as spambot networks have anyting to do with the current spam infestation and not some people in developing countries.

Is this really about money?

I've being wondering for a long time weither spammers actually make enough money to justify the effort. I'm sure some do, but the scams that they send are so obviously frauduent that there must be a lot of spammers that don't make any money at all. So, why do they do it? I think it's the same reason why people vandalise public property, just because they can, and they enjoy fucking things up for other people.
Basically, it's vandalism of the internet. Spamming isn't just e-mail you know, many wikis and forums are regularly spammed so much that they have become unusable.

Are humans even necessary?

Software like this http://www.botmaster.net/ [botmaster.net] claims to decode many popular captchas anyway - do they need humans to do it for them? With tools like this even an idiot can spam sites protected with captchas, though they'd have to pay through the nose to do it (400 USD!!!). I'd love to see sites like this which profit from stupidity shut down, but as an individual it's hard to see how to do it.

This is just stupid

Come on!, Remember the usual "Don't teach the poor to read, that would make them a threat"? This all sounds as "don't give the poor any access to the internet, they could become a threat" . And for god's sake it is not like captchas are any difficult for just a program to beat.

I administrate a site with a vBulletin forum, and every once in a while a bot posts messages. Registration requires passing a captcha, in fact, I decided to just remove the captcha, it was seriously not helping stop the spam and was just making the registration harder FOR HUMANS.

BTW: I noticed that Russian bots are more likely to beat captchas.

Re:This is just stupid

Usually, if a bot is getting past your captcha, it is circumventing it, not solving it. First, check if you are running with REGISTER_GLOBALS set to "off". Then, make sure your site is only accepting form submissions from the relevant form on your own site; a simple referer check is enough to stop most forum/comment spam. Only if you have secured everything else and you have proof that the bots are actually solving your captcha should you blame the captcha.

Humans not needed here

If the spammer in the article needs Humans to decode the captchas then he seriously needs to upgrade his software http://www.botmaster.net/pictocod/ [botmaster.net]

KittenAuth

Looks like it is time to implement KittenAuth [kittenauth.com].

KittenAuth presents a series of pictures, and you have to select the ones that are kittens, in order to prove you are a human.

----------------
http://www.chrismay.org [chrismay.org]

Luis von Ahn

The first I heard about this was by a Google tech talk with Luis von Ahn. That was in July; the video [google.com] is very interesting. The talk is mainly about tagging images as a game.

Win-Win

Should both discourage use of CAPTCHAs and put money in the hands of the poor. Sounds like a win-win situation to me.

is blogging in and of itself the problem

First, this is an old, old,old problem, see G Hardin, the tragedy of the commons

second, why on earth does anyont think that an open free public blog/post spot, like /. wont be abused.

In the old days, they solved this problem in a very, very, very simple way - $ for subscriptions.

perhpas we are seeing the natural evolution of the web back to the paid/publish model that sustained newspapers for nearly 200 years or so

(I'm sure the old timers remember when the web would revolutionize everything, and it has turned, mainly, into a marketing tool for large corporations [wiki has substantial corp funding, once removed, as did open office])
after all, if you ain't willin go pay for it, how much can it be worth ?

Who will be the most vulnerable

Spam filters on my email seem to work pretty good, a few get buy but no big deal. Now with all these scamps going around who will be the most vulnerable? The poor folks who never had a computer before now gets one with a hand crank and suddenly they are booking a trip to Nigeria to meet the disposed prince who's gong to set them up with a fortune that awaits in Switzerland... Or they get a job processing international checks. Then they get EBAY accounts and they click on the first email from another ebayer that claims they never recieved their merchandise or they click on a phish telling them to update their account. So we might start seeing the worlds impoversed masses start screwwing each other, that would be a hoot

The program to do this is trivial anyway

Spammers have been able to do this for some time. After reading this article, I wrote one that does a basic job in about an hour. (demonstrated at http://www.brandonchecketts.com/capdef/ [brandonchecketts.com]). If I can do it in about an hour, then I think it's safe to assume that spammers have had the capability for quite a while now. Since most sites that use CAPTCHAS seem to be quite satisfied with them, I think that it's safe to say that spammer's aren't using methods like this. The major appeal of spam is that it costs virtually nothing. Introducing a cost by having to pay somebody to solve CAPTCHAs seems to be deterrent enough to stop it pretty well.

Re:I suggest death penalty to spammers!

roll them into a fire ants nest!

Re:would be happy to do this

It's more like a few cents a day than a few dollars. And they don't actually pay you anyway. There are enough desperate people in developing countries that it's a reasonable business model to rip them off like this.

Re:I suggest death penalty to spammers!

I guess slashdot don't got any sense of humor since I wrote this as a joke :S