Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."

Quick!

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

FREE PR0N!

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
Not really.

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail cpachas? Yeah, we're using the same advanced technology here."

So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

Re:FREE PR0N!

It's the Mechanical Turk [wikipedia.org] approach. Amazon is doing it [mturk.com].

Re:FREE PR0N!

I'd be surprised if some spammers weren't using amazon's mechanical turk. Its cheap as hell, why not use an existing framework.

Re:FREE PR0N!

I've seen plenty of bad-SEO tactics on mturk before, as well. "Comment on this blog entry using these two keywords somewhere in your comment."

Re:

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download.

People keep suggesting this. It might work, but no

Re:

Then, clearly, the only way to secure hotmail's captchas is to make them so odious that a statistically significant number of bored RIs won't want to solve them. Make all captchas images of latex-clad midgets having group sex while watching Fox News superi

Re:FREE PR0N!

Link please.

Re:Quick!

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

And while the problem remains unsolved, you can use it for distributed problem-solving! Instant sponsoring opportunities from the big industry!

"So you want to sign up for an account? Okay, we need your name, email, and password twice... and could you figure out the optimal shipping route that goes through all of these cities, and only visits each of them once?"

(Turns out to be a route for some annoying door-to-door salesman. Boy, wonder what he feels like when he finds out someone sent a completely misleading solution! At least sanity-check them first =)

Have they?

Or is it just that making new hotmail accounts is being outsourced to china/india/?

Could be, according to this /. article

Could be, according to this /. article [slashdot.org]

Spammers Learn To Outsource Their Captcha Needs

Posted by Zonk on Saturday November 25, @05:36AM
from the hearing-some-ominous-muttering dept.

lukeknipe writes

"Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

From the article:

"I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."

Re:Quick!

You may now have a Yahoo email account.

Cataloging CAPTCHA info

Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?

Re:Cataloging CAPTCHA info

Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids can could use it. But now they all use MSN Messenger... Time for an update?

The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...

Re:Cataloging CAPTCHA info

or make people mail respond to a challenge

You mean... like... a CAPTCHA over e-mail? That seems like a fool-proof plan to me!

Re:Cataloging CAPTCHA info

Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?

That's how CAPTCHAs are broken, although you don't have to use a general OCR program. If you're going to attack a single type of CAPTCHA, you could tailor your code to take advantage of known properties of that specific CAPTCHA such as: backgrounds, background colors, repeated markings, fonts, font colors, font size, font orientation, and direction of any image warping.

Most CAPTCHAs use images and random marks or dots in the background but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter breaking the CAPTCHA.

A lot of the easier to crack CAPTCHAs use only a single font and render all the letters in 90 degree angles. The smarter ones jumble and warp the letters by shifting the each letter by an offset and rotating by a small angle. If you could figure out the direction of the warp or rotation, by checking the background you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating every few degrees of rotation and selecting the result that outputs the most number of OCR'd characters from the least amount of rotation.

Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.

FYI:
http://en.wikipedia.org/wiki/Captcha [wikipedia.org]
http://www.cs.sfu.ca/~mori/research/gimpy/ [cs.sfu.ca]

By the way, some CAPTCHAS have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.

Re:Cataloging CAPTCHA info

It wouldn't surprise me if this is a direct result of the work on open-source optical character recognition [apache.org] being done specifically to prevent the increased prevalence of captcha-style image spam. It would be rather ironic if the open source model meant the spammers are now turning our own anti-spam tools around and using them against us.

it's easy...

Make a porn site that give you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which te captcha is valid, you're set.

Re:it's easy...

And that porn site will be ripped and put on a torrent within a week. Thus defeating the Captcha farm.

Re:

Does that matter?
I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.

Re:it's easy...

I don't think there is any shortage of porn on the net. There is no point in "collecting it all".

You know... it took me years to come to that realization. But you're right.

500 accounts created every hour?

That doesn't sound like a CAPCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.

Re:

..and if this person or persons happen to be, say a 12 year old semi-literate war refugee in Sub-Saharan Africa, He'd probably be willing to do a whole day of it for a bowl of soup and a big shiney nickel, or even just for a semi-serious promise not to bea

Re:500 accounts created every hour?

You don't need AI to beat a capcha. They follow a fixed pattern on a single website, so to break the hotmail one you just need to look at a few hotmail sites and figure out how to reverse the graphical munging that has been done. Once that's done you chuck that in a script and churn them out as fast as you like.

Defeating *any* capcha is an AI problem. Defeating the capcha for a website (or group of websites that use the same software) is just a programming task.

Hotmail internal security breach

I think it is much more likely that Hotmail's IT systems have been compromised following a security breach by the spammers. I have indirect evidence that this has happened.

I and some other people I know give out unique disposable email addresses to our co

Work opportunities for developing nations

Indians are fast, accurate and cheap:

http://www.getafreelancer.com/projects/Data-Proces sing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:

http://www.getafreelancer.com/projects/PHP-ASP/yah oo-ocr-bypass-captcha.157160.html [getafreelancer.com]

And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.

captcha guide by vulnerability

http://sam.zoy.org/pwntcha/ [zoy.org]

OCR or humans

If OCR was used, then it is as simple as having a mathematical quiz captcha. For example, the answer to "34 + 2" or "first 3 digits of e" (well, ok maybe not this one, unless it's a math forum...). This will not stop the spammers as they would probably just try to parse the math expressions and post the result but it will slow them down a bit.

If a human is used to read the captcha then there is not much that can be done as that is what a captcha is for: to make sure a human only will be able to bypass it....

Re:OCR or humans

I was actually looking into securing a forum from spammers earlier when this question came into my head:

How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

Re:OCR or humans

You mean a captcha like this one [thehumorarchives.com]?

Re:

Your best bet for forum spam would probably be a bayes filter - much the way you'd deal with email. if it's small scale and non-commercial, you could use akismet [akismet.com]. This is generally not a viable solution if you're running a high traffic commercial forum (

Time to stick a fork in it?

I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expres

Wow...

Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.

The solution is simple;

Block MSN and yahoo.

You can thank me later.

Overcome with Manpower?

It wouldn't surprise me if the Capchas were overcomes simply by showing the graphics to some underpaid person who just types in the actual responses.

A sophisticaed enough system could easily "pipe" these graphics to someone who just sits and types all day. At one capcha every 10 seconds, that's about 8000 in a day working 24/7.

Not everything these spammers do has to be automated.

unsurprising

One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problem. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak english at all, or may have no idea how to spell 'apple' in english. Same with audio captchas.

The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data in to them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. this slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. many don't do this, and will attempt to use the same key over and over. if you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.

Re:

I use a very effective method. Only javascript has to be activated.
The submit button is only enabled after 20 seconds.
Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.

An bot will of course submit the form in

Creative CAPTCHA

As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

The site just asked the user to check off each image representing a living thing.

Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

How long until we're using the kind of tests we saw in Blade Runner?

Re:Creative CAPTCHA

This, and all other forms of CAPTCHAs, are ultimately vulnerable to some poor bastard in India or Africa or wherever sitting in front of a computer and filling out the form manually for a few cents.

From another post above: http://www.getafreelancer.com/projects/Data-Proces sing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

Umm. You sure about Yahoo?

Yahoo's CAPTCHA just recently being broken that is.

If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address and lame chatters use them to send DOS messages to other chatters. Kinda like the old days on IRC with ping flooding.

Anyway. I highly doubt they manually entered in 400 CAPTCHAS, and I've seen those accounts for a while now so I suspect that CAPTCHA has been defeated for quite some time.

It's like a flood wave

Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact ist, it won't help much. You will only save your home if you stop the rain.

That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.

Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.

Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.

You can buy software that can thwart captchas

Aleksey Kolupaev [...] develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.

Quoted from this article [nytimes.com]. No wonder someone used it for a worm.

Also discussed here on /. [slashdot.org]:

Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.

FireballX301 writes

"The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"

the solution was simple

just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.

Too bad MS ignores RFC 2821

One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it [rfc-ignorant.org].

What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

Time to blackhole it.

Re:

Hotmail provides two addresses that at least generate an auto-reply:

report_spam@hotmail.com
abuse@hotmail.com

However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
When you get past that fil

Re:

Just to clarify, sending back an auto-reply that says "Hi, thanks for writing to postmaster@foo.com; we don't bother to monitor this account, so your message has been deleted," doesn't make you RFC2821 compliant. (Not implying that you thought that, just w

Sounds like BlueFrog

I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

Short of brutal vigilante justice [slashdot.org] (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.

Re:Arguably Impractical but Satisfying Suggestions

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

There are problems with this approach.
1. the allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. AP-NIC allocates blocks of addresses in the entire Asian-Pacific region nearly sequentially and at very funny boundaries.

2. the spam source country varies a lot. you may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.

Re:Arguably Impractical but Satisfying Suggestions

That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.

http://www.spamhaus.org/statistics/countries.lasso [spamhaus.org]

The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP.

Re:Arguably Impractical but Satisfying Suggestions

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

Ever heard of proxies?

Also, have a look at the ROKSO list [spamhaus.org]. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. Thay don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.