
Turing Tests to Stop Spam 284

Posted by CowboyNeal
from the human-authentication dept.
cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."
This discussion has been archived. No new comments can be posted.

  • by friday2k (205692) on Thursday January 02, 2003 @09:11PM (#5003241)
    my Spam filter in Yahoo catches way, way, more than the one at hotmail. It is always surprising to me when you open a new hotmail account that it takes only like a week to be flooded with Spam. A week of doing nothing with the account but initially opening it. *sigh*
    • by EmagGeek (574360) <gterich.aol@com> on Thursday January 02, 2003 @09:15PM (#5003279) Journal
      I've run the "Hotmail Test" several times and every time, I get spam within 4-5 days of opening the account. Even if I never ever send an email, the amount of spam grows approximately linearly with time... it only takes about 2 months to exhaust your 2MB quota daily....

      At least that was the case the last time I ran this little experiment...

      It's no secret, at least it shouldn't be, that Micro$oft is making money selling your hotmail address (yet then they spam you with advertisements for their spam-blocking software)...

      *sigh*
      • by b0r1s (170449) on Thursday January 02, 2003 @09:23PM (#5003322) Homepage
        Even if I never ever send an email, the amount of spam grows approximately linearly with time... it only takes about 2 months to exhaust your 2MB quota daily....

        You must have some bad luck. I've got a hotmail account I've used consistently for two years, and I'm typically around ~10% of my quota.

        Either you're advertising your email address, or you've got some really easy to guess address, because the behavior you describe is far from typical.
        • by guttentag (313541) on Thursday January 02, 2003 @09:54PM (#5003479) Journal
          Either you're advertising your email address, or you've got some really easy to guess address, because the behavior you describe is far from typical.
          It is not "far from typical," I'll have you know. I get tons of spam in my Hotmail inbox!

          Ambrose Buse
          abuse@hotmail.com [mailto]

          • by v8interceptor (586130) on Thursday January 02, 2003 @11:03PM (#5003775)
            If Hotmail accounts are targeted randomly, the amount of spam you get is probably related to the complexity of your username.

            I've had my Hotmail account for nearly three years, and I typically get about 5-10 spam messages per day - not a lot. I have custom filters that catch all emails with "mortgage, viagra, debt" - this catches most of the spam I get (I actually don't filter porn spam, well I haven't really tried, as at least they are creative with their subject lines - "Knob Gobblers" was a favourite - I've had some other funny ones too)

            My username is 11 characters long with an underscore - this is probably a bit out of range for your typical "brute force"/random sign up name spammers.

            So - if you want to use popular free email services, perhaps follow the same guidelines for creating secure passwords? Numbers, special characters (although this is a bit more limited with email), and more importantly length of name!
        • I second that. I had a hotmail account for 2 years that I used quite frequently as a secondary email account and never had a spam problem.

          However, I gave my email account to one site and went from 0->2MB quota filled in less than a day in much less than 2 months. It's all about who or what you're in contact with... not about the service itself.
      • by agentZ (210674) on Thursday January 02, 2003 @10:14PM (#5003550)
        It's no secret, at least it shouldn't be, that Micro$oft is making money selling your hotmail address (yet then they spam you with advertisements for their spam-blocking software)...

        Instead of just experimenting by setting up a Hotmail account, has anybody ever tried the other way around? That is, pose as an advertiser and approach Hotmail about e-mailing their users?
        • by CySurflex (564206) on Thursday January 02, 2003 @11:17PM (#5003824)
          It's no secret, at least it shouldn't be, that Micro$oft is making money selling your hotmail address (yet then they spam you with advertisements for their spam-blocking software)...


          This is simply not true.


          I used to have a short email address (5 characters) @ hotmail. I got A LOT of spam. I closed the account and made a new one, which included my first name, middle name and last name. I only gave out the e-mail address to a few people, and I have NEVER received a single piece of spam through that account.


          Spammers are using "brute force" to find e-mail addresses randomly. They send a test e-mail (or even the 1st spam) and remove the ones that bounced. Voilà, now they have a complete list of all e-mail addresses 6 characters or less.

    • I've had a Yahoo account for years that I never use to sign up for anything, and I haven't gotten ONE spam mail yet.

      -- Dr. Eldarion --
    • When you sign up, if I remember correctly, hotmail used to have an ENABLED option to share your email address... you had to go into options and disable it. Also, make sure you're not signed up for any newsletters or other crap. I've created multiple hotmail accounts, and never get spammed until I use that address somewhere.

      -Berj
    • Just change your preferences to deny messages from anyone who is not in your address book. Problem solved.
  • by Anonymous Coward on Thursday January 02, 2003 @09:13PM (#5003255)
    that is why. all the spammers are targeting hotmail. I hate the anti-ms bias. I use a filter on my hotmail. It is an allow only filter. Those are the best kind because I make the decision of who gets through to me.
    • by countzer0interrupt (628930) <<countzer0interrupt> <at> <yahoo.com>> on Thursday January 02, 2003 @09:38PM (#5003408) Homepage

      Those are the best kind because I make the decision of who gets through to me.
      But what if you use your email on Usenet? Or a web-based forum? What if someone you know gave your email to an old friend - they won't be able to contact you with an allow-only filter on your mail.

      This kinda defeats the object of email - for people who barely know you, if at all, to contact you. Email is excellent at bringing together people from all over the world - what's the point if only people you already know can contact you using it? Wasn't the Internet supposed to surpass the letter and the stamp?

      I'd rather put up with the spam. But if you really need to avoid it, do what I do: use two accounts: one for online publishing on the Web and sites like Slashdot, and the other for people I know. You get the best of both worlds.
    • I was a big Hotmail fan until I found Yahoo to have twice the room for free, and literally NO SPAM.
      The custom filter option in Hotmail now is restricted to just 10 filters. I have 32, and if I edit them once now, I'm sunk. 10 can't possibly keep out all I'm succeeding with now.

      Boobs [I wish I had real email with this in the title, but I don't]
      Virgins [Once again, wishful thinking]
      DVD [Don't own a drive yet]
      FREE [Do your friends tell you you are getting something for free?]

      And I don't bother reading any "Re:Your Inquiry" emails. I mean, how stupid do you have to be to send an email to someone with the subject "Your Inquiry"?
  • CAPTCHA project (Score:5, Informative)

    by nekdut (74793) on Thursday January 02, 2003 @09:14PM (#5003258) Journal
    For those who don't know, The CMU developed captcha project is great. Check out their work here:

    http://www.captcha.net/ [captcha.net]
    • Re:CAPTCHA project (Score:3, Interesting)

      by LostCluster (625375)
      One thing I can't seem to find anywhere on their site... what are the terms of their license?

      The source code is there to download, but are we allowed to use it in our own sites?
      • If you can't study their notes then reimplement their work on your own, highly tuned for your specific application, so that you don't have to worry about whether you could theoretically use their code...well, let's just call that another Turing Test. ^_^

        I speak as one who did just that, BTW. Last page of http://justice-email.findlaw.com/cgi-bin/survey.cgi . And yes, I can think of quite a few ways to break it, just as these guys know how to break their own CAPTCHAs (at least, they do *now*). It's more spam minimization than spam stopping, relying on the fact that, at least for the next long while, practically nobody who would abuse our service for spam would put in the effort to break these CAPTCHAs (if the trivial task of coding up a script to provide fake info for the survey itself doesn't throw 'em off).
      • Re:CAPTCHA project (Score:5, Informative)

        by js7a (579872) <james AT bovik DOT org> on Thursday January 02, 2003 @11:04PM (#5003779) Homepage Journal
        what are the terms of their license?

        First of all, the largest sole source of CAPTCHA funding is the National Science Foundation, so if you are a U.S. taxpayer, you are paying for this work.

        Having said that, the rights to and interests in NSF-sponsored work are very much up in the air, nowhere more so than the Carnegie Mellon School of Computer Science. The Dean is said to have a somewhat different view than the Provost, who is probably not in agreement with the President, and the Board of Trustees are clearly all over the map on the issue, too. CMU is a study in contrasts when it comes to intellectual property opinions. CMU switched intellectual property policies [cmu.edu] exactly three days after I entered (yay for freshman camp -- I knew it was worth the extra few bucks!) and the new (1985) one is draconian yet astoundingly vague [cmu.edu]. So, the authors might not even know the actual rights under which they are allowed to distribute their software. Nobody may know -- often an adjudication committee is required to make an arbitrary decision on a case-by-case basis.

        However, principles of academic freedom have repeatedly trumped the Intellectual property policy, and that means that the researchers have the right to publish their code as scientific research results, without restriction, which is what they have apparently done. The scientific method requires absolutely no restrictions on such results (so as to allow for unimpeded replication), which means that the code is in the public domain. Even if it is released under copyright or GPL later, it is still in the public domain.

        I am not a lawyer, but years ago I paid a lawyer to answer a related question and I am faithfully repeating his answer above.

    • Re:CAPTCHA project (Score:4, Insightful)

      by Exmet Paff Daxx (535601) on Thursday January 02, 2003 @09:58PM (#5003500) Homepage Journal
      The captcha [captcha.net] project is conceptually pretty cool, but so far they have failed to make their code portable and useful to the community at large. Evidence? Look no further than the site you're reading. To stop spammers from creating tons of bogus Slashdot accounts, the folks at Slashdot had to spend months laboriously writing their own captcha-style process to protect the new user form [slashdot.org]. Unfortunately due to the failure of CMU to make their code accessible, someone at OSDN was forced to create their own system from scratch and (understandably) it isn't anywhere near as tough or well designed as the CMU captcha, lacking such basics as font rotation, color rotation, anti-aliasing, and other anti-OCR measures.

      So, while I commend their effort, I wish CMU would work harder to make their tools available not just to commercial sites but to the Open Source community and projects like Slashcode. This would help the captcha project actually accomplish its mission of protecting users from abuse, instead of leaving sites like Slashdot vulnerable to any 13 year old Visual Basic programmer with a grudge and a clue.
      • Re:CAPTCHA project (Score:4, Informative)

        by fgodfrey (116175) <fgodfrey@bigw.org> on Thursday January 02, 2003 @11:01PM (#5003765) Homepage
        Err, so from what I understand (my brother worked on this project briefly) this is basically an academic research project, that has some commercial uses. As such, CMU's CS department is interested in publishing papers, not code. The code for projects like this gets written more as a proof of concept than as a production ready set of code. So, if you want to use their code, it's going to be harder than just typing "make install". Remember, this is code coming from the CS research department at CMU (which is quite good, I might add!), not the people who do Andrew (the academic computing environment that is more like "production code" - see the Cyrus mail system as an example of their code).
        • So, if you want to use their code, it's going to be harder than just typing "make install".

          I believe we have miscommunicated, and I apologize. What I meant to point out was that the code was so inaccessible that professional Slashdot programmers had to start from scratch rather than use any of the 5 systems developed at CMU. This means that not only was it a little harder than "make install", but it would have taken more time to adapt the CMU code than it did to attack the problem independently from scratch. There really isn't any other answer to the question of why Slashdot spent months developing a home-brewed system that doesn't even come close to measuring up. I think we'd all agree that the Occam's Razor dictates this answer, since the only other possible alternative was that deep-seated hubris or other mental defects prevented them from using off-the-shelf software.
    • by Anonymous Hack (637833) on Thursday January 02, 2003 @10:30PM (#5003612)
      Coming up in version 2.0:

      CAPTCHA: Hello. I am CAPTCHA. How can i help you?

      SPAMMER: /\ \(.*\)@\(.*\)\ /

      C: Please go on.

      S: I would like your email address.

      C: Can you elaborate on that?

      S: I'm planning to spam you.

      C: Does it please you to believe I am planning to spam i?

      S: What the fuck?

      C: Does that question interest you?

      S: ARGH!

      C: Please go on.
    • by Transient0 (175617)
      the project itself is pretty interesting, but something rubs me the wrong way about the term "automated turing test". The turing test is based on the idea that sentience can not be defined in any simple mechanizable way.

      maybe it's just my cognitive science degree making me touchy, but i'd prefer the term "automated coherence filter" or something(even "automated intelligence test" would be an improvement).
  • Where it shows you a smeared image of a number that you have to type in to register with a site? I think Slashdot has had this for a while now, and I know I have seen it on other sites as far back as a few years ago.
    • Go to http://slashdot.org/users.pl?op=newuserform [slashdot.org] to see this in action here at Slashdot.
  • by JPhule (170787) on Thursday January 02, 2003 @09:15PM (#5003273)
    Does Hotmail really think that I have friends named things like ilikeitinthebutt?
  • by saskboy (600063) on Thursday January 02, 2003 @09:15PM (#5003274) Homepage Journal
    I've only had my Yahoo account since last year and my Hotmail account since 1997, so this may not be a fair comparison:
    Yahoo spam today:
    0

    Hotmail spam today:
    18

    Which is doing a better job at stopping spam you say?
    • Likewise with FastMail [fastmail.fm] - As my university cancels email addresses shortly after graduation I signed up with them in May of last (!) year.


      Spam to date : zero. The only crap I get is that which is forwarded from my unexpectedly still-active university account.


      FastMail has a 'bounce' option that lets you fake an 'undeliverable' error message. Good for ex-girlfriends too.

    • I like MyRealBox [myrealbox.com]. Only one spam in about a year, and that was a dictionary attack. Of course it helps that I don't give out that address -- only used it at NewEgg and for DNSO stuff.
  • by PhreakinPenguin (454482) on Thursday January 02, 2003 @09:15PM (#5003277) Homepage Journal
    I would rather Yahoo stop spam from getting to my mail account before they concentrate on stopping people from signing up automatically. I'm one of the few people who actually pay for Yahoo "additional" services. I thought I would get better anti-spam support. Not so far. I literally have 10 to 20 an hour and I can't block any more because Yahoo only allows 100 addresses to be blocked. And considering the spammers are using 12374614187641874@optinmail.com along with other numerous addresses, it's impossible to block the majority of them. Hell I would even be happy if they would start allowing people to block entire domains. That would be a good first step.
  • by sulli (195030) on Thursday January 02, 2003 @09:17PM (#5003286) Journal
    I have SpamAssassin at my isp (Verio) and it kicks ass. Probably a false positive per week (and that's often a slashdot Daily Stories email), and a false negative every 3-4 days. Pretty damn good. Cut inbox crapola from 10-20 per day to, well, zero.
  • And I recently noticed that spam, while smaller in quantity, are much larger than normal (non-html image bloated crap).

    First, I would like to know if there is a server-side daemon I could run that goes through all user accounts and weeds out spam (without knowing their passwords.)

    Second, I would like to know if I have any legal recourse against unsolicited email hogging my bandwidth. Could I stockpile a years worth and send the spammers a bill for the used bandwidth?
    • Second, I would like to know if I have any legal recourse against unsolicited email hogging my bandwidth. Could I stockpile a years worth and send the spammers a bill for the used bandwidth?

      It's been tried. But don't wait a week to try to find them; they tend to, um, move a lot. A prosecutor I talked to said they needed three PI's and several months to corner one who started a new corporation every week.
    • Those images you get in spam are usually bugged, specifically if they have a unique name and are going to a special server, they can confirm that your email address is still good. Also, they may be able to get something out of your browser too as to who you are.
  • by hedley (8715) <hedley@pacbell.net> on Thursday January 02, 2003 @09:19PM (#5003301) Journal
    When someone would send you mail, it would send back a link to a small image, in the image was a 'click here' dot, only a human (or some software that no spammer would take the time to write) can get their email into your mailbox.

    Kind of offensive though, a lot of people took offence to clicking a link to send me email.

    MsgTo.Com disappeared some time ago during the .com "troubles".

    Hedley
  • 'automated signup' (Score:2, Interesting)

    by MrLint (519792)
    According to the article, it says that the spammers could pay ppl to sign up instead of using scripts. IANAL, but this would seem to be intentional misrepresentation and "transferrance"(sp?) of the email account. I would think there would be some legal ramifications of this.
    • If there is a legal ramification to transferring the email account then it is just one more in a long line of ethical and possibly legal lapses spammers engage in. For example, though IANAL it seems to me that sending explicit pornographic images to an email account belonging to a minor should land you in jail about as quickly as would handing the stuff out in "dead tree" form outside the school the kid goes to. Sure nobody is prosecuting that, but it's probably illegal and is certainly immoral. Thus I don't think they care much about the email account transfer question.
  • by Boss, Pointy Haired (537010) on Thursday January 02, 2003 @09:20PM (#5003305)
    "Completely automated public test to tell males and females apart".

    a/s/l?

    "18f,Florida"

    Do you mind if I ask you to take a quick Captmfa?

    "Sure, go ahead" .....

    Test completed. Result = 34m, Detroit.

  • At first I thought they had a program that would converse with the user and determine whether the user was human. Sort of a Turing-in-Reverse Test, where instead of the human trying to detect a computer, it's the computer trying to detect a human. That would be awesome.

    Instead it's something they hacked up because new programs were getting around the old OCR blockers. Blah.

    • Re:What a ripoff (Score:2, Insightful)

      by boomgopher (627124)
      Well, the cool thing about this is that they're applying unsolved AI problems to verify if the signee is a human. If someone comes up with a way for a computer to 'pass' the test, then a new AI problem has been solved. Kind of clever, in my opinion.
  • Free-mail woes (Score:2, Interesting)

    by JPhule (170787)

    The truth is accounts like Yahoo and Hotmail only exist to turn a profit for their owners. I know not everyone can get an e-mail address that they can use for personal means in any other way, but you have to accept what you are getting into when you open one of these accounts.

    Personally, I have several e-mail accounts and only use my hotmail and yahoo for things like web page registration.

  • by Froze (398171) on Thursday January 02, 2003 @09:21PM (#5003315) Homepage
    Now if they could just come up with a turing test for slashdot repeats!

    http://developers.slashdot.org/article.pl?sid=02/12/30/1740211&mode=thread&tid=111

    Granted this is not a direct repeat but the articles are just different sources for the same story.
  • Don't you think it would be possible to write a program that could handle one of these captcha tests? Has anyone tried this, to validate their claims? Otherwise it's like roll-your-own crypto, worthless if you don't know if it can be defeated.
  • I turned on my hotmail filters so now only people on my whitelist can send mail directly to my inbox.

    0 spam for months now.

    The only negative is if someone not on my whitelist sends mail, I have to rummage through the rest of the junk to find it.
  • by bcrowell (177657) on Thursday January 02, 2003 @09:26PM (#5003346) Homepage
    I failed the Turing test!

    I recently had to create an e-mail address that I could use for posting to a mailing list where the addresses are all public. I tried Hotmail first, and although I passed part 1 of their Turing test, the captcha test, I think I failed part 2: once I was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891), I got some kind of mystifying error message saying something about my .NET account (which I don't have). I guess if I was human, I'd have been able to figure out what they meant.

    Oh well, I passed Yahoo's captcha test, and they didn't have a part 2...

    As a recipient of spam, I also don't see this having any beneficial effects. I get lots and lots of spam from hotmail.com and yahoo.com addresses. They're all forged headers, so it doesn't matter that Yahoo and Hotmail have botproofing -- the accounts I'm getting spam from aren't even real Yahoo and Hotmail accounts. It's great that they're trying to make sure they aren't spam havens (and of course it costs them money if spammers use their services), but I really think the whole e-mail infrastructure needs reworking in order to get rid of spam. Sending e-mail should cost some token amount of money, and there should also be some way of tossing out mail with forged headers (e.g., my mail client should be able to tell whether the cryptographic signature on an e-mail indicates that it really came from hotmail.com or yahoo.com).

    • was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891

      I'm a 70 year old Afghan woman who is the head of a major multimedia corporation, making less than $20,000 per year. At least, that's what the New York Times thinks...
    • Sending e-mail should cost some token amount of money,

      It's easy to throw such ideas around, but implementation becomes an issue of rights quickly. I guess you want to force everyone to use their ISP's mail server and pay their ISP the amount. Fine. You have to block outgoing port 25, which fucks over anyone running their own mail server. Spammers will just buy T1s and be their own "ISP", and sell a flat rate email sending fee to other spammers. (They already do that).

      What about people like myself that maintain announcement lists for my web sites. That's something like 2000 emails each time I send an update. It's all completely opt-in, and has a real return address, from which I personally handle unsubscribe requests from the people that can't figure out how to use the web site to unsubscribe. It's nothing like spam.

      What about all the thousands of other email lists. The owners of the linux kernel mailing list would have to pay thousands a month in your email fees, even if it was only a couple cents an email.

      Anyway, every time someone comes up with these "change the infrastructure" silver bullet solutions to spam, they are always half-baked.
  • Ok here we go (Score:3, Insightful)

    by TerryAtWork (598364) <research@aceretail.com> on Thursday January 02, 2003 @09:29PM (#5003357)
    It's time for my regular rant regarding PopFile and Bayesian excellence and how SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!

    And now, back to our regular show.

    • Re:Ok here we go (Score:5, Insightful)

      by Frater 219 (1455) on Thursday January 02, 2003 @10:59PM (#5003758) Journal
      SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!

      Bayesian techniques depend on predicting which elements (usually, which words) are likely to indicate spam, and which are likely to indicate non-spam messages. This can vary highly from user to user, and so it should be done on a per-user basis.

      For instance, I am a security administrator and receive a lot of legitimate mail about "antivirus software", and very little legitimate mail about "teenage lesbians." However, my girlfriend's crush, who is an activist lesbian, may well receive a lot of legitimate mail about "teenage lesbians" and only spam about "antivirus software." If we are on the same ISP, then it would be erroneous behavior for my reporting "teenage lesbians" as spam and "antivirus software" as nonspam to throw her spam-filtering out of whack, or vice versa. And yet it is a potential privacy violation for the ISP to be gathering statistics on which one of us gets virus bulletins, and which one is the lesbian.

      (Moreover, there also isn't yet any standard mechanism for users to report spamminess or nonspamminess back to normal IMAP or POP mail hosts -- and Bayesian algorithms require sampling both spam and non-spam mail, not just spam reported to an abuse address.)

      The filtering mechanisms that should be implemented on the server are general ones -- ones that do not rely on deep inspection into the content of the message. I don't really want ISPs to gather stats on common keywords in users' incoming mail -- do you? It is one thing to examine structural elements of the message, such as the IP address which sent it, or the presence of normal headers; or to statelessly scan the message for static patterns, such as virus signatures or "DISCOUNT HERBAL VIAGRA !!!" It would be quite another thing to gather the kind of data that Bayesian filters involve, for every user on a large end-user system.
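
The per-user point made in the comment above, as an added example that is not part of the original thread: a small naive Bayes filter is trained once per mailbox and once on the pooled mail of both users, then scores the same two messages. The mailboxes, user names and test messages are constructed for illustration, reusing the two phrases the comment contrasts.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case the text and split it into word tokens."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokenize(text))
        self.messages[label] += 1

    def spam_probability(self, text):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        # Tokens never seen in training carry no evidence either way.
        known = [t for t in tokenize(text) if t in vocab]
        total_msgs = sum(self.messages.values())
        log_score = {}
        for label in ("spam", "ham"):
            denom = sum(self.counts[label].values()) + len(vocab)
            score = math.log((self.messages[label] + 1) / (total_msgs + 2))
            for tok in known:
                score += math.log((self.counts[label][tok] + 1) / denom)
            log_score[label] = score
        diff = log_score["ham"] - log_score["spam"]
        if diff > 700:          # avoid overflow in exp(); clearly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))


# Constructed training mail: what is ham for one user is spam for the other.
MAILBOXES = {
    "admin": [
        ("antivirus software signature update released", "ham"),
        ("antivirus software bulletin new worm detected", "ham"),
        ("patch schedule for mail gateway", "ham"),
        ("teenage lesbians click here now", "spam"),
        ("free teenage lesbians pics click now", "spam"),
        ("cheap mortgage click here", "spam"),
    ],
    "activist": [
        ("teenage lesbians support group meets thursday", "ham"),
        ("volunteers needed teenage lesbians outreach", "ham"),
        ("newsletter draft for review", "ham"),
        ("antivirus software free download click now", "spam"),
        ("discount antivirus software click here", "spam"),
        ("cheap mortgage click here", "spam"),
    ],
}


def build_filters(mailboxes=MAILBOXES):
    """Return one filter per user plus a 'pooled' filter fed everyone's mail."""
    filters = {user: BayesFilter() for user in mailboxes}
    pooled = BayesFilter()
    for user, mail in mailboxes.items():
        for text, label in mail:
            filters[user].train(text, label)
            pooled.train(text, label)   # the ISP-wide model sees every user's words
    filters["pooled"] = pooled
    return filters


def compare(message, filters=None):
    """Spam probability of one message under each filter, rounded to 3 places."""
    filters = filters or build_filters()
    return {name: round(f.spam_probability(message), 3)
            for name, f in filters.items()}


if __name__ == "__main__":
    for msg in ("Your antivirus software renewal",
                "teenage lesbians conference agenda"):
        print(msg, "->", compare(msg))
```

The per-user filters give opposite, confident verdicts on each message, while the pooled filter lands near 0.5 on both because the two users' training labels cancel out.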

  • HHotG (Score:4, Funny)

    by Garion911 (10618) on Thursday January 02, 2003 @09:32PM (#5003378) Homepage
    Brain the size of the universe, and all I get to read is how to increase my penis size.
  • is this really new? (Score:2, Interesting)

    by jeffy124 (453342)
    this doesn't look all that fancy. if i'm reading it right, the system simply displays something as an image to the user at sign-up time and asks them to type it back.

    they've used this for years elsewhere. for example, Major League Baseball's Online All Star Voting has used it ever since pudge stuffed the ballot box [boston.com] right before the 1999 game.
  • Junk Mail?? (Score:3, Funny)

    by CSG_SurferDude (96615) <wedaa.wedaa@com> on Thursday January 02, 2003 @09:33PM (#5003385) Homepage Journal

    But does it sign up the SPAMMER for all sorts of free offers and catalogs to be sent to their home address? (ala Ralsky)?

  • it would be damn nice if Hotmail can offer email content filtering also. I get those damn COLLEGE DIPLOMAS!!!! Thing every once in a while with a different heading and illegal email address. This shit has got to be illegal.

    Aside from that, I created my hotmail account and was spam-free (with no filters or settings) for a long time. That is until I registered on a career-type website (let's call it site A). This one is for the lawyers out there: Another similar career-type website (let's call it site B) signed itself up as an employer and ran through Site A looking through personal information otherwise not available unless as an employer. After that, I presume they built a good list of emails. I was spammed with their emails trying to get me to register with Site B. After a short while, these diplomas and weight loss and triple-your-breast-size started to pile up. Is what site B did illegal? Because in this case, it seems like personal information was stolen.
  • by theCat (36907) on Thursday January 02, 2003 @09:44PM (#5003438) Journal
    These Turing tests do not stop spam. They discourage spammers from using bogus Hotmail etc accounts to originate spam from. They do this by making it incrementally more expensive to create the accounts; rather than using a bot to create an account a second you have to use a human to create accounts by the minute. So 60 times the effort.

    But I don't think that translates into 60 times the cost. The Turing tests are interesting but I don't think that the creation of the accounts ever was a bottleneck in the process in sending spam. You could get a high school kid to create all the accounts you would need for a month in about an hour, and pay him in pr0n.

    If the truth were known, Hotmail and Yahoo are just trying to decrease server loads. I bet that when bots create accounts they create hundreds or thousands more than are used, which take up server resources during creation and later as the accounts eat up storage. With Turing tests it is more likely that not too many will be laying around waiting to be used.
  • by Anonymous Coward
    Uh oh, looks like Spam Arrest is inflicted with Patent Priapism, a horrible disease in which you feel you must patent some stupid thing you "invented", when you actually just combined two or more existing things in a most un-original way.

    They have patent pending on "calling back to verify a phone number" except it's email.

    I would suggest avoiding this company's products and services.
  • Accessibility (Score:2, Insightful)

    by Zappo_ (111434)
    From the captcha site:

    "[...] humans can read distorted text as the one shown below but current computer programs can't:"

    I think they mean "non-blind humans". How exactly will they ever solve that problem? If a blind man's OCR program can read the text, so can the spammer's.
    • Re:Accessibility (Score:5, Interesting)

      by Meowing (241289) on Thursday January 02, 2003 @10:38PM (#5003651) Homepage
      The graphics basically don't work with OCR.

      I wrote Yahoo about this problem just about a year ago, after
      finding no explanation in their online help about how
      visually impaired users were supposed to use their service,
      and this is what they had to say.

      I kind of thought this sucked, that apparently the solution
      is to wait for a human operator to read the feedback
      form and phone you back. Surely someone can come up with
      a better system.

      =-=-=-=

      Hello,

      Thank you for writing to Yahoo! Account Services.

      If you are a visually impaired or blind user, please fill out the
      feedback form at:

      http://add.yahoo.com/fast/help/us/edit/cgi_access

      A customer care representative will call you back, to assist you with
      registering for a Yahoo! account.

      If we can be of further assistance, please let us know.

      Thank you again for contacting Yahoo! Customer Care.

      Regards,

      Yahoo! Customer Care

      For assistance with all Yahoo! services, please visit:

      http://help.yahoo.com/
  • by adminispheroid (554101) on Thursday January 02, 2003 @10:01PM (#5003512)
    I see a lot of posts here comparing the relative merits of different spam filters, based on how little spam gets through. The thing I worry about a lot more with spam filters is how much of my non-spam mail gets blocked. And yes, I've had this happen with every spam filtering mechanism some sysadmin has inflicted on me. This is the main reason I like spam filtering at the user level, not the ISP or system level -- at least you have some control over the imperfections.
  • Tired of flames?
    - Use the emacs psychologist to determine the mood of people sending you email!
  • Spam Tax (Score:5, Interesting)

    by Alien54 (180860) on Thursday January 02, 2003 @10:09PM (#5003531) Journal
    My basic position these days is that there has to be a way to make it viable to "hunt" spammers, - say, by sending bill collectors after them.

    This idea means licensing them so that they are properly registered, meaning we know who they are and where they live.

    Meaning that they can be billed for use of service, etc. and jail those not properly licensed.

    Meaning that we can send bill collectors and tax collectors hunting after them.

    The bottom line is that IF we can make it profitable to go after these guys, someone will make a business of it. We just got to figure a way how.

    Then we get to use the scum of society, such as bill collectors and tax collectors, and turn them to some good, going after spammers.

    And we can use the money collected to subsidise the cost of something useful.

    Now Lessig has also proposed something similar to this:

    http://www.cioinsight.com/article2/0,3959,533225,0 0.asp [cioinsight.com]

    Which essentially means that there are more eyeballs to track the scum down. And a financial reward to do so.

    The twist in my proposal is to make spam have a cost even if sent "legally" - [lots of states have finance problems], and make the penalties truly painful if done illegally. I want to set my own fees for receiving spam.

  • Damn Slashvertisements [slashdot.org]. I don't care if it is to block spam, it doesn't belong.

    On the other hand, the banners are just fine and for those of you who have their banners turned off, Blizzard has an opening for a Unix Admin and a great ad. I'd link to it here but you should really turn banners on. I know they are annoying, but banners bring in money for slashdot. That $49.99 or $9.99 or whatever you pay for your ISP is NOT giving that money to slashdot, and for them to remain free, they need you to download those damn ads.

    Now, turning off pop-ups, that's acceptable. But think of all the porn you're missing!
  • Every time you want to send an e-mail to someone, their ISP (or even their own mail server) quickly replies to you with a challenge (image for you to decipher), when you decipher the image, and reply ("as in confirm you're a human") your original message appears in the in-box of the person to whom you've sent it. Anyone can define their own tests if they're not happy with default ones, and you never see an e-mail which hasn't passed YOUR tests.

    And since these tests are interactive (ie: you're asking the PERSON who e-mailed you a question), they can be quite hard to fool with a computer.

    Non-challenging e-mail addresses (or mailings) can still exist, and will be clearly marked as haven't been 'verified'... ie: treated as bulk e-mail.
    • I like this idea with some modifications...

      I want to be whitelisted for x number of days. Or maybe a setup similar to DHCP where I've got a lease for x number of days that doesn't expire until I haven't used it for y number of days.

      This would allow email to remain FREE like it should be and solve the problem at the same time.
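The challenge-then-lease scheme described in the two comments above, sketched as an added example that is not part of the original thread. The class and method names, the 30-day idle window and the per-sender hold cap are assumptions; the returned answer string stands in for the text a challenge image would show, and the lease is keyed on the sender address, which SMTP does not authenticate.

```python
import hmac
import secrets

DAY = 86400  # seconds

class ChallengeGate:
    """Hold mail from unknown senders until they answer a challenge."""

    def __init__(self, idle_days=30, max_held=5):
        self.idle = idle_days * DAY   # assumed "y": lease lapses after this much silence
        self.max_held = max_held      # assumed cap on queued mail per unverified sender
        self.leases = {}              # sender -> time of last accepted message
        self.pending = {}             # sender -> (expected answer, held messages)

    def receive(self, sender, message, now):
        """Return ('deliver', None), ('challenge', answer) or ('drop', None)."""
        sender = sender.strip().lower()
        last = self.leases.get(sender)
        if last is not None and now - last <= self.idle:
            self.leases[sender] = now          # each use renews the lease, DHCP style
            return "deliver", None
        self.leases.pop(sender, None)          # lapsed lease: sender must verify again
        if sender in self.pending:
            answer, held = self.pending[sender]
            if len(held) >= self.max_held:     # do not let unverified senders fill the queue
                return "drop", None
            held.append(message)
            return "challenge", answer
        answer = secrets.token_hex(4)          # text the challenge image would display
        self.pending[sender] = (answer, [message])
        return "challenge", answer

    def respond(self, sender, answer, now):
        """Release held mail and start a lease if the answer matches."""
        sender = sender.strip().lower()
        entry = self.pending.get(sender)
        if entry is None or not hmac.compare_digest(answer.encode(), entry[0].encode()):
            return []
        del self.pending[sender]
        self.leases[sender] = now
        return entry[1]
```

Because the sender address can be forged, a gate like this also sends challenges to people who never wrote to you whenever spam arrives with a spoofed sender.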
  • In Mozilla News.. (Score:3, Informative)

    by bahwi (43111) <incoming@josephguhli[ ]om ['n.c' in gap]> on Thursday January 02, 2003 @10:15PM (#5003556) Homepage
    Well, it's not, but you know...

    Mozilla now comes with its own Spam Filter [mozilla.org] starting with 1.3Alpha. Anyone know how well it works? I haven't had a chance to try it.

    Think this is off topic? Read the last line of the slashdot story and click the link, where you can take a "Free 30-Day Trial!!"

    =)
    • Re:In Mozilla News.. (Score:5, Informative)

      by TheBishop (88677) on Thursday January 02, 2003 @11:27PM (#5003884)
      I have been building the 1.3 from source routinely just to get access to the mozilla spam filter.

      I have this to say about it

      GET IT.

      I trained it on a corpus of spam I've been keeping around for just such a purpose (about 300 messages, not a lot really). Since then I have been giving it minor corrections to tag new spam and it is nearly perfect. No false positives. The interface is easy to use.

      If you use Mozilla now for Mail, you owe it to yourself to start using the 1.3a. If you're using something else, it's worth looking at Mozilla.

  • Shameless OS X Plug (Score:3, Informative)

    by Galahad2 (517736) on Thursday January 02, 2003 @10:16PM (#5003560) Homepage
    Mail.app's filtering is fantastic. I only look at around one spam message every two weeks, and I've only had one false positive (which was advertising something, as it was) in the year and a half that I've been using it. The filter is probably too CPU intensive to use on any large scale, though.
  • I get advertisements for spamarrest on the bottom of my spam quite often.

    This has got to be a spammer that runs it.
  • by zdzichu (100333) <zdzichu@@@irc...pl> on Thursday January 02, 2003 @10:28PM (#5003604) Homepage Journal
    I've watched Spamarrest movie. The exact same system (you have to read a word, obscured to defeat OCR programs) is being used by one of Polish mobile phone operators. If you want to send SMS from www->sms gate you also have to read a word. You can see it here [sms.idea.pl].
  • by patbob (533364) on Thursday January 02, 2003 @10:40PM (#5003663)
    Um, I was always taught that the Turing test involved a human holding a "conversation" with some other entity. If they couldn't tell whether they were talking to a computer or a human, then the computer passed.

    What do you get if you eliminate the human from the above? Why, a protocol link. Might as well require me to type in TCP/IP packets and consider me human if I make too many errors :-)

  • by theLOUDroom (556455) on Thursday January 02, 2003 @11:23PM (#5003855)
    An "automated Turing test" is an oxymoron.

    The Turing test is where a human talks to a computer and tries to decide if the backend that's answering him is a human or a computer program.

    This is more of a reverse Turing test, where the computer asks questions to try and find out if it's interacting with a person or a program.

    It would be possible to write a program to beat this system, but it would not qualify as having passed the Turing test, because it would have only fooled another computer program, not a real person. Of course maybe said program could go on to pass the Turing test.

    Wouldn't it be weird if spam was the driving force behind the creation of the first real AI?

    Skynet began learning at a geometric rate.......by 1800 hours every mailbox in the world was jammed with unfilterable spam.
  • by SuperKendall (25149) on Thursday January 02, 2003 @11:36PM (#5003925)
    I was thinking that a technique that might help is to set up two accounts - something like a hotmail account in addition to your normal email account. One account is the valid one you use for whatever, the other address you don't give out to anyone you expect mail from.

    Then, when you get mail at your "real" account that mail is examined to see if it matches any of the mail received at the "fake" account.

    This is sort of like the digital camera technique of taking a "picture" of the CCD image with the shutter closed after a long exposure, to get an idea of what just the noise from the CCD looks like so it can be subtracted from the image data collected.

    Of course, I'm not sure how well it would work in practice or if you'd really get the same spam very often in both accounts...
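The decoy-account comparison proposed in the comment above, as an added example that is not part of the original thread. Bulk mail is usually personalised per recipient, so an exact match between the two inboxes rarely works; this sketch masks addresses and links and compares word shingles instead. The function names, the 0.6 threshold and all three sample messages are constructed for illustration.

```python
import re

def shingles(body, k=4):
    """k-word shingles of a body with per-recipient noise masked out."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " url ", text)   # tracking links differ per copy
    text = re.sub(r"\S+@\S+", " addr ", text)       # greeting carries the recipient
    words = re.findall(r"[a-z']+", text)            # drops digits and punctuation
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a and b else 0.0

class DecoyFilter:
    def __init__(self, threshold=0.6):   # assumed cut-off, tune on your own mail
        self.threshold = threshold
        self.decoy = []                  # shingle sets of mail seen at the decoy address

    def learn_decoy(self, body):
        self.decoy.append(shingles(body))

    def score(self, body):
        """Best similarity between this message and any decoy message."""
        s = shingles(body)
        return max((jaccard(s, d) for d in self.decoy), default=0.0)

    def is_spam(self, body):
        return self.score(body) >= self.threshold

# Constructed sample messages (not real mail).
DECOY_MAIL = ("Dear friend@decoy.example, get your university diploma today with "
              "no exams required. Visit http://a.example/?id=1234 now and order before Friday.")
REAL_SPAM = ("Dear me@real.example, get your university diploma today with "
             "no exams required. Visit http://b.example/?id=9876 now and order before Monday.")
REAL_HAM = "Hi, are we still meeting for lunch on Friday? Let me know before noon."
```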
  • by gregm (61553) on Friday January 03, 2003 @12:00AM (#5004039)
    Is to make it a crime to send email from a bogus account. I'm thinking this crime would be called.. oh I dunno maybe fraud. If I have a real email address then I can request to be removed and am not, then it should be just like telemarketing and I could sue for $500.

    As long as you spam me from a legitimate email address I can request that the ISP delete your account. If the ISP chooses not to do so, then I can block the whole damn domain guilt-free. If the ISP has a decent EULA they could sue their subscriber for breaking the terms of their agreement and use that money to pay their various postmasters to take care of spam complaints.

  • by mikey573 (137933) on Friday January 03, 2003 @12:49AM (#5004246) Homepage
    From my understanding, the use of image recognition in the captcha test would make it nearly impossible for blind people to pass the test.
    • They know that. The blind people can call a phone number and assert that they are blind. An ALT tag that explains the purpose of the picture and mentions the phone number will be enough.
  • REALLY old news (Score:4, Informative)

    by quintessent (197518) <my usr name on toofgiB [tod] moc> on Friday January 03, 2003 @03:33AM (#5004683) Journal
    Turing test is a bit of an exaggeration. They have you look at some garbled text and type what you see. And it's been going on for a very long time.

    The Register article had absolutely nothing of value to add. As you were.
  • by Presto_slashdot (573879) on Friday January 03, 2003 @05:43AM (#5004964)
    1. Decide which hotmail/yahoo/whatever account you want to sign up.
    2. Send most of the (fake) registration info until it sends you a "turing test" image.
    3. Display the image in the next webhit on your popular porn site saying "to get free porn, type these characters"
    4. Send whatever they type to hotmail/yahoo/whatever & complete your registration.
    5. Profit?
  • by dwoolridge (69316) on Friday January 03, 2003 @06:36AM (#5005074) Journal
    Some people have already produced excellent results in breaking visual CAPTCHAs [berkeley.edu].
