Turing Tests to Stop Spam

cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."

CAPTCHA project

[nekdut]

For those who dont know, The CMU developed captcha project is great. Check out their work here:

http://www.captcha.net/ [captcha.net]

I find Yahoo to work much better though...

[saskboy]

I've only had my Yahoo account since last year and my Hotmail account since 1997, so this may not be a fair comparison:
Yahoo spam today:
0

Hotmail spam today:
18

Which is doing a better job at stopping spam you say?

Re:Yahoo works, hotmail not

[EmagGeek]

I've run the "Hotmail Test" several times and every time, I get spam within 4-5 days of opening the account. Even if I never ever send an email, the amount of spam grows approximately linearly with time... it only takes about 2 months to exhaust your 2MB quota daily....

At least that was the case the last time I ran this little experiment...

It's no secret, at least it shouldn't be, that Micro$oft is making money selling your hotmail address (yet then they spam you with advertisements for their spam-blocking software)...

*sigh*

****** SPAM ****** SpamAssassin Plug

[sulli]

I have SpamAssassin at my isp (Verio) and it kicks ass. Probably a false positive per week (and that's often a slashdot Daily Stories email), and a false negative every 3-4 days. Pretty damn good. Cut inbox crapola from 10-20 per day to, well, zero.

Re:Why?

[iksowrak]

RTFA. The very first thing the article says is: "Spam fighters have come up with an idea to frustrate the automatic creation of email accounts often used to send spam."

It's to help stop spambots from being able to create email accounts to send spam from, not to filter spam on the client side.

Think the editors could pass a no-repeat test?

[Froze]

Now if they could just come up with a turing test for slashdot
repeats!

http://developers.slashdot.org/article.pl?sid=02 /1 2/30/1740211&mode=thread&tid=111

Granted this is not a direct repeat but the articles are just different sources for the same story.

Re:Yahoo works, hotmail not

[b0r1s]

Even if I never ever send an email, the amount of spam grows approximately linearly with time... it only takes about 2 months to exhaust your 2MB quota daily....

You must have some bad luck. I've got a hotmail account I've used consistently for two years, and I'm typically around ~10% of my quota.

Either you're advertising your email address, or you've got some really easy to guess address, because the behavior you describe is far from typical.

Re:The first step is stopping it from getting ther

[Anonymous Coward]

have you tried to add '@spammailer.com' to the mail blocker? And things still get through?

Whitelists do the trick.

[My_nickname_is_taken]

I turned on my hotmail filters so now only people on my whitelist can send mail directly to my inbox.

0 spam for months now.

The only negative is if someone not on my whitelist sends mail, I have to rummage throught the rest of the junk to find it.

Re:The first step is stopping it from getting ther

[geekoid]

click mail options:
go to
"Enter email address (or domain) to block:"
enter domain in text baox, such as
whatever.com

click, add block

Re:Yahoo works, hotmail not

[Andorion]

When you sign up, if I remember correctly, hotmail used to have an ENABLED option to share your email address... you had to go into options and disable it. Also, make sure you're not signed up for any newsletters or other crap. I've created multiple hotmail accounts, and never get spammed until I use that address somewhere.

-Berj

Re:Yahoo works, hotmail not

[doorbot.com]

Just change your preferences to deny messages from anyone who is not in your address book. Problem solved.

Here's an idea to solve this:

[Prof.Phreak]

Every time you want to send an e-mail to someone, their ISP (or even their own mail server) quickly replies to you with a challenge (image for you to decipher), when you decipher the image, and reply ("as in confirm you're a human") your original message appears in the in-box of the person to whom you've sent it. Anyone can define their own tests if they're not happy with default ones, and you never see an e-mail which hasn't passed YOUR tests.

And since these tests are interactive (ie: you're asking the PERSON who e-mailed you a question, they can be quite hard to fool with a computer).

Non-challenging e-mail addresses (or mailings) can still exist, and will be clearly marked as haven't bee 'verified'... ie: streated as bulk e-mail.

In Mozilla News..

[bahwi]

Well, it's not, but you know...

Mozilla now comes with it's own Spam Filter [mozilla.org] starting with 1.3Alpha. Anyone know how well it works? I haven't had a chance to try it.

Think this is off topic? Read the last line of the slashdot story and click the link, where you can take a "Free 30-Day Trial!!"

=)

Shameless OS X Plug

[Galahad2]

Mail.app's filtering is fantastic. I only look at around one spam message every two weeks, and I've only had one false positive (which was adveritising something, as it was) in the year and a half that I've been using it. The filter is probably too CPU intensive to use on any large scale, though.

Re:An idea for hotmail

[hhknighter]

well, probably because the spammers already found a way to get by that. Spam nowadays come in different packages. Different subject lines everytime, different email addresses everytime (some are illegal like penis@enlarge.it, I have even seen some from another user who had no idea a spam was sent through their account. Two things also to consider: the amount of CPU power needed to do content filters, and service objective. Like you said, filtering through email address. What about those that use illegal + dynamic addresses? Content, the content is roughly the same. But account for the number of people using hotmail, and account for # of emails per user, and account for the power needed to read through all messages doing an greedy search for matching keywords and phrases. As for service objective, Hotmail is a email provider, and they can't really afford to be wrong in their filtering. Some people use hotmail for professional reasons, and hotmail can't afford to miss

Links to previous Slashdot stories on CAPTCHA

[yerricde]

See also:

• Slashdot: Email (As We Know It) Doomed? [slashdot.org]
• Slashdot: Human vs. Computer Intelligence [slashdot.org]
• Everything 2: The CAPTCHA Project [everything2.com]

Re:wrong

[AnyoneEB]

4. SpamBot picks it up off a web site

Re:CAPTCHA project

[fgodfrey]

Err, so from what I understand (my brother worked on this project briefly) this is basically an academic research project, that has some commercial uses. As such, CMU's CS department is interested in publishing papers, not code. The code for projects like this gets written more as a proof of concept than as a production ready set of code. So, if you want to use their code, it's going to be harder than just typing "make install". Remeber, this is code coming from the CS research department at CMU (which is quite good, I might add!), not the people who do Andrew (the academic computing environment that is more like "production code" - see the Cyrus mail system as an example of their code).

Re:CAPTCHA project

[js7a]

what are the terms of their license?

First of all, the largest sole source of CAPTCHA funding is the National Science Foundation, so if you are a U.S. taxpayer, you are paying for this work.

Having said that, the rights to and interests in NSF-sponsored work are very much up in the air, nowhere moreso than the Carnegie Mellon School of Computer Science. The Dean is said to have a somewhat different view than the Provost, who is probably not in agreement with the President, and the Board of Trustees are clearly all over the map on the issue, too. CMU is a study in contrasts when it comes to intellectual property opinions. CMU switched intellectual property policies [cmu.edu] exactly three days after I entered (yeay for freshman camp -- I knew it was worth the extra few bucks!) and the new (1985) one is draconian yet astoundingly vague [cmu.edu]. So, the authors might not even know the actual rights under which they are allowed to distribute their software. Noboday may know -- often an ajudication committee is required to make an arbitrary decision on a case-by-case basis.

However, principles of academic freedom have repeatedly trumped the Intellectual property policy, and that means that the researchers have the right to publish their code as sceintific research results, without restriction which is what they have apparently done. The scientific method requires absolutly no restrictions on such results (so as to allow for unimpeded replication), which means that the code is in the public domain. Even if it is released under copyright or GPL later, it is still in the public domain.

I am not a lawer, but years ago I paid a lawyer to answer a related question and I am faithfully repeating his answer above.

Re:In Mozilla News..

[TheBishop]

I have been building the 1.3 from source routinely just to get access to the mozilla spam filter.

I have this to say about it

GET IT.

I trained it on a corpus of spam I've been keeping around for just such a purpose (about 300 messages, not a lot really). Since then I have been giving it minor corrections to tag new spam and it is nearly perfect. No false positives. The interface is easy to use.

If you use Mozilla now for Mail, you owe it to yourself to start using the 1.3a. If you're using something else, it's worth looking at Mozilla.

REALLY old news

[quintessent]

Turing test is a bit of an exaggeration. They have you look at some garbled text and type what you see. And it's been going on for a very long time.

The Register article had absolutely nothing of value to add. As you were.

the mousetrap race continues...

[dwoolridge]

Some people have already produced excellent results in breaking visual CAPTCHAs [berkeley.edu].

Re:captcha stops blind people too

[leob]

They know that. The blind people can call a phone number and assert that they are blind. An ALT tag that explains the purpose of the picture and mentions the phone number will be enough.

Re:Messages lost between Spam Arrest users

[Anonymous Coward]

Yes.

Case #1: Spam Arrest will allow internally generated email (like the verifications) through, so there is no loop between two spam arrest users.

Case #2: You can, at anytime, check the messages waiting to be verified, so if you are expecting an email for a order confirmation or whatever, you can see it on the spam arrest website, and either respond/read it there, or authorize them as a sender & add them to your whitelist from then on out.