
Spammers Learn to Outsource Their Captcha Needs 221

lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."

  • These lead shoes (Score:3, Informative)

    by future assassin ( 639396 ) on Saturday November 25, 2006 @05:44AM (#16982636)
    are nothing to do with business, it's just personal. I would be more than happy to plead guilty if I ever got caught for beating the fuck out of a spammer.
  • Dupe/Oldnews (Score:2, Informative)

    by Threni ( 635302 ) on Saturday November 25, 2006 @06:02AM (#16982714)
  • Re:These lead shoes (Score:3, Informative)

    by SharpFang ( 651121 ) on Saturday November 25, 2006 @07:10AM (#16982970) Homepage Journal
    Actually, Russia and China are far second behind USA which holds over 60% of spam market.
  • by Moraelin ( 679338 ) on Saturday November 25, 2006 @10:35AM (#16983926) Journal
    So basically with all that IP checking and all, you've just said (in so many words) that the spammer must use a proxy.

    Basically if machine A is the server, machine B is doing the spamming, and the paid peon cracking captchas for a living is on machine C, then it can jolly well go on like this:

    - the peon's machine C connects to one of the many machines B doing the spamming (it can also be the other way around: machine B could initiate a connection and wait for the human to be ready. Works great if machine B is behind a firewall too, since outgoing connections typically get through just fine.)

    - machine B connects to the server A, gets the image, the cookie and everything

    - machine B relays this to machine C

    - the peon does the captcha on his machine C, in the Chinese sweatshop where he works

    - machine C relays this answer back to machine B

    - machine B now gives it to your server, together with the cookie and all. It comes with the right cookie, from the right IP, etc. So _how_ is your server going to know about all the proxying behind it?

    - machine B now proceeds to spam with impunity, since most servers don't ask for a captcha for each and every single message sent

    It's not even a new idea. Exactly this kind of relaying, in various forms (including this, and using unknowing visitors to a porn site to crack proxied captchas thinking they're logging in to the porn site, etc) has been discussed ever since the first lemming thought that captchas are _the_ ultimate, unbreakable solution.

    Except every time it prompted a barrage of weird "well, it hasn't happened yet, so it's not possible" and similar, and the lemmings went back to pretending that proxying doesn't exist, and machine recognition is obviously the only way to crack a captcha. In fact, back to solving the wrong problem.

    Well now it's happening exactly as predicted. In a way I feel vindicated, even though it's sad that something harmful has to happen for people to finally pry their heads out of their asses and acknowledge reality.
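An added example, not part of the original thread: the relay described above arrives with the right IP and cookie, so one server-side response is to limit what each human solve buys, which addresses the last step (a single solved captcha followed by unlimited posting). The names `issue_grant`, `check_post`, the key and the limits are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
GRANT_TTL = 600                   # assumption: a solve is honoured for 10 minutes
GRANT_POSTS = 3                   # assumption: and for at most 3 posts

_used = {}                        # grant -> posts spent (in-memory for the demo)


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_grant(session_id, now=None):
    """Call once the captcha answer for this session has been verified."""
    issued = int(now if now is not None else time.time())
    payload = f"{session_id}|{issued}"
    return f"{payload}|{_sign(payload)}"


def check_post(grant, session_id, now=None):
    """Return (allowed, reason) for one post submitted with this grant."""
    now = int(now if now is not None else time.time())
    try:
        sid, issued, mac = grant.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return False, "malformed"
    expected = _sign(f"{sid}|{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad-signature"
    if sid != session_id:
        return False, "wrong-session"
    if now - issued > GRANT_TTL:
        return False, "expired"       # a fresh captcha is required
    if _used.get(grant, 0) >= GRANT_POSTS:
        return False, "budget-spent"  # a fresh captcha is required
    _used[grant] = _used.get(grant, 0) + 1
    return True, "ok"
```

This does not detect the relay itself; it only makes every few messages cost another human solve instead of one solve per spam run.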
  • by bogado ( 25959 ) <bogado@@@bogado...net> on Saturday November 25, 2006 @11:21AM (#16984152) Homepage Journal
    I use readable captcha, the challenge to the spammer is not only "reading" the text but parsing it. I have a categorized database of words, each word belongs to one or more categories. The system asks which word in the list belongs, or not, to a certain category.

    Just to make it harder I put it in an image that has several rotated letters that have a sufficiently different color. This is only a stopgap, because all of this can be filtered easily enough, but it can look like a usual captcha to a normal program that tries to solve it.

    Since it is a blog in Portuguese, this will filter people who don't speak it, but I guess those would not be interested in commenting about something that they do not understand. :-)
  • by Doctor Crumb ( 737936 ) on Saturday November 25, 2006 @12:56PM (#16984676) Homepage
    Usually, if a bot is getting past your captcha, it is circumventing it, not solving it. First, check if you are running with REGISTER_GLOBALS set to "off". Then, make sure your site is only accepting form submissions from the relevant form on your own site; a simple referer check is enough to stop most forum/comment spam. Only if you have secured everything else and you have proof that the bots are actually solving your captcha should you blame the captcha.
  • by FlunkedFlank ( 737955 ) on Saturday November 25, 2006 @12:57PM (#16984684)
    That's basically what http://www.kittenauth.com/ [kittenauth.com] is trying to do.
  • by Anonymous Coward on Saturday November 25, 2006 @07:17PM (#16987492)
    OK so you're talking shit. There's not a single piece of technical information in anything you've said.
    No, you are a clueless git who can't understand a simple concept. It's like trying to explain a nuclear reactor to a four year old.
    To point 4. How does Z "send a copy of the CAPTCHA"? How do you generically differentiate between wallpaper, advertising and captcha images on a web page?
    How does Z send a copy of the CAPTCHA? Perhaps you've heard of this thing called the Internet. Z could open a direct socket connection, Z could post it to a web form, Z could use IRC, Z could use IM, Z could send an email--the options are numerous. How does Z identify the CAPTCHA image? In case you haven't noticed, the image is typically very near the input field for the solution. Worst case, Z could send all markup from the target site and it would be presented to the dummy on the other end in exactly the same layout as if he were visiting the real site.
    The answer is of course you can't. Maybe you could go by dimensions of the image. Or do some sort of OCR on each image to see if it contains CAPTCHA-like stuff. But if you can OCR the thing you don't need horny porn dude at all, do you?
    Of course you can solve it. I just told you how. Anybody with over a room temperature IQ could figure it out. That clearly excludes you. Absolute worst case: send the entire damn page content to the dummy who is solving the CAPTCHA for you.
    Again I think you end up building an entire system just to post spam to one site, which would probably deal with your silly attack effectively and permanently within hours, or at most a day or two.
    In case you haven't noticed, spammers have already built generic systems to target web sites. As I have clearly demonstrated, those systems can easily be modified to enlist third-parties to break the CAPTCHAs for them.
    Yea solutions are always obvious when you have no ability to implement them. Anyhow engaging in this discussion is getting a little embarrassing. bye bye.
    The only thing embarrassing here is your ignorance. You are absolutely clueless about the web and about programming in general. Find a new career and stop giving real software developers a bad name.

    P.S. I love the way your childish web site claims you've been developing on NT for 15 years, when NT hasn't even been out for 15 years. Grow up, you ignorant retard.
