Spammers Learn to Outsource Their Captcha Needs
lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
These lead shoes (Score:3, Informative)
Dupe/Oldnews (Score:2, Informative)
Re:These lead shoes (Score:3, Informative)
So you've just described a proxy (Score:3, Informative)
Basically if machine A is the server, machine B is doing the spamming, and the paid peon cracking captchas for a living is on machine C, then it can jolly well go on like this:
- the peon's machine C connects to one of the many machines B doing the spamming (it can also be the other way around: machine B could initiate a connection and wait for the human to be ready. Works great if machine B is behind a firewall too, since outgoing connections typically get through just fine.)
- machine B connects to the server A, gets the image, the cookie and everything
- machine B relays this to machine C
- the peon does the captcha on his machine C, in the Chinese sweatshop where he works
- machine C relays this answer back to machine B
- machine B now gives it to your server, together with the cookie and all. It comes with the right cookie, from the right IP, etc. So _how_ is your server going to know about all the proxying behind it?
- machine B now proceeds to spam with impunity, since most servers don't ask for a captcha for each and every single message sent
It's not even a new idea. Exactly this kind of relaying, in various forms (including this, and using unknowing visitors to a porn site to crack proxied captchas thinking they're logging in to the porn site, etc.) has been discussed ever since the first lemming thought that captchas are _the_ ultimate, unbreakable solution.
Except every time it prompted a barrage of weird "well, it hasn't happened yet, so it's not possible" and similar, and the lemmings went back to pretending that proxying doesn't exist, and machine recognition is obviously the only way to crack a captcha. In fact, back to solving the wrong problem.
Well now it's happening exactly as predicted. In a way I feel vindicated, even though it's sad that something harmful has to happen for people to finally pry their heads out of their asses and acknowledge reality.
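Because the server cannot tell a relayed solve from a direct one, a mitigation that follows from the last step of the list above is to limit what a single solve buys. This is an added sketch, not code from the comment or from any real site; `CaptchaBudget`, `solves_needed` and the limits shown are hypothetical names and values.

```python
import time


class CaptchaBudget:
    """Each solved captcha buys a small, short-lived posting allowance."""

    def __init__(self, max_posts=3, ttl_seconds=600, clock=time.monotonic):
        self.max_posts = max_posts
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._credits = {}  # session id -> [posts_left, expires_at]

    def record_solve(self, session_id):
        """Call after the server has verified a captcha answer for this session."""
        self._credits[session_id] = [self.max_posts, self.clock() + self.ttl_seconds]

    def allow_post(self, session_id):
        """Spend one credit and return True, or return False to demand a new captcha."""
        entry = self._credits.get(session_id)
        if entry is None or entry[0] <= 0 or self.clock() >= entry[1]:
            self._credits.pop(session_id, None)
            return False
        entry[0] -= 1
        return True


def solves_needed(messages, budget, session_id="constructed-session"):
    """Count the captcha solves one session needs to get `messages` posts accepted."""
    solves = 0
    for _ in range(messages):
        if not budget.allow_post(session_id):
            budget.record_solve(session_id)  # a human, relayed or not, solves again
            solves += 1
            budget.allow_post(session_id)
    return solves


if __name__ == "__main__":
    # Constructed comparison: 1000 messages under three server policies.
    # The first policy models "one captcha, then post freely".
    for max_posts in (10**9, 3, 1):
        print(max_posts, solves_needed(1000, CaptchaBudget(max_posts=max_posts)))
```

This does not detect the relay; it only ties the number of accepted messages to the number of human solves, so one solve no longer covers an unlimited run of posts.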
Re:A long-time problem (Score:3, Informative)
Just to make it harder I put it in an image that has several rotated letters that have a sufficiently different color. This is only a stopgap, because all of this can be filtered easily enough, but it can look like a usual captcha to a normal program that tries to solve it.
Since it is a blog in Portuguese, this will filter people who don't speak it, but I guess those would not be interested in commenting about something they do not understand.
Re:This is just stupid (Score:4, Informative)
Re:A long-time problem (Score:2, Informative)
Re:using porn to solve captchas (Score:1, Informative)
How does Z send a copy of the CAPTCHA? Perhaps you've heard of this thing called the Internet. Z could open a direct socket connection, Z could post it to a web form, Z could use IRC, Z could use IM, Z could send an email--the options are numerous. How does Z identify the CAPTCHA image? In case you haven't noticed, the image is typically very near the input field for the solution. Worst case, Z could send all markup from the target site and it would be presented to the dummy on the other end in exactly the same layout as if he were visiting the real site. Of course you can solve it. I just told you how. Anybody with over a room temperature IQ could figure it out. That clearly excludes you. Absolute worst case: send the entire damn page content to the dummy who is solving the CAPTCHA for you. In case you haven't noticed, spammers have already built generic systems to target web sites. As I have clearly demonstrated, those systems can easily be modified to enlist third-parties to break the CAPTCHAs for them. The only thing embarrassing here is your ignorance. You are absolutely clueless about the web and about programming in general. Find a new career and stop giving real software developers a bad name.
P.S. I love the way your childish web site claims you've been developing on NT for 15 years, when NT hasn't even been out for 15 years. Grow up, you ignorant retard.