Spammers Learn to Outsource Their Captcha Needs 221
lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
using porn to solve captchas (Score:5, Interesting)
it is just business (Score:3, Interesting)
Re:A long-time problem (Score:3, Interesting)
I would certainly like to see the end of captchas, and I have resisted using them on my own sites. They are really bad for accessibility and therefore illegal in many situations and just generally unfair to anyone who can't solve captchas (whether that be by disability or browser choice). However, I have yet to see any other technology able to do the job.
I hope the spammer understands... (Score:3, Interesting)
Spam will never be stopped as long as the perceived gains > perceived risks. Unless there is a holocaust of stupid people, there will always be people dumb enough to buy from spam, so you're not going to solve this equation by reducing the left side. So raise the right side... Put $10 million into ten Swiss bank accounts. Then get the message out: First ten times a known major spammer is brutally murdered, the first party to provide evidence of their involvement gets the location of a buried bank account key.
I don't usually believe in violence to solve problems, but when you're dealing with people who've demonstrated that there is nothing so depraved they won't do it, and the alternative is governments regulating the 'Net... *shudder*...
Now, speaking seriously (okay, more seriously - hearing that Alan Ralsky got brutally tortured to death on the evening news would KICK ASS), as long as everyone with a brain is absolutely determined to not respond to any spam the problem will never be solved. Why? Because as long as that is true, the S-N ratio at the spammer's inbox will be favorable, because you can never block 100% of spam, and unless you DO, idiots will get it and will click it.
So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.
And for spammers who use links to their websites: Users submit suspect sites to open database of spammer sites. Sites are voted on; After 100 votes, if the guilty verdict > 90% the site it put in the "to DDOS" list for a client script to retrieve and wget entries from. Certain disreputable hackers, whom the database operators want nothing to do with, unfortunately rent botnets and install this client program on millions of hacked windows boxes. Would that be an immoral action? Yes. Spammers have all the moral restraint of Nazis, and they're winning the spam war - playing nice is no longer an option.
Unfortunately, it won't happen. MS, Google, Yahoo, and Firebird need to incorporate this into all their clients, along with whitelisting utilities, all at once - NGH. Because of the sheep mentality, no one will want to be the first to stand up. In short, like the decay of diamond into graphite, it's *should* happen but has far too high of an energy barrier to actually happen.
Okay, I'm ready - someone ^C^V that stupid checklist.
Re:A long-time problem (Score:4, Interesting)
The CAPTCHA image and question themselves need some thought as well. Just having a person type some "distorted" text verbatim is a bit christian IMHO, because it's vulnerable to OCR. Insisting to change the order or capitalisation ("type this backwards in all lower case") would be a good start, but there are plenty more techniques involving pictures that only a human being will be able to use; and you can possibly even set a knowledge barrier (by using challenges that will be easy for people in your chosen field but not random idiots) to keep out undesirables.
This is just stupid (Score:4, Interesting)
Come on!, Remember the usual "Don't teach the poor to read, that would make them a threat"? This all sounds as "don't give the poor any access to the internet, they could become a threat" . And for god's sake it is not like captchas are any difficult for just a program to beat.
I administrate a site with a vBulletin forum, and every once in a while a bot posts messages. Registration requires passing a captcha, in fact, I decided to just remove the captcha, it was seriously not helping stop the spam and was just making the registration harder FOR HUMANS.
BTW: I noticed that Russian bots are more likely to beat captchas.
Re:Dupe/Oldnews (Score:3, Interesting)
I think this one is a little different, the other article was just a hypothetical, this is actually a real case of spamming occuring with a captcha image.
I also found his quotation from Bill Gates quite interesting...
Oh well. I guess I'll have to sit in the corner with Bill Gates, who declared in January 2004 that "spam will be solved in two years". After you with the pointy-D hat, Bill.
Perhaps Bill was thinking about his trusted/treacherous [slashdot.org] computing model (posted earlier today on slashdot) when he made this statement.
Anyhow old news is good news. It gives me a chance to plug my CAPTCHA solution [mblmsoftware.com], which will take more than just a few seconds for a 3rd world data entry person to get past. I created this component mainly because I'm trying to make a site that adheres to accessibility standards, which of course is an impossibility if you use CAPTCHA images. The other reason I think CAPTCHA images are a bad idea is OCR. If there isn't already an OCR solution available today I think it is inevitable that there'll one day be one that can read any image that a human can read. But I guess this is one more thing to add to the list of reasons as to why CAPTCHA images are stupid - 3rd world data entry teams.
Re:A long-time problem (Score:5, Interesting)
Stuff like "type this backwards in lower case" won't help *in the least* - it'd be trivial to get past, as trivial as writing a bot to collect email addresses, and we know how many of those there are.
Checking the IP address won't work (unfortunately) because certain ISPs (*cough*AOL*cough*) use multiple outgoing IPs for the same user; it's ridiculous but there you have it.
In any case, IP addresses can be forged; the spammer doesn't need to receive a response, he just needs to send his CAPTCHA and spam message; if he's on 4.3.2.1 and needs to send from 1.2.3.4 then he will - the server's "yes you got it" response will be sent to 1.2.3.4 but the spammer doesn't care; his spam has got through.
In short, there is no serverside way of preventing a captcha from being relayed to/from a 'processor' be it OCR or human.
However, what needs to be remembered is that in 95% of cases, any type of captcha will stop 100% of spam. Most captchas out there are pitifully weak in terms of OCR resistance [ocr-research.org.ua], have implementation bugs [puremango.co.uk] coming out of their *ahem* and 'in principle' offer no security whatsoever, but they work because most spammers only after the low hanging fruit.
I doubt you would, actually (Score:5, Interesting)
See most people are quite able to speak/cheer about and for beating others up, killing others, war, etc, as long as it's just talking. They might even actually do it, if a fit of rage disables their sanity for long enough. But fits of rage aren't something you can plan and execute whenever you wish. And otherwise when you actually have to do it, there's this interlock against harming other humans. It's partially "what if it was me in his shoes" education (even if you logically know it would never be in his place spamming) and partially that interlock most animals have against harming their own more than strictly necessary. (Even when cats or dogs fight their own there is always a mechanism to signal "I give up" and the other _will_ cease.)
It's a strange world, really. The same people who could be shaking a fist and screaming for war against X at the top of their lungs, would actually have trouble looking one of X in the eyes and squeezing the trigger. A lot of PTSD cases in war aren't just people getting shocked by being shot at, but shocked by having shot other humans.
There is one cathegory that can cheerfully think "it's only business": the sociopaths. They live in a strange world in which the others are NPCs: the others don't matter, they're not the same, "it could be me in his shoes" doesn't apply, etc. They can lie, cheat, murder, torture, whatever, and be perfectly able to look themselves in the mirror after it. Because the other guy didn't matter.
And, sad to say, if you weren't born one, I doubt you could actually beat this guy up in cold blood. If anyone gave you a baseball bat and this guy tied to a chair, you just couldn't actually do it.
And it's probably better that way. I'm thinking we as a society would do better to just start recognizing sociopaths for what they are, and the damage they can do. This guy, for example, is a sociopath, plain and simple. He's not just "being smart", he's not "just doing business", he's not "just doing what's needed", or the other things these guys like to pose as. He's just someone who doesn't even see you as a human being, much less his equal.
Re:A long-time problem (Score:3, Interesting)
I did DSL installs in an ex-soviet block backwater which is not even in the EU yet in 1998. At that time UK and the rest of Europe (except Scandinavia) was still wetting themselves over a second ISDN channel and 56K modems. In the same country ethernet to the home in big cities is the norm, not the exemption. The cable operators built bandit networks using twisted pair as far back as 1999-2000. So on, so fourth.
Similarly, I had to design, deploy and build QoS aware networks in 1998. UK and the rest of Europe is just about getting there in the last 2 years. US is not even close (regardless of how much noises does ATT make about net neutrality).
Similarly, VOIP was all over the place by 2000 up to an connecting SMEs and it is just about getting there now in EU.
Similarly...
Do not underestimate the effect of an incumbent monopoly on business and technology. In most 3rd world countries the local incumbent has been bypassed and regulation has been ignored. A few bribes here and there have been sufficient to effectively kill off any attempts by the incumbent to prevent the usage of "unallowed" technologies. As a result the deployment of many technologies is 5-6 years ahead of the "civilised world" where the incumbent can use the regulator and police to strangle any technological progress.
Re:A long-time problem (Score:3, Interesting)
Only problem is, those with screenreaders would be very much disadvantaged unless you had audio cues to go with the images.
Re:I call job theft! (Score:1, Interesting)
Re:Follow the money (Score:3, Interesting)
Hit the credit card companies. Hit them hard. It seems too easy to get a merchant account for online trading with no valid product to sell. The Rolexes etc are usually sold as fakes anyway. Rolex would love to close them down, same goes for Pfizer and V1agra. Heck I've even complained to a software vendor about pirated software being openly sold. Microsoft replied with a orm letter but I had a more meaningful response from Adobe, but I had directed the complaint via an onsite consultant who took this seriously. The response was along the lines of "You close one down, another springs up".
The real route would be to order something that is being sold as genuine, such as MS Office. Get the fake confirm it is a fake with MS and refuse the CC payment. The CC companies will soon start being more careful if they get a lot of refused transactions. Sure the merchant doesn't get paid, but it costs the CC company lots of time to process the reversal.