Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
  • by Mr. Roadkill ( 731328 ) on Monday July 09, 2007 @02:50AM (#19796831)
    Indians are fast, accurate and cheap:

    http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

    Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:

    http://www.getafreelancer.com/projects/PHP-ASP/yahoo-ocr-bypass-captcha.157160.html [getafreelancer.com]

    And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.
  • by dattaway ( 3088 ) on Monday July 09, 2007 @02:54AM (#19796857) Homepage Journal
  • by Mathinker ( 909784 ) on Monday July 09, 2007 @03:01AM (#19796903) Journal
    Actually, now that I think of it, CAPTCHAs already pose problems to some (visual CAPTCHAs for the visually impaired), but I wasn't thinking about that. I probably should have, since one can think of other CAPTCHAs where other specific handicaps would be a problem (human facial recognition comes to mind, for example; see Prosopagnosia [wikipedia.org]).

    Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety of choices, just like there is sometimes an auditory choice given now.
  • One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it [rfc-ignorant.org].

    What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

    Time to blackhole it.
  • Sounds like BlueFrog (Score:5, Informative)

    by Kadin2048 ( 468275 ) * <.ten.yxox. .ta. .nidak.todhsals.> on Monday July 09, 2007 @03:11AM (#19796957) Homepage Journal
    I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

    It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

    Short of brutal vigilante justice [slashdot.org] (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.
  • by pe1chl ( 90186 ) on Monday July 09, 2007 @03:22AM (#19797029)
    Hotmail provides two addresses that at least generate an auto-reply:

    report_spam@hotmail.com
    abuse@hotmail.com

    However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
    When you get past that filter, you get a reply that thanks you for the report, but never any further followup.
    (This used to be different in the past: then you sometimes got a reply about 3 weeks later from someone working at an outsourcing company in India complaining that they had to handle lots of mail so the processing got delayed a lot, and then usually some standard request for full headers (that were already in the report) or a statement that they cannot do anything about it.)

    Yahoo is different. They close spamming accounts, or at least they claim to do so in the replies to abuse mail.
  • I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expressions.

    You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)

    CAPTCHAs were, and still are, a neat hack, but as you increase their complexity beyond what's trivially solvable by an army of 'mechanical turk' keypunch monkeys (either for real money or porn), you start to eliminate broader and broader swaths of humanity from the content. There's no good problem to use, because the criteria conflict with each other. On one hand, you want something that only takes a person a few seconds to figure out, because otherwise, people aren't going to want to go through them all the time. On the other hand, you want something that's non-trivial, because otherwise a spammer can just use an army of people to cut through them as if they weren't there.

    I'm not sure that the CAPTCHA avenue has a lot left in it as a general solution.

    * E.g., you could write flowery word problems that only involve basic arithmetic, so that the challenge is in natural language processing. This knocks out a lot of non-native language speakers, however. (Which again, could be acceptable if it's a regional website in a monolingual area; it also narrows the pool of 'mechanical turk' workers that can be hired to solve them as well.) But I'm not sure this is anything but a temporary setback, and it would come at too high a cost to be generally useful.
  • Goatse'd! (Score:1, Informative)

    by Bazman ( 4849 ) on Monday July 09, 2007 @03:39AM (#19797127) Journal
    Hey! That's the first time I've been sent to a goatse image from slashdot for a long long time! Ah, the memories.

    Don't scroll down too far on that page if you are of a sensitive nature.

  • Re:OCR or humans (Score:3, Informative)

    by kuzb ( 724081 ) on Monday July 09, 2007 @04:38AM (#19797483)
    Your best bet for forum spam would probably be a bayes filter - much the way you'd deal with email. If it's small scale and non-commercial, you could use akismet [akismet.com]. This is generally not a viable solution if you're running a high traffic commercial forum (we looked into it, it was going to cost us between $15 - $20k per month). In the end, it was more viable to develop our own solutions in house. This won't stop them from making bogus accounts, but it can help to cut down on the amount of garbage that litters your forum.
  • by Alioth ( 221270 ) <no@spam> on Monday July 09, 2007 @04:51AM (#19797571) Journal
    That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.

    http://www.spamhaus.org/statistics/countries.lasso [spamhaus.org]

    The United States emits *four* times as much spam as its nearest competitor, China.
    Verizon is the world's spammiest ISP.
  • by fractoid ( 1076465 ) on Monday July 09, 2007 @04:55AM (#19797611) Homepage
    Hell, I have perfectly good eyesight (with contacts) and maybe 10% of the time CAPTCHAs are too munted for me to read. Often the problem is that it's not clear whether it's alpha or alphanumeric, or whether it's case sensitive, and there's a badly distorted O/0 or 1/I/l.

    Regardless, CAPTCHAs will obviously have to evolve* to cover current 'hard problems' in AI as state of the art improves and 'hard' turns into 'not so hard'.

    * or wait, should that be 'be intelligently designed'? :P
  • by haraldm ( 643017 ) on Monday July 09, 2007 @06:42AM (#19798097)

    Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact is, it won't help much. You will only save your home if you stop the rain.

    That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.

    Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.

    Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.

  • by lena_10326 ( 1100441 ) on Monday July 09, 2007 @07:05AM (#19798227) Homepage

    Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?
    That's how CAPTCHAs are broken, although you don't have to use a general OCR program. If you're going to attack a single type of CAPTCHA, you could tailor your code to take advantage of known properties of that specific CAPTCHA such as: backgrounds, background colors, repeated markings, fonts, font colors, font size, font orientation, and direction of any image warping.

    Most CAPTCHAs use images and random marks or dots in the background but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter breaking the CAPTCHA.

    A lot of the easier to crack CAPTCHAs use only a single font and render all the letters in 90 degree angles. The smarter ones jumble and warp the letters by shifting each letter by an offset and rotating by a small angle. If you could figure out the direction of the warp or rotation, by checking the background you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating every few degrees and selecting the result that outputs the largest number of OCR'd characters from the least amount of rotation.

    Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.

    FYI:
    http://en.wikipedia.org/wiki/Captcha [wikipedia.org]
    http://www.cs.sfu.ca/~mori/research/gimpy/ [cs.sfu.ca]

    By the way, some CAPTCHAs have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.
  • Re:FREE PR0N! (Score:1, Informative)

    by Anonymous Coward on Monday July 09, 2007 @07:10AM (#19798249)
    One of the most senior Yahoo Paranoids team members claimed that Yahoo was subjected to this at one point, and that initially, until they figured out what was going on, they saw a massive increase in bogus accounts. It's a couple of years ago since I heard them mention it (while I worked at Yahoo), and it wasn't a new thing. There's really no reason why it would be very public - the site would get blocked very quickly, but it's trivial to put up another one, even automatically.
  • Re:unsurprising (Score:3, Informative)

    by Gunstick ( 312804 ) on Monday July 09, 2007 @07:15AM (#19798279) Homepage

    I use a very effective method. Only javascript has to be activated.
    The submit button is only enabled after 20 seconds.
    Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.

    A bot will of course submit the form in less than 20s; that's where the timestamping comes into play. If the form display and form submit events are less than 20s apart, it's considered spam too.

    Catches 99% of the posts.
    0% false positives.

    Of course if a big site like yahoo implements this, it's easy for a spammer to work around this special case. It's always easy to work around a blocking if you know that some kind of measure is in place.
    So I added another trick: I show the spammer his submitted post as if he succeeded. You only see that it's bogus when you reload the original page and notice that your post is not there.

  • by I)_MaLaClYpSe_(I ( 447961 ) on Monday July 09, 2007 @08:16AM (#19798683)
    Aleksey Kolupaev [...] develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.

    Quoted from this article [nytimes.com]. No wonder someone used it for a worm.

    Also discussed here on /. [slashdot.org]:

    Evolution of the 'Captcha'
    Posted by CmdrTaco on Monday June 11, @08:36AM
    from the why-can't-i-even-read-them-half-the-time dept.

    FireballX301 writes

    "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
  • Re:FREE PR0N! (Score:3, Informative)

    by ahecht ( 567934 ) on Monday July 09, 2007 @10:25AM (#19800113) Homepage
    There are many jobs on mturk.com where the page for the job consists of instructions and a file upload box. For example, one job I did had me find the lat/long coordinates of a bunch of landmarks, put them into an excel file, and upload them. A spammer's job could be "sign up for 200 hotmail accounts, put the logins/passwords into a CSV file, and upload".
  • by cswiger ( 63672 ) <chuck@codefab.com> on Monday July 09, 2007 @04:49PM (#19805629) Homepage

    I've annoyed a few spammers in the past, so I get my domain name in From: addresses from time to time, so every once in a while I will get a real person with a legit complaint. However, the postmaster address is now getting several thousand messages a day and I have no choice but to remove it.

    I doubt it's anything personal; some spammers grovel through WHOIS records and simply joe-job random domains and set the bounce address to postmaster@ or the listed WHOIS contacts, and, of course, they also do the traditional scraping of email addys from websites, mailing lists, etc. Setting up SPF records and doing SPF checking does quite a bit to reduce the backscatter from forged email which gets bounced back to you.

    Once or twice in drastic cases, I've actually had to use HELO-level checking to reject all mail coming from .ru and .cn domains during a heavy run of forged spam bouncing back to a domain I run, but only for a few days until the domains in question started gaining some clue about SPF.

    However, if you reject email delivered to postmaster@your_domain, then your mail system isn't configured right, and you should expect to be blacklisted.
