Have Spammers Overcome the CAPTCHA? 330
thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
Work opportunities for developing nations (Score:4, Informative)
http://www.getafreelancer.com/projects/Data-Proce
Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:
http://www.getafreelancer.com/projects/PHP-ASP/ya
And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.
captcha guide by vulnerability (Score:4, Informative)
Re:Economically driven Turing test (Score:2, Informative)
Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety of choices, just like there is sometimes an auditory choice given now.
Too bad MS ignores RFC 2821 (Score:5, Informative)
What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.
Time to blackhole it.
Sounds like BlueFrog (Score:5, Informative)
It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.
Short of brutal vigilante justice [slashdot.org] (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.
Re:Too bad MS ignores RFC 2821 (Score:3, Informative)
report_spam@hotmail.com
abuse@hotmail.com
However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
When you get past that filter, you get a reply that thanks you for the report, but never any further followup.
(this used to be different in the past: then you sometimes got a reply about 3 weeks later from someone working at an outsourcing company in India complaining that they had to handle lots of mail so the processing got delayed a lot. and then usually some standard request for full headers (that were already in the report) or statement that they cannot do anything about it)
Yahoo is different. They close spamming accounts, or at least they claim to do so in the replies to abuse mail.
Time to stick a fork in it? (Score:3, Informative)
You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)
CAPTCHAs were, and still are, a neat hack, but as you increase their complexity beyond what's trivially solvable by an army of 'mechanical turk' keypunch monkies (either for real money or porn), you start to eliminate broader and broader swaths of humanity from the content. There's no good problem to use, because the criteria conflict with each other. On one hand, you want something that only takes a person a few seconds to figure out, because otherwise, people aren't going to want to go through them all the time. On the other hand, you want something that's non-trivial, because otherwise a spammer can just use an army of people to cut through them as if they weren't there.
I'm not sure that the CAPTCHA avenue has a lot left in it as a general solution.
* E.g., you could write flowery word problems that only involve basic arithmetic, so that the challenge is in natural language processing. This knocks out a lot of non-native language speakers, however. (Which again, could be acceptable if it's a regional website in a monolingual area; it also narrows the pool of 'mechanical turk' workers that can be hired to solve them as well.) But I'm not sure this is anything but a temporary setback, and it would come at too high a cost to be generally useful.
Goatse'd! (Score:1, Informative)
Don't scroll down too far on that page if you are of a sensitive nature.
Re:OCR or humans (Score:3, Informative)
Re:Arguably Impractical but Satisfying Suggestions (Score:4, Informative)
http://www.spamhaus.org/statistics/countries.lass
The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP.
Re:Econonmically driven Turing test (Score:2, Informative)
Regardless, CAPTCHAs will obviously have to evolve* to cover current 'hard problems' in AI as state of the art improves and 'hard' turns into 'not so hard'.
* or wait, should that be 'be intelligently designed'?
It's like a flood wave (Score:3, Informative)
Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact ist, it won't help much. You will only save your home if you stop the rain.
That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.
Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.
Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.
Re:Cataloging CAPTCHA info (Score:4, Informative)
Most CAPTCHAs use images and random marks or dots in the background but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter breaking the CAPTCHA.
A lot of the easier to crack CAPTCHAs use only a single font and render all the letters in 90 degree angles. The smarter ones jumble and warp the letters by shifting the each letter by an offset and rotating by a small angle. If you could figure out the direction of the warp or rotation, by checking the background you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating every few degrees of rotation and selecting the result that outputs the most number of OCR'd characters from the least amount of rotation.
Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.
FYI:
http://en.wikipedia.org/wiki/Captcha [wikipedia.org]
http://www.cs.sfu.ca/~mori/research/gimpy/ [cs.sfu.ca]
By the way, some CAPTCHAS have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.
Re:FREE PR0N! (Score:1, Informative)
Re:unsurprising (Score:3, Informative)
I use a very effective method. Only javascript has to be activated.
The submit button is only enabled after 20 seconds.
Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.
An bot will of course submit the form in less than 20s, there comes the timestamping into play. If the form display and form submit events are less than 20s apart it's considered spam too.
Catches 99% of the posts.
0% false positives.
Of course if a big site like yahoo implements this, it's easy for a spammer to work around this special case. It's always easy to work around a blocking if you know that some kind of measure is in place.
So I added another trick: I show to the spammer his submitted post like as if he succeeded. You only see that it's bogous when you reload the original page and notice that oyur post is not there.
You can buy software that can thwart captchas (Score:4, Informative)
Quoted from this article [nytimes.com]. No wonder someone used it for a worm.
Also discussed here on
Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.
FireballX301 writes
Re:FREE PR0N! (Score:3, Informative)
Re:Too bad MS ignores RFC 2821 (Score:2, Informative)
I doubt it's anything personal; some spammers grovel through WHOIS records and simply joe-job random domains and set the bounce address to postmaster@ or the listed WHOIS contacts-- and, of course, they also do the traditional scraping of email addys from websites, mailing lists, etc. Setting up SPF records and doing SPF checking does quite a bit to reduce the backscatter from forged email which gets bounced back to you.
Once or twice in drastic cases, I've actually had to use HELO-level checking to reject all mail coming from .ru and .cn domains during a heavy run of forged spam bouncing back to a domain I run, but only for a few days until the domains in question started gaining some clue about SPF.
However, if you reject email delivered to postmaster@your_domain, then your mail system isn't configured right, and you should expect to be blacklisted.