
Have Spammers Overcome the CAPTCHA? 330

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
  • it's easy... (Score:4, Insightful)

    by naeim ( 1066626 ) on Monday July 09, 2007 @02:39AM (#19796739)
    Make a porn site that gives you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which the captcha is valid, you're set.
  • by patio11 ( 857072 ) on Monday July 09, 2007 @02:46AM (#19796791)
    That doesn't sound like a CAPTCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPTCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.
  • FREE PR0N! (Score:5, Insightful)

    by pq ( 42856 ) <rfc2324&yahoo,com> on Monday July 09, 2007 @02:47AM (#19796801) Homepage
    Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
    Not really.

    The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."

    So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

  • OCR or humans (Score:4, Insightful)

    by drgonzo59 ( 747139 ) on Monday July 09, 2007 @02:55AM (#19796861)
    If OCR was used, then it is as simple as having a mathematical quiz captcha. For example, the answer to "34 + 2" or "first 3 digits of e" (well, ok maybe not this one, unless it's a math forum...). This will not stop the spammers as they would probably just try to parse the math expressions and post the result but it will slow them down a bit.

    If a human is used to read the captcha then there is not much that can be done as that is what a captcha is for: to make sure a human only will be able to bypass it....

  • Re:it's easy... (Score:3, Insightful)

    by Anonymous Coward on Monday July 09, 2007 @03:17AM (#19796993)
    Does that matter?
    I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.
  • Re:OCR or humans (Score:4, Insightful)

    by coldcell ( 714061 ) on Monday July 09, 2007 @03:20AM (#19797005) Homepage Journal
    I was actually looking into securing a forum from spammers earlier when this question came into my head:

    How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

    I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

  • by pe1chl ( 90186 ) on Monday July 09, 2007 @03:29AM (#19797065)
    * Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

    There are problems with this approach.
    1. The allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. AP-NIC allocates blocks of addresses in the entire Asian-Pacific region nearly sequentially and at very funny boundaries.

    2. The spam source country varies a lot. You may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.
  • by DavidD_CA ( 750156 ) on Monday July 09, 2007 @03:36AM (#19797107) Homepage
    It wouldn't surprise me if the CAPTCHAs were overcome simply by showing the graphics to some underpaid person who just types in the actual responses.

    A sophisticated enough system could easily "pipe" these graphics to someone who just sits and types all day. At one captcha every 10 seconds, that's about 8000 in a day working 24/7.

    Not everything these spammers do has to be automated.
  • Re:FREE PR0N! (Score:3, Insightful)

    by 1u3hr ( 530656 ) on Monday July 09, 2007 @03:47AM (#19797191)
    The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download.

    People keep suggesting this. It might work, but no one has ever, to my knowledge, put it into practice. And by its nature, this would be pretty public. So if you don't have a URL, this is just an urban legend.

    Actually, I think if put into practice, it would itself be attacked by anti-spammers. They'd try to poison the OCR; do DDOS, etc. In a short time it would be useless.

    Simpler just to pay some computer sweatshop in Bangladesh, Manila, etc who could crank out hundreds per hour for a few cents.

  • Re:FREE PR0N! (Score:5, Insightful)

    by AuMatar ( 183847 ) on Monday July 09, 2007 @04:04AM (#19797285)
    I'd be surprised if some spammers weren't using Amazon's Mechanical Turk. It's cheap as hell, why not use an existing framework?
  • by 1u3hr ( 530656 ) on Monday July 09, 2007 @04:51AM (#19797573)
    * Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

    Ever heard of proxies?

    Also, have a look at the ROKSO list [spamhaus.org]. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

    If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

    Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.

  • Have they? (Score:5, Insightful)

    by ady1 ( 873490 ) on Monday July 09, 2007 @05:11AM (#19797671)
    Or is it just that making new hotmail accounts is being outsourced to china/india/?
  • by Fred Ferrigno ( 122319 ) on Monday July 09, 2007 @05:50AM (#19797863)
    This, and all other forms of CAPTCHAs, are ultimately vulnerable to some poor bastard in India or Africa or wherever sitting in front of a computer and filling out the form manually for a few cents.

    From another post above: http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Monday July 09, 2007 @06:06AM (#19797951) Homepage
    You don't need AI to beat a captcha. They follow a fixed pattern on a single website, so to break the hotmail one you just need to look at a few hotmail sites and figure out how to reverse the graphical munging that has been done. Once that's done you chuck that in a script and churn them out as fast as you like.

    Defeating *any* captcha is an AI problem. Defeating the captcha for a website (or group of websites that use the same software) is just a programming task.
  • Good! (Score:2, Insightful)

    by godfra ( 839112 ) on Monday July 09, 2007 @06:40AM (#19798087) Journal
    Hopefully this spells the beginning of the end for the web plague known as CAPTCHA. I am heartily sick of having to squint at barely recognisable characters, only to be informed that I've got it wrong, and then have to enter all my details again.

    So bye-bye CAPTCHA, I won't miss you.
  • by I)_MaLaClYpSe_(I ( 447961 ) on Monday July 09, 2007 @08:03AM (#19798593)
    Could be, according to this /. article [slashdot.org]


    Spammers Learn To Outsource Their Captcha Needs

    Posted by Zonk on Saturday November 25, @05:36AM
    from the hearing-some-ominous-muttering dept.

    lukeknipe writes

    "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

    From the article:

    "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
  • by Iron Condor ( 964856 ) on Monday July 09, 2007 @02:19PM (#19803537)

    $2.50 to transcribe a 60 minute lecture? WTF?

    There's enough places in the world where $2.50 is not only a decent day's wage (especially if you can do more than one of these) but more importantly where there is simply no industrial infrastructure to compete with this job. It's either this or an hour of sitting around and picking your nose. Or maybe an hour of backbreaking ditch digging for $1.
