Have Spammers Overcome the CAPTCHA?
thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
it's easy... (Score:4, Insightful)
500 accounts created every hour? (Score:5, Insightful)
FREE PR0N! (Score:5, Insightful)
Not really.
The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the Hotmail captchas? Yeah, we're using the same advanced technology here."
So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?
OCR or humans (Score:4, Insightful)
If a human is used to read the captcha, then there is not much that can be done, as that is what a captcha is for: to make sure only a human will be able to bypass it....
Re:it's easy... (Score:3, Insightful)
I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.
Re:OCR or humans (Score:4, Insightful)
How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?
I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.
Re:Arguably Impractical but Satisfying Suggestions (Score:4, Insightful)
There are problems with this approach.
1. The allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. APNIC allocates blocks of addresses in the entire Asian-Pacific region nearly sequentially and at very funny boundaries.
2. The spam source country varies a lot. You may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.
Overcome with Manpower? (Score:3, Insightful)
A sophisticated enough system could easily "pipe" these graphics to someone who just sits and types all day. At one captcha every 10 seconds, that's about 8000 in a day working 24/7.
Not everything these spammers do has to be automated.
Re:FREE PR0N! (Score:3, Insightful)
People keep suggesting this. It might work, but no one has ever, to my knowledge, put it into practice. And by its nature, this would be pretty public. So if you don't have a URL, this is just an urban legend.
Actually, I think if put into practice, it would itself be attacked by anti-spammers. They'd try to poison the OCR; do DDOS, etc. In a short time it would be useless.
Simpler just to pay some computer sweatshop in Bangladesh, Manila, etc. who could crank out hundreds per hour for a few cents.
Re:FREE PR0N! (Score:5, Insightful)
Re:Arguably Impractical but Satisfying Suggestions (Score:5, Insightful)
Ever heard of proxies?
Also, have a look at the ROKSO list [spamhaus.org]. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.
If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.
Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.
Have they? (Score:5, Insightful)
Re:Creative CAPTCHA (Score:4, Insightful)
From another post above: http://www.getafreelancer.com/projects/Data-Proce
Re:500 accounts created every hour? (Score:4, Insightful)
Defeating *any* captcha is an AI problem. Defeating the captcha for a website (or group of websites that use the same software) is just a programming task.
Good! (Score:2, Insightful)
So bye-bye CAPTCHA, I won't miss you.
Could be, according to this /. article (Score:5, Insightful)
Spammers Learn To Outsource Their Captcha Needs
Posted by Zonk on Saturday November 25, @05:36AM
from the hearing-some-ominous-muttering dept.
lukeknipe writes
From the article:
Re:Wow the people there are cheap. (Score:3, Insightful)
There's enough places in the world where $2.50 is not only a decent day's wage (especially if you can do more than one of these) but more importantly where there is simply no industrial infrastructure to compete with this job. It's either this or an hour of sitting around and picking your nose. Or maybe an hour of backbreaking ditch digging for $1.