Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

Page design

[Anonymous Coward]

Whose bright idea was it to use light grey text on a white background?

This article is an advertisement

[Omnifarious]

This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It as an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.

Re:Really?

[SUB7IME]

Because people like me would never, ever use their service under those conditions?

Fighting spam will either succeed or it will fail

[davidwr]

Either the spam-fighters will keep spam down to an acceptable level or they won't.

Mail services that don't provide good spam protection will fail.

If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.

Why are we so helpless?

[Chemisor]

It ought to be obvious to everyone that spam is a property violation crime. Putting unrequested email in my account is the same as dumping used tires on my front lawn. Sure I have an address, but that doesn't mean I want just anyone to deliver anything to it without my permission. Why aren't we making this explicitly illegal, just like dumping and vandalism already are? Why are we putting up with these people?

Re:Why are we so helpless?

[gsgriffin]

Unfortunately, it is not that simple. Your analogy is not correct. Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end...there will always be idoits that can get on the web.

Re:Why are we so helpless?

[Anonymous Coward]

No it's not obvious.

How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?

Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that girl who really dug you at that party.

I don't see how you could propose a law that requires permission to send an email without destroying most of email's practical benefits as well.

Re:A more practical approach - 3 grades of service

[Anonymous Coward]

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally

This is a good idea, since spammers and other criminals don't have access to a large number of credit card numbers.

Re:I guess I've gotten used to it

[Fred_A]

Most Americans pay $.10 per message, incoming or outgoing.

There, fixed that for you. It's quite unheard of here in Germany.

Or in any country with a mature wireless industry for that matter.

Re:This article is an advertisement

[Omnifarious]

It would be really nice if people would tag articles like this with 'slashvertisement'. :-)

Re:I guess I've gotten used to it

[dargaud]

As far as I know, the US is the only country where the SMS receiver pays up, which seems absurd to anybody else. Anyone cares to enlighten me as to the reason for that ?!?

Re:Really?

[SUB7IME]

No, I'm worried about a world in which I have to divulge my social security number to private corporations online to partake in services that should never require such information.

Would I give a bank my SS#? Sure.
Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.

Re:Phone-based varification

[dargaud]

Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

Re:What about a CAPTCHA made in flash?

[Dwedit]

The only thing really protecting you is that your solution is not standard, so bot writers have to treat your website differently, so they won't be as easily able to post there. The instant your solution becomes more commonplace, bot writers will be able to parse your SWF files, read the images, or do whatever else it takes to solve it.

It's a classic case of Security through Obscurity, and this time it works.

However, SWF files have accessibility issues, and there are always people who love to block them.

Re:Phone-based varification

[Tony Hoyle]

Enjoy paying for all those peak rate calls to russia...

It would be so easy to bankcrupt a site that tried this (phone number generator, script) that no sane site owner would try it.

Re:My spam rules--

[Cedric Tsui]

Maybe that's the point. s/he doesn't want to have to hide his e-mail address from the world.

Re:Animated CAPTCHAs?

[Anonymous Coward]

>The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world.

The only problem is you could never automatically generate CAPTHAs like that because you need a human knowledge database. Which, again, can be learned by the bot; so the system is defeated. Logic implies that any test a computer could generate could always be solved by a computer, so no CAPTCHA technology will ever "win". Sorry :)

Comment removed

[account_deleted]

Comment removed based on user account deletion