Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."
  • by Mordok-DestroyerOfWo ( 1000167 ) on Saturday May 17, 2008 @11:21AM (#23445832)
    Normally when I get spam I just delete it, by using trashmail [mozilla.org] and being somewhat safe about my browsing habits I've found that I only get one or two per week. However recently I've been getting spam through SMS on my phone and that's what I find really infuriating. Granted it is technically just another email, but the fact that I'm paying for this service is what really grinds my gears.
  • My spam rules-- (Score:1, Interesting)

    by Anonymous Coward on Saturday May 17, 2008 @11:42AM (#23445938)
    I have determined that:

    If the message is not in English or Lojban, I don't want to see it.
    If the message is in caps, I don't want to see it.
    If the message was sent to more than ten people, I don't want to see it.
    If more than 10% of the message text is not valid and correctly spelled English or Lojban, I don't want to see it.
    If the message has anything to do with a lottery, I don't want to see it -- I don't gamble, period.
    If the message has anything to do with sex, I don't want to see it. (for various reasons)
    If the message has anything to do with drugs, pharmaceutical or otherwise, I don't want to see it.
    If the message was sent from Africa, I don't want to see it. I don't know anyone in Africa.
    If the message was sent from Asia, with the exception of South Korea and the one guy in the UAE, I don't want to see it either.
    If the message was sent from Central or South America, with the exception of one guy in Argentina, same thing.
    If the message /contains/ more than ten email addresses, I don't want to see it. Death to chain mail.

    If anyone knows of an email provider where I can set rules that detailed and flexible that currently exists, please let me know.

    ethana2@gmail.com
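
The rule list in the comment above, implemented as a filter that can be run over messages. This is an added example, not code from the commenter or from any mail provider. Everything in it is constructed: the message record, the sample messages, the tiny word list standing in for an English/Lojban spell checker, the IP-prefix table standing in for a geo-IP database, and the sender allow-list that models the "one guy in the UAE" and "one guy in Argentina" exceptions. The first and fourth rules (not English/Lojban; more than 10% invalid words) are folded into one dictionary check.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a real English + Lojban dictionary. A real filter
# would call a spell checker; this list only covers the sample messages.
KNOWN_WORDS = set("""
hi are we still on for lunch tomorrow the meeting moved to noon please
confirm thanks you have won lottery claim your prize now read this and
forward it everyone know coi do mi klama
""".split())

# Constructed stand-in for a geo-IP lookup: IP prefix -> region.
SENDER_REGION = {
    "41.": "africa", "196.": "africa",
    "202.": "asia", "203.": "asia",
    "200.": "south_america", "190.": "central_america",
    "211.": "south_korea",
    "192.168.": "local", "10.": "local",
}
# Regions rejected unless the sender is explicitly allow-listed.
BLOCKED_REGIONS = {"africa", "asia", "central_america", "south_america"}
# The commenter's personal exceptions (hypothetical addresses).
ALLOWED_SENDERS = {"friend@example.ae", "pablo@example.com.ar"}

TOPIC_PATTERNS = {
    "lottery": re.compile(r"\b(lottery|lotto|jackpot)\b", re.I),
    "sex": re.compile(r"\b(sex|sexy|xxx)\b", re.I),
    "drugs": re.compile(r"\b(drugs?|pharmacy|pharmaceutical|viagra)\b", re.I),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
WORD_RE = re.compile(r"[A-Za-z']+")


@dataclass
class Message:
    sender: str
    sender_ip: str       # connecting IP from the last trusted Received: hop
    recipients: list     # To + Cc addresses
    subject: str
    body: str


def sender_region(ip: str) -> str:
    # Longest matching prefix wins, so "192.168." would beat a "192." entry.
    for prefix in sorted(SENDER_REGION, key=len, reverse=True):
        if ip.startswith(prefix):
            return SENDER_REGION[prefix]
    return "unknown"


def unknown_word_fraction(text: str) -> float:
    text = EMAIL_RE.sub(" ", text)          # addresses are not words
    words = [w.lower() for w in WORD_RE.findall(text)]
    if not words:
        return 0.0
    return sum(w not in KNOWN_WORDS for w in words) / len(words)


def is_shouting(text: str, threshold: float = 0.9) -> bool:
    # "In caps" taken to mean more than 90% of the letters are upper case.
    letters = [c for c in text if c.isalpha()]
    return len(letters) >= 10 and sum(c.isupper() for c in letters) / len(letters) > threshold


def triggered_rules(msg: Message) -> list:
    """Return the names of every rule the message violates (empty list = keep)."""
    text = f"{msg.subject}\n{msg.body}"
    hits = []
    if is_shouting(text):
        hits.append("all_caps")
    if len(msg.recipients) > 10:
        hits.append("too_many_recipients")
    if unknown_word_fraction(text) > 0.10:
        hits.append("not_english_or_lojban")
    for topic, pattern in TOPIC_PATTERNS.items():
        if pattern.search(text):
            hits.append(f"topic:{topic}")
    region = sender_region(msg.sender_ip)
    if region in BLOCKED_REGIONS and msg.sender not in ALLOWED_SENDERS:
        hits.append(f"region:{region}")
    if len(set(EMAIL_RE.findall(msg.body))) > 10:
        hits.append("chain_mail")
    return hits


# Constructed sample messages.
SAMPLES = {
    "lunch": Message("friend@example.org", "192.168.1.5", ["me@example.com"], "lunch",
                     "Hi, are we still on for lunch tomorrow? The meeting moved to noon. "
                     "Please confirm. Thanks"),
    "lottery": Message("winner@example.net", "41.2.3.4",
                       [f"user{i}@example.com" for i in range(12)],
                       "YOU HAVE WON THE LOTTERY", "CLAIM YOUR PRIZE NOW"),
    "chain": Message("cousin@example.org", "10.0.0.7", ["me@example.com"], "please read this",
                     "Please read this and forward it to everyone you know:\n"
                     + "\n".join(f"person{i}@example.org" for i in range(11))),
    "argentina": Message("pablo@example.com.ar", "200.1.2.3", ["me@example.com"],
                         "coi", "coi do mi klama"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {triggered_rules(msg) or 'keep'}")
```

The region rule is only as good as the IP you feed it: take the address from the last Received: header added by your own server, since earlier hops are written by the sender and can say anything.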
  • Animated CAPTCHAs? (Score:5, Interesting)

    by MasaMuneCyrus ( 779918 ) on Saturday May 17, 2008 @11:46AM (#23445968)
    Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?
  • CAPTCHA sucks (Score:3, Interesting)

    by thetoadwarrior ( 1268702 ) on Saturday May 17, 2008 @11:48AM (#23445978) Homepage
    They keep trying to make it harder to read which isn't accessible but some places (like rapidshare) have made it nearly impossible for even normal people to guess.
  • by Anonymous Coward on Saturday May 17, 2008 @11:52AM (#23446006)
    Animated captchas exist and are used but not too often. The only example I can think of is: https://www.e-gold.com/acct/login.html
  • by owlnation ( 858981 ) on Saturday May 17, 2008 @12:07PM (#23446092)

    This article links to what is basically an infomercial.
    Quite correct. It does. There's also no news here whatsoever. It's good to know that it's not only readers that don't read TFA, the editors -- and even Taco -- don't always read it either.
  • by Animats ( 122034 ) on Saturday May 17, 2008 @12:12PM (#23446128) Homepage

    We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppiness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").

    Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. [sitetruth.com] Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.

    We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth [sitetruth.com]. For things like AdWords ads, where some sites use redirection as part of a tracking system, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-AdWords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.

    It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and JavaScript should produce a popup. Sure, some site operators will look bad, but they will adapt.
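
The redirect policy proposed in the comment above (one HTTP-level redirect is fine, more is suspicious, and any META-refresh or JavaScript redirect is suspicious on its own), written out as a chain follower that a crawler or mail-link scanner could apply. This is an added example, not SiteTruth's code. The "web" it walks is a constructed in-memory table of responses so it runs offline, and the hostnames in it are placeholders rather than the domains named in the comment; a real version would replace fetch() with an HTTP client that does not follow redirects itself (for example requests.get(url, allow_redirects=False)) so that every hop is visible.

```python
import re
from urllib.parse import urljoin

# Constructed responses: url -> (status, headers, body). Placeholder hosts.
FAKE_WEB = {
    # blog post -> 302 -> meta refresh -> JavaScript -> landing page
    "http://blog.example.net/post": (302, {"Location": "http://hop1.example.org/"}, ""),
    "http://hop1.example.org/": (200, {}, '<html><head><meta http-equiv="refresh" '
                                          'content="0;URL=http://hop2.example.org/go"></head></html>'),
    "http://hop2.example.org/go": (200, {}, "<script>window.location.href='http://landing.example.com/';"
                                            "</script>"),
    "http://landing.example.com/": (200, {}, "<html>offer</html>"),
    # a legitimate single permanent redirect with a relative Location header
    "http://shop.example.com/old": (301, {"Location": "/new"}, ""),
    "http://shop.example.com/new": (200, {}, "<html>catalogue</html>"),
    # a redirect loop
    "http://loop.example.com/a": (302, {"Location": "http://loop.example.com/b"}, ""),
    "http://loop.example.com/b": (302, {"Location": "http://loop.example.com/a"}, ""),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(
    r'\b(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|\blocation\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def fetch(url):
    """Stand-in for a non-following HTTP GET; returns (status, headers, body)."""
    return FAKE_WEB.get(url, (404, {}, ""))


def find_client_side_redirect(base_url, body):
    """Detect META refresh and the common JavaScript location assignments."""
    m = META_REFRESH.search(body)
    if m:
        return "meta", urljoin(base_url, m.group(1))
    m = JS_REDIRECT.search(body)
    if m:
        return "javascript", urljoin(base_url, m.group(1) or m.group(2))
    return None


def follow(url, max_hops=10):
    """Walk the redirect chain. Returns (hops, final_url) where each hop is
    (kind, url) and kind is 'http', 'meta', 'javascript' or 'loop'."""
    hops, seen = [], {url}
    while len(hops) < max_hops:
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            kind, nxt = "http", urljoin(url, headers["Location"])
        else:
            found = find_client_side_redirect(url, body)
            if not found:
                break                      # a real page: chain ends here
            kind, nxt = found
        if nxt in seen:
            hops.append(("loop", nxt))     # revisiting a URL: stop, flag it
            break
        hops.append((kind, nxt))
        seen.add(nxt)
        url = nxt
    return hops, url


def verdict(hops):
    """Apply the proposed policy to a chain returned by follow()."""
    http_hops = sum(1 for kind, _ in hops if kind == "http")
    client_side = any(kind in ("meta", "javascript") for kind, _ in hops)
    looped = any(kind == "loop" for kind, _ in hops)
    if looped or client_side or http_hops > 1:
        return "warn"
    return "ok"


if __name__ == "__main__":
    for start in ("http://blog.example.net/post", "http://shop.example.com/old",
                  "http://loop.example.com/a"):
        hops, final = follow(start)
        print(start, "->", final, [k for k, _ in hops], verdict(hops))
```

The regexes cover the textbook forms only; an iframe chain like the one the comment describes, or a redirect built by string concatenation or executed from an external script, would need the page rendered in a real browser engine to be caught, which is why the comment asks the browser itself to do the counting.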

  • by davidwr ( 791652 ) on Saturday May 17, 2008 @12:18PM (#23446160) Homepage Journal
    I'd prefer 2, or better yet, 3 grades of service:

    * verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
    * established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
    * other - anyone else

    On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.

    The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.

    Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....
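
The three grades of service described in the comment above, as a classification routine a provider could run per account, with the joe-jobbing problem the commenter raises handled by counting only complaints the provider has confirmed rather than raw reports. This is an added example, not davidwr's code or any provider's. The record layout, the thresholds (10 logins, 10 outbound and 10 inbound messages in a month, for at least 3 of the last 6 months, as stated in the comment), the confirmed-complaint ceiling, and the X-Sender-Tier header name are all assumptions made for the example.

```python
from dataclasses import dataclass

MIN_PER_MONTH = 10       # logins, outbound and inbound each (from the comment)
MONTHS_REQUIRED = 3      # in how many of the window months (from the comment)
WINDOW = 6               # months looked back (from the comment)
MAX_CONFIRMED_COMPLAINTS = 2   # assumed meaning of "a minimal history of complaints"


@dataclass
class MonthActivity:
    logins: int
    outbound: int
    inbound: int


@dataclass
class Account:
    email: str
    verified_identity: bool     # credit card or other prosecutable ID on file
    months: list                # MonthActivity, newest first, any length
    complaints_reported: int = 0   # raw abuse reports (joe-jobbable)
    complaints_confirmed: int = 0  # reports where the mail really came from this account


def active_months(months):
    """Count months inside the window that meet all three activity floors."""
    return sum(
        1 for m in months[:WINDOW]
        if m.logins >= MIN_PER_MONTH and m.outbound >= MIN_PER_MONTH and m.inbound >= MIN_PER_MONTH
    )


def tier(account):
    if account.verified_identity:
        return "verified"
    # Raw report counts are deliberately ignored here: anyone can forge mail
    # in a user's name and generate reports against them.
    if (active_months(account.months) >= MONTHS_REQUIRED
            and account.complaints_confirmed <= MAX_CONFIRMED_COMPLAINTS):
        return "established"
    return "other"


def outbound_tag(account):
    """Header value the sending provider would attach to outbound mail."""
    return f"X-Sender-Tier: {tier(account)}"


# Constructed sample accounts.
ACTIVE = MonthActivity(logins=12, outbound=15, inbound=20)
QUIET = MonthActivity(logins=2, outbound=0, inbound=1)
SAMPLE_ACCOUNTS = {
    "alice": Account("alice@example.com", True, [QUIET] * 6),
    "bob": Account("bob@example.com", False, [ACTIVE] * 4 + [QUIET] * 2),
    "carol": Account("carol@example.com", False, [ACTIVE] * 2 + [QUIET] * 4),
    "dave": Account("dave@example.com", False, [ACTIVE] * 5 + [QUIET],
                    complaints_reported=5, complaints_confirmed=5),
    # activity older than the window does not count
    "erin": Account("erin@example.com", False, [QUIET] * 6 + [ACTIVE] * 3),
    # joe-jobbed: many reports, none confirmed
    "frank": Account("frank@example.com", False, [ACTIVE] * 3 + [QUIET] * 3,
                     complaints_reported=20, complaints_confirmed=0),
}

if __name__ == "__main__":
    for name, acct in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {outbound_tag(acct)}")
```

The tag is only useful to a receiving provider if it cannot be forged in transit, so it would need to be covered by the sending domain's DKIM signature (or an equivalent) before anyone feeds it into a trust score; an unsigned header is just another thing a spammer can type.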
  • by Anonymous Coward on Saturday May 17, 2008 @12:36PM (#23446260)
    You are PAYING to RECEIVE SMS?

    What's to say that your phone company isn't paying people to send SMS to all their users?
  • by fastgood ( 714723 ) on Saturday May 17, 2008 @01:10PM (#23446472)
    Find somewhere with 1000s of pageviews (e.g. pr0n site)
    Present Captcha image to 2 users (agreement = correct)

    So the monkeys pull the right lever and get the reward
    of viewing the next adult video, and the spammer gets
    a near-realtime solution to even the best of captchas.
