Understanding How CAPTCHA Is Broken 148
An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."
I guess I've gotten used to it (Score:4, Interesting)
My spam rules-- (Score:1, Interesting)
If the message is not in English or Lojban, I don't want to see it.
If the message is in caps, I don't want to see it.
If the message was sent to more than ten people, I don't want to see it.
If more than 10% of the message text is not valid and correctly spelled English or Lojban, I don't want to see it.
If the message has anything to do with a lottery, I don't want to see it-- I don't gamble, period.
If the message has anything to do with sex, I don't want to see it. (for various reasons)
If the message has anything to do with drugs, pharmaceutical or otherwise, I don't want to see it.
If the message was sent from Africa, I don't want to see it. I don't know anyone in Africa.
If the message was sent from Asia, with the exception of South Korea and the one guy in the UAE, I don't want to see it either.
If the message was sent from Central or South America, with the exception of one guy in Argentina, same thing.
If the message
to see it. Death to chain mail.
If anyone knows of an email provider where I can set rules that detailed and flexible that currently exists, please let me know.
ethana2@gmail.com
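The rule list in the comment above is essentially a small rule-based filter. The following is an added example, not the commenter's code or any provider's, showing how such rules can be evaluated against constructed messages. Everything in it is assumed: the `Message` fields (a real filter would derive `sender_country` from the sending relay's geolocation and `language` from a language detector), the region table, the tiny stand-in lexicon, and the allowlisted sender addresses standing in for the "one guy in the UAE" and "one guy in Argentina". The chain-mail rule is not modelled because the post truncates it.

```python
import re
from dataclasses import dataclass

# Constructed message model (not from the original post). In a real filter the
# sender country would come from geolocating the sending relay and the language
# from a language detector; here both are supplied as fields.
@dataclass
class Message:
    sender: str
    sender_country: str   # ISO 3166 alpha-2 code
    language: str         # "en" or "jbo" (Lojban) are accepted
    recipients: int
    body: str

# Hypothetical region table covering only the countries used in the samples.
REGION = {"NG": "africa", "KE": "africa", "CN": "asia", "KR": "asia", "AE": "asia",
          "BR": "south_america", "AR": "south_america", "US": "north_america"}
BLOCKED_REGIONS = {"africa", "asia", "central_america", "south_america"}
ALLOWED_COUNTRIES = {"KR"}                         # South Korea is exempt outright
# The "one guy in the UAE" and "one guy in Argentina": constructed addresses.
KNOWN_SENDERS = {"friend@example.ae", "amigo@example.ar"}
ALLOWED_LANGUAGES = {"en", "jbo"}
TOPIC_WORDS = {"lottery": "lottery", "jackpot": "lottery", "sex": "sex",
               "viagra": "drugs", "pharmacy": "drugs", "pills": "drugs"}
# Tiny stand-in for an English dictionary; a real filter would call a spell checker.
LEXICON = {"the", "meeting", "is", "tomorrow", "at", "noon", "please", "bring", "your",
           "notes", "you", "have", "won", "a", "prize", "click", "here", "to", "claim",
           "cheap", "pills", "from", "our", "pharmacy"}

def misspelled_fraction(text):
    """Share of words not found in the lexicon (0.0 for an empty body)."""
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return 0.0
    return sum(w not in LEXICON for w in words) / len(words)

def is_all_caps(text):
    letters = [c for c in text if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)

def spam_reasons(msg):
    """Return the list of rules the message trips; an empty list means deliver."""
    reasons = []
    if msg.language not in ALLOWED_LANGUAGES:
        reasons.append("language")
    if is_all_caps(msg.body):
        reasons.append("all caps")
    if msg.recipients > 10:
        reasons.append("bulk")
    if misspelled_fraction(msg.body) > 0.10:
        reasons.append("misspelled")
    words = re.findall(r"[a-z]+", msg.body.lower())
    reasons.extend(sorted({TOPIC_WORDS[w] for w in words if w in TOPIC_WORDS}))
    region = REGION.get(msg.sender_country)
    if (region in BLOCKED_REGIONS and msg.sender_country not in ALLOWED_COUNTRIES
            and msg.sender not in KNOWN_SENDERS):
        reasons.append("region")
    return reasons

# Constructed sample messages.
SAMPLES = {
    "colleague": Message("boss@example.com", "US", "en", 3,
                         "The meeting is tomorrow at noon, please bring your notes."),
    "lottery": Message("lotto@example.ng", "NG", "en", 500,
                       "YOU HAVE WON A LOTTERY PRIZE CLICK HERE TO CLAIM"),
    "known_sender": Message("friend@example.ae", "AE", "en", 1,
                            "Cheap pills from our pharmacy"),
    "wrong_language": Message("amigo@example.ar", "AR", "es", 1,
                              "Hola, la reunion es manana"),
}

def classify(name):
    return spam_reasons(SAMPLES[name])

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {classify(name) or 'deliver'}")
```

Note that the spelling rule, applied with an English-only lexicon, also fires on the Spanish sample: that is the behaviour the rule as stated implies, and it is one reason such filters need a language check before the spelling check rather than alongside it.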
Animated CAPTCHAs? (Score:5, Interesting)
CAPTCHA sucks (Score:3, Interesting)
Re:Animated CAPTCHAs? (Score:5, Interesting)
Re:This article is an advertisement (Score:4, Interesting)
Web page redirection may have to go (Score:5, Interesting)
We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppiness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").
Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. [sitetruth.com] Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.
We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth [sitetruth.com]. For things like AdWords ads, where some sites use redirection as part of a tracking system, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.
It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.
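The policy proposed in the comment above (one HTTP-level redirect is fine, more is suspicious, and META-refresh or script redirects always warrant a warning) can be expressed as a check over the hops a client observed. The block below is an added example, not SiteTruth's code or any browser's; it models each hop as a constructed `Hop` record rather than fetching anything, uses reserved `.example.test` hostnames, and relies on two regular expressions for the meta-refresh and script forms that are assumptions about what a real detector would look for.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed model of one hop as a browser would see it (not from the comment).
@dataclass
class Hop:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Patterns for the non-HTTP redirect forms the comment wants flagged (assumed).
META_REFRESH = re.compile(r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh\b', re.I)
SCRIPT_REDIRECT = re.compile(
    r'(?:window|document|top|self)\.location(?:\.href)?\s*=(?!=)|\blocation\.replace\s*\(',
    re.I)

def assess_chain(hops, max_http_redirects=1):
    """Apply the policy: at most max_http_redirects HTTP-level redirects, and no
    meta-refresh or script redirects at all. Returns a dict with the verdict."""
    reasons = []
    http_redirects = 0
    for hop in hops:
        if 300 <= hop.status < 400 and "Location" in hop.headers:
            http_redirects += 1
        if META_REFRESH.search(hop.body):
            reasons.append(f"meta refresh at {hop.url}")
        if SCRIPT_REDIRECT.search(hop.body):
            reasons.append(f"script redirect at {hop.url}")
    if http_redirects > max_http_redirects:
        reasons.append(f"{http_redirects} HTTP redirects (limit {max_http_redirects})")
    hosts = sorted({urlsplit(h.url).hostname for h in hops})
    return {"verdict": "warn" if reasons else "ok",
            "http_redirects": http_redirects, "hosts": hosts, "reasons": reasons}

# Constructed chains using reserved example hostnames.
CHAINS = {
    "plain": [Hop("https://blog.example.test/post", 200,
                  body="<html><body>hello</body></html>")],
    "one_hop": [
        Hop("https://blog.example.test/go", 301, {"Location": "https://www.example.test/"}),
        Hop("https://www.example.test/", 200, body="<html><body>home</body></html>"),
    ],
    "laundered": [
        Hop("https://blog.example.test/p", 302, {"Location": "http://hop.example.test/"}),
        Hop("http://hop.example.test/", 302, {"Location": "http://landing.example.test/"}),
        Hop("http://landing.example.test/", 200,
            body='<html><head><meta http-equiv="refresh" '
                 'content="0;url=http://final.example.test/"></head></html>'),
    ],
    "script": [
        Hop("https://blog.example.test/q", 200,
            body='<script>if (a == b) {} window.location = "http://final.example.test/";'
                 '</script>'),
    ],
}

def assess(name):
    return assess_chain(CHAINS[name])

if __name__ == "__main__":
    for name in CHAINS:
        print(name, assess(name))
```

The host list is returned alongside the verdict because, as the comment notes, the interesting cases are the ones where the chain leaves the trusted starting domain; a filter that only counts hops would still need that to decide whether the origin site itself should be treated as exploited.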
A more practical approach - 3 grades of service (Score:5, Interesting)
* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else
On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.
The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.
Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....
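The three grades above are concrete enough to code. The block below is an added example, not the commenter's or any mail provider's implementation: it assigns a grade from a constructed account record using the thresholds the comment gives (at least 10 logins, 10 outbound and 10 inbound messages in 3 of the past 6 months) and produces the outbound tag the recipient's provider would consume. The header name `X-Sender-Grade` and the reading of "a minimal history of complaints" as at most one upheld complaint are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed account model (not from the comment).
@dataclass
class MonthActivity:
    logins: int
    outbound: int
    inbound: int

@dataclass
class Account:
    name: str
    verified_id: bool             # card or prosecutable ID on file
    history: List[MonthActivity]  # oldest first; the last six entries are the window
    complaints: int               # upheld abuse complaints against the account

def is_regular_month(m, threshold=10):
    """A month counts only if all three activity counts reach the threshold."""
    return m.logins >= threshold and m.outbound >= threshold and m.inbound >= threshold

def grade(account, months_required=3, window=6, max_complaints=1):
    """Map an account to one of the three service grades.
    max_complaints is an assumed reading of 'a minimal history of complaints'."""
    if account.verified_id:
        return "verified"
    recent = account.history[-window:]
    regular = sum(1 for m in recent if is_regular_month(m))
    if regular >= months_required and account.complaints <= max_complaints:
        return "established"
    return "other"

def outbound_header(account):
    """Header the sending provider attaches so the receiving side can weight trust.
    The header name is made up for this example."""
    return f"X-Sender-Grade: {grade(account)}"

# Constructed activity profiles and accounts.
ACTIVE = MonthActivity(logins=14, outbound=12, inbound=30)
QUIET = MonthActivity(logins=2, outbound=0, inbound=5)

ACCOUNTS = {
    "card_on_file": Account("card_on_file", True, [QUIET] * 6, 0),
    "regular": Account("regular", False, [QUIET, ACTIVE, QUIET, ACTIVE, QUIET, ACTIVE], 0),
    "newcomer": Account("newcomer", False, [ACTIVE, ACTIVE], 0),
    # Was active, but none of the last six months qualify.
    "lapsed": Account("lapsed", False, [ACTIVE] * 4 + [QUIET] * 6, 0),
    # Activity is fine; the complaint history disqualifies it.
    "complained": Account("complained", False, [ACTIVE] * 6, 5),
}

def grade_of(name):
    return grade(ACCOUNTS[name])

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(f"{name}: {outbound_header(acct)}")
```

The complaint threshold is where the joe-jobbing concern raised in the comment bites: the count should be of complaints upheld after review, not raw reports, or a forged-sender campaign can demote a legitimate account to "other".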
Re:I guess I've gotten used to it (Score:1, Interesting)
What's to say that your phone company isn't paying people to send SMS to all their users?
Spammers' trick - Reusable captcha (Score:4, Interesting)
Present Captcha image to 2 users (agreement = correct)
So the monkeys pull the right lever and get the reward of viewing the next adult video, and the spammer gets a near-realtime solution to even the best of captchas.