Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"
  • Akismet (Score:3, Informative)

    by TheSpoom ( 715771 ) * on Wednesday October 01, 2008 @08:44PM (#25227369) Homepage Journal

    Akismet [akismet.com] is great for comments and such. Basically, it's a neural net using user submissions to determine whether or not a submission (sent automatically from your site for checking) is spam or not.

  • Re:reCAPTCHA (Score:2, Informative)

    by yincrash ( 854885 ) on Wednesday October 01, 2008 @09:01PM (#25227561)
    If you want to know how it works...

    But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.

    http://recaptcha.net/learnmore.html [recaptcha.net]
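    The pairing scheme quoted above, worked through as an added example (not code from the original post or from reCAPTCHA): a known-answer image is shown beside an unknown one, the user passes only if the known word is solved, and only then does their answer for the unknown word count as a vote. Image ids, words and the agreement threshold are constructed for illustration.

    ```python
    import random
    from collections import Counter, defaultdict

    # Constructed sample data (not from the original post): images whose word OCR
    # already read correctly, and images OCR could not read.
    KNOWN = {"img-k1": "harbour", "img-k2": "lantern", "img-k3": "quorum"}
    UNKNOWN = ["img-u1", "img-u2"]
    AGREEMENT_NEEDED = 3  # assumed: matching answers before an unknown word is trusted


    class RecaptchaVerifier:
        def __init__(self, known, unknown, agreement_needed=AGREEMENT_NEEDED, seed=0):
            self.known = dict(known)            # image id -> accepted word
            self.unknown = list(unknown)        # image ids still being voted on
            self.votes = defaultdict(Counter)   # unknown id -> Counter of answers
            self.agreement_needed = agreement_needed
            self.rng = random.Random(seed)

        def challenge(self):
            """Pair a known image with an unknown one; the user cannot tell which is which."""
            if not self.unknown:                # nothing left to digitize: use two known words
                pair = self.rng.sample(list(self.known), 2)
            else:
                pair = [self.rng.choice(list(self.known)), self.rng.choice(self.unknown)]
            self.rng.shuffle(pair)
            return tuple(pair)

        @staticmethod
        def _norm(word):
            return word.strip().lower()

        def verify(self, challenge, answers):
            """Return True iff every known word in the challenge was solved.

            Only then is the answer for the unknown word counted as a vote; once
            enough independent users agree, that word is promoted to 'known'.
            """
            for image_id, answer in zip(challenge, answers):
                if image_id in self.known and self._norm(answer) != self.known[image_id]:
                    return False                # failed the control word: no vote recorded
            for image_id, answer in zip(challenge, answers):
                if image_id in self.unknown:
                    tally = self.votes[image_id]
                    tally[self._norm(answer)] += 1
                    word, count = tally.most_common(1)[0]
                    if count >= self.agreement_needed:
                        self.known[image_id] = word
                        self.unknown.remove(image_id)
                        del self.votes[image_id]
            return True
    ```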

  • by Fantastic Lad ( 198284 ) on Wednesday October 01, 2008 @09:19PM (#25227727)

    When going through the step-by-step in the article, (which is pretty awesome, btw), it appears that there is no character recognition being employed, but rather the security is being defeated by a fairly hacky work-around.

    Hacky work-arounds can be defeated simply by programming smarter, (less sloppily?). There's no graphic-reading AI involved, which means the basic fundamentals of the CAPTCHA system remain sound.

    While I find CAPTCHAs a little annoying when signing up for stuff, I recognize their necessity and actually kind of grin while doing them, thinking, "Ha ha! Look at this monkey, all smarter than a dumb computer. This must be frustrating for spammers. Ho ho!"

    -FL

  • by asserted ( 818761 ) on Wednesday October 01, 2008 @09:47PM (#25227971)
    "04.10.2008 - 10:54 AM" - April 10th.

    This is the article mentioned in the original "Hotmail CAPTCHA sucks" [slashdot.org] Slashdot post.
  • Re:Key exchange. (Score:4, Informative)

    by gnick ( 1211984 ) on Wednesday October 01, 2008 @10:19PM (#25228217) Homepage

    > Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s?

    I don't buy that. Accuse me of over-indulging on Kool-Aid if you must. Most spam streams out of America - That's no surprise. We've got a helluva lot of computers with broad-band access and clueless users who basically bend over and hand lube to zombie-lords.

    I've seen cyber-intelligence numbers (disclaimer - collected by US intelligence) and they indicate pretty clearly that the bots are being controlled by people in Russia and China (Poland, Switzerland, and Holland house a surprising number too). Those people may be Russians, Chinese, Americans, whatever, but they're running their armies from overseas (relative to the US). I'm actually surprised fewer are operating out of Africa - It seems to be a relative safe-house.

    It's not paranoia once you've got data supporting it. (Let me be the first to criticize myself for not supplying a link...)

  • by Miamicanes ( 730264 ) on Thursday October 02, 2008 @12:22AM (#25229119)

    >What happens when you send something to someone and they reply? Do they have to use your unique address to reply?

    Yep. There's even a nice extension for Thunderbird ("Virtual Identity") that lets me send outgoing email with arbitrary return addresses (so if I'M the one initiating contact, I just generate the alias I want them to use to reply to me and use it as the return address so they can just hit 'reply'). Even better, Virtual Identity keeps track of what alias goes with what sender/recipient, so the NEXT time I go to send email to that person, Virtual Identity recognizes their email address and automatically changes the "reply-to" address to the ad hoc alias I used the first time I sent email to them.

    > What do you do when you need write an email address out or give it over the phone?
    > goofball-yourdomain-a23fbf32a4e544303... good times.

    Compared to the fun I have getting them to spell the domain name (Americanized spelling of Ukrainian-Slovak-ish last name), it's really not a problem. I DO, however, have occasional problems with stupid websites that try to be too clever and filter out what THEY think are invalid characters for an email address. Nine times out of 10, it's a JavaScript validation script with braindamaged regex, and all I have to do to get past it is use Firebug to comment out their wolf-calling sanity-checker and let it through to the server. Back when I ran my own mail server using Mercury for Win32, ITS primitive ad hoc alias support gave me lots of website grief, because IT used "+" instead of "-" to indicate the division between username and alias, and lots of stupid form-handling code treated "+" as if it were an HTML-encoded space character at the server end.

    > Or if someone forwards your message to a 3rd person to reply to you...

    In which case I now have two people using the alias to reach me, not one. It's still a vast improvement over having one address you have to guard with your life, and still accept the fact that SOMEONE is eventually going to get their address book harvested and compromise it anyway.

    The nice thing about my strategy, vs. SpamAssassin and Bayesian strategies, is that as long as the sender gets the alias right, there's ZERO risk of a legit message getting spam-trapped. A tiny bit of extra work to set up that first email contact, but reliable communication every single time thereafter.
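    The per-contact alias strategy described in this post, as an added example (not the poster's code, Virtual Identity, or Mercury): a registry that mints one alias per correspondent, reuses it on later contact, refuses delivery to aliases that were never issued or have been revoked after a leak, and checks that the "-" separator survives the "+"-as-space form mangling the post complains about. The mailbox name comes from the quoted example; the domain, tag format and sample contact are assumptions.

    ```python
    import re
    import secrets
    from urllib.parse import unquote_plus

    USER = "goofball"       # base mailbox from the quoted example; domain is assumed
    DOMAIN = "example.org"
    SEP = "-"               # not '+': sloppy form handlers decode '+' as a space

    # local part = <user><SEP><16 hex chars>; the random tag makes the alias unguessable
    ALIAS_RE = re.compile(r"^([a-z0-9]+)-([0-9a-f]{16})@([a-z0-9.-]+)$", re.I)


    def survives_form_decoding(address):
        return unquote_plus(address) == address   # a '+' in the address would become ' '


    class AliasBook:
        def __init__(self, user=USER, domain=DOMAIN):
            self.user, self.domain = user.lower(), domain.lower()
            self.issued = {}        # tag -> contact the alias was handed to
            self.revoked = set()    # tags that leaked (harvested address book, forwarded mail)

        def _address(self, tag):
            return f"{self.user}{SEP}{tag}@{self.domain}"

        def alias_for(self, contact, tag=None):
            """Reuse the live alias already given to `contact`, else mint a new one."""
            for existing, who in self.issued.items():
                if who == contact and existing not in self.revoked:
                    return self._address(existing)
            tag = (tag or secrets.token_hex(8)).lower()
            self.issued[tag] = contact
            return self._address(tag)

        def revoke(self, address):
            """Retire an alias once it starts drawing spam; mail to it is then refused."""
            m = ALIAS_RE.match(address.strip())
            if m:
                self.revoked.add(m.group(2).lower())

        def accept(self, rcpt):
            """Decide at delivery time whether an inbound recipient address is served."""
            m = ALIAS_RE.match(rcpt.strip())
            if not m:
                return False, "malformed or not an alias"
            user, tag, domain = (g.lower() for g in m.groups())
            if user != self.user or domain != self.domain:
                return False, "not one of our mailboxes"
            if tag in self.revoked or tag not in self.issued:
                return False, "alias revoked or never issued"
            return True, self.issued[tag]
    ```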

  • by ralphdaugherty ( 225648 ) <ralph@ee.net> on Thursday October 02, 2008 @12:58AM (#25229323) Homepage

    Good work in TFA documenting an attack. A critical piece is that the CAPTCHA image is sent off and an encrypted answer of eight letters returns in an average of six seconds.

    Most replies in all of these CAPTCHA /. threads assume the image is being decoded by computer (i.e., OCR), therefore suggest supposedly harder tests for a computer to solve as a solution (although most suggestions are actually easier).

    There is a possibility of that going on, but more likely the images are being transmitted to humans to decode. I don't know for sure, but I've never seen one post ever that gave any good indication it was OCR being used, and plenty of known situations where humans are decoding it.

    So for the case where OCR is actually being used, some of the characters in each image need to physically overlap to break OCR. But if humans are decoding, then obviously they can do what we can do, so just overlap the CAPTCHA characters to make OCR impossible and forget about all the other exotic suggestions.

    In the case of phpBB (forum software I use), the CAPTCHAs don't overlap but the image is displayed embedded in the web page via CSS (as far as I can tell) so the whole page would have to be transmitted back for decoding versus an image file as from Hotmail's process. Not that that solves anything, but at least make it that much harder to transmit and decode the CAPTCHA.

    If there is a service that anyone can abuse based on nothing more than ability to read some letters from an image, then everyone else needs to protect themselves from that abusive service. One possibility is blacklisting the domain and only allowing whitelisted addresses from it. But I use Postini and it traps most spam without anything special going on with hotmail. If it's spam it gets trapped and if it's good it comes through to me.

    But hotmail could do a few things to keep from being blacklisted. One would be to require a confirmation from another email address, a different one for each hotmail account, to enable the hotmail registration with info such as a code provided with the registration required to be typed into the body of the reply email. Three failures or a timeout would delete the registration.

    I also would suggest a controversial but effective strategy. I would allow for a whitelist of worldwide ISP domains that have identifiable customers. Other services similar to hotmail such as gmail wouldn't be on that list. I would allow email only from registrants who confirmed from a whitelisted domain to be sent from hotmail to any address. Others would only be allowed to send email to addresses for domains within their own regional internet registries.

    This of course does not address spam overall as a problem, just spam emanating from hotmail accounts.

    Speaking of which, I see the usual about most spam coming from the US. Yes, it may, but if it does it's because US PCs were owned by Eurasian botmasters and the spam is controlled by them.

    In my experience with my small phpBB forum, by a huge amount most attacks come from Eurasia. It's those attacks that take over PCs, and it's taken over PCs that send out spam. Looking at the source of the spam from an IP address perspective isn't the answer. You would need to look at where the botmasters are to say where spam comes from.

    rd
