Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam

Baffling the Spam Bots 350

dumpster_dave writes "Scientific American is running an article, Baffling the Bots on techniques to outsmart and subvert spam bots and their chat-room cousins via CAPTCHA. You have probable seen this in the form of images containing text as gate-keepers to various on-line services. The latest evolution is using non-words and distorting the text such that even the best AI systems cannot decipher them, yet humans can not help but do so [cf., Gestalt Psychology]."
This discussion has been archived. No new comments can be posted.

Baffling the Spam Bots

Comments Filter:
  • Blind Users (Score:5, Insightful)

    by X-rated Ouroboros ( 526150 ) on Monday October 20, 2003 @02:03AM (#7258568) Homepage

    I've often wondered how these types of systems can be made handicapped accessible

    • Instead of sending an image of distorted text, send a wave file of distorted speech - easy for the human ear to discern, but harder for run-of-the-mill speech recognition tools to do.
      • Then you have to worry about those with poor or no hearing, as well as those with poor or no sound equipment. Why not have someone solve a riddle or puzzle, such as decode a /. mangled e-mail address?
    • by linking soundfiles ? natural language processing is also a very hard CS subject ...
    • Why not employ a system such as... "what item is in the picture below?" and have randomized pictures of cars, boats, irons, etc, etc. I suppose there could be some androgyny about it (typing "car" or "automobile" or "sedan" or "Toyota"), but this sort of system would cater to the visually impaired leagues better then the morphed words!?
    • Re:Blind Users (Score:4, Interesting)

      by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Monday October 20, 2003 @02:18AM (#7258634) Homepage
      Easy; When you generate your mangled GIF image, also create a wav/mp3 containing the same information (eg using TTS software, or by concatenating pre-recorded audio files).

      Most blind users are running windows with JAWS [synapseadaptive.com] or similar screen-reading software, and sites like ACB [acb.org] release a lot of their content as mp3's already, so I'd assume that most are well equipped to handle web audio.

    • Since it only restricts access at a certain point in the process, handicapped (e.g. blind) users will need help at that point, but not later. It's a problem only if you look at it as such: in most cases blind people need quite a lot of help in accessing the wider parts of society, and when seen positively this is a way of bringing them into contact with others, as those people help them.
    • The simple answer is you can't. There will be lots of suggestions that you use sound - so if you're blind and deaf then you're excluded from email? What about those using Braille interfaces to read email. Can sound files overcome language barriers? There are so many obstacles all of which point back to one simple fact, that you can't assume anything about the user at the other end. That's why the web was designed so web pages sent the content and the browser decides how to display it - a properly coded web
    • How about a text-based system based on inference? Text-only could be fed through a reader for the blind the same as any other page text.

      For example:

      Of "book", "cat", "tree", and "silver", which is an animal?

      Of course, since a bot could try all the permutations here, one try would be all that should be allowed, but that should be enough for a human. I'm sure there's a form that couldn't be brute-forced, but I'd have to think about that a bit more.
      • Okay, I thought about it more.

        Having two tables of nouns and categories, and from those generating a challenge of the type:

        Put "silver", "oak", "water", and "cat" in the order of liquid, tree, animal, metal.

        ...would require tries on average half the factorial of the number of terms used, and that's after writing a parser for the challenge and assuming that's the only form of challenge the web site will give. Scale for bot-elimination effectiveness, allowed tries, and/or user convenience.
        • Re:Blind Users (Score:3, Insightful)

          by vidarh ( 309115 )
          Big problem with this: Let's say this type of challenge is given 1 out of a 100 times. It has the MASSIVE weakness that word lists with classifications are readily available (hint: computational linguistics - academics have spent decades preparing computer readable databases of stuff like this for use in their research), and if not can relatively quickly be built (think parsing dictionary.com output, looking for the category keywords). Say these method will solve 1 out of 10 of the challenges, which I think
      • So now you're giving people a one in four chance of success. What the bot will then do is try a random answer, and if it fails it revisits the original page, gets a new problem and tries again. Voila, 25% success rate, and your e-mail system will be used for massive amounts of outbound spam.
    • by Pathwalker ( 103 ) *
      For some time, I've felt that math is the answer to verifying that a viewer is a human, and still keeping the test accessible to the widest number of disabled people.

      A couple of simple math/logic problems such as these should be suitable:
      1. Find the two roots of x*x-16x+60=0
      2. What are two numbers who have the sum of 16 and the product of 60?
      3. From the following facts, what can you infer about Albert?
        • All men are mortal.
        • Albert is a man

      Simple puzzles like this should be able to be figured out by almost a

      • Those first two just knocked out my mom and sister from the "human" category, and the first one my dad as well. Look, MOST humand can't find the roots of an equation. That is a damn math geek question and you should know it. Shit, that's not even something I can do anymore without giving it a considerable amount of thought, and it is actually something I learned how to do (but haven't done in years). Many people know NOTHING about advanced math and have no need to. If you haven't done a fair bit of algebra,
      • For your first one, my bet is that for any equation you'd come up with that more than 50% of humans could solve in a reasonable amount of time, you'd have a hard time finding ANY human that would solve it faster than a computer. Writing equation solvers that can handle the basics is trivially easy - you use a simple expression parser and recursively apply a small set of rules.

        For the second you're raising the bar by complicating the parsing, but the question is: How would you generate the problems? If the

    • Use an audio interface and embed the message in nonobtrusive background clutter. Speech recognition software is very bad at handling that sort of requirement.
    • A good question, but the solutions suggested are a bit over the top. Just list a toll-free number in the ALT text for help in completing the form. I doubt that the amount of people calling require just the occasional interruption of someone. If it becomes are larger labor problem, then at some point, finding a technical solution will become cheaper and will be implemented.

      (I know toll free US numbers aren't toll free outside the US, but I believe there is also a toll free international exchange or "countr

    • Say it. I saw one of these things the other day adn it had a link to where it would say the word.
  • by Sir Haxalot ( 693401 ) on Monday October 20, 2003 @02:03AM (#7258569)
    that just using johnsmithword-AT-hotmail.com works fine (where word is taken out and -AT- is replaced with @) I use that and have yet to have a single spam email.
    • by Grimster ( 127581 ) on Monday October 20, 2003 @02:12AM (#7258606) Homepage
      Yes this is a great solution if the only people you want to email you are a little towards the smart side. But speaking as someone who has to deal with "joe sixpack" daily I've seen people who are confused by user@NOSPAMdomain.com and when I tell them to go to http://webmail.domain.com/ to get their webmail they put www. on the front!

      These same people if I were verbally giving them the url to slashdot would end up at http://www.slash..org/ (god I wish I were trying to make a joke but seriously I've had this happen).

      Because of this my email is plainly visible on our web site, and in my forums, and on a few other forums and on an occasional usenet message. With a combination of RBL's, bayesian filtering, procmail soup and other goodies my spam count per day is kept to a low roar (double figures in spam number rather than four figures, again I wish this were joking).
      • Are you sure they wouldn't end up at http;\\www.\..org/?
      • by andih8u ( 639841 )
        I've been using this http://jodrell.net/projects/mailto [jodrell.net] which puts your mailto link into a coupla hundred character long javascript. People can still click on the mailto link as per norm, but getting the address from the source is a different matter.

        • Oh, come on. Next minute you'll be telling me you can disable the right mouse button so people can't steal your photos. (*cough*) alt-print screen (*cough*)

          Unmunging addresses that have been munged like that is a trivial matter, but nonetheless is left as an exercise for the reader. You don't even need a full JS interpreter. Just parse anything that looks like a bunch of escapes on the basis that someone probably did that because they don't want you to see it, and that assumption will be valid more of
    • Comment removed based on user account deletion
    • just using johnsmithword-AT-hotmail.com works fine

      Huh? For any other domain than hotmail.com, perhaps. :-)

      z
  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Monday October 20, 2003 @02:04AM (#7258575) Journal
    Hotmail's spam filter has gotten really smart in the past few months. Yahoo's filter used to be the best among web mailers, but Hotmail has improved to the point that I don't get any spam in my hotmail inbox anymore.

    I'm not one to go about shouting the praises of Microsoft, but someone over there's got their head out of their asses.
  • This is a losing battle.
    Smart humans will outsmart computers for quite a while. The average human is already dis-comforted with such a test (what's the middle word in the second image?!).

    But those systems should work for the dumbest (within reason) humans. They're trying to design a test that's passed by the dumbest of six million, yet makes the smartest of a few (bots) fail.

    I give in.

    *comment about spambot overlords*
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday October 20, 2003 @02:17AM (#7258625)
    Everyone should know this by know, but you can control spam by keeping tabs on where your email address goes.

    The address I use to post to USENET is completely disposable. The 'swen' worm in fact picked up my USENET addy and spammed it with about 40,000 emails. The address is now dead, but I saw that coming.

    I have a public address which I give to casual contacts (who may not be totally trustworthy). This address changes yearly, and this keeps it spam free.

    My well guarded private address, which I only give to my closest friends, has gotten no spam for 5 years. I receive about 20 emails per day at that private address and there is 0 spam.
    • Well, lucky you. However, most people actually have some sort of public existence: they run a business and want clients to be able to contact them, they are teachers or professors and students need to be able to find out their address and contact them, etc. Hiding one's address simply isn't a solution.
    • uh huh. And what about those contacts that decide to send you 'greeting cards' or 'send this page to a friend' crap? (otherwise known as email harvesting scams).

      What about a web page which you want to publish your contact information? What about mailing lists? Yeah, you could have hundreds of different email addresses which you cut off and add as you see fit, but the overhead, hassles and lost email is more difficult than dealing with the spam. What if you post something to a mailing list, then a year late

    • I have the same policy and managed to keep my real email address hidden for about a year. Then one of my 'friends' decided to send me an e-card using my private address. A short time later I started receiving my first spam on that address. Years later, now I get about a dozen a day :-( As is so often the case, it's humans that are the weakest link.

    • Indeed, however this article is more about ways to stop people registering loads of webmail accounts using software tools. If they can't send mail you don't receive it.
    • My well guarded private address, which I only give to my closest friends, has gotten no spam for 5 years. I receive about 20 emails per day at that private address and there is 0 spam.

      I have young children who each have two email addresses. One address is the name of the kid @ our family domain. This address is only for close relatives and trusted friends. Spammers have not picked up these address.

      But I don't run a real SMTP server, being on a less than completely reliable connection to the net. So I ha

  • Instead of Text? (Score:2, Informative)

    by vraddict ( 653878 )
    Why not use a photograph of something very destinguishable by a human, IE a picture of a horse, or car, etc. It would be much more difficult to program a bot to detect what is in the picture. Or better yet, use that and the CAPTCHA text located in the corner of the photograph. It doesn't seem like it would be that much more trouble to enter in two pieces of information instead of just the CAPTHCA text.
  • by Eponymous Cowboy ( 706996 ) on Monday October 20, 2003 @02:24AM (#7258650)
    Earthlink has an optional system like this, where unknown senders are blocked by default. They receive an autoreply giving them a URL to go to where they must enter the text from a CAPTCHA.

    Unfortunately, the system does not work very well. My dad sells on eBay, and a buyer of one of his auctions had an Earthlink account, which blocked the message that told how much the shipping would be, where to send payment, etc. When my dad went to the specified URL, and entered the CAPTCHA text as requested he would simply get an error message that he had entered it incorrectly. He forwarded me the Earthlink email and asked me if it was just him; it wasn't; I couldn't get it to work either. The random string of numbers and letters was very distorted, and there were four possible meanings; I tried those plus at least ten more with no sucess. The message never got through.

    There are many problems with this type of system. Consider: what if both parties have CAPTCHA-enabled accounts, from different providers? The confirmation messages from both parties get blocked. Smarter systems whitelist people as messages are sent to them, but as in the eBay case, the recipient had no way of knowing my dad's email until AFTER a message from him was received. It's a Catch-22.

    And for people who are visually impaired, universal deployment of this system this makes email essentially impossible. Earthlink's page had a link "if you cannot see the picture, click here" and when you got to that they said to call their 1-800 number if you have any problems. Right.

    Adding CAPTCHAs to everyone's email systems is NOT the way to solve the spam problem. We need a more realistic, permanent solution. For example, cryptographically authenticating the sender (the "From" field) at the level of the originating ISP (and rejecting messages from senders it cannot authenticate, by password or whatever means), and then having each relay in turn authenticating the previous relay if it trusts it. Headers can be inserted in the emails, signing the previous headers with private encryption keys with their public counterparts obtainable from the ISPs by simple DNS lookups. This will build a chain of trust, which stops when a message gets outside of the sender's network, and therefore allows the original sender to be properly identified back through their ISP. Once we know who messages are from, people can be held responsible. And at that point, anti-spam laws can handle the rest.
    • And for people who are visually impaired, universal deployment of this system this makes email essentially impossible. Earthlink's page had a link "if you cannot see the picture, click here" and when you got to that they said to call their 1-800 number if you have any problems. Right.

      And, did you call that 1-800 number? I'm sure they would have been able to solve your problem. And what's more, your call would have cost Earthlink a couple of cents, and if lots of people who experienced problems would have

  • Big problem (Score:3, Insightful)

    by Lord_Dweomer ( 648696 ) on Monday October 20, 2003 @02:30AM (#7258664) Homepage
    I've always thought this was an incredibly creative solution. However...sometimes it works a little too well. I've encountered sites where I can't make out what the word is no matter what I try. And I'm not even colorblind/blind. The problem is....this filter does a good job of filtering not just computers who would have difficulty piecing the information together visually, but humans who might have problems doing that as well.

    One solution might be to offer multiple ways of deciphering. Such as an audio clip that could play a distorted version of the phrase that you could then type in. Or even ask simple questions, such as "What color is the background?".

    Then there's the other issue of the code not being visible simply because I'm using Mozilla....but thats a whole different can of worms.

  • by Rosco P. Coltrane ( 209368 ) on Monday October 20, 2003 @02:39AM (#7258687)
    Slashdot could benefit from such a human checker, each time someone posts, so that idiocies from crapflood scripts could be kept in check.
  • A big problem with CAPTCHAs is that they can be "broken" with some vigilance and know-how, although not 100% of the time. Yahoo!'s has been broken by a UC Berkeley group [berkeley.edu], they claim a 92% success rate. The UCB algorithm looks at the image then searches through a dictionary to find the most probably matches and spits them out (you can actually see on the site how it chooses and how close it gets when it misses, mistaking 'grip' for 'slip' and so on).

    What is really needed for a *good* CAPTCHA is not pure
    • by Rosco P. Coltrane ( 209368 ) on Monday October 20, 2003 @02:51AM (#7258717)
      I have a better idea : present a complex differential equation and ask the person to solve it in less than 10s. If he fails, he's human.
    • The problem with this is -- you would have the same "dictionary-size" problem as was mentioned in the article. That is, you would have to human-generate every test, and if you reused the tests, spambots could easily pick up on that and know the correct answers.

      And if you think you can computer-generate the quizzes, well, then, I'm betting a computer could guess the answers, if it used the same knowledge web for the word associations. The text-based CAPTCHAs work because you can computer-generate them but
    • Even if the algorithm was to correctly identify all 10 words, it would still have to figure out what the association is and then correctly identify the words that fit the association. Assuming that it did correctly identify all of the words, at that point random guessing would yeild a success rate of 0.83%, less if it misidentifies even just one of the words. Combine something like this with a slightly smarter word obfuscator and I think it'd be something that would be very hard to beat...unless you're hum
    • CAPTCHAs use a very basic (minimal) portion of our cognitive abilities: to read. They would be much more powerful if they tasked our higher abilities: to reason.

      For example, show 4 pictures; three of them of the same animal (say, a tiger) and the fourth of a random animal (say, a rhino). Ask the user to pick the odd one out. Make them grayscale, so that a color histogramming technique can't be used.

      Another example: show an analog clock, and ask the user to enter the time shown.

      By deploying 100s of su

    • Why yes, everyone understands word associations. Forest is to sunrise as wabi-sabi is to ...

      You have 10 seconds.
  • by danila ( 69889 ) on Monday October 20, 2003 @02:57AM (#7258739) Homepage
    Am I the only one having troubles deciphering the second word on the second picture [sciam.com]?
  • by Ron Bennett ( 14590 ) on Monday October 20, 2003 @03:13AM (#7258777) Homepage
    I'm not sure about others, but I have a difficult time with sites which use distorted numbers on a nearly matching background...and I'm not even color-blind.

    Sound is better, but even that sometimes can be difficult to understand - also, I don't have speakers hooked up on some machines I use; some folks disable sound due to abnoxious websites/ads that blast sound unexpectedly.

    Anyways, many of my relatives and friends can't get into sites that use distorted numbers, etc at all and are basically locked out; sometimes they get lucky and find a similar site (likely a competitor) to the site they desired, which doesn't use such nonsense...

    Seems to me a better way is use geotracking (too many inbound connections from similar sources [IP ranges, routes, browser config, etc), email verification, etc... ...and perhaps even requiring the person to call a phone number to activate the account - ideal for financial-based sites such as banks, payment
    sites, etc.

    With good heuristics (really the key to stopping automated bots in my view), any decent website should be able to filter out much of the bots and other junk - it's no accident really that many of the largest sites don't use distorted numbers, pictures, etc - how do they do without them?...perhaps be a good Ask Slashdot item :)

    Ron
  • by DaneelGiskard ( 222145 ) on Monday October 20, 2003 @03:25AM (#7258806) Homepage
    I use my email address for everything, including usenet. My provider runs a spam filter which reduces my spam / day to about 10 pieces. Of course, it filters out about 100-150 spam mails / day. When I'm bored I go through these filtered spam mails, but I did not find a false hit yet, so it works pretty well for me.

    This is convenient, I don't have to care where my email address goes, I just use it.
    • Don't count yourself lucky just yet!
      I used the same method, and my own mailserver with agressive filters, and it worked very well until... a Russian spammer started to send out spam with my mail address as the sender address. He did this via hacked systems (open proxies) so it was not possible to do any blocking.
      The load of crap that came in was just unbelievable, and all attempts to contact his spamvertized site or their providers just had no result.

      In the end the only thing I could do was remove the MX
    • That could really be a problem for simple filtering based on the address (domain) of the person sending the mail. But I do think that more sophisticated systems do not only use the address of the sender as a criteria to filter mail.

      One of my addresses uses "spam assasin" for protection for example. In its configuration it lets me give it a number called "hits" which interpretation is as follows:

      "Set the number of hits required before a mail is considered spam. n.nn can be an integer or a real number. 5.0
  • by gfody ( 514448 ) on Monday October 20, 2003 @03:49AM (#7258852)
    <img src="it_says_kitten.jpg">

    heh dumb bot
  • by gschmidt ( 18105 ) on Monday October 20, 2003 @04:42AM (#7258977)
    .. is that they can be brokered. If you give me a puzzle, *I* don't have to solve it; all I have to do is induce someone, somewhere, to solve it, and give me the answer. That means I can set up a CAPTCHA-solving factory in Taiwan, or field a porn site where users pay for their pictures in CAPTCHA answers. (*My* CAPTCHAs, the ones my script was assigned to answer in order to make Paypal transactions, not new ones I made up on the spot.)

    Suppose that a human can solve your CAPTCHA in an average of five seconds. Suppose unskilled labor costs $6/hour. Then it costs a bit under a cent to find the solution to your CAPTCHA, assuming that I want to solve at least a few thousand a day. As a result it is impractical to protect a service worth more than a penny with a CAPTCHA.

    Actually unskilled labor costs far less than $6/hour in some parts of the world, so if CAPTCHAs see wide use the value of the services they can protect is even lower. A tenth of a cent?

    CAPTCHAs should be seen as a proof-of-work mechanism, like "hash cash", not as an oracle that can determine whether a transaction was initiated by a human or a machine. Unlike proof-of-worth schemes that burn CPU time, the value of a CAPTCHA won't be inevitably halved every 18 months by Moore's law; on the other hand, it could be suddenly reduced to zero by breakthroughs in image processing.
  • This [sciam.com] example is a bit stupid - what stops a computer program from filtering out everything of the wavy background by just eliminating everything non-black? There seems to be so much contrast in the image that it would be a really trivial job.
    • what stops a computer program from filtering out everything of the wavy background by just eliminating everything non-black?

      Stupid? Well, then...go ahead: Provide an algorithm that not only correctly extracts this antialiased text out of three-channel color (hint: filtering out the wavy background is not mathematically easy), and then also can do an OCR regognition on the remaining distorted bitmap.

      Can it be done? Sure -- but it certainly isn't trivial. Coming up with a mathematical method (and hence
      • To counter this point, I loaded up my favourite image viewing program (Irfanview), opened the picture, increased the contrast to the max, then reduced the number of colours to two.

        The result: A near-clear, black and white representation of the letters remained. If wavy backgrounds can't defeat even the simplest of image software programs, how do you expect the same backgrounds to prove any challenge to custom-designed software?
        • And where is your algorithm (or "simple" program) that can read your manipulated image and produce the exact ASCII represented by the resulting image? Go ahead...provide one.

          Regardless of what you may think, CAPTCHA defeating programs are difficult to write and are never are 100% effective.

          Thus, it hardly seems appropriate to label this sample "stupid."

          Stupid for you, but hard for a program. That's the whole point!
  • by hey ( 83763 ) on Monday October 20, 2003 @05:25AM (#7259095) Journal
    How about those kid's puzzles where there is an image where many things are "wrong". Like the water from the tap is flowing up. These are easy to solve by people but very hard for machines.
  • Include an external javascript-file with a function that makes a document.write() on the email-adresses that you want.

    The spambots will never bother trying to run javascript, especially if it means downloading an external file. And using, for example, mozilla's command-line js-engine will not help, because without an attached browser most of the scripts will reference objects that does not exists (like windows and such).

    Dynamically generated documents are a pain in the ass for web-spiders. I know. I have
  • Sounds like one way to store or show passwords without the **** nonsense. Encrypt the data, and only display it in a the non-machine decypherable form. (Hold your objections...read on.)

    Socially, people like to pick dumb passwords. Tell them what makes a good password...and they will nod and pick a dumb password...then loose it. So, demanding that people follow good practices is not possible (unless you make fools of people with poor passwords by sending out funny but embarasing email using the person

  • Why not generate text that looks real (heck, use excerpts from real email), and include images that advertise the latest scam product? After all, they are supposed to be incomprehensible to programs, and Bayesian filters are programs...
  • Easy (Score:4, Funny)

    by fredrikj ( 629833 ) on Monday October 20, 2003 @07:56AM (#7259616) Homepage
    Just do a Burrows-Wheeler transform on your e-mail address. Comes with the bonus of preventing stupid people from trying to contact you.
  • I've been thinking lately of making a script that would generate fake email addresses and include it on a webpage; such that the fake email address list gets re-build on every hit. It would create addresses like xxxxx@yyyyy.com|net Where xxxxx is a random alpha-numeric sequence, yyyyy is a random alpha-numeric sequence. Or, perhaps yyyyy would be a random valid word from a dictionary or other list.

    The goal would be to feed the bots so many fakes that they choke on the bounced undeliverables, or, they ma

Whoever dies with the most toys wins.

Working...