Spammers Learn to Outsource Their Captcha Needs 221
lukeknipe writes "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article: "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
I call job theft! (Score:4, Funny)
Re: (Score:3, Insightful)
*blink* what country do you live in? In a 1st world nation, that's *well* below the standard minimum wage. Here in Ontario, for example, minimum wage is $6.85/hour. Even after taxes are taken off, that's about $45/day if you're working full time, and I think there's talk about raising the minimum wage to $7.40. Hell, an untrained private in the
Re: (Score:2)
These lead shoes (Score:3, Informative)
I doubt you would, actually (Score:5, Interesting)
See most people are quite able to speak/cheer about and for beating others up, killing others, war, etc, as long as it's just talking. They might even actually do it, if a fit of rage disables their sanity for long enough. But fits of rage aren't something you can plan and execute whenever you wish. And otherwise when you actually have to do it, there's this interlock against harming other humans. It's partially "what if it was me in his shoes" education (even if you logically know it would never be in his place spamming) and partially that interlock most animals have against harming their own more than strictly necessary. (Even when cats or dogs fight their own there is always a mechanism to signal "I give up" and the other _will_ cease.)
It's a strange world, really. The same people who could be shaking a fist and screaming for war against X at the top of their lungs, would actually have trouble looking one of X in the eyes and squeezing the trigger. A lot of PTSD cases in war aren't just people getting shocked by being shot at, but shocked by having shot other humans.
There is one cathegory that can cheerfully think "it's only business": the sociopaths. They live in a strange world in which the others are NPCs: the others don't matter, they're not the same, "it could be me in his shoes" doesn't apply, etc. They can lie, cheat, murder, torture, whatever, and be perfectly able to look themselves in the mirror after it. Because the other guy didn't matter.
And, sad to say, if you weren't born one, I doubt you could actually beat this guy up in cold blood. If anyone gave you a baseball bat and this guy tied to a chair, you just couldn't actually do it.
And it's probably better that way. I'm thinking we as a society would do better to just start recognizing sociopaths for what they are, and the damage they can do. This guy, for example, is a sociopath, plain and simple. He's not just "being smart", he's not "just doing business", he's not "just doing what's needed", or the other things these guys like to pose as. He's just someone who doesn't even see you as a human being, much less his equal.
Re: (Score:2)
Just because someone doesn't care does not imply they feel they are beyond the law. I'm sure there are plenty of potential crimes just lying in wait, but they really don't want to be incarcerated. On a different note, not every one can be a basketball star and not everyone can be a CEO either (or insert glorious position). Perhaps he lacks the real ambition it takes to pursue his sociopathic goals in life! (Can't blame a guy if he doesn't try!)
No, I'm afraid our sociopath friend just doesn't have what it
Re: (Score:2)
Nah, I'd yell at one in public and give him a hug and a "thank you" in private. After all, I have a consulting company and we'd not have half of ou
Re: (Score:2)
Now granted, in most cases, these people are as dumb as doorknobs. But, if you think about it (REALLY think about it..
Re: (Score:3, Insightful)
But in the end that all bears fairly little relevance. Even if there is no afterlife at all (in fact, especially if there isn't one), there are some millenia of learning to, more or less, work together to make our stay here reasonably acceptable. That's in the end all that society is.
If all humans actually were unchecked wolves to other humans, you'd probably find this one existence here to be very shitty and very short. Because at least 1%,
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
The point still stands that you can't just snap your fingers and become one, so it's kinda pointless to dream about becoming one. "Man, if I were alone with this guy for a minute, I'd soo punch his clock" is a pipe dream. Either you aren't a sociopath at all, and in practice you couldn't do anything to this gu
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
There are a surprisingly large numbers of spammers in Australia as well - I lost track of the one born in New Zealand that was trying to get people to do dodgy work for him on a promise of money in three months - funny thing is his last name really was "Fagin" ala the Oliver Twist crook. He wanted to employ people to write software to look for open rela
A long-time problem (Score:3, Insightful)
If I am not mistaken, there have been several stories on this kind of thing on Slashdot...
Ayway, the bottom line is that spammers have been doing this for a long time, and I'm not sure if the $100 laptops will make a difference either way. Will these $100 laptops all have internet access?
Re: (Score:2)
Why, of course they will.
Developing countries all have broadband Internet access, even WiFi. And those who do not, well, the spammers will pay them enough for each solved captcha that they offset the surely insignificant cost of modem access.
Even if it does happen, though, it will only go to show that captchas aren't the way to get rid of spam, bots etc.
I would prefer it, though, if spammers learned to circumvent captchas automatically... can you imagine what it would mean for OCR?
Re: (Score:3, Interesting)
I would certainly like to see the end of captchas, and I have resisted using them on my own sites. They are really bad for accessibility and therefore illegal in many situations and just generally unfair to anyone who can't solve captchas (whether that be by disability or browser choice). However, I have yet to see any other technology able to do the job.
Re: (Score:2)
Does that fall under any of 'unfair treatment' laws?
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Just to make it harder I put it in an image, that has several rotated letters that have a sufficiently different color, this is only a stop gag because all of this can be filtered easily enough, but it can look like a usual captcha to a n
Re: (Score:3, Interesting)
I did DSL installs in an ex-soviet block backwater which is not even in the EU yet in 1998. At that time UK and the rest of Europe (except Scandinavia) was still wetting themselves over a second ISDN channel and 56K modems. In the same country ethernet to the home in big cities is the norm, not the exemption. The cable operators built bandit networks using twisted pair as far back as 1999-2000. So on, so fourth.
Similarly, I had to design, deploy a
Working from a clean slate (Score:2)
1) No competion for space, e.g. when running cable in a location where old cable exists you need to be very careful where you dig. Also, if going wireless there probably isn't much competition for desirable locations from cell phn, radio, or other wifi operators for space.
2) Interoperability with older technologies isn't as much of an issue. Since there aren't any. So working out the kinks to get older and newer tech
Re: (Score:2)
OCr is pretty good now. I've scanned some books with Abbyy OCR and the error rate was maybe one per page. While that's good enough for most purposes, and maybe even for captchas, it still needs to be proofread if you want to republish.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:A long-time problem (Score:4, Interesting)
The CAPTCHA image and question themselves need some thought as well. Just having a person type some "distorted" text verbatim is a bit christian IMHO, because it's vulnerable to OCR. Insisting to change the order or capitalisation ("type this backwards in all lower case") would be a good start, but there are plenty more techniques involving pictures that only a human being will be able to use; and you can possibly even set a knowledge barrier (by using challenges that will be easy for people in your chosen field but not random idiots) to keep out undesirables.
Re: (Score:2)
Err... Wrong. All they would have to do is put a VPN client on the laptops, and run them through a NATing router on the spammers end (which would probably be necessary on the spammer's end anyway to get the images to the in the first place).
The word 'contact' in this post's captcha was farmed out to an Anonymous Coward
Re: (Score:3, Funny)
Maybe it's just too early in the morning for me, but what does that mean? That typing distorted text is easy? That it's smart/dumb? That it makes you love your neighbor as you would have them love you?
Re:A long-time problem (Score:5, Interesting)
Stuff like "type this backwards in lower case" won't help *in the least* - it'd be trivial to get past, as trivial as writing a bot to collect email addresses, and we know how many of those there are.
Checking the IP address won't work (unfortunately) because certain ISPs (*cough*AOL*cough*) use multiple outgoing IPs for the same user; it's ridiculous but there you have it.
In any case, IP addresses can be forged; the spammer doesn't need to receive a response, he just needs to send his CAPTCHA and spam message; if he's on 4.3.2.1 and needs to send from 1.2.3.4 then he will - the server's "yes you got it" response will be sent to 1.2.3.4 but the spammer doesn't care; his spam has got through.
In short, there is no serverside way of preventing a captcha from being relayed to/from a 'processor' be it OCR or human.
However, what needs to be remembered is that in 95% of cases, any type of captcha will stop 100% of spam. Most captchas out there are pitifully weak in terms of OCR resistance [ocr-research.org.ua], have implementation bugs [puremango.co.uk] coming out of their *ahem* and 'in principle' offer no security whatsoever, but they work because most spammers only after the low hanging fruit.
Re: (Score:2)
I think people spend far too much time worrying about false positives with CAPTCHA tests and not enough time worrying about false negatives.
The proliferation of CAPTCHAs is a big problem for web accessibility and one that needs to be a addressed a little more urgently than the possible emergence of human spam teams in india.
I've created my own CAPTCHA solution, which I'm too embaressed to plug... again... I've already plugged it 2 or 3 times in other replies to this post, just do a search for m
Re: (Score:2)
Re: (Score:2)
You know, if you stopped and thought for half a minute, you would see how an IP check is completely useless.
Re: (Score:2)
So you've just described a proxy (Score:3, Informative)
Basically if machine A is the server, machine B is doing the spamming, and the paid peon cracking captchas for a living is on machine C, then it can jolly well go on like this:
- the peon's machine C connects to one of the many machines B doing the spamming (it can also be the other way around: machine B could initiate a connection and wait for the human to be ready. Works great if machine B
Re: (Score:3, Interesting)
Only problem is, those with screenreaders would be very much disadvantaged unless you had audio cues to go with the images.
Re: (Score:2, Informative)
Re: (Score:2)
You are correct. For example,Will Solve Captcha for Money? [slashdot.org]
I wonder how much of this is due to forums like /. raising the media's awareness of the the next impending Internet-based doom?
Now what? (Score:2)
Re:Now what? (Score:4, Insightful)
Re: (Score:2)
A number of things:
Re: (Score:2)
get rid of corrupt American politicians that took huge backhanders during the CAN-SPAM fiasco
To my great surprise, it looks like steps are being taken in this direction. Quite a few incumbents got tossed out in the recent election, and the Democrats now in charge are making a fuss about dealing with corruption. Of course I don't expect that to lead anywhere, but at least they're making a fuss.
get the politicians to write legislation with real bite. It can take up to 15 seconds to delete an email e.g. so 15 seconds of prison time for every sent spam email sounds about right; i.e. 8 months in prison for a million emails. On second thoughts 60 seconds in prison, because they knew what they was doing was wrong, so 30 months in prison. A few spam runs, and it's essentially life imprisonment. Yay! (My heart bleeds, but essentially they kill person lifetimes every time they do a spam run).
I'm not convinced that increasing the sentences will serve as a significant deterrent. Many spammers go to great lengths to avoid getting caught.
Also, I'm tired of people complaining that CAN-SPAM is worthl
Re: (Score:2)
When a group of people borrow money from a bank, they are "jointly and severally liable" for the outstanding portion of the debt. If a husband and wife borrow £100 000, then the husband pays back his half, each of them is considered still to owe the bank £50 000. If the wife disappears of the face of the planet, well, the husband has 50 000 extra motiv
Re: (Score:2)
Re: (Score:2)
So the question becomes (Score:2)
In any case, the economy of spamming changes fundamentally once it's no longer cost free to do.
using porn to solve captchas (Score:5, Interesting)
Re: (Score:2)
Nice idea, but there are going to be problems with this. For starters most CAPTCHA images time out, the bot would need to get it solved by a horny porn dude within about 1min of it being served. Also you have the problem of actuall relaying the image to the horny porn dude. Most CAPTCHA images work by not allowing you to serve the image to more than one request, new request, new CAPTCHA. So they would have to capture the captcha. Tryin to pick the image from the download cache is going to be a little t
Re: (Score:2)
What the hell are you talking about?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You're either relaying the request and the post for the CAPTCHA.
Or you could get your horny porn dude to request the CAPTCHA directly and run your spam bot as client side javascipt from his browser.
In either case I don't think a generic solution is going to be possible, I think your porn site would need to be specifically coded to attack a specific site. Both of these approaches have problems and are going to be ridiculously easy to counter, compared to the amount of effort required to make the
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If it WAS just one machine accessing the image, then you can always catch that machine's IP and ban it. Your average user is not going to modify their HTTP headers to change the referral..
Re: (Score:2)
This tell us two things (Score:4, Insightful)
2. The Human solution sometimes is the best.
What's going to be interesting is threefold: how do we conquer this problem, and how long until "sweat spam shops" have opened up, and how long until the outsourcers become the main branches? Much like the Cory Doctorow story revolving around sweat shops of MMO players, it might not be long until automated scripts are combined with "sweat shop" style workers, who's only job it so enter in the proper "human" data to fill spam.
On the other hand, as outsourcing has taught us, it is only a matter of time before the outsourcees become the suppliers as they get the training they need. Once the "local guy" starts making up the scripts, it's only a matter of time before he/she goes to open up their own spamming sweat shop. Which is a good thing in a weird way as the article points out - it encourages new business at the expense of annoyance.
The next phase of solutions might have to focus on more detailed question/responses - but there's a danger in this in finding the "sweet spot". You want to make it as expensive as possible for spammers, but not so annoying for your "true customers". Much like my new bank's online service, perhaps, where they made me select my "security image" and more personal questions so I had to enter 2-3 things to truly "log in" the first time.
Re: (Score:2)
Indeed. So why not outsource the spam filtering, and have a human being in Nigeria read through your mails, and decide if they are spam or not. I am sure they would know if King Mukabuto really was that rich or not.
it is just business (Score:3, Interesting)
Re:it is just business (Score:4, Insightful)
This is of course because spreading spam costs too little to be worried about pre-selecting the audience. When advertising on TV or sending info by post, companies usually try to match their audience to the product they are going to sell. I.e. they do not send adverts for luxury products to houses in poor neighborhoods, they try to weed their lists so that bouncing addresses are not kept on it forever, etc.
All this to maximize the return on the cost of sending the adverts.
Spammers don't have to do this, because they make money anyway.
When it would cost 1 cent to send a spam message, it would not be worthwile to send it to 100000 addresses and make 1 sale of a $25 product.
Re: (Score:2)
Whilest spam is by far the worst case, all direct marketting suffers from this problem to some extent. Very little of the crap that's shoved through my door, SMSed or telemarketted to me is actually relevent to me.
At least in the UK we have some of the direct marketting a little more under control (unsolicited SMS messages are illegal... although some do still get sent. Telemarketting to phones registe
Re: (Score:2, Insightful)
I can assure you that all direct marketing bureaus match the product and target audience. When living in a lower-class neighborhoud, you will find very few Mercedes or Jaguar flyers on your doorstep. It will not be perfect, but nobody is just throwing away money they know they can better spend e
Re:it is just business (Score:4, Funny)
Re: (Score:2)
The only working solution to spam is to give botnet operators a revenue stream that pays more per GB than what spammers can afford.
Re: (Score:2)
because they're not doing anything wrong (it's just business). But we should be unhappy with
Haha, what a clueless article (Score:2)
or maybe... (Score:4, Insightful)
In fact, there is a lot of good, low-end on-line work low-skilled third-world labor can do once they are on-line. That's a good development: it gets work done that otherwise wouldn't get done, and it gets people jobs that beat the back-breaking, dangerous work they'd otherwise have to do (provided they aren't too old, weak or ill to do it in the first place).
Hey, maybe that third world labor can also do the spam classification, manually. I'd be willing to pay for that.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
That's what the anti-sweatshop people fail to understand. It's not like high-priced lawyer jobs await these people if only they weren't being forced to make shoes for Nike. Working in this sweatshop is literally the best choice they have, often by quite a lot, and you want to . . . take it away from them?
I remain confused.
Re: (Score:2)
Re: (Score:2)
Dupe/Oldnews (Score:2, Informative)
Re: (Score:3, Interesting)
I think this one is a little different, the other article was just a hypothetical, this is actually a real case of spamming occuring with a captcha image.
I also found his quotation from Bill Gates quite interesting...
Oh well. I guess I'll have to sit in the corner with Bill Gates, who declared in January 2004 that "spam will be solved in two years". After you with the pointy-D hat, Bill.
Perhaps Bill was thinking about his trusted/treacherous [slashdot.org] computing model (posted earlier today on slashdot) when he
Re: (Score:2)
In any case I never claimed it was resistant to this sort of attack. I'm sure it's going to be more resistant than a system that requires simple data entry.
I don't think you're going to find a flawless system for verifying the authenticity of anonymous requests, that statement in itself is kind of a give away. Obviously the
Re: (Score:2)
Ahem.
Hindi and Urdu may be "official languages", but thanks to centuries of British rule, English is the lingua franca of the land. Each state has its own regional language, which isn't well-known outside that state. My parents, who fit the definition of "well educated", would have trouble holding a conversation in Hindi, bu
Re: (Score:2)
What I think (Score:2)
Previous article (Score:2)
Slashdot had an article [slashdot.org] about this a couple of months ago.
This is simply stupid (Score:5, Insightful)
Not everyone in the third world is going to get computers
Every computer is not going to get internet connected
Not everyone on the internet is going to be spamming
Also consider the fact how much can a single person spam. If the dude with the new cheap computer answers captchas for even 15 hours a day they would hardly generate over a 1000 spam messages which is likely to get the spammer one or two hits. Do you think the spammer is stupid enough to pay for this much profit?
I hope the spammer understands... (Score:3, Interesting)
Spam will never be stopped as long as the perceived gains > perceived risks. Unless there is a holocaust of stupid people, there will always be people dumb enough to buy from spam, so you're not going to solve this equation by reducing the left side. So raise the right side... Put $10 million into ten Swiss bank accounts. Then get the message out: First ten times a known major spammer is brutally murdered, the first party to provide evidence of their involvement gets the location of a buried bank account key.
I don't usually believe in violence to solve problems, but when you're dealing with people who've demonstrated that there is nothing so depraved they won't do it, and the alternative is governments regulating the 'Net... *shudder*...
Now, speaking seriously (okay, more seriously - hearing that Alan Ralsky got brutally tortured to death on the evening news would KICK ASS), as long as everyone with a brain is absolutely determined to not respond to any spam the problem will never be solved. Why? Because as long as that is true, the S-N ratio at the spammer's inbox will be favorable, because you can never block 100% of spam, and unless you DO, idiots will get it and will click it.
So, e-mail clients should be programmed to automatically respond to EVERY message they get (or at the very least, every message flagged as spam) with an ad-libbed "O rly? tell me more", unless the e-mail came from a known-good mailing list or contact. Result: If even 1% of recipients responded and didn't buy, the signal-to-noise ratio at the bastard's inbox plunges by a factor of a hundred. Everybody responds, and spam-friendly ISPs implode under a digital tsunami of replies. The SOB pumping out 100 million messages can't possibly sort out the 1000 buyers from the 99,999,000 fakes.
And for spammers who use links to their websites: Users submit suspect sites to open database of spammer sites. Sites are voted on; After 100 votes, if the guilty verdict > 90% the site it put in the "to DDOS" list for a client script to retrieve and wget entries from. Certain disreputable hackers, whom the database operators want nothing to do with, unfortunately rent botnets and install this client program on millions of hacked windows boxes. Would that be an immoral action? Yes. Spammers have all the moral restraint of Nazis, and they're winning the spam war - playing nice is no longer an option.
Unfortunately, it won't happen. MS, Google, Yahoo, and Firebird need to incorporate this into all their clients, along with whitelisting utilities, all at once - NGH. Because of the sheep mentality, no one will want to be the first to stand up. In short, like the decay of diamond into graphite, it's *should* happen but has far too high of an energy barrier to actually happen.
Okay, I'm ready - someone ^C^V that stupid checklist.
Re: (Score:2)
And I don't even have to pay anyon
Re: (Score:2)
When you've got 500 or 30,000 mailboxes to admin, and they're all getting 100k images every two minutes as we have in the last few weeks, server side filtering becomes prohibitively complex. It's a stopgap measure, but it's leading to a defensive arms race.
I'm starting to think there's a solution in an IP blacklist t
Follow the money (Score:4, Insightful)
Re: (Score:2)
They are the owners of the brand that gets pirated, but they have not asked the spammers to send the messages. They don't know more about who they are than you.
I think it is more promising to go after the stock spammers. It should be easy to find who is behind them.
Re: (Score:2)
Reality check time. Do you think the spammers are authorized distributors for Pfizer, that Pfizer deals with them and has some control over them? Or is it more likely the pills were stolen, or remanufactured with more filler and less active ingredient, if not outright fakes with no real medication at all? Are any watches sold via spam ever a genuine Rolex, not a cheesy Fauxlex? Spammers are unscrupulous, spam
Re: (Score:2)
Do you really think Pfizer is using the spam to get "brand recognition" of Viagra? It's just some third party that managed to get a lot of Viagra on the cheap and is using Pfizer's legitimate marketing to his advantage.
At the least, why would the more recent mails say e.g. "V1agra |_ev!tra (ialis"? It's not like they're all made by Pfizer.
Re: (Score:3, Interesting)
Hit the credit card companies. Hit them hard. It seems too easy to get a merchant account for online trading with no valid product to sell. The Rolexes etc are usually sold as fakes anyway. Rolex would love to close them down, same goes for Pfizer and V1agra. Heck I've even complained to a software vendor about pirated software being openly sold. Microsoft replied with a orm letter but I had a more meaningful response from Adobe, but I had directed the complaint via an onsite consultant who took this seriou
That's great! (Score:2)
Just business? (Score:5, Funny)
I'm currently hiring 3rd world citizens to kick spammers in the crotch.
To the spammers: it's nothing personal. You have to understand: it's just business.
Yaz.
It's not like captchas can't be beaten without (Score:2)
Solution: Offer a porn-page, where you can "unlock" a picture by filling in a captcha for you.
That captcha comes from a captcha-protected site, of course, and your user solves it for you to see his inspiration material.
I'd wager that would be even cheaper than paying $100 laptop users. I mean, people even pay money for porn, you'd probably have more people wanting to fill in captchas for you than your spam machine can handle.
root cause of spam .. (Score:2)
This is just stupid (Score:4, Interesting)
Come on!, Remember the usual "Don't teach the poor to read, that would make them a threat"? This all sounds as "don't give the poor any access to the internet, they could become a threat" . And for god's sake it is not like captchas are any difficult for just a program to beat.
I administrate a site with a vBulletin forum, and every once in a while a bot posts messages. Registration requires passing a captcha, in fact, I decided to just remove the captcha, it was seriously not helping stop the spam and was just making the registration harder FOR HUMANS.
BTW: I noticed that Russian bots are more likely to beat captchas.
Re:This is just stupid (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Spamming, does indeed make money.
The purchase of the product pushed in spam is not the method. Its the Spammer selling 20,000 page impressions to the hapless dumbass small business owner, or other crook.
Basically, the spammer gets paid to send the email, they have no preference or not if anyone actually buys anything as a result.