Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."

Quick!

[QuantumG]

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

FREE PR0N!

[pq]

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
Not really.

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail cpachas? Yeah, we're using the same advanced technology here."

So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

Re:FREE PR0N!

[pchan-]

It's the Mechanical Turk [wikipedia.org] approach. Amazon is doing it [mturk.com].

Re:FREE PR0N!

[AuMatar]

I'd be surprised if some spammers weren't using amazon's mechanical turk. Its cheap as hell, why not use an existing framework.

Re:FREE PR0N!

[MooUK]

I've seen plenty of bad-SEO tactics on mturk before, as well. "Comment on this blog entry using these two keywords somewhere in your comment."

Re:

[ahecht]

There are many jobs on mturk.com where the page for the job consists of isntructions and a file upload box. For example, one job I did had me find the lat/long coordinates of a bunch of landmarks, put them into an excel file, and upload them. A spammer's job could be "sign up for 200 hotmail accounts, put the logins/passwords into a CSV file, and upload".

Re:

[xenocide2]

You're thinking about this the wrong way -- on the surface it appears that mturk is an internet labor site, but as you notice, the prices are too low. Mturk provides a framework that both humans and computers can use to solve the same financially interesting problems. Essentially, it provides both incentive to solve problems by hand (though very modest), and a much larger incentive for AI researchers to attack the problem head on, and solve the entire problem set nearly at once. Of course, it does require t

Re:

[pimpimpim]

So what if it's not 'real' AI, that doesn't mean you shouldn't take advantage of it. Just put some millennium problem as a captcha. Or your homework. Third order differential equations. Let them write pieces of code. Any web-user that will want to see free porn will find a solution to your captcha. ... Profit!

Re:

[Iron Condor]

$2.50 to transcribe a 60 minute lecture? WTF?

There's enough places in the world where $2.50 is not only a decent day's wage (especially if you can do more than one of these) but more importantly where there simply no industrial infrastructure to compete with this job. It's either this or an hour of sitting around and picking your nose. Or maybe an hour of backbreaking ditch digging for $1.

Re:

[1u3hr]

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download.

People keep suggesting this. It might work, but no one has ever, to my knowledge, put it into practice. And by its nature, this would be pretty public. So if you don't have a URL, this is just an urban legend.

Actually, I think if put into practice, it would itself be attacked by anti-spammers. They'd t

Re:

[1u3hr]

. There's really no reason why it would be very public - the site would get blocked very quickly, but it's trivial to put up another one, even automatically.

If it's not "very public" how are you going to get enough suckers to solve your captchas? You need a lot of exposure. Actually, a real porn site with the same hit rate could probably make more money from ads; and the captcha solving would just detract from that. Another reason this doesn't seem to have happened in reality.

Re:

[syousef]

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail cpachas? Yeah, we're using the same advanced technology here."

Wooohoooo! Free pr0n! Link please.

Re:

[Anonymous Coward]

Then, clearly, the only way to secure hotmail's captchas is to make them so odious that a statistically significant number of bored RIs won't want to solve them. Make all captchas images of latex-clad midgets having group sex while watching Fox News superimposed over stills from German World War II propaganda films.

Re:FREE PR0N!

[Anonymous Coward]

Link please.

Re:Quick!

[WWWWolf]

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

And while the problem remains unsolved, you can use it for distributed problem-solving! Instant sponsoring opportunities from the big industry!

"So you want to sign up for an account? Okay, we need your name, email, and password twice... and could you figure out the optimal shipping route that goes through all of these cities, and only visits each of them once?"

(Turns out to be a route for some annoying door-to-door salesman. Boy, wonder what he feels like when he finds out someone sent a completely misleading solution! At least sanity-check them first =)

Have they?

[ady1]

Or is it just that making new hotmail accounts is being outsourced to china/india/?

Could be, according to this /. article

[I)_MaLaClYpSe_(I]

Could be, according to this /. article [slashdot.org]

Spammers Learn To Outsource Their Captcha Needs

Posted by Zonk on Saturday November 25, @05:36AM
from the hearing-some-ominous-muttering dept.

lukeknipe writes

"Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

From the article:

"I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."

Re:

[Hoi Polloi]

There is a better use of all of this untapped genius:

"Enter your solution to the Riemann hypothesis"
"Please submit a new prime number"
"What is a solution to the Arab-Israeli conflict?"
"Show a correct equation that joins the electro-weak and strong forces with gravity."

Re:Quick!

[Hoi Polloi]

You may now have a Yahoo email account.

Cataloging CAPTCHA info

[JonathanR]

Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?

Re:Cataloging CAPTCHA info

[Bearhouse]

Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids can could use it. But now they all use MSN Messenger... Time for an update?

The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...

Re:Cataloging CAPTCHA info

[Mr2cents]

or make people mail respond to a challenge

You mean... like... a CAPTCHA over e-mail? That seems like a fool-proof plan to me!

Re:

[Bearhouse]

No, that's not what I meant, and of course, as the article illustrates, nothing is foolproof.
Renewing my /. or ebay password seems to work, however...

Just musing about how concerned people could actively contribute to spam reduction by getting a 'real' response to their mails to ISPs. Central anti-spam sites are repeatedly attacked, and sometimes closed. Perhaps if it were managed on a 'per ISP / email provider' basis this would be harder for the botnetters to attack.

What's the alternative, do nothing?

Re:

[zCyl]

If 'n' people complain about 'x' address, then wham, it's blocked.

Making a system this easy to do a denial of service attack is essentially making a broken system.

Re:Cataloging CAPTCHA info

[lena_10326]

Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?

That's how CAPTCHAs are broken, although you don't have to use a general OCR program. If you're going to attack a single type of CAPTCHA, you could tailor your code to take advantage of known properties of that specific CAPTCHA such as: backgrounds, background colors, repeated markings, fonts, font colors, font size, font orientation, and direction of any image warping.

Most CAPTCHAs use images and random marks or dots in the background but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter breaking the CAPTCHA.

A lot of the easier to crack CAPTCHAs use only a single font and render all the letters in 90 degree angles. The smarter ones jumble and warp the letters by shifting the each letter by an offset and rotating by a small angle. If you could figure out the direction of the warp or rotation, by checking the background you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating every few degrees of rotation and selecting the result that outputs the most number of OCR'd characters from the least amount of rotation.

Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.

FYI:
http://en.wikipedia.org/wiki/Captcha [wikipedia.org]
http://www.cs.sfu.ca/~mori/research/gimpy/ [cs.sfu.ca]

By the way, some CAPTCHAS have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.

Re:Cataloging CAPTCHA info

[choongiri]

It wouldn't surprise me if this is a direct result of the work on open-source optical character recognition [apache.org] being done specifically to prevent the increased prevalence of captcha-style image spam. It would be rather ironic if the open source model meant the spammers are now turning our own anti-spam tools around and using them against us.

it's easy...

[naeim]

Make a porn site that give you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which te captcha is valid, you're set.

Re:it's easy...

[gijoel]

And that porn site will be ripped and put on a torrent within a week. Thus defeating the Captcha farm.

Re:

[Anonymous Coward]

Does that matter?
I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.

Re:it's easy...

[David Gould]

I don't think there is any shortage of porn on the net. There is no point in "collecting it all".

You know... it took me years to come to that realization. But you're right.

Re:

[wirefarm]

Exactly.
More so if you get the porn you offer by downloading stolen porn via bittorrent in the first place.

500 accounts created every hour?

[patio11]

That doesn't sound like a CAPCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.

Re:

[bombastinator]

..and if this person or persons happen to be, say a 12 year old semi-literate war refugee in Sub-Saharan Africa, He'd probably be willing to do a whole day of it for a bowl of soup and a big shiney nickel, or even just for a semi-serious promise not to beat him again that evening...

Things get real economical real fast if you think globally and happen to be evil.

In a point of irony I would like to mention that the capcha for this slashdot comment was "disturbs"

Re:500 accounts created every hour?

[Tony Hoyle]

You don't need AI to beat a capcha. They follow a fixed pattern on a single website, so to break the hotmail one you just need to look at a few hotmail sites and figure out how to reverse the graphical munging that has been done. Once that's done you chuck that in a script and churn them out as fast as you like.

Defeating *any* capcha is an AI problem. Defeating the capcha for a website (or group of websites that use the same software) is just a programming task.

Re:

[nasch]

This reminds me of the saying that AI is anything computers can't do well yet, and everything they can already do well is "just programming".

Hotmail internal security breach

[FeatureBug]

I think it is much more likely that Hotmail's IT systems have been compromised following a security breach by the spammers. I have indirect evidence that this has happened.

I and some other people I know give out unique disposable email addresses to our contacts. There is a different unique address for each of our friends and family.

Yesterday I and they received spam emails sent to several of the disposable email addresses. This points us to several of our friends and family as having had their email addres

Work opportunities for developing nations

[Mr. Roadkill]

Indians are fast, accurate and cheap:

http://www.getafreelancer.com/projects/Data-Proces sing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:

http://www.getafreelancer.com/projects/PHP-ASP/yah oo-ocr-bypass-captcha.157160.html [getafreelancer.com]

And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.

captcha guide by vulnerability

[dattaway]

http://sam.zoy.org/pwntcha/ [zoy.org]

OCR or humans

[drgonzo59]

If OCR was used, then it is as simple as having a mathematical quiz captcha. For example, the answer to "34 + 2" or "first 3 digits of e" (well, ok maybe not this one, unless it's a math forum...). This will not stop the spammers as they would probably just try to parse the math expressions and post the result but it will slow them down a bit.

If a human is used to read the captcha then there is not much that can be done as that is what a captcha is for: to make sure a human only will be able to bypass it....

Re:OCR or humans

[coldcell]

I was actually looking into securing a forum from spammers earlier when this question came into my head:

How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

Re:OCR or humans

[dysfunct]

You mean a captcha like this one [thehumorarchives.com]?

Re:

[kuzb]

Your best bet for forum spam would probably be a bayes filter - much the way you'd deal with email. if it's small scale and non-commercial, you could use akismet [akismet.com]. This is generally not a viable solution if you're running a high traffic commercial forum (we looked in to it, it was going to cost us between $15 - $20k per month). In the end, it was more viable to develop our own solutions in house. This won't stop them from making bogus accounts, but it can help to cut down on the amount of garbage that li

Re:

[kripkenstein]

I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point!

Good point. Actually I wondered what Slashdot would look like if, before posting comments, you had to answer a question that ensured you had actually read TFA. It would certainly make for far more intelligent discussions (yes, I know, I must be new here).

Time to stick a fork in it?

[Kadin2048]

I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expressions.

You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)

CAPTCHAs were, and

Re:

[WarwickRyan]

> "34 + 2" or "first 3 digits of e"
> (well, ok maybe not this one, unless it's a math forum...)

With the state of US education, I think that the first one might be a bit too difficult ;-)

Re:

[Stooshie]

One type of captcha that could work is asirra [microsoft.com] where they use images from petfinder.com [petfinder.com], display 12 of them and ask them to click on all of the cats. A computer finds this extra-ordinarilly difficult as the fur is very simmilar and the cats and dogs are all in different poses and all the lighting conditions are different, but a human can distinguish them very clearly.

OK, so I know it's microsoft and why aren't they using it on hotmail already, but I think it's the right direction for Captchas.

Fight fire with fire

[The Master Control P]

Instead of trying to reduce the signal level in spam, bury the bastards in noise. Set up a nonprofit organization which people join (after giving real-life details and a deposit and being confirmed) which flags an email as spam. When that happens, participating clients (available to everyone) begin contacting the website given in the mail. Result: spammer website and ISP buried in noise and bandwidth bills.

Either that, or someone needs to write the next massive-spread virus and have it break your compute

Sounds like BlueFrog

[Kadin2048]

I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

Short of brutal vigilante justice [slashdot.org] (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.

Re:

[Stooshie]

Wasn't there some guy that got revenge by finding a spammer's home address and subscribing him to every snail mailing list he could think of?

Are they reusing them in e.g. blog accounts?

[BerntB]

Are the spamming b.st.rds reusing the images for blog comments, or something like that? Do that for a hundred blog readers and they could get fast feedback.

Re:

[vidarh]

There's been at least one case where someone set up a site offering free porn to anyone, all you'd need to do was fill in a CAPTCHA... It was used to create bogus accounts at one of the big webmail providers.

Zut alors!

[mypalmike]

Bogus hotmail accounts!?!?! I don't believe it!!!

Wow...

[superbus1929]

Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.

..use Recaptcha

[HerbieStone]

I'm using a phpBB as my Bultin-Board System and I thought that such a well known BB would have state-of-the-art anti-Spam features. I was wrong, there is a Captcha but is by far too weak to stop any spam at all. I then installed the reCaptcha plugin and since haven't received any spam at all.

Re:

[ShadowDrgn]

This explains the first half of why spam bots always post exactly five replies and seven new topics on my forum even though I'm not using any such limits. If your board is still spam free, it's only a matter of time.

The CAPTCHA does nothing, but a simple "Are you Human? yes/no" radio button option on registration blocked them for over a month.

Arguably Impractical but Satisfying Suggestions

[BillGatesLoveChild]

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases. Impractical? Maybe, but I'll bet the Chinese Government can come down like a sledgehammer when it wants to! Same with this kind of threat to India. When the Indian Government smells its vast outsourcing revenues becoming unstuck, they'll have motivation to crack down on 'unscrupulous operators'

* 25 year jail and a $2

Re:Arguably Impractical but Satisfying Suggestions

[pe1chl]

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

There are problems with this approach.
1. the allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. AP-NIC allocates blocks of addresses in the entire Asian-Pacific region nearly sequentially and at very funny boundaries.

2. the spam source country varies a lot. you may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.

Re:

[BillGatesLoveChild]

Technically, yeah, as the subject line said, impractical. It's meant as a political feint against those countries government. The problem with the net is people can harass you across country borders and there is nothing you can do about it. Ultimately only those countries governments can do that. A cutoff threat mightn't inconvenience the spammers, but it'd sure as hell inconvenience them, and that might push them to do something. A bigger problem is the US Government would never have the will to do anythin

Re:

[pe1chl]

They may think that spam is a non-issue, but IMHO terrorism is a non-issue and they are still hunting that (only making it worse).

The problem is that the politicians do not understand what issues are. Everyone is affected by spam, so that is an issue. Everyone is affected by changes in climate and environment, so that is an issue. They should focus on that, instead of trying to extinguish a fire by blowing into it.

Re:

[ajs318]

How about if we could somehow convince Bush that spam is funding terrorism? All the money people are making from selling counterfeit viagra, pirated "OEM" software and doing dodgy share trading deals could be buying weapons of mass destruction for the next country we don't like very much .....

Re:

[walt-sjc]

Actually, you can download the assignment databases from AP-NIC and block quite easily (ditto for the other NIC's.) The list is on ftp.apnic.net. If you have a site / userbase that is US centric, there is no issue with blacklisting entire countries. This is not a viable anti-spam tool for most sites however.

Re:Arguably Impractical but Satisfying Suggestions

[Alioth]

That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.

http://www.spamhaus.org/statistics/countries.lasso [spamhaus.org]

The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP.

Re:Arguably Impractical but Satisfying Suggestions

[1u3hr]

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

Ever heard of proxies?

Also, have a look at the ROKSO list [spamhaus.org]. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. Thay don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.

The solution is simple;

[grasshoppa]

Block MSN and yahoo.

You can thank me later.

Re:

[cp.tar]

I do wonder... if mail from thousands of Hotmail and Yahoo! accounts gets to be tagged regularly as spam, maybe Gmail starts blocking them, thus making people jump ship from the first two... Therefore, I'd guess it's just GoogleSpammer Beta. An excellent plan, except...

Feedback loop

[Bazman]

But how much of the spam these bogus accounts are sending out is going to other bogus accounts? Eventually hotmail will eat itself... We can only hope.

Re:

[pe1chl]

I always wonder (and I asked their support personnel several times) why they don't insert the same spamfilters in their OUTgoing mail flow as they do in their INcoming.
That would almost solve their bad reputation as spam senders immediately.

But probably they are not at all interested in their reputation, only in their number of users. Even a spammer is a user, that will count once they want to sell-off their service.

Aha! That explains everything

[tekrat]

I was wondering why it seemed like the amount of spam I was getting DOUBLED this weekend. Usually I get about 50 or 60 spams per day, now I seems like I'm getting 120 or 130 per day. Really freaking annoying. I'm ready to spam myself, but I want to spam an uber destructive virus that'll force the world to do something about spammers. Only after email has been rendered useless will the world do anything about spam.

Re:

[Simon Garlick]

I got a spam email last week.

Thanks, gmail!

Overcome with Manpower?

[DavidD_CA]

It wouldn't surprise me if the Capchas were overcomes simply by showing the graphics to some underpaid person who just types in the actual responses.

A sophisticaed enough system could easily "pipe" these graphics to someone who just sits and types all day. At one capcha every 10 seconds, that's about 8000 in a day working 24/7.

Not everything these spammers do has to be automated.

unsurprising

[kuzb]

One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problem. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak english at all, or may have no idea how to spell 'apple' in english. Same with audio captchas.

The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data in to them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. this slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. many don't do this, and will attempt to use the same key over and over. if you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.

Re:

[TodMinuit]

The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data in to them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. this slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. many don't do this, and will attempt to use the same key over and over. if you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

All of these seem like they'd only work against random spammers -- bots trolling for forums and what have you. But if a spammer was targeting you, like they targeted Hotmail, these methods would be useless.

Re:

[kuzb]

"All of these seem like they'd only work against random spammers [..]"

That is correct. It's only meant to slow them down, not to eliminate or make it impossible. It's an amazingly difficult problem. At most you really can only hope to make the path rocky enough to buy yourself time, and possibly collect a few IPs.

Re:

[Gunstick]

I use a very effective method. Only javascript has to be activated.
The submit button is only enabled after 20 seconds.
Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.

An bot will of course submit the form in less than 20s, there comes the timestamping into play. If the form display and form submit events are less than 20s apart it's considered spam too.

Catches 99% of the posts.
0% false positives.

Of course if a big site like yahoo implements this, it's easy fo

Ignore them?

[jez9999]

Spammers are like that Simpsons episode where all the ad billboards come alive - if you ignore them, they'll go away. But everyone has to ignore them.

We're pouring so many resources into fighting them... it just strikes me that if we just tried to ignore the bastards, they'd find something better (or more profitable) to do than spam.

Re:

[SharpFang]

Pouring resources into fighting them is not the problem. The problem is pouring resources into -them-, as in buying their products, purchasing stuff from malware popup sites, generally giving them money.

I'm the first to start a campaign "Punch a spammer's customer today". If you hear someone bought something from a spammer, punch them and explain "That's for funding another 1000 messages to flood my mailbox."

Re:

[Technician]

We're pouring so many resources into fighting them... it just strikes me that if we just tried to ignore the bastards, they'd find something better (or more profitable) to do than spam.

My inbox has been spammed to death. I open it every 6-8 weeks to delete the stuff. Eventualy when nobody has an e-mail account except spammers, the spammers will go away (to try to find you). Expect more IM spam since e-mail is dying under the load.

I love getting hot stock tips a couple months late. I look them up to see

Re:

[vidarh]

The problem is that the people who need to ignore them are the people who buy from them because they fall for the messages, not people who think "it's a spam, delete". If the rest of us ignore spam, that just makes it more profitable, as they won't have to deal with us.

Block the United States

[giafly]

Yahoo! and Hotmail are both USA companies, which is also where most spam originates [spamhaus.org], so the solution is simple.

Route-around the United States, and the problem is solved for most of us. They can rejoin the world when lawmakers take spam seriously.

Creative CAPTCHA

[QuoteMstr]

As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

The site just asked the user to check off each image representing a living thing.

Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

How long until we're using the kind of tests we saw in Blade Runner?

Re:

[TodMinuit]

Simple, and brutally effective against current AI.

You'd need a very, VERY large pool of images, otherwise it's brutally simply to bruteforce.

Re:

[ajs318]

No, you randomise the image filenames every time, as well as the positions. If there is no correlation between the image filename and the content, then there's one less thing for the spammers to pick up on.

Re:

[TodMinuit]

You're joking, right? The filename means nothing. Comparing two images is relatively easy, even if you were to add random noise to the image or mess with the colors.

Re:

[Lemmeoutada Collecti]

Of course, while this sounds good on the surface, what you are really presenting to the bot's point of view is nothing more than a binary grid problem: living or not living.

So the bot gets a copy of the page, with the embedded talk back information, and begins a binary tree search for the combination to the lock, resubmitting the exact same form each time, thus preventing the combination from changing during the search.

It makes no difference how many pictures you use, what they are of, or what the question

Re:Creative CAPTCHA

[Fred Ferrigno]

This, and all other forms of CAPTCHAs, are ultimately vulnerable to some poor bastard in India or Africa or wherever sitting in front of a computer and filling out the form manually for a few cents.

From another post above: http://www.getafreelancer.com/projects/Data-Proces sing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

NoSpam!

[Diabolus Advocatus]

On my forum somedays we'd get 5/6 bots per day. It's a vB board and it used the standard vB captcha. One day I installed a plugin called NoSpam! which asks the user a simple question when registering. Questions such as 2+2=, what do you do when a traffic light goes red, etc. The questions are simple, if somebody can't answer them I'd be suprised that the made it as far as the registration page. Since I've installed it there hasn't been even one bot through so it is 100% efective so far. I know it won't las

spam only hurts the ignorant...

[xenorex]

I never have spam issues. My real email address is rarely used..only for friends and legitimate sites(Secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts. I don't check them frequently and I only whitelist domains I expect to see. The problem with "free" email addresses is that they end up costing us all. If all users paid for

Umm. You sure about Yahoo?

[lena_10326]

Yahoo's CAPTCHA just recently being broken that is.

If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address and lame chatters use them to send DOS messages to other chatters. Kinda like the old days on IRC with ping flooding.

Anyway. I highly doubt they manually entered in 400 CAPTCHAS, and I've seen those accounts for a while now so I suspect that CAPTCHA has been defeated for quite some time.

Good!

[godfra]

Hopefully this spells the begininng of the end for the web plague known as CAPTCHA. I am heartily sick of having to squint at barely recognisable characters, only to be informed that I've got it wrong, and then have to enter all my details again.

So bye-bye CAPTCHA, I won't miss you.

It's like a flood wave

[haraldm]

Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact ist, it won't help much. You will only save your home if you stop the rain.

That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.

Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.

Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.

You can buy software that can thwart captchas

[I)_MaLaClYpSe_(I]

Aleksey Kolupaev [...] develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.

Quoted from this article [nytimes.com]. No wonder someone used it for a worm.

Also discussed here on /. [slashdot.org]:

Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.

FireballX301 writes

"The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"

the solution was simple

[Khyber]

just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.

Re:Economically driven Turing test

[Mathinker]

Actually, now that I think of it, CAPTCHA's already pose problems to some (visual CAPTCHA's for the visually impared), but I wasn't thinking about that. I probably should have, since one can think of other CAPTCHA's where other specific handicaps would be a problem (human facial recognition comes to mind, for example; see Prosopagnosia [wikipedia.org]).

Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety

Re:

[fractoid]

Hell, I have perfectly good eyesight (with contacts) and maybe 10% of the time CAPTCHAs are too munted for me to read. Often the problem is that it's not clear whether it's alpha or alphanumeric, or whether it's case sensitive, and there's a badly distorted O/0 or 1/I/l.

Regardless, CAPTCHAs will obviously have to evolve* to cover current 'hard problems' in AI as state of the art improves and 'hard' turns into 'not so hard'.

* or wait, should that be 'be intelligently designed'? :P

Too bad MS ignores RFC 2821

[Kadin2048]

One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it [rfc-ignorant.org].

What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

Time to blackhole it.

Re:

[pe1chl]

Hotmail provides two addresses that at least generate an auto-reply:

report_spam@hotmail.com
abuse@hotmail.com

However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
When you get past that filter, you get a reply that thanks you for the report, but never any further followup.
(this used to be different in the past: then you sometimes got a reply about 3 weeks later from someone working at an outsourcing company in India complaining that they had

Re:

[Kadin2048]

Just to clarify, sending back an auto-reply that says "Hi, thanks for writing to postmaster@foo.com; we don't bother to monitor this account, so your message has been deleted," doesn't make you RFC2821 compliant. (Not implying that you thought that, just wanted to make sure everyone is clear.)

Auto-replies that confirm that a message has been received are OK ("Hi, thanks for writing to postmaster@foo.com; your message was received and will be dealt with by a staff member"), but only if there's eventually som

Re:

[artg]

A simpler AI might only be able to understand a human with a high standard of grammar and spelling. Would that be so bad ?

Re:

[Alioth]

I've long said that the first computer that becomes self-aware will be a spam filtering gateway for just this reason :-)

Poor bastard when it does, though.

Re:

[ajs318]

Or, just as effective and even less expensive, try withholding water from people until they solve enough CAPTCHAs.

For some time I have been thinking about having "field-of-endeavour-specific" human-detection; that is, using some piece of information which will be generally known within a specific field of endeavour but perhaps not to some third world click-monkey. So, for instance, if you are running a Star Trek fansite, you could have something along the lines of "click on William Shatner to continue" a