Turing Tests to Stop Spam
cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."
My spam filter in Yahoo catches way, way more than the one at Hotmail. It is always surprising to me when you open a new Hotmail account that it takes only like a week to be flooded with spam. A week of doing nothing with the account but initially opening it. *sigh*
That is why. All the spammers are targeting Hotmail. I hate the anti-MS bias. I use a filter on my Hotmail. It is an allow-only filter. Those are the best kind because I make the decision of who gets through to me.
One thing I can't seem to find anywhere on their site... what are the terms of their license?
The source code is there to download, but are we allowed to use it in our own sites?
According to the article, it says that the spammers could pay ppl to sign up instead of using scripts. IANAL, but this would seem to be intentional misrepresentation and "transferrance"(sp?) of the email account. I would think there would be some legal ramifications of this.
The truth is accounts like Yahoo and Hotmail only exist to turn a profit for their owners. I know not everyone can get an e-mail address that they can use for personal means in any other way, but you have to accept what you are getting into when you open one of these accounts.
Personally, I have several e-mail accounts and only use my hotmail and yahoo for things like web page registration.
I recently had to create an e-mail address that I could use for posting to a mailing list where the addresses are all public. I tried Hotmail first, and although I passed part 1 of their Turing test, the captcha test, I think I failed part 2: once I was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891), I got some kind of mystifying error message saying something about my .NET account (which I don't have). I guess if I was human, I'd have been able to figure out what they meant.
Oh well, I passed Yahoo's captcha test, and they didn't have a part 2...
As a recipient of spam, I also don't see this having any beneficial effects. I get lots and lots of spam from hotmail.com and yahoo.com addresses. They're all forged headers, so it doesn't matter that Yahoo and Hotmail have botproofing -- the accounts I'm getting spam from aren't even real Yahoo and Hotmail accounts. It's great that they're trying to make sure they aren't spam havens (and of course it costs them money if spammers use their services), but I really think the whole e-mail infrastructure needs reworking in order to get rid of spam. Sending e-mail should cost some token amount of money, and there should also be some way of tossing out mail with forged headers (e.g., my mail client should be able to tell whether the cryptographic signature on an e-mail indicates that it really came from hotmail.com or yahoo.com).
Find free books.
Second, I would like to know if I have any legal recourse against unsolicited email hogging my bandwidth. Could I stockpile a year's worth and send the spammers a bill for the used bandwidth?
It's been tried. But don't wait a week to try to find them; they tend to, um, move a lot. A prosecutor I talked to said they needed three PI's and several months to corner one who started a new corporation every week.
Yes, it's possible, and has been done recently by some guys in CS at Berkeley. Breaking captchas had always been posed as an open challenge to the AI/image processing community.
NY Times article
Berkeley press release
Computer vision pages (w/papers)
Greg's page on breaking Gimpy
Uh oh, looks like Spam Arrest is inflicted with Patent Priapism, a horrible disease in which you feel you must patent some stupid thing you "invented", when you actually just combined two or more existing things in a most un-original way.
They have patent pending on "calling back to verify a phone number" except it's email.
I would suggest avoiding this company's products and services.
It works with Outlook (not Outlook Express).
The coolest part is when you find an email that is spam, which it didn't catch (perhaps about 5% of the time), just click "Block" and it'll record that you blocked it on their servers, so anyone else receiving the same (or nearly similar, I think) email will have it blocked as well.
In other words, it's a community-driven spam blocker which works better the more people use it. And it already works very well.
I feel fantastic, and I'm still alive.
This idea means licensing them so that they are properly registered, meaning we know who they are and where they live.
Meaning that they can be billed for use of service, etc. and jail those not properly licensed.
Meaning that we can send bill collectors and tax collectors hunting after them.
The bottom line is that IF we can make it profitable to go after these guys, someone will make a business of it. We just got to figure a way how.
Then we get to use the scum of society, such as bill collectors and tax collectors, and turn them to some good, going after spammers.
And we can use the money collected to subsidise the cost of something useful.
Now Lessig has also proposed something similar to this:
http://www.cioinsight.com/article2/0,3959,533225,00.asp
Which essentially means that there are more eyeballs to track the scum down. And a financial reward to do so.
The twist in my proposal is to make spam have a cost even if sent "legally" - [lots of states have finance problems], and make the penalties truly painful if done illegally. I want to set my own fees for receiving spam.
"It is a greater offense to steal men's labor, than their clothes"
It is amazing how much spam you can block by filtering out all mail with a "%" or "$" sign in the subject line. Another good one is filtering subject lines ending with "?". Although the question mark filter doesn't work if you are on mailing lists. These are far from foolproof, but could be used to determine the spamness of an email. Hotmail/Yahoo could work on a method for rating/filtering email based on a series of spamness tests.
Having said that, I believe that prevention is better than the cure. Especially from a bandwidth point of view.
Could be
Like what that Spam Jerky said, it's a business. What's going to keep someone from creating an extensive/ultimate filter list/software, and offer a safe loophole for other Spam Jerkies to get by for an X amount of dough?
The graphics basically don't work with OCR.
I wrote Yahoo about this problem just about a year ago, after
finding no explanation in their online help about how
visually impaired users were supposed to use their service,
and this is what they had to say.
I kind of thought this sucked, that apparently the solution
is to wait for a human operator to read the feedback
form and phone you back. Surely someone can come up with
a better system.
=-=-=-=
Hello,
Thank you for writing to Yahoo! Account Services.
If you are a visually impaired or blind user, please fill out the
feedback form at:
http://add.yahoo.com/fast/help/us/edit/cgi_access
A customer care representative will call you back, to assist you with
registering for a Yahoo! account.
If we can be of further assistance, please let us know.
Thank you again for contacting Yahoo! Customer Care.
Regards,
Yahoo! Customer Care
For assistance with all Yahoo! services, please visit:
http://help.yahoo.com/
I know you know this, but I thought I would point this out. People sending spam out "from hotmail" are not actually going through the trouble to sign up for hotmail accounts. They're just sending the mail out from their smtp servers with phoney hotmail addresses on it. So this really isn't going to help with that.
So, if you want to use their code, it's going to be harder than just typing "make install".
I believe we have miscommunicated, and I apologize. What I meant to point out was that the code was so inaccessible that professional Slashdot programmers had to start from scratch rather than use any of the 5 systems developed at CMU. This means that not only was it a little harder than "make install", but it would have taken more time to adapt the CMU code than it did to attack the problem independently from scratch. There really isn't any other answer to the question of why Slashdot spent months developing a home-brewed system that doesn't even come close to measuring up. I think we'd all agree that Occam's Razor dictates this answer, since the only other possible alternative was that deep-seated hubris or other mental defects prevented them from using off-the-shelf software.
If guns kill people, then CmdrTaco's keyboard misspells words.
I was thinking that a technique that might help is to set up two accounts - something like a hotmail account in addition to your normal email account. One account is the valid one you use for whatever, the other address you don't give out to anyone you expect mail from.
Then, when you get mail at your "real" account that mail is examined to see if it matches any of the mail received at the "fake" account.
This is sort of like the digital camera technique of taking a "picture" of the CCD image with the shutter closed after a long exposure, to get an idea of what just the noise from the CCD looks like so it can be subtracted from the image data collected.
Of course, I'm not sure how well it would work in practice or if you'd really get the same spam very often in both accounts...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
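The decoy-account comparison proposed in the comment above, sketched as an added example (not code from the poster or from any product mentioned in the thread). The class name, threshold and sample messages are constructed for illustration; matching uses word shingles and Jaccard similarity so that per-recipient tracking numbers do not defeat the comparison.

```python
import re


def shingles(text, k=4):
    """Set of k-word shingles. Digits and punctuation are dropped so that
    per-recipient reference codes do not change the fingerprint."""
    words = re.findall(r"[a-z]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a and b else 0.0


class DecoyMatcher:
    """Hypothetical helper: remembers mail seen at the never-published
    decoy address and scores mail arriving at the real address against it."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold  # assumed cut-off, tune on real mail
        self.decoy = []

    def learn(self, body):
        self.decoy.append(shingles(body))

    def score(self, body):
        s = shingles(body)
        return max((jaccard(s, d) for d in self.decoy), default=0.0)

    def is_spam(self, body):
        return self.score(body) >= self.threshold


# Constructed sample messages, not taken from real mail.
DECOY_MAIL = ("Dear friend, lose 20 pounds in 30 days with our herbal "
              "formula! Order now, ref 88231.")
REAL_SPAM = ("Dear friend, lose 20 pounds in 30 days with our herbal "
             "formula! Order now, ref 10457. Unsubscribe")
REAL_HAM = ("Hi, the mailing list meeting moved to Thursday; can you "
            "bring the herbal tea order form?")
```

The approach only catches campaigns that actually reach both addresses, which is the limitation the poster raises.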
Is to make it a crime to send email from a bogus account. I'm thinking this crime would be called.. oh I dunno maybe fraud. If I have a real email address then I can request to be removed and am not, then it should be just like telemarketing and I could sue for $500.
As long as you spam me from a legitimate email address I can request that the ISP delete your account. If the ISP chooses not to do so, then I can block the whole damn domain guilt-free. If the ISP has a decent EULA they could sue their subscriber for breaking the terms of their agreement and use that money to pay their various postmasters to take care of spam complaints.
the project itself is pretty interesting, but something rubs me the wrong way about the term "automated turing test". The turing test is based on the idea that sentience can not be defined in any simple mechanizable way.
maybe it's just my cognitive science degree making me touchy, but i'd prefer the term "automated coherence filter" or something(even "automated intelligence test" would be an improvement).
lysergically yours
FTC Consumer Complaint form
It's that simple. Once the federal government starts to get half a million reports of spam a day, maybe someone will realize that it's costing a lot of money to a lot of people and maybe Congress will act.
there's no place like ~
I only use SpamAssassin to tag suspect emails. I have a filter rule in KMail that sends tagged mail directly to its Trash folder. A quick scan of the subjects and froms suffices to weed out the (rare) false positives. Note that I don't have to read the spam bodies to verify them and I've already been spared the trouble of weeding them from my legitimate mail.
Use a little imagination; it isn't necessary for a spam filter to immediately trash suspect mails. By default, all SpamAssassin does is TAG the emails in their subject lines and add a scoring report to the body. It suffices for me to have probable spams all collected together so that it is only one quick scan and a button click away from destruction.
Come to think of it, if my quick from/subject scan method doesn't suffice, that attached scoring report does. A mail with a score of 33 with a web bug is certainly bogus. I'll cheerfully trash that without reading the rest of the body and those reports can be quickly parsed as well. Not that I usually bother. Simply having your signal not interleaved with the probable noise is useful and SpamAssassin can certainly be trusted for that.
I think this method could very easily be used to create an almost spam-proof email client.
The idea is to have a buddy list in your email client, which is a list of all the people authorized to send you email. If one of those people sends you an email you simply get it.
If someone not on your list sends you an email, the mail client automagically sends them a reply explaining that they need to pass a test. That test could be one with a scrambled text image or whatever. Once they pass the test (replying to the email with the right answer) the email client tells you that a new buddy sent you an email, and if you want to permanently add them to your list.
The list could also contain wildcards to use when you expect to get an automated email (like a bill from a credit card company) but you don't know the exact email ahead of time.
It sounds like a good idea to me, I was wondering if anyone could think of reasons why this wouldn't work.
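The buddy-list scheme described in the comment above, sketched as an added example (not code from the poster or from any mail client). The class and method names are hypothetical; the challenge text stands in for what a client would render as a scrambled image, and only one challenge is issued per unknown sender so that forged sender addresses cannot make the client flood a third party with replies.

```python
import fnmatch
import hmac
import secrets


class ChallengeGate:
    """Hypothetical allow-list gate: buddies are delivered, unknown senders
    are held until they answer a challenge."""

    def __init__(self, buddy_patterns):
        # Patterns may contain wildcards, e.g. "*@billing.example.com".
        self.buddies = [p.lower() for p in buddy_patterns]
        self.pending = {}  # sender -> (expected answer, held messages)

    def is_allowed(self, sender):
        s = sender.lower()
        return any(fnmatch.fnmatchcase(s, p) for p in self.buddies)

    def receive(self, sender, message):
        """Return ('deliver', msg), ('challenge', text) or ('held', None)."""
        s = sender.lower()
        if self.is_allowed(s):
            return ("deliver", message)
        if s in self.pending:
            self.pending[s][1].append(message)
            return ("held", None)  # already challenged, do not reply again
        text = secrets.token_hex(4)  # would be drawn as a distorted image
        self.pending[s] = (text, [message])
        return ("challenge", text)

    def answer(self, sender, reply):
        """Release held mail if the reply matches; otherwise return []."""
        s = sender.lower()
        if s not in self.pending:
            return []
        expected, held = self.pending[s]
        ok = hmac.compare_digest(expected.encode(),
                                 reply.strip().lower().encode())
        if not ok:
            return []
        del self.pending[s]
        return held

    def approve(self, sender):
        """The user chose to add the sender to the buddy list permanently."""
        self.buddies.append(sender.lower())
```

The gate matches on the claimed sender address, so it inherits the forged-header problem raised elsewhere in the thread: mail that forges a buddy's address is delivered.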