Turing Tests to Stop Spam
cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."
My spam filter in Yahoo catches way, way more than the one at Hotmail. It is always surprising to me when you open a new Hotmail account that it takes only like a week to be flooded with spam. A week of doing nothing with the account but initially opening it. *sigh*
That is why. All the spammers are targeting Hotmail. I hate the anti-MS bias. I use a filter on my Hotmail. It is an allow-only filter. Those are the best kind because I make the decision of who gets through to me.
For those who don't know, the CMU-developed captcha project is great. Check out their work here:
http://www.captcha.net/
Does Hotmail really think that I have friends named things like ilikeitinthebutt?
I've only had my Yahoo account since last year and my Hotmail account since 1997, so this may not be a fair comparison:
Yahoo spam today:
0
Hotmail spam today:
18
Which is doing a better job at stopping spam you say?
Saskboy's blog is good. 9 out of 10 dentists agree.
I would rather Yahoo stop spam from getting to my mail account before they concentrate on stopping people from signing up automatically. I'm one of the few people who actually pay for Yahoo "additional" services. I thought I would get better anti-spam support. Not so far. I literally have 10 to 20 an hour and I can't block any more because Yahoo only allows 100 addresses to be blocked. And considering the spammers are using 12374614187641874@optinmail.com along with other numerous addresses, it's impossible to block the majority of them. Hell, I would even be happy if they would start allowing people to block entire domains. That would be a good first step.
My sig of choice is Marlboro
I have SpamAssassin at my isp (Verio) and it kicks ass. Probably a false positive per week (and that's often a slashdot Daily Stories email), and a false negative every 3-4 days. Pretty damn good. Cut inbox crapola from 10-20 per day to, well, zero.
sulli
RTFJ.
MsgTo.Com disappeared some time ago during the .com "troubles".
When someone would send you mail, it would send back a link to a small image, in the image was a 'click here' dot, only a human (or some software that no spammer would take the time to write) can get their email into your mailbox.
Kind of offensive though, a lot of people took offence to clicking a link to send me email.
Hedley
"Completely automated public test to tell males and females apart".
.....
a/s/l?
"18f,Florida"
Do you mind if I ask you to take a quick Captmfa?
"Sure, go ahead"
Test completed. Result = 34m, Detroit.
Now if they could just come up with a Turing test for Slashdot repeats!
http://developers.slashdot.org/article.pl?sid=02/12/30/1740211&mode=thread&tid=111
Granted this is not a direct repeat but the articles are just different sources for the same story.
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
I recently had to create an e-mail address that I could use for posting to a mailing list where the addresses are all public. I tried Hotmail first, and although I passed part 1 of their Turing test, the captcha test, I think I failed part 2: once I was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891), I got some kind of mystifying error message saying something about my .NET account (which I don't have). I guess if I was human, I'd have been able to figure out what they meant.
Oh well, I passed Yahoo's captcha test, and they didn't have a part 2...
As a recipient of spam, I also don't see this having any beneficial effects. I get lots and lots of spam from hotmail.com and yahoo.com addresses. They're all forged headers, so it doesn't matter that Yahoo and Hotmail have botproofing -- the accounts I'm getting spam from aren't even real Yahoo and Hotmail accounts. It's great that they're trying to make sure they aren't spam havens (and of course it costs them money if spammers use their services), but I really think the whole e-mail infrastructure needs reworking in order to get rid of spam. Sending e-mail should cost some token amount of money, and there should also be some way of tossing out mail with forged headers (e.g., my mail client should be able to tell whether the cryptographic signature on an e-mail indicates that it really came from hotmail.com or yahoo.com).
Find free books.
It's time for my regular rant regarding PopFile and Bayesian excellence and how SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!
And now, back to our regular show.
It's Christmas everyday with BitTorrent.
click mail options:
go to
"Enter email address (or domain) to block:"
enter domain in text box, such as
whatever.com
click, add block
The Kruger Dunning explains most post on
Second, I would like to know if I have any legal recourse against unsolicited email hogging my bandwidth. Could I stockpile a year's worth and send the spammers a bill for the used bandwidth?
It's been tried. But don't wait a week to try to find them; they tend to, um, move a lot. A prosecutor I talked to said they needed three PI's and several months to corner one who started a new corporation every week.
Yes, it's possible, and has been done recently by some guys in CS at Berkeley. Breaking captchas had always been posed as an open challenge to the AI/image processing community.
NY Times article
Berkeley press release
Computer vision pages (w/papers)
Greg's page on breaking Gimpy
These Turing tests do not stop spam. They discourage spammers from using bogus Hotmail etc accounts to originate spam from. They do this by making it incrementally more expensive to create the accounts; rather than using a bot to create an account a second you have to use a human to create accounts by the minute. So 60 times the effort.
But I don't think that translates into 60 times the cost. The Turing tests are interesting but I don't think that the creation of the accounts ever was a bottleneck in the process in sending spam. You could get a high school kid to create all the accounts you would need for a month in about an hour, and pay him in pr0n.
If the truth were known, Hotmail and Yahoo are just trying to decrease server loads. I bet that when bots create accounts they create hundreds or thousands more than are used, which take up server resources during creation and later as the accounts eat up storage. With Turing tests it is more likely that not too many will be laying around waiting to be used.
=^..^= all your rodent are belong to us
It works with Outlook (not Outlook Express).
The coolest part is when you find an email that is spam, which it didn't catch (perhaps about 5% of the time), just click "Block" and it'll record that you blocked it on their servers, so anyone else receiving the same (or nearly similar, I think) email will have it blocked as well.
In other words, it's a community-driven spam blocker which works better the more people use it. And it already works very well.
I feel fantastic, and I'm still alive.
I see a lot of posts here comparing the relative merits of different spam filters, based on how little spam gets through. The thing I worry about a lot more with spam filters is how much of my non-spam mail gets blocked. And yes, I've had this happen with every spam filtering mechanism some sysadmin has inflicted on me. This is the main reason I like spam filtering at the user level, not the ISP or system level -- at least you have some control over the imperfections.
This idea means licensing them so that they are properly registered, meaning we know who they are and where they live.
Meaning that they can be billed for use of service, etc. and jail those not properly licensed.
Meaning that we can send bill collectors and tax collectors hunting after them.
The bottom line is that IF we can make it profitable to go after these guys, someone will make a business of it. We just got to figure a way how.
Then we get to use the scum of society, such as bill collectors and tax collectors, and turn them to some good, going after spammers.
And we can use the money collected to subsidise the cost of something useful.
Now Lessig has also proposed something similar to this:
http://www.cioinsight.com/article2/0,3959,533225,00.asp
Which essentially means that there are more eyeballs to track the scum down. And a financial reward to do so.
The twist in my proposal is to make spam have a cost even if sent "legally" - [lots of states have finance problems], and make the penalties truly painful if done illegally. I want to set my own fees for receiving spam
"It is a greater offense to steal men's labor, than their clothes"
Well, it's not, but you know...
Mozilla now comes with its own spam filter starting with 1.3Alpha. Anyone know how well it works? I haven't had a chance to try it.
Think this is off topic? Read the last line of the slashdot story and click the link, where you can take a "Free 30-Day Trial!!"
=)
Mail.app's filtering is fantastic. I only look at around one spam message every two weeks, and I've only had one false positive (which was advertising something, as it was) in the year and a half that I've been using it. The filter is probably too CPU intensive to use on any large scale, though.
Will I retire or break 10K?
Could be
Like what that Spam Jerky said, it's a business. What's going to keep someone from creating an extensive/ultimate filter list/software, and offer a safe loophole for other Spam Jerkies to get by for an X amount of dough?
I've watched the Spamarrest movie. Exactly the same system (you have to read a word, obscured to defeat OCR programs) is being used by one of the Polish mobile phone operators. If you want to send an SMS from the www->sms gate you also have to read a word. You can see it here.
:wq
The graphics basically don't work with OCR.
I wrote Yahoo about this problem just about a year ago, after
finding no explanation in their online help on about how
visually impaired users were supposed to use their service,
and this is what they had to say.
I kind of thought this sucked, that apparently the solution
is to wait for a human operator to read the feedback
form and phone you back. Surely someone can come up with
a better system.
=-=-=-=
Hello,
Thank you for writing to Yahoo! Account Services.
If you are a visually impaired or blind user, please fill out the
feedback form at:
http://add.yahoo.com/fast/help/us/edit/cgi_access
A customer care representative will call you back, to assist you with
registering for a Yahoo! account.
If we can be of further assistance, please let us know.
Thank you again for contacting Yahoo! Customer Care.
Regards,
Yahoo! Customer Care
For assistance with all Yahoo! services, please visit:
http://help.yahoo.com/
What do you get if you eliminate the human from the above? Why, a protocol link. Might as well require me to type in TCP/IP packets and consider me human if I make too many errors :-)
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
An "automated Turing test" is an oxymoron.
The Turing test is where a human talks to a computer and tries to decide if the backend that's answering him is a human or a computer program.
This is more of a reverse Turing test, where the computer asks questions to try and find out if it's interacting with a person or a program.
It would be possible to write a program to beat this system, but it would not qualify as having passed the Turing test, because it would have only fooled another computer program, not a real person. Of course maybe said program could go on to pass the Turing test.
Wouldn't it be weird if spam was the driving force behind the creation of the first real AI?
Skynet began learning at a geometric rate.......by 1800 hours every mailbox in the world was jammed with unfilterable spam.
Life is too short to proofread.
I was thinking that a technique that might help is to set up two accounts - something like a hotmail account in addition to your normal email account. One account is the valid one you use for whatever, the other address you don't give out to anyone you expect mail from.
Then, when you get mail at your "real" account that mail is examined to see if it matches any of the mail received at the "fake" account.
This is sort of like the digital camera technique of taking a "picture" of the CCD image with the shutter closed after a long exposure, to get an idea of what just the noise from the CCD looks like so it can be subtracted from the image data collected.
Of course, I'm not sure how well it would work in practice or if you'd really get the same spam very often in both accounts...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Is to make it a crime to send email from a bogus account. I'm thinking this crime would be called.. oh I dunno maybe fraud. If I have a real email address then I can request to be removed and am not, then it should be just like telemarketing and I could sue for $500.
As long as you spam me from a legitimate email address I can request that the ISP delete your account. If the ISP chooses not to do so, then I can block the whole damn domain guilt-free. If the ISP has a decent EULA they could sue their subscriber for breaking the terms of their agreement and use that money to pay their various postmasters to take care of spam complaints.
The project itself is pretty interesting, but something rubs me the wrong way about the term "automated Turing test". The Turing test is based on the idea that sentience cannot be defined in any simple mechanizable way.
Maybe it's just my cognitive science degree making me touchy, but I'd prefer the term "automated coherence filter" or something (even "automated intelligence test" would be an improvement).
lysergically yours
From my understanding, the use of image recognition in the captcha test would make it nearly impossible for blind people to pass the test.
6) Profit!
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
Turing test is a bit of an exaggeration. They have you look at some garbled text and type what you see. And it's been going on for a very long time.
The Register article had absolutely nothing of value to add. As you were.
Donate background CPU time to fight cancer.
1. Decide which hotmail/yahoo/whatever account you want to sign up.
2. Send most of the (fake) registration info until it sends you a "turing test" image.
3. Display the image in the next webhit on your popular porn site saying "to get free porn, type these characters"
4. Send whatever they type to hotmail/yahoo/whatever & complete your registration.
5. Profit?
Some people have already produced excellent results in breaking visual CAPTCHAs.
What are you wittering on about? MS doesn't sell addresses to spammers, it's against the privacy policy and EVEN MS wouldn't be stupid enough to break their OWN privacy policy. The short/dictionary names are simply being bruteforced - anyone doing mail admin on a decent sized domain sees the same thing all the time.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
I only use SpamAssassin to tag suspect emails. I have a filter rule in KMail that sends tagged mail directly to its Trash folder. A quick scan of the subjects and froms suffices to weed out the (rare) false positives. Note that I don't have to read the spam bodies to verify them and I've already been spared the trouble of weeding them from my legitimate mail.
Use a little imagination; it isn't necessary for a spam filter to immediately trash suspect mails. By default, all SpamAssassin does is TAG the emails in their subject lines and add a scoring report to the body. It suffices for me to have probable spams all collected together so that it is only one quick scan and a button click away from destruction.
Come to think of it, if my quick from/subject scan method doesn't suffice, that attached scoring report does. A mail with a score of 33 with a web bug is certainly bogus. I'll cheerfully trash that without reading the rest of the body and those reports can be quickly parsed as well. Not that I usually bother. Simply having your signal not interleaved with the probable noise is useful and SpamAssassin can certainly be trusted for that.
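The tag-then-review workflow described in the post above, as an added example that is not the poster's own filter rule. It reads the `X-Spam-Status` header that SpamAssassin adds (`score=` in current releases, `hits=` in older ones); the `certain` cut-off of 15.0, the function names and the sample messages are assumptions constructed for illustration, and the headers are assumed to come from your own filter rather than from the sender.

```python
import re
from email import message_from_string

# "Yes, score=33.0 required=5.0 ..." (older releases wrote hits= instead of score=)
STATUS_RE = re.compile(r"^(Yes|No),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I)

def spam_score(msg):
    """Return (tagged, score); (False, None) if the header is absent or malformed."""
    m = STATUS_RE.match(msg.get("X-Spam-Status", "").strip())
    if not m:
        return False, None
    return m.group(1).lower() == "yes", float(m.group(2))

def triage(raw_messages, certain=15.0):
    """Split mail into inbox, a review folder for a quick From/Subject scan, and discard."""
    inbox, review, discard = [], [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        tagged, score = spam_score(msg)
        summary = (msg.get("From", ""), msg.get("Subject", ""), score)
        if not tagged:
            inbox.append(summary)      # untagged or unparseable: never auto-trash
        elif score >= certain:
            discard.append(summary)    # far above threshold: not worth a look
        else:
            review.append(summary)     # borderline: false positives hide here
    review.sort(key=lambda s: s[2])    # lowest score first, most likely legitimate
    return inbox, review, discard

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: promo@example.net\nSubject: FREE!!!\n"
    "X-Spam-Status: Yes, score=33.0 required=5.0 tests=HTML_MESSAGE\n\nbody\n",
    "From: deals@example.net\nSubject: Act now\n"
    "X-Spam-Status: Yes, hits=7.2 required=5.0\n\nbody\n",
    "From: list@example.org\nSubject: Daily Stories\n"
    "X-Spam-Status: Yes, score=5.4 required=5.0\n\nbody\n",
    "From: friend@example.com\nSubject: lunch?\n"
    "X-Spam-Status: No, score=0.3 required=5.0\n\nbody\n",
    "From: admin@example.com\nSubject: untagged\n\nbody\n",
]

if __name__ == "__main__":
    for name, folder in zip(("inbox", "review", "discard"), triage(SAMPLES)):
        print(name, folder)
```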