Turing Tests to Stop Spam

cexy writes "The Register has a story about how Hotmail and Yahoo! are using Carnegie Mellon developed captcha technology (completely automated public Turing tests to tell computers and humans apart) to stop spammers from automating signups for accounts from which they can send spam. These guys are using captcha too, but to stop incoming spam."

CAPTCHA project

[nekdut]

For those who dont know, The CMU developed captcha project is great. Check out their work here:

http://www.captcha.net/

Re:CAPTCHA project

[Anonymous+Hack]

Coming up in version 2.0:

CAPTCHA: Hello. I am CAPTCHA. How can i help you?

SPAMMER: /\ \(.*\)@\(.*\)\ /

C: Please go on.

S: I would like your email address.

C: Can you elaborate on that?

S: I'm planning to spam you.

C: Does it please you to believe I am planning to spam i?

S: What the fuck?

C: Does that question interest you?

S: ARGH!

C: Please go on.

Re:CAPTCHA project

[js7a]

what are the terms of their license?

First of all, the largest sole source of CAPTCHA funding is the National Science Foundation, so if you are a U.S. taxpayer, you are paying for this work.

Having said that, the rights to and interests in NSF-sponsored work are very much up in the air, nowhere moreso than the Carnegie Mellon School of Computer Science. The Dean is said to have a somewhat different view than the Provost, who is probably not in agreement with the President, and the Board of Trustees are clearly all over the map on the issue, too. CMU is a study in contrasts when it comes to intellectual property opinions. CMU switched intellectual property policies exactly three days after I entered (yeay for freshman camp -- I knew it was worth the extra few bucks!) and the new (1985) one is draconian yet astoundingly vague. So, the authors might not even know the actual rights under which they are allowed to distribute their software. Noboday may know -- often an ajudication committee is required to make an arbitrary decision on a case-by-case basis.

However, principles of academic freedom have repeatedly trumped the Intellectual property policy, and that means that the researchers have the right to publish their code as sceintific research results, without restriction which is what they have apparently done. The scientific method requires absolutly no restrictions on such results (so as to allow for unimpeded replication), which means that the code is in the public domain. Even if it is released under copyright or GPL later, it is still in the public domain.

I am not a lawer, but years ago I paid a lawyer to answer a related question and I am faithfully repeating his answer above.

I find Yahoo to work much better though...

[saskboy]

I've only had my Yahoo account since last year and my Hotmail account since 1997, so this may not be a fair comparison:
Yahoo spam today:
0

Hotmail spam today:
18

Which is doing a better job at stopping spam you say?

The first step is stopping it from getting there

[PhreakinPenguin]

I would rather Yahoo stop spam from getting to my mail acocunt before they concentrate on stopping people from signing up automatically. I'm one of the few people who actually pay for Yahoo "additional" services. I thought I would get better anti-spam support. Not so far. I literally have 10 to 20 an hour and I can't block anymore because Yahoo only allows 100 addressed to be blocked. And considering the smammers are using 12374614187641874@optinmail.com along with other numerous addresses, it's impossible to block the majority of them. Hell I would even be happy if they would start allowing people to block entire domains. That would be a good first step.

****** SPAM ****** SpamAssassin Plug

[sulli]

I have SpamAssassin at my isp (Verio) and it kicks ass. Probably a false positive per week (and that's often a slashdot Daily Stories email), and a false negative every 3-4 days. Pretty damn good. Cut inbox crapola from 10-20 per day to, well, zero.

IRC needs Captmfa

[Boss,+Pointy+Haired]

"Completely automated public test to tell males and females apart".

a/s/l?

"18f,Florida"

Do you mind if I ask you to take a quick Captmfa?

"Sure, go ahead" .....

Test completed. Result = 34m, Detroit.

Think the editors could pass a no-repeat test?

[Froze]

Now if they could just come up with a turing test for slashdot
repeats!

http://developers.slashdot.org/article.pl?sid=02 /1 2/30/1740211&mode=thread&tid=111

Granted this is not a direct repeat but the articles are just different sources for the same story.

Re:Yahoo works, hotmail not

[b0r1s]

Even if I never ever send an email, the amount of spam grows approximately linearly with time... it only takes about 2 months to exhaust your 2MB quota daily....

You must have some bad luck. I've got a hotmail account I've used consistently for two years, and I'm typically around ~10% of my quota.

Either you're advertising your email address, or you've got some really easy to guess address, because the behavior you describe is far from typical.

I failed the Turing test!

[bcrowell]

I failed the Turing test!

I recently had to create an e-mail address that I could use for posting to a mailing list where the addresses are all public. I tried Hotmail first, and although I passed part 1 of their Turing test, the captcha test, I think I failed part 2: once I was all done filling in my personal information (retired female homemaker in Antarctica, born in 1891), I got some kind of mystifying error message saying something about my .NET account (which I don't have). I guess if I was human, I'd have been able to figure out what they meant.

Oh well, I passed Yahoo's captcha test, and they didn't have a part 2...

As a recipient of spam, I also don't see this having any benificial effects. I gets lots and lots of spam from hotmail.com and yahoo.com addresses. They're all forged headers, so it doesn't matter that Yahoo and Hotmail have botproofing -- the accounts I'm getting spam from aren't even real Yahoo and Hotmail accounts. It's great that they're trying to make sure they aren't spam havens (and of course it costs them money if spammers use their services), but I really think the whole e-mail infrastructure needs reworking in order to get rid of spam. Sending e-mail should cost some token amount of money, and there should also be some way of tossing out mail with forged headers (e.g., my mail client should be able to tell whether the cryptographic signature on an e-mail indicates that it really came from hotmail.com or yahoo.com).

Re:The first step is stopping it from getting ther

[geekoid]

click mail options:
go to
"Enter email address (or domain) to block:"
enter domain in text baox, such as
whatever.com

click, add block

The /. posting title is misleading

[theCat]

These Turing tests do not stop spam. They discourage spammers from using bogus Hotmail etc accounts to originate spam from. They do this by making it incrementally more expensive to create the accounts; rather than using a bot to create an account a second you have to use a human to create accounts by the minute. So 60 times the effort.

But I don't think that translates into 60 times the cost. The Turing tests are interesting but I don't think that the creation of the accounts ever was a bottleneck in the process in sending spam. You could get a high school kid to create all the accounts you would need for a month in about an hour, and pay him in pr0n.

If the truth were known, Hotmail and Yahoo are just trying to decrease server loads. I bet that when bots create accounts they create hundreds or thousands more than are used, which take up server resources during creation and later as the accounts eat up storage. With Turing tests it is more likely that not too many will be laying around waiting to be used.

Spam Tax

[Alien54]

My basic position these days is that there has to be a way to make it viable to "hunt" spammers, - say, by sending bill collectors after them.

This idea means licensing them so that they are properly registered, Meaning we know who they are and where they live.

Meaning that they can be billed for use of service, etc. and jail those not properly licensed.

Meaning that we can send bill collectors and tax collectors hunting after them.

The bottom line is that IF we can make it profitable to go after these guys, someone will make a business of it. We just go to figure a way how.

Then we get to use the scum of society, such as bill collectors and tax collectors, and turn them to some good, going after spammers.

And we can use the money collected to subsidise the cost of something useful.

Now Lessig has also proposed something similar to this:

http://www.cioinsight.com/article2/0,3959,533225,0 0.asp

Which essentially means that there are more eyeballs to track the scum down. And a financial reward to do so.

The twist in my proposal is to mach spam have a cost even if sent "legally" - [lots of states have finance problems], and make the penalties truly painful if done illegally. I want to set my own fees for receiving spam

Re:Yahoo works, hotmail not

[agentZ]

It's no secret, at least it shouldn't be, that Micro$oft is making money selling your hotmail address (yet then they spam you with advertisements for their spam-blocking software)...

Instead of just experimenting by setting up a Hotmail account, has anybody ever tried the other way around? That is, pose as an advertiser and approach Hotmail about e-mailing their users?

Re:Accessibility

[Meowing]

The graphics basically don't work with OCR.

I wrote Yahoo about this problem just about a year ago, after
finding no explanation in their online help on about how
visually impaired users were supposed to use their service,
and this is what they had to say.

I kind of thought this sucked, that apparently the solution
is to wait for a human operator to read the feedback
form and phone you back. Surely someone can come up with
a better system.

=-=-=-=

Hello,

Thank you for writing to Yahoo! Account Services.

If you are a visually impaired or blind user, please fill out the
feedback form at:

http://add.yahoo.com/fast/help/us/edit/cgi_access

A customer care representative will call you back, to assist you with
registering for a Yahoo! account.

If we can be of further assistance, please let us know.

Thank you again for contacting Yahoo! Customer Care.

Regards,

Yahoo! Customer Care

For assistance with all Yahoo! services, please visit:

http://help.yahoo.com/

Re:Ok here we go

[Frater+219]

SPAM WOULD DISAPPEAR IF BAYESIAN TECHNIQUES WERE APPLIED AT THE ISP LEVEL!!!!

Bayesian techniques depend on predicting which elements (usually, which words) are likely to indicate spam, and which are likely to indicate non-spam messages. This can vary highly from user to user, and so it should be done on a per-user basis.

For instance, I am a security administrator and receive a lot of legitimate mail about "antivirus software", and very little legitimate mail about "teenage lesbians." However, my girlfriend's crush, who is an activist lesbian, may well receive a lot of legitimate mail about "teenage lesbians" and only spam about "antivirus software." If we are on the same ISP, then it would be erroneous behavior for my reporting "teenage lesbians" as spam and "antivirus software" as nonspam to throw her spam-filtering out of whack, or vice versa. And yet it is a potential privacy violation for the ISP to be gathering statistics on which one of us gets virus bulletins, and which one is the lesbian.

(Moreover, there also isn't yet any standard mechanism for users to report spamminess or nonspamminess back to normal IMAP or POP mail hosts -- and Bayesian algorithms require sampling both spam and non-spam mail, not just spam reported to an abuse address.)

The filtering mechanisms that should be implemented on the server are general ones -- ones that do not rely on deep inspection into the content of the message. I don't really want ISPs to gather stats on common keywords in users' incoming mail -- do you? It is one thing to examine structural elements of the message, such as the IP address which sent it, or the presence of normal headers; or to statelessly scan the message for static patterns, such as virus signatures or "DISCOUNT HERBAL VIAGRA !!!" It would be quite another thing to gather the kind of data that Bayesian filters involve, for every user on a large end-user system.

Re:In Mozilla News..

[TheBishop]

I have been building the 1.3 from source routinely just to get access to the mozilla spam filter.

I have this to say about it

GET IT.

I trained it on a corpus of spam I've been keeping around for just such a purpose (about 300 messages, not a lot really). Since then I have been giving it minor corrections to tag new spam and it is nearly perfect. No false positives. The interface is easy to use.

If you use Mozilla now for Mail, you owe it to yourself to start using the 1.3a. If you're using something else, it's worth looking at Mozilla.

captcha stops blind people too

[mikey573]

From my understanding, the use of image recognition in the captcha test would make it nearly impossible for blind people to pass the test.