Slashdot Mirror

← Back to Stories (view on slashdot.org)

Porn Rewards Users To Get Past Anti-Spam Captchas

Posted by timothy on from the pull-this-lever-a-few-times dept.

Stalke writes "Spammers are now usings a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decripting the 'captchas' which is then replayed back into the spammers program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."

14 of 420 comments (clear)

  1. Foundation by millahtime · · Score: 3, Insightful

    Porn, the foundation of the internet. It will never go away or die. It has more uses then we can even imagine.

    --
    Evolution or ID?
  2. Spam spam spam spam SPAAM! by seidleroniman · · Score: 4, Insightful

    What is everyone in the Slashdot crowd gonna do? On one hand you dont want to get spammed, but on the other hand you NEED your pr0n. However, i think this will take care of itself because eventually people will be too busy deleting spam to look at pr0n online, reducing the amount of spam....Ok, i'm half kidding, but i really do think this is an ingenius way of spammers getting around certain barriers. Say what you will, but spammers have shown/proven that they can overcome many obstacles to continue their spamming.

    1. Re:Spam spam spam spam SPAAM! by thedillybar · · Score: 5, Insightful
      What are we going to do?

      How about type something other than what's in the box? I seriously doubt you have to sit there waiting while it verifies that what you entered is actually correct. They're probably just assuming most people will type it correctly.

    2. Re:Spam spam spam spam SPAAM! by Anonymous Coward · · Score: 5, Insightful

      Why sign up for porn? Damn, isn't there enough available without signing up? It's bad enough that they can match your IP address; why give them registration info too? It's hysterical that a bunch of geeks who won't sign up to read the New York Times will gladly give name, rank, and serial number for porn.

  3. Sounds like rubbish by Snipet · · Score: 3, Insightful

    Two reasons this sounds like rubbish: The catchups are generated on a per session basis for the person trying to sign up for the email address . Surely if they then try and get a third party to do the decoding the session will be expired. Also The article points out that Optical Character recognition is more than adequate to break this so I can not see a situation that spammers would do this elaborate probably unworkable method over OCR. No facts and a friend of a friend source makes this sound like total BS.

    --
    The internet makes me stupid.
    1. Re:Sounds like rubbish by JDevers · · Score: 4, Insightful

      Think about the same thing, but in reverse. Have the script run ONLY when someone signs up for the free porn, it automatically connects to the free e-mail provider and the glyph is just tranfered to the viewer in truly real time...

    2. Re:Sounds like rubbish by druske · · Score: 4, Insightful

      The porn site wouldn't know what the catchup was supposed to be, but the email signup page would, and if the wrong response was provided, it'd return a page saying so. The porn site could parse that page and reject the user's answer. No valid response, no naughty bits.

      Without any facts to back the story up, I don't know if this is really happening, but it sounds plausible. I wonder if anyone's filed a patent on the method? ;)

    3. Re:Sounds like rubbish by Imperator · · Score: 4, Insightful
      THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the catchup is supposed to be and is only using you, enter a wrong one.

      Uh, if the spammers are smart, they'll actually use the word you give them to submit the form, and if it doesn't work they'll make you enter another one. some of them are hiring smart people. Maybe if there weren't so many out-of-work programmers in the world...

      --

      Gates' Law: Every 18 months, the speed of software halves.
  4. Valid News Sources by akadruid · · Score: 4, Insightful

    Is it just me or are people becoming less critical about what a valid news sources is?
    'Someone told me...' on a 'blog'?

    That doesn't carry quite the weight of the BBC and Reuters to me, but I suppose there's a good chance no-one was threatened by a 'democratic' government during the production of the article, so maybe it's less biased than some.

    --
    "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  5. Valid News sources... on a blog. by LinuxParanoid · · Score: 4, Insightful

    You're right. But. A) you're repeating what the editor already said, and B) you are overstating your case a bit for the following reasons:

    In fairness, the poster on the blog was Cory Doctorow, who is a long time, well-known net-citizen and isn't exactly some random guy, although you may not know him. For a sample of his work, see this piece in Salon which mentions that he won the John W. Campbell Award for best new science fiction writer at the 2000 Hugo Awards. He's not a journalist, he's a blogger, but it's an interesting tidbit nonetheless...

    And even if he was a random blogger, his credentials are much less important than the core concept he's disclosing: that someone seeking to generate email accounts (or open bank accounts or whatever) could have porn-seeking humans workaround the turing-ish test security measures. The story is less that someone is doing it, than that someone could be doing it. At least to me.

    Plus this is a hacker-type story... I wouldn't expect Reuters, etc. to carry it first.

    I actually was glad to see the Slashdot editor point out the "someone told me" caveat... it's a sign to me that the editors here are getting better. They're warning us about the weaknesses in the story, not just slapping stuff up here without a care.

    --LP

  6. Re:Countermeasure... by leoboiko · · Score: 4, Insightful

    The referrer field is easily forged.

    --
    Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
  7. Ok new "captcha" test... by tekiegreg · · Score: 4, Insightful

    Rather than guess a single image, how about a feature on the page at random? For example Yahoo Mail can ask "What is the menu to the immediate right of Addresses. (which according to my Yahoo Mail screen would be "Calendar"), Or even "What company is the banner ad up top advertising" which serves 2 purposes 1) Captcha Test and 2) Ensuring the advertising is looked at :-)

    Unless a Spammer plans on building a porno site exactly like Yahoo (and incur the wrath of a zillion lawyers consequently), this would be a difficult one to counter attack (unless someone here could prove otherwise). Thoughts?

    --
    ...in bed
  8. I'm afraid I disagree by fejikso · · Score: 5, Insightful

    I thought that'w why there's something called ethics, which tells you when an ingenious thing may be good or bad.

    IMHO, you can't applaud unethical uses of ingenuity.

  9. Captchas can only prove human-ness by AnotherBlackHat · · Score: 3, Insightful

    It's a clever idea (even if nobody has actually done it yet) but I think Captchas will always be ahead in the arms race.

    Cut and paste my Captchas? Ok, I'll embed it in a java program.
    Screen capture? I'll make it dependant on the web-site you're visiting.
    (which of these objects starts with the same letter as the third letter of my website?)

    In the end though, the best a captchas can do is prove there's a human somewhere in the loop.
    A spammer (or anyone else for that matter) could hire real people to answer them.
    Automate the non-captcha part of the signup, and you could generate several hundred accounts per hour.

    -- this is not a .sig