Slashdot Mirror


Porn Rewards Users To Get Past Anti-Spam Captchas

Stalke writes "Spammers are now using a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decrypting the 'captchas' which is then replayed back into the spammer's program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."

37 of 420 comments

  1. I am not looking at porn by hetairoi · · Score: 5, Funny

    I'm hacking ..... now go away, what I'm doing in here is private.

    --
    you're all figments of my deranged imagination
  2. Nifty by turbofisk · · Score: 5, Funny

    I'm not for spamming... But if I were a spammer... I would pat myself on my back... Pretty nifty... Bastards!

    1. Re:Nifty by acidtripp101 · · Score: 4, Interesting

      I thought this exact same thing. Every time I see a simple 'solution' to a 'problem' like this, I always have to give the creator credit due to them... I don't care whether it's for the linux kernel or to send me pills for a larger penis, it's still ingenious.

      --
      Not Free(as in beer). Free(as in "I'm free to beat you over the head for being a dumbass")
    2. Re:Nifty by kramer2718 · · Score: 5, Interesting

      Sure, give credit, but not to spammers. Manuel Blum, who invented CAPTCHA, came to speak at my school. First, he explained CAPTCHA. Then he explained how to beat it. The idea is called 'stealing cycles'. In his version, the CAPTCHA tests would be part of games rather than porn sites, but the concept is the same.

  3. Proof! by RiscIt · · Score: 5, Funny


    Proof once again that porn (and its usually associated activities... ahem) will NOT make you go blind!

    1. Re:Proof! by Scarblac · · Score: 4, Funny

      Oh yeah? So why do they do it only at the signup page?

      --
      I believe posters are recognized by their sig. So I made one.
  4. Spam spam spam spam SPAAM! by seidleroniman · · Score: 4, Insightful

    What is everyone in the Slashdot crowd gonna do? On one hand you don't want to get spammed, but on the other hand you NEED your pr0n. However, I think this will take care of itself because eventually people will be too busy deleting spam to look at pr0n online, reducing the amount of spam.... Ok, I'm half kidding, but I really do think this is an ingenious way of spammers getting around certain barriers. Say what you will, but spammers have shown/proven that they can overcome many obstacles to continue their spamming.

    1. Re:Spam spam spam spam SPAAM! by thedillybar · · Score: 5, Insightful
      What are we going to do?

      How about type something other than what's in the box? I seriously doubt you have to sit there waiting while it verifies that what you entered is actually correct. They're probably just assuming most people will type it correctly.

    2. Re:Spam spam spam spam SPAAM! by Anonymous Coward · · Score: 5, Insightful

      Why sign up for porn? Damn, isn't there enough available without signing up? It's bad enough that they can match your IP address; why give them registration info too? It's hysterical that a bunch of geeks who won't sign up to read the New York Times will gladly give name, rank, and serial number for porn.

  5. Easily countered by Yggdrasil42 · · Score: 4, Interesting

    This can be easily countered if the free e-mail sites configure their servers, so that the 'captchas' can only be loaded into pages that they've served themselves.

    I'm not sure how that works, but I've seen it in action on some sites.

    Maybe someone else knows how it's done?

    1. Re:Easily countered by Violet+Null · · Score: 5, Informative

      Wouldn't matter.

      Automated spam script goes to sign up new email address, gets presented captcha. Downloads captcha -- as the server would expect any normal web browser to do.

      Captcha is copied to some location. Filename probably contains information that can identify the specific script that's running, since there'll undoubtedly be many going simultaneously.

      From that point, there's about 20 minutes, give or take, for the porn site to display the copy of the captcha and ask for the user's input. On a site seeing any amount of traffic at all, that should be more than enough.

      Once a user has given input, the spam script is notified, and sends the input back to the captcha server. The captcha server never sees the IP address of the human -- it only deals with the spam script -- so it'll never know anything's up.

  6. Re:Foundation by krumms · · Score: 5, Funny

    It has more uses than we can even imagine.

    And several uses that we just don't WANT to imagine :P

  7. Easy fix. by Black+Parrot · · Score: 4, Funny


    For your captcha, use a picture of a really ugly old woman with "click here to see more" written across it, and no one visiting a porn site will help with the decryption.

    --
    Sheesh, evil *and* a jerk. -- Jade
  8. Valid News Sources by akadruid · · Score: 4, Insightful

    Is it just me or are people becoming less critical about what a valid news source is?
    'Someone told me...' on a 'blog'?

    That doesn't carry quite the weight of the BBC and Reuters to me, but I suppose there's a good chance no-one was threatened by a 'democratic' government during the production of the article, so maybe it's less biased than some.

    --
    "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
  9. In related news... by Black+Parrot · · Score: 5, Funny


    A million new Slashdot accounts were added today.

    --
    Sheesh, evil *and* a jerk. -- Jade
  10. Re:One thing leads to another by cyb97 · · Score: 4, Informative

    That method is already in use by several sites that get paid by the number of ad-clicks. To make *dead sure* that the patrons click the banners you have to fill in a missing word in a sentence collected from the banner-site or the 3rd word etc to get into the site.

    It's pretty lame, and I guess most ad-agencies frown upon it as the clickers aren't really producing any business..

  11. It really is true by The+Night+Watchman · · Score: 5, Funny

    Someone told me once that most technologies that have become successful are those technologies that assist in the dissemination of porn and/or voyeurism. Thinking about it, that's very true. Radio gave way quickly to television, which gave way to cable, and BAM! You get porn. Radio also gave way to the telephone, which gave way to party lines, and BAM! Advances in optics have brought us photography (BAM!), telescopes (BAM!), and eyeglasses (the... the porn is so CLEAR now!), to name a few. Look at the primary achievement of the 90s. The commercialization of the Internet. That's essentially a porn revolution!

    So porn is being used to break encryption. Personally, I feel there can be no other way. Porn will lead us to the greatest achievements of our day, and conversely, all roads lead to porn.

    It's our past, our present, and our future. Embrace it, or be left behind.

    --
    "Every jumbled pile of person has a thinking part that wonders what the part that isn't thinking isn't thinking of"-TMBG
  12. Re:Sounds like rubbish by superwiz · · Score: 5, Interesting

    Captchas are constantly designed to be undecodable by OCR. But the porn solution doesn't sound like rubbish at all. It actually sounds quite clever. Here's how it might work:

    1. An automated script tries to sign up for public emails (yahoo, hotmail, etc.).
    2. At some stage during sign up a page with a captcha is "presented" to the script.
    3. The script gets the captcha out of the page and adds it to a pool of captchas to be associated with their respective words.
    4. At some point, shortly after, a visitor to a porn site is presented with a captcha and enters the correct word. THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the captcha is supposed to be and is only using you, enter a wrong one.
    5. The word entered by the user on the porn site is used to submit a reply to the public email system.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  13. Re:Sounds like rubbish by Z-MaxX · · Score: 5, Informative
    Two reasons this sounds like rubbish: The captchas are generated on a per session basis for the person trying to sign up for the email address. Surely if they then try and get a third party to do the decoding the session will be expired.
    Not necessarily. From the writeup:
    by displaying the 'captchas' on free porn sites in real time.
    If you have thousands of visitors every hour, then you only have to wait a few seconds on average to have your image shown to a user and a few more seconds for the user to respond.
    --
    Dr Superlove 300ml. I use my powers for awesome
  14. Computer Program by UPAAntilles · · Score: 4, Interesting

    The computer science department at Berkeley has already broken the Yahoo-like Captcha. They use an algorithm to break it. They recommend "Gimpy" as a replacement, which their software has yet to crack. The blog is full of crap, the captcha is generated every session, so you can't make a link to the image like they would like because the session would end.

    1. Re:Computer Program by wedg · · Score: 4, Informative

      No. It's quite simple. You get the HTML (open a session), and instead of retrieving the image for the Captcha right away, you wait until someone's signing up for free porn (a few nanoseconds), then show *them* the inline image, which only needs to be loaded once in this case, they enter the code, which your script sends back as the form reply.

      I wish I'd thought of it first, I could've patented it. Or maybe someone should, so the spammers can't use it.

      --
      Jake
      Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
  15. Holy crap by osgeek · · Score: 5, Funny

    They've harnessed the power of horniness, but for evil. If only that unlimited power could be harnessed for good -- it would be like having controllable fusion and all of the heavy water we'd ever need.

    Amazingly clever, those evil spamming bastards.

  16. Re:Foundation by Gogl · · Score: 4, Funny

    "Porn, the foundation of the internet. It will never go away or die. It has more uses than we can even imagine."

    Agreed. It is an energy field created by all living things. It surrounds us, penetrates us, and binds the galaxy together.

    Hrmm...

  17. Valid News sources... on a blog. by LinuxParanoid · · Score: 4, Insightful

    You're right. But. A) you're repeating what the editor already said, and B) you are overstating your case a bit for the following reasons:

    In fairness, the poster on the blog was Cory Doctorow, who is a long time, well-known net-citizen and isn't exactly some random guy, although you may not know him. For a sample of his work, see this piece in Salon which mentions that he won the John W. Campbell Award for best new science fiction writer at the 2000 Hugo Awards. He's not a journalist, he's a blogger, but it's an interesting tidbit nonetheless...

    And even if he was a random blogger, his credentials are much less important than the core concept he's disclosing: that someone seeking to generate email accounts (or open bank accounts or whatever) could have porn-seeking humans work around the turing-ish test security measures. The story is less that someone is doing it, than that someone could be doing it. At least to me.

    Plus this is a hacker-type story... I wouldn't expect Reuters, etc. to carry it first.

    I actually was glad to see the Slashdot editor point out the "someone told me" caveat... it's a sign to me that the editors here are getting better. They're warning us about the weaknesses in the story, not just slapping stuff up here without a care.

    --LP

  18. Re:Countermeasure... by leoboiko · · Score: 4, Insightful

    The referrer field is easily forged.

    --
    Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
  19. Ok new "captcha" test... by tekiegreg · · Score: 4, Insightful

    Rather than guess a single image, how about a feature on the page at random? For example, Yahoo Mail can ask "What is the menu to the immediate right of Addresses?" (which according to my Yahoo Mail screen would be "Calendar"), or even "What company is the banner ad up top advertising?", which serves 2 purposes: 1) Captcha Test and 2) Ensuring the advertising is looked at :-)

    Unless a Spammer plans on building a porno site exactly like Yahoo (and incur the wrath of a zillion lawyers consequently), this would be a difficult one to counter attack (unless someone here could prove otherwise). Thoughts?

    --
    ...in bed
  20. Re:Sounds like rubbish by JDevers · · Score: 4, Insightful

    Think about the same thing, but in reverse. Have the script run ONLY when someone signs up for the free porn, it automatically connects to the free e-mail provider and the glyph is just transferred to the viewer in truly real time...

  21. Re:Foundation by dmayle · · Score: 4, Funny

    It had to be said...

    Imagine a beowulf cluster of porn viewers.

    (Which is basically what this is)

  22. Re:Sounds like rubbish by druske · · Score: 4, Insightful

    The porn site wouldn't know what the captcha was supposed to be, but the email signup page would, and if the wrong response was provided, it'd return a page saying so. The porn site could parse that page and reject the user's answer. No valid response, no naughty bits.

    Without any facts to back the story up, I don't know if this is really happening, but it sounds plausible. I wonder if anyone's filed a patent on the method? ;)

  23. The feeder bar approach by ericspinder · · Score: 4, Funny
    Do a little work, get a little porn.

    "Hey, I'm only seeing ugly people having sex!, guess I have to step up the quality of my work"

    --
    The grass is only greener, if you don't take care of your own lawn.
  24. just added captcha by jqh1 · · Score: 4, Interesting

    We *just* added captcha functionality at spamgourmet but we're using a random number at the end of each quizword, and we use a random filename for each image. The code just went up on sourceforge if you want to take a look.

    --
    who's moderating the meta-moderators?
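
Added example (not part of the thread and not spamgourmet's code): a minimal server-side challenge store in the spirit of the comment above, issuing a quizword with a random numeric suffix under a random image filename, and making each challenge single-use, session-bound and short-lived. The word list, the 120-second lifetime and all names are assumptions; as comment 5.1 points out, a relay that answers inside the lifetime still passes, so this narrows the window rather than closing it.

```python
import hmac
import secrets
import time

WORDS = ["harbor", "pencil", "violet", "marble"]  # constructed word list
TTL_SECONDS = 120  # assumed lifetime; the thread guesses ~20 minutes on real sites


class ChallengeStore:
    """Tracks issued captcha challenges; answers never leave the server."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_file = {}  # random image filename -> challenge record

    def issue(self, session_id):
        # Quizword plus a random two-digit number, as the comment describes.
        answer = secrets.choice(WORDS) + str(secrets.randbelow(90) + 10)
        # Unguessable filename: the image URL reveals nothing about the answer
        # and cannot be enumerated or predicted across sessions.
        filename = secrets.token_urlsafe(16) + ".png"
        self._by_file[filename] = {
            "session": session_id,
            "answer": answer,
            "expires": self._clock() + TTL_SECONDS,
        }
        # The answer is returned only so the image renderer can draw it.
        return filename, answer

    def verify(self, session_id, filename, response):
        # pop() makes the challenge single-use: a wrong guess burns it, so a
        # relay cannot retry the same image with a second visitor's answer.
        rec = self._by_file.pop(filename, None)
        if rec is None:
            return "unknown"
        if rec["session"] != session_id:
            return "wrong-session"
        if self._clock() > rec["expires"]:
            return "expired"
        given = response.strip().lower().encode()
        if not hmac.compare_digest(rec["answer"].encode(), given):
            return "wrong"
        return "ok"
```

Logging the time between `issue` and `verify` per signup gives an operator a figure to compare against ordinary human solve times.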
  25. Re:Foundation by chaoticset · · Score: 5, Funny
    "Porn...is there anything it can't do?"

    Sorry.

    --

    -----------------------
    You are what you think.
  26. Re:Sounds like rubbish by Tim+Macinta · · Score: 4, Interesting
    I have been letting people set up free email accounts at kmfms.com for awhile, and there has been an abnormally large surge in new accounts recently (and the sign-up process does use the distorted letters). These have been junk accounts too. I had a huge number of sign-ups just last night and only 1 person actually came through my site first (the email service is provided by everyone.net, so somebody was evidently going straight there without hitting my site first). Once these junk accounts are created, spammers then send email from their own servers, but with the return address of the junk account. I don't know why they are doing this - I seriously doubt they are checking the accounts, and they aren't actually sending anything from the accounts, but they are doing it nonetheless and I have been getting a lot of complaints recently about spam even though all of the headers indicate that my network and everyone.net's network weren't involved.

    I have given up at this point and as of today I am switching the email system so that all new users must be paid users. These spammers are like a swarm of locusts consuming everything in their path, and now they have destroyed the free service I had been offering for years. I wish they were in the US so I could pursue legal action.

  27. Re:Sounds like rubbish by Imperator · · Score: 4, Insightful
    THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the captcha is supposed to be and is only using you, enter a wrong one.

    Uh, if the spammers are smart, they'll actually use the word you give them to submit the form, and if it doesn't work they'll make you enter another one. Some of them are hiring smart people. Maybe if there weren't so many out-of-work programmers in the world...

    --

    Gates' Law: Every 18 months, the speed of software halves.
  28. Old news and incorrect data by shaftek · · Score: 5, Informative

    This is ancient news, it has been mentioned by me on the ASRG list in November and on my blog. The original news article was published by the Post Gazette, and found by Matt McCay in his blog. Liudvikas Bukys mentioned it in his blog also. You might also want to take a look at the W3C draft on why these visual tests do not work for disabled people. And to end this off, the basic premise of C/R is that the return address is valid. Even if spammers break these visual tests, in order to do that, they must have a valid return address - ergo, making them traceable.

  29. I'm afraid I disagree by fejikso · · Score: 5, Insightful

    I thought that's why there's something called ethics, which tells you when an ingenious thing may be good or bad.

    IMHO, you can't applaud unethical uses of ingenuity.

  30. Re:Foundation by Dyolf+Knip · · Score: 5, Funny
    It surrounds us, penetrates us, and binds the galaxy together.

    Well, one out of three ain't bad.

    --
    Dyolf Knip