Have Spammers Overcome the CAPTCHA?
thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
How we know is more important than what we know.
Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHA's dynamically generated from an extended "character set" or are the distortions generated in real-time?
Make a porn site that gives you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which the captcha is valid, you're set.
Surely this was only a matter of time? If anti-spam companies can read those graphics telling you about hot stock tips, that technology was eventually going to find its way into the hands of said spammers, right?
That doesn't sound like a CAPTCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPTCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.
Help poke pirates in the eyepatch, arr.
Not really.
The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."
So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?
"I will take the Ring," he said, "though I do not know the way."
How about paying people to solve CAPTCHA. I am sure you can get thousands of them done for a few dollars by people in low wage countries. Why do they need complex OCR technology?
Who needs CAPTCHA breaking software - they can just outsource creating the accounts to China, India or some other country.
I wouldn't imagine creating 15,000 accounts would be very expensive.
Eventually (but don't hold your breath) the arms race for solving CAPTCHAs will start to cause problems for significant numbers of humans who are otherwise capable of browsing the Internet, and at that point we can say that AI has solved a kind of limited version of the Turing test.
Indians are fast, accurate and cheap:
s sing-Data-Entry/Data-Entry-Solve-CAPTCHA.html
h oo-ocr-bypass-captcha.157160.html
http://www.getafreelancer.com/projects/Data-Proce
Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:
http://www.getafreelancer.com/projects/PHP-ASP/ya
And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.
http://sam.zoy.org/pwntcha/
If a human is used to read the captcha, then there is not much that can be done, as that is what a captcha is for: to make sure only a human will be able to bypass it...
Instead of trying to reduce the signal level in spam, bury the bastards in noise. Set up a nonprofit organization which people join (after giving real-life details and a deposit and being confirmed) which flags an email as spam. When that happens, participating clients (available to everyone) begin contacting the website given in the mail. Result: spammer website and ISP buried in noise and bandwidth bills.
Either that, or someone needs to write the next massive-spread virus and have it break your computer and force you to have it serviced. That'll break the botnets...
Actually, now that I think of it, CAPTCHAs already pose problems to some (visual CAPTCHAs for the visually impaired), but I wasn't thinking about that. I probably should have, since one can think of other CAPTCHAs where other specific handicaps would be a problem (human facial recognition comes to mind, for example; see Prosopagnosia).
Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety of choices, just like there is sometimes an auditory choice given now.
One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it.
What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.
Time to blackhole it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Are the spamming b.st.rds reusing the images for blog comments, or something like that? Do that for a hundred blog readers and they could get fast feedback.
Karma: Excellent (My Karma? I wish...:-( )
I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.
It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.
Short of brutal vigilante justice (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.
Bogus hotmail accounts!?!?! I don't believe it!!!
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
* Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases. Impractical? Maybe, but I'll bet the Chinese Government can come down like a sledgehammer when it wants to! Same with this kind of threat to India. When the Indian Government smells its vast outsourcing revenues becoming unstuck, they'll have motivation to crack down on 'unscrupulous operators'.
* 25 years jail and a $2M fine for those who use spammers. Tracking spammers is hard. Typically, the fools that reply to spam give their details to a spammer web site, who sells a call list to a mortgage agency, who then calls you, supposedly unaware of the source. Some journalists have done this and followed the trail. Now if journalists can do it, maybe the FBI can do it? If the FBI aren't up to the task, bounty hunters maybe?
* Same thing: Have law enforcement respond to spam, trace the payment and throw the lowlife on the other end into the slammer: 25 years jail and a $2M fine.
* Conan the Barbarian has some advice here: "Savages are more polite than so-called civilized men, because a civilized man knows he can insult someone without getting his skull split". The reason spammers do it isn't just because it can make money, but because they know they can get away with it. The chance of getting prosecuted at the moment is next to nothing. Give them a fair chance of getting imprisoned, and they'll change their tune.
Comes down to the same thing: Congress drafting laws and supplying the funds to enforce it. Do I hear a Presidential Candidate with an anti-Spam policy?
The only good coming from this spam-war, is better AI.
Not only will OCR get better, but soon the captchas will contain questions, so natural language processing will become necessary. And this is happening on both sides of the fence:
- anti-spam needs to OCR images from spam mail
- spam needs to OCR captchas
- anti-spam needs natural language processing of email, now that they contain random pieces of the internet
- spam needs natural language processing to answer captcha questions, and to write spam emails without hitting a spam filter.
The only problem I see on the horizon (next to the problems that spam is causing) is that the captchas become too complicated for humans to answer and maybe get self aware. But I for one welcome our captcha overlords.
Block MSN and yahoo.
You can thank me later.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
But how much of the spam these bogus accounts are sending out is going to other bogus accounts? Eventually hotmail will eat itself... We can only hope.
I was wondering why it seemed like the amount of spam I was getting DOUBLED this weekend. Usually I get about 50 or 60 spams per day, now it seems like I'm getting 120 or 130 per day. Really freaking annoying. I'm ready to spam myself, but I want to spam an uber destructive virus that'll force the world to do something about spammers. Only after email has been rendered useless will the world do anything about spam.
If telephones are outlawed, then only outlaws will have telephones.
I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expressions.
You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)
CAPTCHAs were, and still are, a neat hack, but as you increase their complexity beyond what's trivially solvable by an army of 'mechanical turk' keypunch monkeys (either for real money or porn), you start to eliminate broader and broader swaths of humanity from the content. There's no good problem to use, because the criteria conflict with each other. On one hand, you want something that only takes a person a few seconds to figure out, because otherwise people aren't going to want to go through them all the time. On the other hand, you want something that's non-trivial, because otherwise a spammer can just use an army of people to cut through them as if they weren't there.
I'm not sure that the CAPTCHA avenue has a lot left in it as a general solution.
* E.g., you could write flowery word problems that only involve basic arithmetic, so that the challenge is in natural language processing. This knocks out a lot of non-native language speakers, however. (Which again, could be acceptable if it's a regional website in a monolingual area; it also narrows the pool of 'mechanical turk' workers that can be hired to solve them as well.) But I'm not sure this is anything but a temporary setback, and it would come at too high a cost to be generally useful.
Why would you want to attack the captcha to gain 15000 accounts? That seems to not be the easiest way ... I would rather believe they have sent out a moderately successful trojan/virus that sniffs and steals people's hotmail and yahoo accounts. With a large scale virus I would imagine that you'd get A LOT more accounts, but maybe they have just used a first batch - so they have more when the current ones get blocked. //fatal
It wouldn't surprise me if the CAPTCHAs were overcome simply by showing the graphics to some underpaid person who just types in the actual responses.
A sophisticated enough system could easily "pipe" these graphics to someone who just sits and types all day. At one CAPTCHA every 10 seconds, that's about 8000 in a day working 24/7.
Not everything these spammers do has to be automated.
-David
Hey! That's the first time I've been sent to a goatse image from slashdot for a long long time! Ah, the memories.
Don't scroll down too far on that page if you are of a sensitive nature.
One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases impossible, for legitimate users to use your service. Language barriers rank among the biggest problems. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak English at all, or may have no idea how to spell 'apple' in English. Same with audio captchas.
The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data into them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.
It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.
BeauHD. Worst editor since kdawson.
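The two server-side checks described in the post above (a CSS-hidden honeypot field and a single-use form key) as an added, runnable example. This is not the poster's own code; the field names, the in-memory key store and the 15-minute key lifetime are assumptions, and the submissions at the bottom are constructed.

```python
"""Server-side anti-bot checks for a comment form: a CSS-hidden honeypot field
and a single-use form key.  Added example; field names, key store and timing
are assumptions."""
import secrets
import time

HONEYPOT_FIELD = "website_url"   # hidden with CSS; humans never see or fill it
KEY_TTL_SECONDS = 15 * 60        # a key older than this is rejected

# Issued form keys: key -> issue time.  A real deployment would keep this in a
# session store or database; an in-memory dict is enough to show the logic.
_issued_keys = {}


def issue_form_key(now=None):
    """Generate an unguessable key to embed in the form as a hidden input."""
    key = secrets.token_urlsafe(32)
    _issued_keys[key] = time.time() if now is None else now
    return key


def validate_submission(form, now=None):
    """Return (accepted, reason).  `form` is the dict of submitted fields."""
    now = time.time() if now is None else now
    # 1. Honeypot: any content means a bot filled in every field it found.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. One-time key: must be present, issued by us, unexpired, and unused.
    #    pop() consumes the key, so a replay of the same form is rejected.
    key = form.get("form_key")
    issued_at = _issued_keys.pop(key, None)
    if issued_at is None:
        return False, "unknown or reused form key"
    if now - issued_at > KEY_TTL_SECONDS:
        return False, "expired form key"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: a human, a replay of the same form, and a bot.
    key = issue_form_key()
    human = {"form_key": key, "comment": "nice article", HONEYPOT_FIELD: ""}
    print(validate_submission(human))
    print(validate_submission(dict(human)))   # same key again: rejected
    bot = {"form_key": issue_form_key(), "comment": "buy pills",
           HONEYPOT_FIELD: "http://example.invalid"}
    print(validate_submission(bot))
```

The honeypot test runs before the key is consumed, so a bot that trips it does not burn a valid key; the key check pops the entry so that even a correct key is only ever accepted once.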
In the underworld that is the grey/black economy of yahoo accounts, accounts are traded in the thousands. Programs are readily available that will allow you to prefill the details and just allow you to enter the verification codes in bulk. Even me, by my slow ass standard, can knock out 3000 a day no problem.
Also, as someone has pointed out, by farming the work out to India for manual creation you can get a lot more. I think it's like 3 cents a fully customisable account. (There are programs that allow you to modify every modifiable setting within an account in bulk. You can easily modify thousands at once, assuming you have enough proxies.)
Spammers are like that Simpsons episode where all the ad billboards come alive - if you ignore them, they'll go away. But everyone has to ignore them.
We're pouring so many resources into fighting them... it just strikes me that if we just tried to ignore the bastards, they'd find something better (or more profitable) to do than spam.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Yahoo! and Hotmail are both USA companies, which is also where most spam originates, so the solution is simple.
Route-around the United States, and the problem is solved for most of us. They can rejoin the world when lawmakers take spam seriously.
Reduce, reuse, cycle
As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.
The site just asked the user to check off each image representing a living thing.
Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.
How long until we're using the kind of tests we saw in Blade Runner?
On my forum some days we'd get 5/6 bots per day. It's a vB board and it used the standard vB captcha. One day I installed a plugin called NoSpam! which asks the user a simple question when registering. Questions such as 2+2=, what do you do when a traffic light goes red, etc. The questions are simple; if somebody can't answer them I'd be surprised that they made it as far as the registration page. Since I've installed it there hasn't been even one bot through, so it is 100% effective so far. I know it won't last forever and that bots will be programmed to circumvent it, but I'll deal with that when it comes to it.
I never have spam issues. My real email address is rarely used..only for friends and legitimate sites (secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts. I don't check them frequently and I only whitelist domains I expect to see. The problem with "free" email addresses is that they end up costing us all. If all users paid for their email, then companies would have a real vested interest in stopping spam. If someone even had to pay $1 for their hotmail/yahoo/gmail account, it would severely limit the rampant abuse of the system. While I fiercely defend the freedom of the internet, I also respect the need for bars to check IDs and pornography to be sold underneath black covers or in stores which are limited to adults. Research, development & implementation of anti-spam initiatives have cost this country hundreds of millions of dollars. Think of it as the most basic form of tax which would allow us to keep riff-raff off our super information highway. Obviously there would need to be a few details worked out, but there isn't any reason why the major ISPs couldn't allow users to create their own privately registered domain for the "free" email account that comes with service. Additionally, they need to better educate new users about email. I finally convinced my parents to upgrade to DSL from dial-up last year and I created them a private domain for a new email account when they made the switch. 6 months later and they are still spam free; they are constantly thanking me for all the time saved because they are no longer wading through junk email.
My guess is that most experienced and/or properly educated internet users do this or something similar. Truth is, if you want a quality, reliable product you have to pay for it. Imagine if yahoo or google had $1 for each of their 10s of Millions of accounts. That'd be a lot of legal capital to pursue and hunt down spammers, not to mention the ability to create a class action lawsuit which would carry more weight. Now, imagine if they got $10 or $20 per account. I'm definitely not proposing a per email charge here..simply requiring that some small charge be levied so that email accounts are only created by those who want them used for legitimate and expected communication.
Our lives are already overloaded with advertising from marketers who are desperately looking for ways to justify their jobs. Thank the powers for video recorders that allow us to skip commercials and pop up blockers that have reclaimed the web.
That being said...if someone wants to create a vigilante task force that hunts down and punishes top spammers, I'd gladly volunteer. There are just as many legal ways to harass these people and make their lives difficult as hell w/o resorting to violence. Unfortunately, the odds are that this guy did more than spam people (those who take the easy/lazy/annoying way of doing business probably also cheat/lie/scam as well..) and so the person(s) committing this crime probably did not sleep better that night knowing their inbox would be a little less full.
If Google or some other internet company came up with a portal system which charged you $0.0001 rather than entering a captcha, it would cost you nothing until you reached the first cent, and probably wouldn't take any more till the first $10, but it would cost spammers money to do so, not to mention having their credit cards blacklisted. The only problem I can think of is stolen card numbers, so people would have to register their details so no one else can use it.
Or is it just that making new hotmail accounts is being outsourced to china/india/?
- Time limit the amount of subscriptions from a single IP.. start with 1/2 hour, exponentially upping the delays between subscriptions. Greylist IP addresses with known abuses. Add CAPTCHA to remove greylisting, with delays built in.
- Change the enrolment process around, e.g. move enrolment fields between different signup pages.
- Obfuscate the naming and location of the CAPTCHA file (give it a URL with a different pattern each time).
- Put in false positives for the CAPTCHA pictures (fifty one-pixel semi-equivalent URL-embedded GIFs).
- Put in false positives for the signup form at the top/bottom of the page, hide them with color=white.
- Enforce invite-only subscriptions, like Gmail used to do.
- Use out of band methods such as SMS messaging for signup.
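The first item in the list above (per-IP signup delays that start at half an hour and double each time, plus a greylist that demands a CAPTCHA from repeat abusers) as an added, runnable example. This is not code from the post; the base delay, the one-day cap, the five-rejection greylist threshold and the IP addresses used in the demo are assumptions.

```python
"""Per-IP signup throttling with exponentially growing delays and a greylist.
Added example; base delay, cap and greylist threshold are assumptions."""
import time

BASE_DELAY = 30 * 60        # second signup from one IP must wait 30 minutes
MAX_DELAY = 24 * 3600       # cap the exponential growth at one day
GREYLIST_AFTER = 5          # this many rejected attempts greylists the address


class SignupThrottle:
    def __init__(self):
        # ip -> {"count": accepted signups, "last": time of last accepted,
        #        "rejected": attempts refused for arriving too early}
        self._state = {}
        self._greylist = set()

    def required_delay(self, count):
        """Seconds an IP must wait before its signup number `count` (0-based):
        0, 30 min, 1 h, 2 h, ... capped at MAX_DELAY."""
        if count == 0:
            return 0
        return min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)

    def attempt(self, ip, now=None, captcha_solved=False):
        """Return (allowed, wait_seconds, reason).

        Greylisted IPs must present a solved CAPTCHA before the delay is
        even evaluated; a successful signup with a CAPTCHA clears the entry."""
        now = time.time() if now is None else now
        st = self._state.setdefault(ip, {"count": 0, "last": None, "rejected": 0})
        if ip in self._greylist and not captcha_solved:
            return False, 0, "captcha_required"
        wait = 0
        if st["last"] is not None:
            wait = st["last"] + self.required_delay(st["count"]) - now
        if wait > 0:
            st["rejected"] += 1
            if st["rejected"] >= GREYLIST_AFTER:
                self._greylist.add(ip)
            return False, wait, "delay"
        if captcha_solved:
            self._greylist.discard(ip)
        st["count"] += 1
        st["last"] = now
        return True, 0, "ok"

    def is_greylisted(self, ip):
        return ip in self._greylist


if __name__ == "__main__":
    # Constructed demo: one documentation-range IP hammering the signup page.
    t = SignupThrottle()
    for sec in (0, 10, 1800, 1900):
        print(sec, t.attempt("203.0.113.5", now=sec))
```

Rejections only count when a client retries before its delay has elapsed, so a legitimate user who signs up once is never greylisted; an automated creator that polls the form repeatedly crosses the threshold within a few requests.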
Somebody has changed from farming gold to farming CAPTCHA's
The spammer is selling marketing channels to companies. These companies sell on to other companies and then through a few more until the US corporation can buy the marketing channel with no provable link from them to the spammer.
It will only stop when marketing teams ignore them.
Or BlueFrog@Home, maybe.
People sign up for a DDoS under BlueFrog's auspices. If the courts are interested in the actions of the spammers (I.e. they are a real problem) then the spammer cannot easily go to court to get redress.
15,000 is an extremely small number. When one has thousands of zombies under his control, making those mail accounts with a program would take a couple of hours at most. Come back when you report millions of bogus email accounts.
Send them cloggworm: if they are so gullible, let the malware cut them from the Internet. Repeatedly. Until they gain healthy dose of paranoia and start keeping their noses clean.
Scorched Earth strategy works well against those who draw their strength from resources lying free for the taking in the territory. Let all the webmorons who feed the botbarons with their resources feel the wrath!
We're talking small GIFs here. It does not take much to do a fopen(img) == fopen(known images)
Yahoo's CAPTCHA just recently being broken that is.
If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address and lame chatters use them to send DOS messages to other chatters. Kinda like the old days on IRC with ping flooding.
Anyway. I highly doubt they manually entered in 400 CAPTCHAS, and I've seen those accounts for a while now so I suspect that CAPTCHA has been defeated for quite some time.
Camping on quad since 1996.
It's obvious. They're only creating 500 accounts per hour, that means they're probably paying people to create the accounts.
Hopefully this spells the beginning of the end for the web plague known as CAPTCHA. I am heartily sick of having to squint at barely recognisable characters, only to be informed that I've got it wrong, and then have to enter all my details again.
So bye-bye CAPTCHA, I won't miss you.
Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact is, it won't help much. You will only save your home if you stop the rain.
That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.
Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.
Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
I'm using a phpBB as my Bulletin-Board System and I thought that such a well known BB would have state-of-the-art anti-Spam features. I was wrong; there is a Captcha but it is by far too weak to stop any spam at all. I then installed the reCaptcha plugin and since then haven't received any spam at all.
I and some other people I know give out unique disposable email addresses to our contacts. There is a different unique address for each of our friends and family.
Yesterday I and they received spam emails sent to several of the disposable email addresses. This points us to several of our friends and family as having had their email address lists stolen by spammers.
The common factors are:
There is therefore no obvious way for the spammers to have obtained these unique email addresses, except by the spammers accessing Hotmail's internal systems via a security breach. The security breach could be technical (an unpatched vulnerability in one of Hotmail's systems) or human (one of Hotmail's (outsourced?) staff members copied the contents of some/all of their servers and sold them to the spammers).
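The attribution step the post above relies on, as an added example that is not the poster's own tooling: each contact was issued a unique disposable address, so when flagged spam arrives at one of them, the contact who held that address is the point where it leaked. The address book, the contact labels and the sample message headers are all constructed for the demo.

```python
"""Attribute leaked disposable addresses back to the contact that held them.
Added example; the issued-address table and sample headers are constructed."""
import re
from collections import Counter

# Constructed: disposable address -> contact it was handed to (nobody else
# ever received this address, which is what makes the attribution work).
ISSUED = {
    "alice.k7q2@example.net": "Alice (Hotmail user)",
    "bob.x93m@example.net": "Bob (Hotmail user)",
    "carol.p4d1@example.net": "Carol (corporate mail)",
}

# Constructed sample of messages the owner has already flagged as spam
# (only the header lines the attribution needs).
SAMPLE_SPAM = [
    "From: deals@spammer.invalid\nTo: alice.k7q2@example.net\nSubject: cheap pills",
    "From: promo@spammer.invalid\nTo: <bob.x93m@example.net>\nSubject: hot stock tip",
    "From: promo@spammer.invalid\nTo: alice.k7q2@example.net\nSubject: you won",
    "From: promo@spammer.invalid\nTo: webmaster@example.net\nSubject: seo offer",
]

# Matches a single-address To: header, with or without angle brackets.
TO_RE = re.compile(r"^To:\s*<?([^\s<>]+)>?\s*$", re.MULTILINE)


def recipient_of(raw_message):
    """Return the lower-cased To: address of a raw message, or None."""
    m = TO_RE.search(raw_message)
    return m.group(1).lower() if m else None


def attribute_leaks(spam_messages, issued=ISSUED):
    """Map each flagged spam to the contact that held its destination address.

    Returns (Counter of contact -> hits, number of spams to addresses that
    were never issued, e.g. guessed or public ones)."""
    per_contact = Counter()
    unattributed = 0
    for msg in spam_messages:
        contact = issued.get(recipient_of(msg))
        if contact is None:
            unattributed += 1
        else:
            per_contact[contact] += 1
    return per_contact, unattributed


def clean_contacts(per_contact, issued=ISSUED):
    """Contacts whose disposable address has not received any spam."""
    return sorted(set(issued.values()) - set(per_contact))


if __name__ == "__main__":
    hits, unknown = attribute_leaks(SAMPLE_SPAM)
    for contact, n in hits.most_common():
        print(f"{n} spam(s) via address issued to {contact}")
    print("unattributed:", unknown)
    print("clean:", clean_contacts(hits))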
Warnings about such shocksites are legitimate.
don't you people see this site:
http://ocr-research.org.ua/list.html
Q: What does this list include?
A: This is the list of CAPTCHAs we found which are easy to break, and we have either already broken them or we are absolutely sure we can do this.
Spammers Learn To Outsource Their Captcha Needs
Posted by Zonk on Saturday November 25, @05:36AM
from the hearing-some-ominous-muttering dept.
lukeknipe writes
"Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online." From the article:
"I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
It's not a shock site...
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Quoted from this article. No wonder someone used it for a worm.
Also discussed here on
Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.
FireballX301 writes
"The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
I wonder if the spammers are hiring Indian firms to create the bogus hotmail accounts.
Present 3 captchas or puzzles, where one of the captchas tells which of the other two to submit:
Example:
#1) What is 1+two?
#2) [image captcha]CoffeeCar
#3) [image captcha]Use the math captcha
Please type the correct answer: __________
Then put a 10+ second time delay and put a per-IP limit on the # of requests in any period of time, say, 10 per hour for most IPs and more for known corporate- or ISP-outbound-firewall-IPs.
Also, greatly limiting the number of messages per day free accounts can send during their first 30 days will cut down on their utility to spammers. Anyone who needs to waive that can either wait a month, buy an account, or if Yahoo, etc. is feeling generous, get an "authenticated free" account by providing the mail provider with identity verification.
Of course, all accounts that haven't explicitly requested a waiver AND authenticated themselves should be subject to normal spam-level-volume throttling. People who manage opt-in mailing lists and other legitimate high-volume users will normally request a waiver.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
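The sending-side policy proposed above (a low daily cap while a free account is in its first 30 days, a normal cap afterwards, and a higher cap only for accounts that both requested a waiver and authenticated themselves) as an added, runnable example. This is not any mail provider's code; the three limits and the 30-day window are assumptions, and the account in the demo is constructed.

```python
"""Outbound-message throttling for free webmail accounts.
Added example; the limits and the 30-day probation window are assumptions."""
from dataclasses import dataclass, field

PROBATION_DAYS = 30           # new accounts are capped tightly for this long
NEW_ACCOUNT_DAILY_LIMIT = 20  # recipients per day during probation
NORMAL_DAILY_LIMIT = 200      # recipients per day for an ordinary account
WAIVED_DAILY_LIMIT = 5000     # only for waiver + identity verification


@dataclass
class Account:
    created_day: int                      # day number the account was created
    waiver_requested: bool = False        # user explicitly asked for a waiver
    identity_verified: bool = False       # provider verified who they are
    sent_by_day: dict = field(default_factory=dict)   # day -> recipients used

    def daily_limit(self, today):
        """The waiver only counts when BOTH conditions hold; otherwise the
        account is throttled like any other, probation or not."""
        if self.waiver_requested and self.identity_verified:
            return WAIVED_DAILY_LIMIT
        if today - self.created_day < PROBATION_DAYS:
            return NEW_ACCOUNT_DAILY_LIMIT
        return NORMAL_DAILY_LIMIT

    def try_send(self, today, recipients=1):
        """Charge one message to `recipients` addresses against today's cap.
        Counting recipients rather than messages stops a single message with
        hundreds of To: addresses from slipping under the limit."""
        used = self.sent_by_day.get(today, 0)
        if used + recipients > self.daily_limit(today):
            return False
        self.sent_by_day[today] = used + recipients
        return True


if __name__ == "__main__":
    # Constructed demo: an account created on day 0 trying to bulk-mail.
    acct = Account(created_day=0)
    print("day 1, 20 recipients:", acct.try_send(1, recipients=20))
    print("day 1, one more:      ", acct.try_send(1))
    print("limit on day 45:      ", acct.daily_limit(45))
```

An opt-in list manager who requests the waiver but never completes verification stays at the normal cap, which is the "AND authenticated" condition in the proposal.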
that Hotmail and Yahoo accounts are being created. Couldn't it just be a low level spoof that makes mail look like it's coming from Hotmail or Yahoo accounts, or worse still, someone has found a way to override whatever security MS and Yahoo have on their SMTP servers?
I moderate a 3300-person mailing list with its share of spam. (It's on Yahoo Groups, for reasons too convoluted to list, but what the hey, it's working there so why break it?)
To manage it, all new posters are set to 'moderated' status. I or another moderator review their first post. If it's on topic for the group, we set them to unmoderated status and approve it. If it's spam, we nuke it (and them.)
I've only ever had two people go 'sour' and start spamming after posting an on-topic post, and I can't tell if their email's been compromised or they simply decided to post off-topic. Rules are that they get one warning and then they go back on moderation. That's never happened.
Against stupidity the gods themselves contend in vain.
Sorry, can't hear you...
IANAL but write like a drunk one.
I've done it automatically. With enough effort even the difficult hotmail and yahoo ones can be done. It is just simple shape matching and fast search through a database. It isn't really difficult and slashdot is worse for assuming it was purely human.
I never have spam issues. My real email address is rarely used..only for friends and legitimate sites(Secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts.
Horse puckies. This might have worked 5 years ago, and it might work if you have a very complicated username on your email address, but dictionary-attack spamming has long since made your "advice" into a lie. I have email addresses that have never once been used anywhere on the Internet (created specifically for this purpose), that get 100+ spam messages a day at this point.
Your advice is along the lines of "only open email from people you know", i.e. great advice, if this was still 1999 and the bad folks hadn't long since thought past that one.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
it may not be, but it contains the goatse image.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
If the success level is that low, then they are probably using simple dictionary attacks, otherwise there would have been millions of bogus accounts already.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
$2.50 to transcribe a 60 minute lecture? WTF?
I have seen first-hand myself small "businesses" with around 14 people on computers solving CAPTCHAs all day in Hanoi, Vietnam. :)
I talked with a manager there about it (I think they thought I was a potential customer) but I don't think they had any idea what they were doing; they even showed me around, explaining that they specialise in all sorts of things like data mining.
The software they were using looked like some custom application (wasn't in English) which showed an image (in this case a CAPTCHA) with a few other entry fields and combo boxes on the right pane. There were also a few people digitizing what appeared to be pages from books.
Well I got a free coffee, so I was happy, it certainly was interesting.
Now to type in my own CAPTCHA so I can submit this post...or I could hire the Vietnamese to do it
This might not be popular but it would solve the problem for Yahoo and other big targets.... require a credit card. Use it just for verification. This would also help in keeping parents in the loop about what their kids are doing (at least on the big boards).
A fool throws a stone into a well and a thousand sages can not remove it.
Wouldn't bounced and undeliverable email fill the inbox of the fake accounts?
Also, wouldn't it be possible to limit the speed at which email can be sent from an account? I mean there's no human alive who can send out emails at the rate spam is produced or have a legitimate need to send single emails to even hundreds of people at a time.
The crazy thing is it is hurting businesses but they don't care much.
Management kept shooting down our requests for anti-spam appliances until the CEO got some highly offensive spam.
Then they came screaming asking why we don't have better anti-spam systems.. Simple.. you keep cutting it out of the budget.
Within the week we had POs signed for new systems.
Now we pay for support on 2 anti-spam solutions to have a double-layer defense.
We get 5 million messages per week. 90% is spam.. That's a big chunk of bandwidth.
Half the support tickets I get each week are either I got spam or the filters ate my mail.
All this adds up to a good chunk of $$.. probably enough to hire 2 more people.
Management does not see it as a big issue.. they think the small amount that gets through is "the big problem"
I think once a month we should have spam Friday.. Turn off all the filters for 24 hours so they can get a feel for the true nightmare we hold back for them every day.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
Why don't they setup the accounts so that the first 10-15 messages that are sent from the account require some user intervention?
(Or, better yet, execute the CFO of businesses that use spam to try to sell their products, or individuals that are running phishing scams!)
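The two suggestions above (throttle how fast an account can send, and make the first few messages from a new account require a human step) are easy to sketch in code. The following is an added example, not code from any of the posters or from Yahoo or Hotmail; the thresholds (100 messages per hour, 50 recipients per message, 10 free messages before a 15-message "probation" during which each send needs a human check) are assumptions chosen for illustration.

```python
"""Per-account outbound mail policy (added example, hypothetical thresholds).

'allow'  -> deliver the message
'verify' -> a new account must pass a human check (e.g. a CAPTCHA) first
'deny'   -> hard limit exceeded
"""
from collections import deque
import time

MAX_PER_HOUR = 100          # sliding one-hour window per account
MAX_RCPT = 50               # recipients per single message
NEW_ACCOUNT_FREE = 10       # messages a fresh account may send unchallenged
PROBATION_MESSAGES = 15     # human-confirmed sends needed to leave probation


class AccountState:
    def __init__(self):
        self.sent_times = deque()   # timestamps of sends in the last hour
        self.total_sent = 0
        self.confirmed = 0          # sends that passed the human check


class OutboundPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def check(self, user, rcpt_count, human_verified=False):
        st = self._state(user)
        now = self.clock()
        # drop sends older than one hour from the sliding window
        while st.sent_times and now - st.sent_times[0] > 3600:
            st.sent_times.popleft()
        if rcpt_count > MAX_RCPT:
            return 'deny'
        if len(st.sent_times) >= MAX_PER_HOUR:
            return 'deny'
        on_probation = (st.total_sent >= NEW_ACCOUNT_FREE
                        and st.confirmed < PROBATION_MESSAGES)
        if on_probation and not human_verified:
            return 'verify'
        st.sent_times.append(now)
        st.total_sent += 1
        if on_probation:
            st.confirmed += 1
        return 'allow'


def simulate_new_account():
    """Constructed scenario: a fresh account sending one message at a time."""
    t = [1000.0]
    policy = OutboundPolicy(clock=lambda: t[0])
    decisions = [policy.check('newbie', 1) for _ in range(NEW_ACCOUNT_FREE)]
    decisions.append(policy.check('newbie', 1))            # first challenged send
    decisions += [policy.check('newbie', 1, human_verified=True)
                  for _ in range(PROBATION_MESSAGES)]
    decisions.append(policy.check('newbie', 1))            # probation is over
    decisions.append(policy.check('newbie', MAX_RCPT + 1))  # too many recipients
    return decisions


def simulate_rate_limit():
    """Constructed scenario: an account that hammers the hourly limit."""
    t = [5000.0]
    policy = OutboundPolicy(clock=lambda: t[0])
    allowed = sum(policy.check('bulk', 1, human_verified=True) == 'allow'
                  for _ in range(MAX_PER_HOUR))
    over_limit = policy.check('bulk', 1, human_verified=True)
    t[0] += 3601                                           # an hour later
    after_hour = policy.check('bulk', 1, human_verified=True)
    return allowed, over_limit, after_hour


if __name__ == '__main__':
    print(simulate_new_account())
    print(simulate_rate_limit())
```

The window check runs before the probation check on purpose: a bot that has somehow obtained human solutions still cannot exceed the hourly cap, and the recipient cap stops a single message from reaching hundreds of mailboxes at once.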
For email accounts they need to require a deposit. You get it back when you cancel your account but you must wait x number of days minimum. If they find out the account was used for spamming or phishing then you lose the account deposit. Make it something like $20 which would make opening thousands of accounts financially unviable.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
All this does is move us one step closer to having some sort of system that validates people as who they really are. There ARE systems out there that work fairly well but are not cost effective. At some point I'd pay for some sort of encrypted certificate that PROVED that I am who I say I am and an organization on the web could use it to validate.
Yes, there are all sorts of privacy questions and "well I could just bla bla bla" to get around it. But at some point it's GOING to have to be addressed.
just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
That's pretty impressive, considering I can only make out about half the damn things I come across.
Unfortunately, they didn't have the resources
I have heard, from a moderately credible source in the security industry, that the people behind BlueFrog stopped because they were sent threats, along with pictures of their home and children, by the spammers they were attacking.
Someone may try this again, but it may have to be one of the security companies that handle lethal threats, like Blackwater or the Kroll division of Garda.
How about something along the lines of Kitten Auth. http://www.thepcspy.com/kittenauth Try it out here. http://www.thepcspy.com/contact
I don't even look at it, its deleted. So if everyone else is doing the same and their ISP is helping, where are the spammers getting their financial support from?
I switched to recaptcha, which uses OCR'ed texts to validate. Ever since I switched I don't get the automated spammers signing up. There are plugins for various languages and bulletin board systems (such as phpbb). It has a side-benefit of correcting OCRed public domain books.
IM A CHILD OHHH NOOO, I JUST SAW A DISTORTED GOATSE, ITS ALMOST AS BAD AS SEEING AN EXPOSED HUMAN BREAST!!!!!
Reason: Don't use so many caps. It's like YELLING.
With all the other problems in the world, why not spend this energy overcoming IEDs and leftover land mines, rather than CAPTCHAs.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Me too, I have broken SHA. Given a SHA hash I can find you the password. In 1 minute. Really. If you visit my home page you will see a list of SHA -> password pairs, all of which were broken with my program. But I will not show you the source code. You can't even download binaries.
Really people, this is a big hoax. Hopefully some idiotic spammer may give money to this person to buy his captcha breaking program. And after a while it will stop working when the web sites change their captcha engines. So spammer loses money. Good.
And remember: a captcha that seems confusing to a human and a captcha that is confusing for a computer program are two completely different things.
The weakest point in those systems is the random numbers that generate the codes. Eventually the seed number and formula can be guessed from the output alone. Make them more random! Or change the formulas and seeds daily!
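An added example of the attack the poster describes (this is not the poster's code and no real provider's generator): a hypothetical CAPTCHA server seeds Python's `random.Random` once with the Unix second at which it started and then hands out codes in sequence. An attacker who has seen a few consecutive codes and knows roughly when the server started can brute-force the seed across that window and predict every code that follows. The fix at the bottom draws codes from `secrets`, which has no seed to recover.

```python
"""Seed recovery against a timestamp-seeded CAPTCHA generator (added example)."""
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 5


def code_from(rng) -> str:
    """Derive one 5-character code from any random-like object with .choice()."""
    return ''.join(rng.choice(ALPHABET) for _ in range(CODE_LEN))


class WeakCaptchaServer:
    """Hypothetical weak design: one seed (the start time), codes in sequence."""
    def __init__(self, start_time: int):
        self._rng = random.Random(start_time)

    def next_code(self) -> str:
        return code_from(self._rng)


def recover_seed(observed, earliest: int, latest: int):
    """Find the seed in [earliest, latest] whose first len(observed) codes match.

    Assumes the attacker saw the generator's first codes; if the offset is
    unknown the same search runs over (seed, offset) pairs instead.
    """
    for seed in range(earliest, latest + 1):
        rng = random.Random(seed)
        if all(code_from(rng) == c for c in observed):
            return seed
    return None


def predict_next(seed: int, already_seen: int, count: int):
    """Replay the recovered generator past the codes already seen."""
    rng = random.Random(seed)
    for _ in range(already_seen):
        code_from(rng)
    return [code_from(rng) for _ in range(count)]


class StrongCaptchaServer:
    """Codes from the OS CSPRNG: no seed, nothing to recover from outputs."""
    def next_code(self) -> str:
        return ''.join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))


def demo(start_time: int = 1_700_000_000, window: int = 1800):
    """Constructed scenario: attacker saw three codes, knows start time +/- window."""
    server = WeakCaptchaServer(start_time)
    seen = [server.next_code() for _ in range(3)]
    seed = recover_seed(seen, start_time - window, start_time + window)
    predicted = predict_next(seed, already_seen=len(seen), count=2)
    actual = [server.next_code(), server.next_code()]
    return seed, predicted, actual


if __name__ == '__main__':
    print(demo())
```

Three observed codes are enough: the search tries 3601 candidate seeds against an output space of 36^15, so a false match is vanishingly unlikely. Rotating the formula daily, as the poster suggests, only widens the search slightly; removing the guessable seed is what actually closes the hole.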
One thing I haven't seen in all this discussion is that quite a few of the CAPTCHA systems out there also generate a short sound bite for people with disabilities that's only a quick link away. It's a lot easier to use speech recognition routines on the .wav file than bother with the image.
If you generate the form, you can include a key and keep track of when the key was generated. When the form data is submitted, check the key generation time stored on the server to see if the elapsed time was too quick for a human response. I may do this on one of my forms.
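One way to implement the timing check above, as an added example rather than the poster's own code: instead of storing each key's generation time on the server, the key carries its own timestamp and a random nonce under an HMAC, so the server only needs to remember which keys have already been used. The secret, the 3-second floor and the 10-minute ceiling are assumptions.

```python
"""Signed, timestamped form keys with a too-fast / expired / replayed check."""
import base64
import hashlib
import hmac
import os
import secrets
import time

# Assumption: a long-lived secret from the environment; the fallback is only
# so the example runs stand-alone (keys would not survive a restart).
SECRET = os.environ.get('FORM_KEY_SECRET', secrets.token_hex(32)).encode()
MIN_SECONDS = 3.0      # faster than this is not a human typing a post
MAX_SECONDS = 600.0    # older than this and the key has gone stale

_used_payloads = set()  # replay cache; a real deployment expires entries


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_key(now: float = None) -> str:
    """Embed in the form as a hidden field when the page is rendered."""
    now = time.time() if now is None else now
    payload = f"{now:.3f}:{secrets.token_hex(8)}".encode()
    return base64.urlsafe_b64encode(payload + b'|' + _sign(payload)).decode()


def check_key(key: str, now: float = None) -> str:
    """Return 'ok', 'bad_signature', 'too_fast', 'expired' or 'replayed'."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(key.encode())
        payload, sig = raw.rsplit(b'|', 1)   # hex signature never contains '|'
    except Exception:
        return 'bad_signature'
    if not hmac.compare_digest(sig, _sign(payload)):
        return 'bad_signature'
    issued = float(payload.split(b':', 1)[0])
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return 'too_fast'
    if elapsed > MAX_SECONDS:
        return 'expired'
    if payload in _used_payloads:
        return 'replayed'
    _used_payloads.add(payload)
    return 'ok'


if __name__ == '__main__':
    k = issue_key(now=1000.0)
    print(check_key(k, now=1001.0), check_key(k, now=1005.0), check_key(k, now=1005.0))
```

The replay set matters: without it a bot could fetch one form, wait four seconds, and reuse the same key for every subsequent submission. The timestamp check alone is a speed bump, not a CAPTCHA replacement, since a bot can simply sleep.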
Most of the systems I have seen are something relatively easy to crack. A lot are five character images where the image name is the MD5 hash of the characters appearing in the image, and the code is case-insensitive. Well, 5 alphanumeric characters is only 60,466,176 combinations. Make a MySQL table with all possible combinations of letters and numbers and their associated MD5 hash. All you have to do then is lookup the name of the image being displayed and return the corresponding characters. Even on a lowly system the lookup takes about 15 seconds.
/.'s system is not that easy right off the bat.
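The weakness in the comment above, as an added example (not the poster's code or any real forum's): if the image is served as `/captcha/<md5(answer)>.png`, the bot never needs to look at the pixels, it just looks the name up in a precomputed table. The block builds such a table for a 3-character keyspace so it runs in well under a second; the 5-character table the comment describes is the same idea with 36^5 rows. The second half shows the usual fix: an unguessable token mapped to the answer on the server side, consumed on first use.

```python
"""Hash-named CAPTCHA images: the lookup attack and a safe alternative."""
import hashlib
import hmac
import itertools
import secrets
import string

CHARSET = string.digits + string.ascii_lowercase   # codes are case-insensitive


def leaky_image_name(answer: str) -> str:
    """The naming scheme the comment describes: md5(answer) as the file name."""
    return hashlib.md5(answer.lower().encode()).hexdigest() + '.png'


def build_table(length: int) -> dict:
    """Precompute md5 -> plaintext for every code of the given length."""
    return {hashlib.md5(''.join(c).encode()).hexdigest(): ''.join(c)
            for c in itertools.product(CHARSET, repeat=length)}


def crack(image_path: str, table: dict):
    """Recover the answer from the image URL alone; None if not in the table."""
    name = image_path.rsplit('/', 1)[-1].removesuffix('.png')
    return table.get(name)


# Safe alternative: random token, answer kept server-side, single use.
_challenges = {}


def new_challenge(answer: str) -> str:
    token = secrets.token_urlsafe(16)
    _challenges[token] = answer.lower()
    return token + '.png'


def verify(image_name: str, response: str) -> bool:
    expected = _challenges.pop(image_name.removesuffix('.png'), None)
    return expected is not None and hmac.compare_digest(expected, response.lower())


if __name__ == '__main__':
    table = build_table(3)
    print(crack('/captcha/' + leaky_image_name('7q2'), table))   # 7q2
    t = new_challenge('7q2')
    print(crack(t, table), verify(t, '7Q2'), verify(t, '7Q2'))   # None True False
```

Salting the hash does not help if the salt is fixed, because the table is simply rebuilt with the salt; the property that matters is that nothing the client receives is derived from the answer.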
Note:
I have been following only one Israeli spammer, so my statistics are perhaps not as good as Spamhaus statistics, but out of 270 pieces of spam received over more than a year, sent by the same spammer using 268 different IP addresses in 40 different countries, 79 unique pieces of spam (29%) came from IP addresses of US providers. Western Europe (Spain, France, Germany etc.) came in second with 27%, Eastern Europe with 14.5%, South America with 13%, the Middle East with 7% (within it 4% from Israel) and the Far East came last with 6% (about half from China, which is 10 times less than the USA). Details (alas in Hebrew) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=6741471 and the IP addresses themselves (webpage in Hebrew, but IP addresses and links to dnsstuff still usable) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=5950596 .
Now all this shows quite definitely that this spam operation is botnet-based, so can law enforcement get this spammer and put him in jail? I didn't think so, so for several months I have been asking ISPs to check and confirm that the machines are actually infected machines that are sending out spam without the owner's permission. Only one ISP replied. First reply said:
> I can confirm that I have other reports from this system, including what
> appears to be german stock pump spam.
Reply to my further inquiry said:
> It will take a few days. There's no way for sure to verify outside of asking the
> customer. However, we've not had any issues with this customer sending spam in
> the past. They are also located in a small rural town in Oklahoma. I will try
> and get the customer to report to me which viruses and trojans are removed by
> A/V supposing they don't reformat.
>
> I guess I'm saying that the spam is sent without their permission. I'm just not
> completely sure how to prove it.
and then:
> I'm not sure if the customer will get me the proper virus/trojan information,
> but I can attest to them being infected. They were caught scanning 137 and 445.
> They also had 2 open ports which were handing out binary code, most likely the
> payload of the virus.
>
> 5468/tcp open unknown
> 50507/tcp open unknown
>
> This machine is definitely compromised, we just don't know by what.
Now with this I went to the computer crime division of the Israeli police (and with the spammer's contact info - cellphone number, list of some of the spammer's customers, including publicly traded companies and a government agency, samples of spam with forged headers etc.) and they said they are not sure there's a lot they can do with it, but they will investigate to see if perhaps they can do something. In particular, having the information that an abuse team of an ISP from another country says that it looks like an unknown virus is an indication, but practically they need someone that they can call to testify in a court, so what they really need is a local infected machine that they can actually check and link to the spammer (that is: they need evidence that can be brought to the court that this particular person accessed and used another person's PC and the other person can actually say it was without permission). They did ask me and I provided all the particular pieces of spam that were sent from local (Israeli) IP addresses.
This is an example to the problem faced by law enforcement: they need to establish a direct link between the abused machine and the abuser, and actually prove it was without permission. They cannot just say that using so many IP addresses show that it is illegal. And there are many other hurdles, including definitions in the laws defining computer based cri
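The ISP's evidence above amounts to "this host was caught scanning 137 and 445 across the network", which is the kind of signal an abuse team can pull out of flow logs automatically. The following is an added example, not the ISP's tooling or the poster's: it takes constructed flow-style log lines and flags any source that fans out to many distinct destinations on the same NetBIOS/SMB port, which is the worm-like behaviour the quoted reply describes. The log format and the fan-out threshold of 20 destinations are assumptions.

```python
"""Flag hosts fanning out on ports 137/445 in flow-style logs (added example)."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)')
SCAN_THRESHOLD = 20          # distinct destinations on one port
SCAN_PORTS = (137, 445)      # NetBIOS name service and SMB


def parse(lines):
    """Yield (src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group('src'), m.group('dst'), int(m.group('dport'))


def find_scanners(lines, threshold=SCAN_THRESHOLD, ports=SCAN_PORTS):
    """Return sorted (src, port, distinct_destinations) for every fan-out hit."""
    fanout = defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport in ports:
            fanout[(src, dport)].add(dst)
    return sorted((src, port, len(dsts))
                  for (src, port), dsts in fanout.items() if len(dsts) >= threshold)


def constructed_sample():
    """Constructed log: one infected host sweeping a /24, plus benign traffic."""
    lines = []
    for i in range(1, 31):                      # SMB sweep, 30 targets
        lines.append(f"2007-07-19T10:00:{i % 60:02d} src=198.51.100.7 "
                     f"dst=192.0.2.{i} dport=445 proto=tcp")
    for i in range(1, 26):                      # NetBIOS sweep, 25 targets
        lines.append(f"2007-07-19T10:01:{i % 60:02d} src=198.51.100.7 "
                     f"dst=192.0.2.{i} dport=137 proto=udp")
    for i in range(5):                          # a file server client, one target
        lines.append(f"2007-07-19T10:02:{i:02d} src=198.51.100.8 "
                     f"dst=192.0.2.5 dport=445 proto=tcp")
    lines.append("2007-07-19T10:03:00 src=198.51.100.9 dst=192.0.2.80 dport=80 proto=tcp")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == '__main__':
    for src, port, n in find_scanners(constructed_sample()):
        print(f"{src} contacted {n} hosts on port {port}")
```

A host that talks to one file server all day never trips this, while a worm that walks the neighbouring subnet does within a minute; the resulting (source, port, fan-out) record is exactly the artefact an abuse desk can attach to a complaint, along with the timestamps of the first and last probe.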
I would suggest 1 second in jail, for each single piece of spam, non-overlapping.
And I would suggest that the spammer be allowed to appeal (each term individually. That is, they would be able to opt-out of being punished using the provided "removal mechanism").
Or perhaps they can even be provided with a release order, that they would have to find in a mailbox full of millions of pieces of spam. They would need to "just hit delete" for everything except the release order.
"A Turing machine with a black box, called an oracle, which is able to decide certain decision problems in a single step" (http://en.wikipedia.org/wiki/Oracle_machine)
The solution to the problem of bypassing Captcha tests was known before they were introduced, and is taught in almost any reasonable undergraduate textbook on computational models. Spammers just did their homework...
mod parent interesting.
Fascinating numbers!
How funny! If that much spam (29%) originates within the boundaries of the US, then the US has everything it needs to be able to fix it! Whether the spammer has a dynamic or static IP address, they will have records of which customer was using which line at that time. In the event that they're using dial up, there are phone records to go to as well. Now back that up with huge fines and jail terms.
Even a 29% cut in spam is worth pursuing. Re: Europe. The US has strong-armed much of the world into signing its absurd DMCA into their own law. They can do this for Spam too! Add that up... wow. That's a big cut in spam!
So there you have it. US Congressmen and Senators could stop this if they wanted to. Surely in this set of pork-barrelling lazy asses, there must be one or two with the brains to latch onto a sure vote winner? Now the direct marketing bodies would do the best to sink the bill a-la The CAN-SPAM Act. How do you deal with them?
It's not that simple!
The IP address doesn't lead to the spammer. The IP address leads to the victim whose computer was infected by malware that allows a criminal (spammer or worse) to use the computer. The fact that 29% of the IP addresses used by a spammer (that was not US-based) were in the USA reflects the fact that approximately 29% of the computers the botnet operator managed to take over are in the USA. So you cannot just come to the PC owner and jail her.
But it doesn't mean that the US law authorities don't have an "advantage" in having 29% of the botnet US-based. It means that they can probably get physical access to enough machines to have hard evidence that can be used to get to the spammer. The problem as I described it is of how to enable the law enforcement people to get this info: how to let them get to the compromised machines in time to be able to watch them being abused, how to let people know they can help law enforcement catch the criminals that take their PCs over and make the process as smooth as possible, and how to cooperate across jurisdictions.
So somehow people should be educated that if their PC is found sending out spam and they are not the ones doing it, then they should not run and hide so they are not caught sending spam. Instead they should know they can cooperate by having the info on their infected machine available to law enforcement and be content that at least they contributed something that can help stop the criminals, just as they would if a burglar entered their house.
Re: Botnets. You raise a good point. Ok: So once the luser's computer is infected and if botmasters have done their homework they are more or less untraceable. They can go through enough proxies, servers and countries that they're more or less untraceable. This answered my next question: Most Spam is from Botnets. http://news.zdnet.co.uk/security/0,1000000189,39167561,00.htm No reason not to try tracing them though. Criminals, at some point, drop the ball. That's when they get caught. If law enforcement is uninterested as they are now, the criminals don't have to be careful. If they were smart, they'd be doing something else. You'll get some of them (the dumb ones anyway).
Lusers: Education helps, but that applies with everything. Heard a thing recently on the radio about botnets. The journalist doing the story said he figured he had two botnets running on his PC. Now at that stage I'd scream and yank my comms cable out of its socket, but this guy was ambivalent. Can you educate the public? Surgeon General has been warning for years on the dangers of smoking and many people still smoke. Let's forget education.
ISPs: I was trojaned once. Called the ISP. They have customers PCs getting hijacked all the time: packets flying everywhere. Their care factor is low. Judging what I read of most ISPs customer service, you have no chance of motivating them to also police this sort of thing. They just don't care. Forget that.
Commerce: This has to be the best link in the chain to attack. They spam because they want your money. The flaw in spam is they *always* have to leave a way for you to contact them. Now they might do this through shady companies (like the companies that sell 'cold called' lists to mortgage brokers). At some point they have to get in touch with you to take your money. So get the feds to put a transaction through and see where the money trail leads. Or wait for the mortgage broker to call the agent who arrests them with using 'stolen contact details' or whatever the legislators want to call it.
Prosecution: If it's intra-country, easy. If it's in a country with a real legal system and extradition agreement, ok, there's the possibility. It could be done, but there would need to be a real political will. Can you imagine a European extradited to the US on spam charges? Yes. An American extradited to Europe? Possible, or they'd prosecute them locally. Again, assumes a political will absent at the moment. (A Buddy wrote to his congressman via email. Congressman's gopher asked for a postal address to send the reply.) A Russian extradited to Britain. Yeah. Exactly.
Lobbyists: These guys sank the CAN-SPAM act. http://en.wikipedia.org/wiki/Can_Spam_Act_of_2003 Lobbyists are part of the problem. You'll never stop spam while these guys are buying Congressmen. They make all the above discussion moot.
Conclusion: Can't stop all spammers, but you can't stop all crime either. There are things the authorities could do if they were willing. At the moment, they're not. Let me phrase it this way: Spam isn't a technical problem. It's a political one.
I see it now. The spam is the lobbyist. The lobbyist is the spam.
Botnet herders are there for the money, and spam is "good money". So most spam is sent using botnets and sending spam is the major income for botnet herders. See the very recent two-article series called "Botconomics" on Cnet: Part 1 (http://reviews.cnet.com/4520-3513_7-6748100-1.html), Part 2 (http://reviews.cnet.com/4520-3513_7-6749973-1.html).
Now the botnet herders might be hard to reach, behind multiple layers of proxies or whatever, and the money trail perhaps would not lead all the way to them, but stopping much of the flow of money can suffocate them, or at least keep them from growing. You cannot easily stop them from sending spam advertising illegal things like porn, gambling etc. But you can keep the big money out, and the big money is in legitimate businesses. If they can get away from being accused of crimes they paid to commit (using trojaned machines to send their spam) by saying they got the service on the internet from someone unreachable and unidentifiable then it's very bad. It's like someone who bought a stolen TV set going away unpunished because he says he bought it "from this guy in this van and there's no way he can identify the seller because the seller was wearing a mask". So if a business gets spamming services from an unidentifiable provider and it turns out it was sent using trojaned machines that business owner should pay a price (jail time) because it's not much different from buying a TV set from a masked man in a van. If they can lead to the service provider then they might be able to claim that they have been tricked into buying this service. The spammer I am following has sold his services to legitimate businesses: big businesses that require their service providers to work legally, provide paperwork such as receipts that show that tax was paid etc. The spammer works openly and looks like a legitimate business. So the only problem is to get the data that can be used to prove the use of trojaned machines in a way accepted by a court of law (and statistics showing hundreds of spam messages coming from any corner of planet Earth that has some kind of internet connection is not enough, it seems).
So if a "luser" got trojaned, the thing to do is exactly what that journalist did: not panic, and see what evidence about the people abusing the computer can be retrieved from the computer. If they wanted your personal info stored on the computer they already got it by the time you found out you've been trojaned. You shouldn't store it openly on your PC anyway. A burglar can take the PC and then get the info out of the stolen PC. On the other hand a trojan that's part of a botnet has no interest in harming your PC. The trojan's interests are keeping a low profile and not being discovered so they can do their work. Lately some trojans have been seen to install anti-virus software on the machines they infected to keep out other (competing) malware. So it seems you do not have to worry too much about the damage a trojan will do to your computer nowadays, at least if you don't store sensitive information and have backups. You can watch what the trojan does and since it's there to be hired out to real people eventually you'd find out who hired it, and hiring it is just as illegal as controlling it, or at least should be illegal.