Have Spammers Overcome the CAPTCHA?
thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
Indians are fast, accurate and cheap:
http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html
Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:
http://www.getafreelancer.com/projects/PHP-ASP/yahoo-ocr-bypass-captcha.157160.html
And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.
http://sam.zoy.org/pwntcha/
One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it.
What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.
Time to blackhole it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.
It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.
Short of brutal vigilante justice (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.
http://www.spamhaus.org/statistics/countries.lasso
The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP.
Oolite: Elite-like game. For Mac, Linux and Windows
Most CAPTCHAs use images and random marks or dots in the background, but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited, so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter break the CAPTCHA.
A lot of the easier-to-crack CAPTCHAs use only a single font and render all the letters at 90 degree angles. The smarter ones jumble and warp the letters by shifting each letter by an offset and rotating it by a small angle. If you could figure out the direction of the warp or rotation by checking the background, you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating it every few degrees and selecting the result that outputs the greatest number of OCR'd characters from the least amount of rotation.
Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.
FYI:
http://en.wikipedia.org/wiki/Captcha
http://www.cs.sfu.ca/~mori/research/gimpy/
By the way, some CAPTCHAS have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.
Camping on quad since 1996.
I use a very effective method. Only javascript has to be activated.
The submit button is only enabled after 20 seconds.
Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.
A bot will of course submit the form in less than 20s; that's where the timestamping comes into play. If the form display and form submit events are less than 20s apart, it's considered spam too.
Catches 99% of the posts.
0% false positives.
Of course if a big site like yahoo implements this, it's easy for a spammer to work around this special case. It's always easy to work around a blocking if you know that some kind of measure is in place.
So I added another trick: I show the spammer his submitted post as if he succeeded. You only see that it's bogus when you reload the original page and notice that your post is not there.
Atari rules... ermm... ruled.
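The server side of the scheme the commenter describes (reject submits arriving less than 20 s after the form was rendered, and answer spam with the same "success" page while silently dropping the post), as an added example that is not the commenter's own code. It adds an HMAC over the render-time stamp, an assumption the comment does not mention, so a bot cannot simply back-date the hidden field; SECRET, MAX_SECONDS and the page template are constructed placeholders.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-per-deployment-secret"  # constructed placeholder
MIN_SECONDS = 20        # the commenter's threshold: display and submit at least 20 s apart
MAX_SECONDS = 6 * 3600  # assumption added here: very old tokens are also refused

def issue_token(now=None):
    """Called when the form is rendered; goes into a hidden form field."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def classify(token, now=None):
    """Return 'ok', or the server-side reason the submission counts as spam."""
    now = time.time() if now is None else now
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return "malformed"          # hidden field missing or not ts.sig
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "tampered"           # timestamp was edited or forged
    elapsed = now - ts
    if elapsed < MIN_SECONDS:
        return "too-fast"           # submitted before a human could have typed a post
    if elapsed > MAX_SECONDS:
        return "stale"
    return "ok"

STORED = []  # stands in for the real post store

def handle_submit(token, text, now=None):
    """Shadow-accept: the page returned is identical whether or not the post was kept.
    The verdict is for server-side logging only and must not reach the client."""
    verdict = classify(token, now)
    if verdict == "ok":
        STORED.append(text)
    page = f"<p>Your post: {text}</p>"   # rendered back in both cases
    return page, verdict
```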
Quoted from this article. No wonder someone used it for a worm.
Also discussed here on
Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.
FireballX301 writes
"The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"