Have Spammers Overcome the CAPTCHA?
thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."
Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHAs dynamically generated from an extended "character set", or are the distortions generated in real time?
* Problem with spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all spam activity ceases. Impractical? Maybe, but I'll bet the Chinese Government can come down like a sledgehammer when it wants to! Same with this kind of threat to India. When the Indian Government smells its vast outsourcing revenues becoming unstuck, they'll have motivation to crack down on 'unscrupulous operators'.
* 25 years in jail and a $2M fine for those who use spammers. Tracking spammers is hard. Typically the fools that reply to spam give their details to a spammer web site, who sells a call list to a mortgage agency, who then calls you, supposedly unaware of the source. Some journalists have done this and followed the trail. Now if journalists can do it, maybe the FBI can do it? If the FBI aren't up to the task, bounty hunters maybe?
* Same thing: Have law enforcement respond to spam, trace the payment and throw the lowlife on the other end into the slammer: 25 years in jail and a $2M fine.
* Conan the Barbarian has some advice here: "Savages are more polite than so-called civilized men, because a civilized man knows he can insult someone without getting his skull split". The reason spammers do it isn't just because it can make money, but because they know they can get away with it. The chance of getting prosecuted at the moment is next to nothing. Give them a fair chance of getting imprisoned, and they'll change their tune.
Comes down to the same thing: Congress drafting laws and supplying the funds to enforce it. Do I hear a Presidential Candidate with an anti-Spam policy?
Block MSN and yahoo.
You can thank me later.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
...and if this person or persons happen to be, say, a 12 year old semi-literate war refugee in Sub-Saharan Africa, he'd probably be willing to do a whole day of it for a bowl of soup and a big shiny nickel, or even just for a semi-serious promise not to beat him again that evening...
Things get real economical real fast if you think globally and happen to be evil.
In a point of irony I would like to mention that the captcha for this Slashdot comment was "disturbs".
It's the Mechanical Turk approach. Amazon is doing it.
Just to clarify, sending back an auto-reply that says "Hi, thanks for writing to postmaster@foo.com; we don't bother to monitor this account, so your message has been deleted," doesn't make you RFC2821 compliant. (Not implying that you thought that, just wanted to make sure everyone is clear.)
Auto-replies that confirm that a message has been received are OK ("Hi, thanks for writing to postmaster@foo.com; your message was received and will be dealt with by a staff member"), but only if there's eventually some followup. The RFC is pretty clear that the abuse and postmaster addresses should be monitored by a person; everything else is just optional window dressing.
Microsoft just blackholes both of those addresses. I've never gotten any further messages from them in response to any of the spam I've ever forwarded their way, but I suppose it's possible, or was possible at one point, that they were looking at it. But I've never gotten jack from them, and they're on the rfc-ignorant.org shitlist. (Which is a tremendously easy shitlist to get removed from, so I doubt it's in error.) What Hotmail/MS would like you to do is apparently go to some page on their site that relates to spam, but I've never visited.
Yahoo is likewise on the rfc-ignorant list, although they apparently just bounce with a "552 mail size or count over quota" error; although I think I've sent them stuff and not gotten a bounce message of any kind. (So either they're reading it and just haven't bothered to click the link to get themselves off the rfc-ignorant list, or they blackhole incoming messages silently, which would be very evil.)
Interestingly, Gmail.com and Google.com are not on the list, and neither is hushmail.com, aim.com, or inbox.com, although Lycos and its subdomains (I didn't even know they were still in business) are.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases impossible, for legitimate users to use your service. Language barriers rank among the biggest problems. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak English at all, or may have no idea how to spell 'apple' in English. Same with audio captchas.
The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data into them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.
It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.
BeauHD. Worst editor since kdawson.
As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.
The site just asked the user to check off each image representing a living thing.
Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.
How long until we're using the kind of tests we saw in Blade Runner?
On my forum some days we'd get 5/6 bots per day. It's a vB board and it used the standard vB captcha. One day I installed a plugin called NoSpam! which asks the user a simple question when registering. Questions such as 2+2=, what do you do when a traffic light goes red, etc. The questions are simple; if somebody can't answer them I'd be surprised that they made it as far as the registration page. Since I've installed it there hasn't been even one bot through, so it is 100% effective so far. I know it won't last forever and that bots will be programmed to circumvent it, but I'll deal with that when it comes to it.
I never have spam issues. My real email address is rarely used... only for friends and legitimate sites (secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts. I don't check them frequently and I only whitelist domains I expect to see. The problem with "free" email addresses is that they end up costing us all. If all users paid for their email, then companies would have a real vested interest in stopping spam. If someone even had to pay $1 for their hotmail/yahoo/gmail account, it would severely limit the rampant abuse of the system. While I fiercely defend the freedom of the internet, I also respect the need for bars to check IDs and pornography to be sold underneath black covers or in stores which are limited to adults. Research, development & implementation of anti-spam initiatives have cost this country hundreds of millions of dollars. Think of it as the most basic form of tax which would allow us to keep riff-raff off our super information highway. Obviously there would need to be a few details worked out, but there isn't any reason why the major ISPs couldn't allow users to create their own privately registered domain for the "free" email account that comes with service. Additionally, they need to better educate new users about email. I finally convinced my parents to upgrade to DSL from dial-up last year and I created them a private domain for a new email account when they made the switch. 6 months later and they are still spam free; they are constantly thanking me for all the time saved because they are no longer wading through junk email.
My guess is that most experienced and/or properly educated internet users do this or something similar. Truth is, if you want a quality, reliable product you have to pay for it. Imagine if yahoo or google had $1 for each of their tens of millions of accounts. That'd be a lot of legal capital to pursue and hunt down spammers, not to mention the ability to create a class action lawsuit which would carry more weight. Now, imagine if they got $10 or $20 per account. I'm definitely not proposing a per-email charge here... simply requiring that some small charge be levied so that email accounts are only created by those who want them used for legitimate and expected communication.
Our lives are already overloaded with advertising from marketers who are desperately looking for ways to justify their jobs. Thank the powers for video recorders that allow us to skip commercials and pop up blockers that have reclaimed the web.
That being said... if someone wants to create a vigilante task force that hunts down and punishes top spammers, I'd gladly volunteer. There are just as many legal ways to harass these people and make their lives difficult as hell w/o resorting to violence. Unfortunately, the odds are that this guy did more than spam people (those who take the easy/lazy/annoying way of doing business probably also cheat/lie/scam as well...) and so the person(s) committing this crime probably did not sleep better that night knowing their inbox would be a little less full.
Somebody has changed from farming gold to farming CAPTCHAs.
Send them cloggworm: if they are so gullible, let the malware cut them off from the Internet. Repeatedly. Until they gain a healthy dose of paranoia and start keeping their noses clean.
Scorched Earth strategy works well against those who draw their strength from resources lying free for the taking in the territory. Let all the webmorons who feed the botbarons with their resources feel the wrath!
Yahoo's CAPTCHA just recently being broken that is.
If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address, and lame chatters use them to send DoS messages to other chatters. Kinda like the old days on IRC with ping flooding.
Anyway. I highly doubt they manually entered in 400 CAPTCHAs, and I've seen those accounts for a while now, so I suspect that CAPTCHA has been defeated for quite some time.
Camping on quad since 1996.
We had exactly the same experience. The management liked to outsource some of our less troublesome website and application work to an Indian company. Saved them some money, you see. It might have initially, but I have since spent far too much time fixing these applications and websites. It also appears that Indians have no concept of copyright, as several of the sites they did had to have images replaced because of legal threats.
I and some other people I know give out unique disposable email addresses to our contacts. There is a different unique address for each of our friends and family.
Yesterday I and they received spam emails sent to several of the disposable email addresses. This points us to several of our friends and family as having had their email address lists stolen by spammers.
The common factors are:
There is therefore no obvious way for the spammers to have obtained these unique email addresses, except by the spammers accessing Hotmail's internal systems via a security breach. The security breach could be technical (an unpatched vulnerability in one of Hotmail's systems) or human (one of Hotmail's (outsourced?) staff members copied the contents of some/all of their servers and sold them to the spammers).
I don't know if spammers use Mturk for the captchas, but there is a job on Mturk right now that pays people for placing links to the spammer's website on other websites which allow public comments or have other means of posting links.
If it's not "very public" how are you going to get enough suckers to solve your captchas? You need a lot of exposure. Actually, a real porn site with the same hit rate could probably make more money from ads; and the captcha solving would just detract from that. Another reason this doesn't seem to have happened in reality.
I've seen plenty of bad-SEO tactics on mturk before, as well. "Comment on this blog entry using these two keywords somewhere in your comment."
Present 3 captchas or puzzles, where one of the captchas tells which of the other two to submit:
Example:
#1) What is 1+two?
#2) [image captcha]CoffeeCar
#3) [image captcha]Use the math captcha
Please type the correct answer: __________
Then put a 10+ second time delay and put a per-IP limit on the number of requests in any period of time, say, 10 per hour for most IPs and more for known corporate or ISP outbound firewall IPs.
Also, greatly limiting the number of messages per day free accounts can send during their first 30 days will cut down on their utility to spammers. Anyone who needs to waive that can either wait a month, buy an account, or if Yahoo, etc. is feeling generous, get an "authenticated free" account by providing the mail provider with identity verification.
Of course, all accounts that haven't explicitly requested a waiver AND authenticated themselves should be subject to normal spam-level-volume throttling. People who manage opt-in mailing lists and other legitimate high-volume users will normally request a waiver.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
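The per-IP request limit, the minimum submit delay, and the first-30-days send cap with a waiver only for accounts that both requested it and authenticated, as the comment above lays them out. This is an added example, not code from the thread or from any mail provider; the class names, the 200-per-hour allowance for shared egress IPs, the 20 and 500 messages-per-day caps and the NAT range are assumptions.

```python
import ipaddress
from collections import deque

HOUR, DAY = 3600, 86400
MIN_DELAY = 10            # seconds between serving the form and accepting it
DEFAULT_PER_HOUR = 10     # signup requests per hour for an ordinary IP
NAT_PER_HOUR = 200        # assumption: allowance for known shared egress IPs
NEW_ACCOUNT_DAYS = 30
NEW_ACCOUNT_DAILY = 20    # assumption: daily send cap during the first 30 days
NORMAL_DAILY = 500        # assumption: normal spam-level-volume throttle

# Constructed list standing in for known corporate/ISP outbound firewall ranges.
KNOWN_NAT = [ipaddress.ip_network("203.0.113.0/24")]


class SignupLimiter:
    """Sliding one-hour window of signup requests per source IP."""

    def __init__(self):
        self.hits = {}  # ip -> deque of accepted request timestamps

    def allow(self, ip, served_at, now):
        if now - served_at < MIN_DELAY:      # submitted faster than a human could
            return False
        addr = ipaddress.ip_address(ip)
        limit = NAT_PER_HOUR if any(addr in n for n in KNOWN_NAT) else DEFAULT_PER_HOUR
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= HOUR:      # drop requests older than the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


class Account:
    """Free account whose outbound mail is throttled unless a waiver was both
    requested and backed by identity verification."""

    def __init__(self, created, waiver_requested=False, authenticated=False):
        self.created = created
        self.waiver_requested = waiver_requested
        self.authenticated = authenticated
        self.sent = deque()  # timestamps of messages sent in the last day

    def daily_cap(self, now):
        if self.waiver_requested and self.authenticated:
            return None                      # both conditions met: no volume cap
        if now - self.created < NEW_ACCOUNT_DAYS * DAY:
            return NEW_ACCOUNT_DAILY
        return NORMAL_DAILY

    def may_send(self, now):
        cap = self.daily_cap(now)
        while self.sent and now - self.sent[0] >= DAY:
            self.sent.popleft()
        if cap is not None and len(self.sent) >= cap:
            return False
        self.sent.append(now)
        return True
```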
I know this is unlikely...
but couldn't they use the audio function - Hotmail can also read the numbers & letters if you are visually impaired...
Voice recognition is quite good these days...
Could they not just use Speakeasy or the like to listen to the captcha being read out and type it in the box?
Obviously it's unlikely, but nevertheless...
www.tdobson.net #### Dare to Dream #### blog.tdobson.net
This explains the first half of why spam bots always post exactly five replies and seven new topics on my forum even though I'm not using any such limits. If your board is still spam free, it's only a matter of time.
The CAPTCHA does nothing, but a simple "Are you Human? yes/no" radio button option on registration blocked them for over a month.
I have seen first-hand myself small "businesses" with around 14 people on computers solving CAPTCHAs all day in Hanoi, Vietnam. :)
I talked with a manager there about it (I think they thought I was a potential customer) but I don't think they had any idea what they were doing; they even showed me around, explaining that they specialise in all sorts of things like data mining.
The software they were using looked like some custom application (it wasn't in English) which showed an image (in this case a CAPTCHA) with a few other entry fields and combo boxes on the right pane. There were also a few people digitizing what appeared to be pages from books.
Well I got a free coffee, so I was happy, it certainly was interesting.
Now to type in my own CAPTCHA so I can submit this post...or I could hire the Vietnamese to do it
Wouldn't bounced and undeliverable email fill the inbox of the fake accounts?
Also, wouldn't it be possible to limit the speed at which email can be sent from an account? I mean, there's no human alive who can send out emails at the rate spam is produced, or have a legitimate need to send single emails to even hundreds of people at a time.
There is a better use of all of this untapped genius:
"Enter your solution to the Riemann hypothesis"
"Please submit a new prime number"
"What is a solution to the Arab-Israeli conflict?"
"Show a correct equation that joins the electro-weak and strong forces with gravity."
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
You're thinking about this the wrong way -- on the surface it appears that mturk is an internet labor site, but as you notice, the prices are too low. Mturk provides a framework that both humans and computers can use to solve the same financially interesting problems. Essentially, it provides both an incentive to solve problems by hand (though very modest), and a much larger incentive for AI researchers to attack the problem head on, and solve the entire problem set nearly at once. Of course, it does require that the party with the financially motivated problem be willing to disclose it to the world. And there need to be more publicized case studies of mturk's effectiveness, or even the people who do have such problems won't stop to consider it.
I can't tell whether the current price structure suggests that this has already happened, or that the supply of human intelligence is so vast that it doesn't matter. I do know that several people have written tools to help them solve HITs faster, by grabbing new HITs in the background, and optimizing the display for their needs. But I wonder how much cheaper you could make HITs if you wrote the instructions in Chinese.
I Browse at +4 Flamebait
Open Source Sysadmin