Slashdot Mirror


Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."

10 of 330 comments

  1. Cataloging CAPTCHA info by JonathanR · · Score: 3, Interesting

    Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHAs dynamically generated from an extended "character set" or are the distortions generated in real-time?

    1. Re:Cataloging CAPTCHA info by Bearhouse · · Score: 4, Interesting

      Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids could use it. But now they all use MSN Messenger... Time for an update?

      The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

      How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

      Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...

    2. Re:Cataloging CAPTCHA info by choongiri · · Score: 3, Interesting

      It wouldn't surprise me if this is a direct result of the work on open-source optical character recognition being done specifically to prevent the increased prevalence of captcha-style image spam. It would be rather ironic if the open source model meant the spammers are now turning our own anti-spam tools around and using them against us.

  2. Re:500 accounts created every hour? by bombastinator · · Score: 3, Interesting

    ..and if this person or persons happen to be, say a 12 year old semi-literate war refugee in Sub-Saharan Africa, he'd probably be willing to do a whole day of it for a bowl of soup and a big shiny nickel, or even just for a semi-serious promise not to beat him again that evening...

    Things get real economical real fast if you think globally and happen to be evil.

    In a point of irony I would like to mention that the captcha for this Slashdot comment was "disturbs"

  3. Re:FREE PR0N! by pchan- · · Score: 4, Interesting

    It's the Mechanical Turk approach. Amazon is doing it.

  4. unsurprising by kuzb · · Score: 4, Interesting

    One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problems. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak English at all, or may have no idea how to spell 'apple' in English. Same with audio captchas.

    The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data into them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

    It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.

    --
    BeauHD. Worst editor since kdawson.
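
The hidden-field and single-use form key checks described in kuzb's comment above, sketched server-side as an added example (not part of the original comment or any forum's own code). The field name `website`, the ten-minute key lifetime and the in-memory stores are assumptions.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # per-process signing key (assumption)
KEY_TTL = 600                     # seconds a form key stays valid (assumption)
HONEYPOT = "website"              # hypothetical field, hidden from humans with CSS
_used = {}                        # nonce -> expiry, for single-use enforcement
strikes = {}                      # client IP -> rejected posts, for repeat offenders

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_form_key(now=None):
    """Return a signed 'nonce.expiry.mac' token to embed in a hidden input."""
    now = time.time() if now is None else now
    body = f"{secrets.token_hex(16)}.{int(now) + KEY_TTL}"
    return f"{body}.{_mac(body)}"

def _check_key(token, now):
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed key"
    nonce, expiry, mac = parts
    # Verify the MAC first, so expiry is only parsed once known to be ours.
    if not hmac.compare_digest(mac.encode(), _mac(f"{nonce}.{expiry}").encode()):
        return "forged key"
    if int(expiry) < now:
        return "expired key"
    if nonce in _used:
        return "replayed key"      # same key submitted again without a reload
    _used[nonce] = int(expiry)
    return None

def check_post(form, client_ip, now=None):
    """Return (accepted, reason); form is the dict of submitted fields."""
    now = time.time() if now is None else now
    for n in [n for n, exp in _used.items() if exp < now]:
        del _used[n]               # expired nonces no longer need tracking
    if form.get(HONEYPOT, "").strip():
        reason = "honeypot filled"  # only a bot sees and fills this field
    else:
        reason = _check_key(form.get("form_key", ""), now)
    if reason:
        strikes[client_ip] = strikes.get(client_ip, 0) + 1
        return False, reason
    return True, "ok"
```

The `strikes` counter is what would feed the firewall rules the comment mentions; a real deployment would keep it and `_used` in shared storage rather than process memory.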
  5. Creative CAPTCHA by QuoteMstr · · Score: 4, Interesting

    As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

    The site just asked the user to check off each image representing a living thing.

    Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

    How long until we're using the kind of tests we saw in Blade Runner?

  6. Umm. You sure about Yahoo? by lena_10326 · · Score: 3, Interesting

    Yahoo's CAPTCHA just recently being broken that is.

    If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address and lame chatters use them to send DOS messages to other chatters. Kinda like the old days on IRC with ping flooding.

    Anyway. I highly doubt they manually entered in 400 CAPTCHAs, and I've seen those accounts for a while now so I suspect that CAPTCHA has been defeated for quite some time.

    --
    Camping on quad since 1996.
  7. Re:FREE PR0N! by MooUK · · Score: 3, Interesting

    I've seen plenty of bad-SEO tactics on mturk before, as well. "Comment on this blog entry using these two keywords somewhere in your comment."

  8. the solution was simple by Khyber · · Score: 3, Interesting

    Just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.