Slashdot Mirror


Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."

71 of 330 comments

  1. Quick! by QuantumG · · Score: 5, Funny

    Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

    --
    How we know is more important than what we know.
    1. Re:Quick! by WWWWolf · · Score: 4, Funny

      Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

      And while the problem remains unsolved, you can use it for distributed problem-solving! Instant sponsoring opportunities from the big industry!

      "So you want to sign up for an account? Okay, we need your name, email, and password twice... and could you figure out the optimal shipping route that goes through all of these cities, and only visits each of them once?"

      (Turns out to be a route for some annoying door-to-door salesman. Boy, wonder what he feels like when he finds out someone sent a completely misleading solution! At least sanity-check them first =)

    2. Re:Quick! by Hoi+Polloi · · Score: 2, Interesting

      There is a better use of all of this untapped genius:

      "Enter your solution to the Riemann hypothesis"
      "Please submit a new prime number"
      "What is a solution to the Arab-Israeli conflict?"
      "Show a correct equation that joins the electro-weak and strong forces with gravity."

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    3. Re:Quick! by Hoi+Polloi · · Score: 3, Funny

      You may now have a Yahoo email account.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  2. Cataloging CAPTCHA info by JonathanR · · Score: 3, Interesting

    Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHAs dynamically generated from an extended "character set" or are the distortions generated in real-time?

    1. Re:Cataloging CAPTCHA info by Bearhouse · · Score: 4, Interesting

      Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids could use it. But now they all use MSN Messenger... Time for an update?

      The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

      How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

      Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...

    2. Re:Cataloging CAPTCHA info by Mr2cents · · Score: 4, Funny

      or make people mail respond to a challenge
      You mean... like... a CAPTCHA over e-mail? That seems like a fool-proof plan to me!
      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
    3. Re:Cataloging CAPTCHA info by lena_10326 · · Score: 3, Informative

      Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHAs dynamically generated from an extended "character set" or are the distortions generated in real-time?
      That's how CAPTCHAs are broken, although you don't have to use a general OCR program. If you're going to attack a single type of CAPTCHA, you could tailor your code to take advantage of known properties of that specific CAPTCHA such as: backgrounds, background colors, repeated markings, fonts, font colors, font size, font orientation, and direction of any image warping.

      Most CAPTCHAs use images and random marks or dots in the background but those can be filtered out in a pre-processing step if you know they're drawn using a limited set of colors or don't use the same line thickness as the font. Photographic backgrounds will be limited so they could be filtered easily by detecting which background the CAPTCHA used for that session. Using an oversized background and shifting it by an offset would present difficulty, but Yahoo and Hotmail don't use background images. If backgrounds are rendered gradients, I think it's relatively easy to detect the font color by scanning for broken runs of a continuous single color. The gradient colors would deviate slightly, within a small percent change. If there is any repetitive pattern, which there is if it's a gradient, it only helps the filter breaking the CAPTCHA.

      A lot of the easier to crack CAPTCHAs use only a single font and render all the letters in 90 degree angles. The smarter ones jumble and warp the letters by shifting each letter by an offset and rotating by a small angle. If you could figure out the direction of the warp or rotation, by checking the background you could unwarp or untwist the letters before running OCR on it. Or, you could test each isolated character by rotating every few degrees and selecting the result that outputs the largest number of OCR'd characters from the least amount of rotation.

      Regardless, the algorithm doesn't have to be perfect. It could be right 5% of the time and still generate thousands of email accounts. It doesn't care about rejections, because it's got all day to keep trying.

      FYI:
      http://en.wikipedia.org/wiki/Captcha
      http://www.cs.sfu.ca/~mori/research/gimpy/

      By the way, some CAPTCHAS have been broken by not deleting sessions in the server, but I doubt Yahoo and Hotmail would be open to that bug.
      --
      Camping on quad since 1996.
    4. Re:Cataloging CAPTCHA info by choongiri · · Score: 3, Interesting

      It wouldn't surprise me if this is a direct result of the work on open-source optical character recognition being done specifically to prevent the increased prevalence of captcha-style image spam. It would be rather ironic if the open source model meant the spammers are now turning our own anti-spam tools around and using them against us.

  3. it's easy... by naeim · · Score: 4, Insightful

    Make a porn site that gives you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which the captcha is valid, you're set.

    1. Re:it's easy... by gijoel · · Score: 4, Funny

      And that porn site will be ripped and put on a torrent within a week. Thus defeating the Captcha farm.

    2. Re:it's easy... by Anonymous Coward · · Score: 3, Insightful

      Does that matter?
      I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.

    3. Re:it's easy... by David+Gould · · Score: 5, Funny

      I don't think there is any shortage of porn on the net. There is no point in "collecting it all".
      You know... it took me years to come to that realization. But you're right.
      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  4. 500 accounts created every hour? by patio11 · · Score: 5, Insightful

    That doesn't sound like a CAPTCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPTCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.

    1. Re:500 accounts created every hour? by bombastinator · · Score: 3, Interesting

      ...and if this person or persons happen to be, say, a 12 year old semi-literate war refugee in Sub-Saharan Africa, he'd probably be willing to do a whole day of it for a bowl of soup and a big shiny nickel, or even just for a semi-serious promise not to beat him again that evening...

      Things get real economical real fast if you think globally and happen to be evil.

      In a point of irony I would like to mention that the captcha for this slashdot comment was "disturbs"

    2. Re:500 accounts created every hour? by Tony+Hoyle · · Score: 3, Insightful

      You don't need AI to beat a captcha. They follow a fixed pattern on a single website, so to break the hotmail one you just need to look at a few hotmail sites and figure out how to reverse the graphical munging that has been done. Once that's done you chuck that in a script and churn them out as fast as you like.

      Defeating *any* captcha is an AI problem. Defeating the captcha for a website (or group of websites that use the same software) is just a programming task.

    3. Re:500 accounts created every hour? by nasch · · Score: 2, Funny

      This reminds me of the saying that AI is anything computers can't do well yet, and everything they can already do well is "just programming".

  5. FREE PR0N! by pq · · Score: 5, Insightful
    Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
    Not really.

    The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."

    So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

    --
    "I will take the Ring," he said, "though I do not know the way."
    1. Re:FREE PR0N! by pchan- · · Score: 4, Interesting

      It's the Mechanical Turk approach. Amazon is doing it.

    2. Re:FREE PR0N! by 1u3hr · · Score: 2, Insightful
      The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download.

      People keep suggesting this. It might work, but no one has ever, to my knowledge, put it into practice. And by its nature, this would be pretty public. So if you don't have a URL, this is just an urban legend.

      Actually, I think if put into practice, it would itself be attacked by anti-spammers. They'd try to poison the OCR; do DDOS, etc. In a short time it would be useless.

      Simpler just to pay some computer sweatshop in Bangladesh, Manila, etc who could crank out hundreds per hour for a few cents.

    3. Re:FREE PR0N! by AuMatar · · Score: 4, Insightful

      I'd be surprised if some spammers weren't using amazon's mechanical turk. It's cheap as hell, why not use an existing framework?

      --
      I still have more fans than freaks. WTF is wrong with you people?
    4. Re:FREE PR0N! by Anonymous Coward · · Score: 3, Funny

      Then, clearly, the only way to secure hotmail's captchas is to make them so odious that a statistically significant number of bored RIs won't want to solve them. Make all captchas images of latex-clad midgets having group sex while watching Fox News superimposed over stills from German World War II propaganda films.

    5. Re:FREE PR0N! by 1u3hr · · Score: 2, Interesting
      There's really no reason why it would be very public - the site would get blocked very quickly, but it's trivial to put up another one, even automatically.

      If it's not "very public" how are you going to get enough suckers to solve your captchas? You need a lot of exposure. Actually, a real porn site with the same hit rate could probably make more money from ads; and the captcha solving would just detract from that. Another reason this doesn't seem to have happened in reality.

    6. Re:FREE PR0N! by MooUK · · Score: 3, Interesting

      I've seen plenty of bad-SEO tactics on mturk before, as well. "Comment on this blog entry using these two keywords somewhere in your comment."

    7. Re:FREE PR0N! by pimpimpim · · Score: 2

      So what if it's not 'real' AI, that doesn't mean you shouldn't take advantage of it. Just put some millennium problem as a captcha. Or your homework. Third order differential equations. Let them write pieces of code. Any web-user that will want to see free porn will find a solution to your captcha. ... Profit!

      --
      molmod.com - computing tips from a molecular modeling
    8. Re:FREE PR0N! by Anonymous Coward · · Score: 4, Funny

      Link please.

    9. Re:FREE PR0N! by ahecht · · Score: 2, Informative

      There are many jobs on mturk.com where the page for the job consists of instructions and a file upload box. For example, one job I did had me find the lat/long coordinates of a bunch of landmarks, put them into an excel file, and upload them. A spammer's job could be "sign up for 200 hotmail accounts, put the logins/passwords into a CSV file, and upload".

    10. Re:FREE PR0N! by xenocide2 · · Score: 2, Interesting

      You're thinking about this the wrong way -- on the surface it appears that mturk is an internet labor site, but as you notice, the prices are too low. Mturk provides a framework that both humans and computers can use to solve the same financially interesting problems. Essentially, it provides both incentive to solve problems by hand (though very modest), and a much larger incentive for AI researchers to attack the problem head on, and solve the entire problem set nearly at once. Of course, it does require that the party with the financially motivated problem be willing to disclose it to the world. And there need to be more publicized case studies of mturk's effectiveness, or even the people who do have such problems won't stop to consider it.

      I can't tell whether the current price structure suggests that this has already happened, or that the supply of human intelligence is so vast that it doesn't matter. I do know that several people have written tools to help them solve HITs faster, by grabbing new HITs in the background, and optimizing the display for their needs. But I wonder how much cheaper you could make HITs if you wrote the instructions in Chinese.

      --
      I Browse at +4 Flamebait

      Open Source Sysadmin

  6. Work opportunities for developing nations by Mr.+Roadkill · · Score: 3, Informative

    Indians are fast, accurate and cheap:

    http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html

    Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:

    http://www.getafreelancer.com/projects/PHP-ASP/yahoo-ocr-bypass-captcha.157160.html

    And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.

  7. captcha guide by vulnerability by dattaway · · Score: 3, Informative
  8. OCR or humans by drgonzo59 · · Score: 3, Insightful
    If OCR was used, then it is as simple as having a mathematical quiz captcha. For example, the answer to "34 + 2" or "first 3 digits of e" (well, ok maybe not this one, unless it's a math forum...). This will not stop the spammers as they would probably just try to parse the math expressions and post the result but it will slow them down a bit.

    If a human is used to read the captcha then there is not much that can be done as that is what a captcha is for: to make sure a human only will be able to bypass it....

    1. Re:OCR or humans by coldcell · · Score: 4, Insightful
      I was actually looking into securing a forum from spammers earlier when this question came into my head:

      How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

      I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

      --
      Launchy.net changed my world.
    2. Re:OCR or humans by dysfunct · · Score: 4, Funny

      You mean a captcha like this one?

      --
      :/- spoon(_).
    3. Re:OCR or humans by kuzb · · Score: 2, Informative

      Your best bet for forum spam would probably be a Bayes filter - much the way you'd deal with email. If it's small scale and non-commercial, you could use akismet. This is generally not a viable solution if you're running a high traffic commercial forum (we looked into it, it was going to cost us between $15 - $20k per month). In the end, it was more viable to develop our own solutions in house. This won't stop them from making bogus accounts, but it can help to cut down on the amount of garbage that litters your forum.

      --
      BeauHD. Worst editor since kdawson.
    4. Re:OCR or humans by kripkenstein · · Score: 2, Interesting

      I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point!
      Good point. Actually I wondered what Slashdot would look like if, before posting comments, you had to answer a question that ensured you had actually read TFA. It would certainly make for far more intelligent discussions (yes, I know, I must be new here).
    5. Re:OCR or humans by UrktheTurk · · Score: 2, Funny

      that's why all of my math captchas are np-complete. no one can post to my forum, and i still get spam, but hey- free solutions to np-complete problems.

  9. Re:Economically driven Turing test by Mathinker · · Score: 2, Informative

    Actually, now that I think of it, CAPTCHAs already pose problems to some (visual CAPTCHAs for the visually impaired), but I wasn't thinking about that. I probably should have, since one can think of other CAPTCHAs where other specific handicaps would be a problem (human facial recognition comes to mind, for example; see Prosopagnosia).

    Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety of choices, just like there is sometimes an auditory choice given now.

  10. Too bad MS ignores RFC 2821 by Kadin2048 · · Score: 5, Informative

    One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it.

    What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

    Time to blackhole it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Too bad MS ignores RFC 2821 by pe1chl · · Score: 2, Informative

      Hotmail provides two addresses that at least generate an auto-reply:

      report_spam@hotmail.com
      abuse@hotmail.com

      However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
      When you get past that filter, you get a reply that thanks you for the report, but never any further followup.
      (This used to be different in the past: then you sometimes got a reply about 3 weeks later from someone working at an outsourcing company in India complaining that they had to handle lots of mail so the processing got delayed a lot. And then usually some standard request for full headers (that were already in the report) or a statement that they cannot do anything about it.)

      Yahoo is different. They close spamming accounts, or at least they claim to do so in the replies to abuse mail.

    2. Re:Too bad MS ignores RFC 2821 by Kadin2048 · · Score: 2, Interesting

      Just to clarify, sending back an auto-reply that says "Hi, thanks for writing to postmaster@foo.com; we don't bother to monitor this account, so your message has been deleted," doesn't make you RFC2821 compliant. (Not implying that you thought that, just wanted to make sure everyone is clear.)

      Auto-replies that confirm that a message has been received are OK ("Hi, thanks for writing to postmaster@foo.com; your message was received and will be dealt with by a staff member"), but only if there's eventually some followup. The RFC is pretty clear that the abuse and postmaster addresses should be monitored by a person; everything else is just optional window dressing.

      Microsoft just blackholes both of those addresses. I've never gotten any further messages from them in response to any of the spam I've ever forwarded their way, but I suppose it's possible, or was possible at one point, that they were looking at it. But I've never gotten jack from them, and they're on the rfc-ignorant.org shitlist. (Which is a tremendously easy shitlist to get removed from, so I doubt it's in error.) What Hotmail/MS would like you to do is apparently go to some page on their site that relates to spam, but I've never visited.

      Yahoo is likewise on the rfc-ignorant list, although they apparently just bounce with a "552 mail size or count over quota" error; although I think I've sent them stuff and not gotten a bounce message of any kind. (So either they're reading it and just haven't bothered to click the link to get themselves off the rfc-ignorant list, or they blackhole incoming messages silently, which would be very evil.)

      Interestingly, Gmail.com and Google.com are not on the list, and neither is hushmail.com, aim.com, or inbox.com, although Lycos and its subdomains (I didn't even know they were still in business) are.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    3. Re:Too bad MS ignores RFC 2821 by cswiger · · Score: 2, Informative

      I've annoyed a few spammers in the past, so I get my domain name in from addresses from time to time, so every once in a while I will get a real person with a legit complaint; however, the postmaster address is now getting several thousand messages a day and I have no choice but to remove it.

      I doubt it's anything personal; some spammers grovel through WHOIS records and simply joe-job random domains and set the bounce address to postmaster@ or the listed WHOIS contacts-- and, of course, they also do the traditional scraping of email addys from websites, mailing lists, etc. Setting up SPF records and doing SPF checking does quite a bit to reduce the backscatter from forged email which gets bounced back to you.

      Once or twice in drastic cases, I've actually had to use HELO-level checking to reject all mail coming from .ru and .cn domains during a heavy run of forged spam bouncing back to a domain I run, but only for a few days until the domains in question started gaining some clue about SPF.

      However, if you reject email delivered to postmaster@your_domain, then your mail system isn't configured right, and you should expect to be blacklisted.

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
  11. Sounds like BlueFrog by Kadin2048 · · Score: 4, Informative

    I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

    It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

    Short of brutal vigilante justice (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  12. Wow... by superbus1929 · · Score: 4, Funny

    Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.

    --
    Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
    1. Re:Wow... by ShadowDrgn · · Score: 2, Interesting

      This explains the first half of why spam bots always post exactly five replies and seven new topics on my forum even though I'm not using any such limits. If your board is still spam free, it's only a matter of time.

      The CAPTCHA does nothing, but a simple "Are you Human? yes/no" radio button option on registration blocked them for over a month.

  13. The solution is simple; by grasshoppa · · Score: 2, Interesting

    Block MSN and yahoo.

    You can thank me later.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  14. Time to stick a fork in it? by Kadin2048 · · Score: 2, Informative

    I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expressions.

    You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)

    CAPTCHAs were, and still are, a neat hack, but as you increase their complexity beyond what's trivially solvable by an army of 'mechanical turk' keypunch monkeys (either for real money or porn), you start to eliminate broader and broader swaths of humanity from the content. There's no good problem to use, because the criteria conflict with each other. On one hand, you want something that only takes a person a few seconds to figure out, because otherwise, people aren't going to want to go through them all the time. On the other hand, you want something that's non-trivial, because otherwise a spammer can just use an army of people to cut through them as if they weren't there.

    I'm not sure that the CAPTCHA avenue has a lot left in it as a general solution.

    * E.g., you could write flowery word problems that only involve basic arithmetic, so that the challenge is in natural language processing. This knocks out a lot of non-native language speakers, however. (Which again, could be acceptable if it's a regional website in a monolingual area; it also narrows the pool of 'mechanical turk' workers that can be hired to solve them as well.) But I'm not sure this is anything but a temporary setback, and it would come at too high a cost to be generally useful.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  15. Re:Arguably Impractical but Satisfying Suggestions by pe1chl · · Score: 3, Insightful

    * Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases.

    There are problems with this approach.
    1. The allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. AP-NIC allocates blocks of addresses in the entire Asian-Pacific region nearly sequentially and at very funny boundaries.

    2. The spam source country varies a lot. You may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.

  16. Overcome with Manpower? by DavidD_CA · · Score: 2, Insightful

    It wouldn't surprise me if the captchas were overcome simply by showing the graphics to some underpaid person who just types in the actual responses.

    A sophisticated enough system could easily "pipe" these graphics to someone who just sits and types all day. At one captcha every 10 seconds, that's about 8000 in a day working 24/7.

    Not everything these spammers do has to be automated.

    --
    -David
    1. Re:Overcome with Manpower? by Virgil+Tibbs · · Score: 2, Interesting

      I know this is unlikely...
      but couldn't they use the audio function - hotmail can also read the numbers & letters if you are visually impaired...
      voice recognition is quite good these days...
      could they not just use speakeasy or the like to listen to the captcha being read out and type it in the box?
      obviously it's unlikely but nevertheless...

      --
      www.tdobson.net #### Dare to Dream #### blog.tdobson.net
  17. unsurprising by kuzb · · Score: 4, Interesting

    One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problems. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak English at all, or may have no idea how to spell 'apple' in English. Same with audio captchas.

    The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data into them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

    It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.

    --
    BeauHD. Worst editor since kdawson.
    1. Re:unsurprising by Gunstick · · Score: 3, Informative


      I use a very effective method. Only JavaScript has to be activated.
      The submit button is only enabled after 20 seconds.
      Someone needing less time than 20s to write a post is a spammer or has nothing intelligent to say.

      A bot will of course submit the form in less than 20s; that is where the timestamping comes into play. If the form display and form submit events are less than 20s apart it's considered spam too.

      Catches 99% of the posts.
      0% false positives.

      Of course if a big site like yahoo implements this, it's easy for a spammer to work around this special case. It's always easy to work around a blocking if you know that some kind of measure is in place.
      So I added another trick: I show the spammer his submitted post as if he succeeded. You only see that it's bogus when you reload the original page and notice that your post is not there.

      --
      Atari rules... ermm... ruled.
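The two posts above describe three cheap, complementary checks: a CSS-hidden honeypot field, a single-use form key, and a minimum time between rendering the form and submitting it. The following is an added example that combines them (it is not code from either poster); the field names `website` and `token`, the signing-key handling and the six-hour expiry are assumptions, and the 20-second minimum is Gunstick's figure.

```python
"""Form-spam checks from the thread, combined into one submit handler.

Assumed form layout: a CSS-hidden 'website' input (honeypot), a 'token'
input carrying an HMAC-signed, single-use form key that records when the
form was rendered, plus the real message fields.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

SECRET_KEY = os.urandom(32)   # per-process signing key (assumption)
MIN_SECONDS = 20              # Gunstick's minimum composition time
TOKEN_TTL = 6 * 3600          # forms older than this are stale (assumption)

_used_tokens: set[str] = set()   # consumed keys; production code must expire these too


def issue_token(now: float | None = None) -> str:
    """Mint a one-time form key to embed in the rendered form.

    Layout: <nonce>.<issued_at>.<hmac-sha256>, so the submit handler can
    recover the render time without storing anything server-side.
    """
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    body = f"{nonce}.{int(now)}"
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def check_submission(fields: dict[str, str], now: float | None = None) -> tuple[bool, str]:
    """Return (accept, reason) for a posted form.

    On rejection the caller should still render the post back to the sender
    as if it went through (Gunstick's trick) and count the offender for
    firewalling (kuzb's repeat-offender tracking).
    """
    now = time.time() if now is None else now

    # 1. Honeypot (kuzb): humans never see the field, so it must stay empty.
    if fields.get("website", ""):
        return False, "honeypot filled"

    # 2. Form key must parse and carry a valid signature.
    token = fields.get("token", "")
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "malformed token"
    nonce, issued, mac = parts
    expected = hmac.new(SECRET_KEY, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"

    # 3. Single use (kuzb): bots that replay one key for many posts fail here.
    if token in _used_tokens:
        return False, "token replayed"

    # 4. Timing (Gunstick): elapsed = submit time - render time stored in the key.
    elapsed = now - int(issued)
    if elapsed > TOKEN_TTL:
        return False, "token expired"
    if elapsed < MIN_SECONDS:
        # Burn the key, otherwise a bot could just retry the same key after 20 s.
        _used_tokens.add(token)
        return False, f"submitted after {elapsed:.0f}s (< {MIN_SECONDS}s)"

    _used_tokens.add(token)
    return True, "ok"
```

The render time lives inside the signed key rather than in a session, so the check needs no server-side state beyond the set of consumed keys, and that set only has to remember keys younger than `TOKEN_TTL`. Note that a too-fast submission consumes the key: without that, the timing rule alone would be defeated by a bot that simply waits and resubmits.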
  18. Creative CAPTCHA by QuoteMstr · · Score: 4, Interesting

    As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

    The site just asked the user to check off each image representing a living thing.

    Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

    How long until we're using the kind of tests we saw in Blade Runner?

    1. Re:Creative CAPTCHA by Fred+Ferrigno · · Score: 3, Insightful

      This, and all other forms of CAPTCHAs, are ultimately vulnerable to some poor bastard in India or Africa or wherever sitting in front of a computer and filling out the form manually for a few cents.

      From another post above: http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html

    2. Re:Creative CAPTCHA by Lemmeoutada+Collecti · · Score: 2, Interesting

      Of course, while this sounds good on the surface, what you are really presenting to the bot's point of view is nothing more than a binary grid problem: living or not living.

      So the bot gets a copy of the page, with the embedded talk back information, and begins a binary tree search for the combination to the lock, resubmitting the exact same form each time, thus preventing the combination from changing during the search.

      It makes no difference how many pictures you use, what they are of, or what the question is, since the end result is a true or false for each position in the matrix.

      Certain assumptions can be made for the starting position to reduce the search space, as well. The distribution can be calculated after a few successes, building an extrapolated probability curve for the matrix as a whole, and for each position. Since the distribution is probably pseudo-random, patterns in the generation become trivial steps in the solution space.

      This is the same problem with the Captcha, not that the search space is large, but that the programmers designing the solution fail to account for the view of the computer performing the search. A captcha is not a picture to the bot. It is a numeric lock, with a fixed combination space and rules for the combination, both of which can be exploited. Many captcha systems also fail to properly invalidate the captcha after a failed attempt, so once the bot has a tagged form, it can reuse the same captcha over and over until it succeeds.

      Thus there does not need to be AI or even necessarily OCR, just an intelligent search function with some knowledge of the rules for the search space (e.g. from x to y digits, always contains between a and b numbers, high probability of n capitals, etc).

      From there it is simple lock picking.

      Set the computer theory books down for once and realize that computers are tireless, cheap, and networked. Search power and computational power are easy to come by, and all it really takes is one person who can analyze the patterns and feed the rules to the computer.

      --

      You can have it fast, accurate, or pretty. Pick any 2.
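An added example for QuoteMstr's cars-versus-cats grid and Lemmeoutada's reply; it is not code from either post. It models the grid purely as the n-bit combination the bot sees and shows that the deciding factor is whether the verifier invalidates the challenge after one wrong answer, and how much a prior on the answer size ("about half are living") shrinks the search. The 3x3 grid, the hidden answer and the size prior are assumptions.

```python
"""A 'pick the living things' grid as the bot sees it: an n-bit combination.

The 'server' below holds nothing but the hidden answer mask; what the
images show never enters the attack.
"""
from __future__ import annotations

from itertools import combinations
from math import comb

GRID_CELLS = 9  # 3x3 grid; size is an assumption


class GridCaptchaServer:
    """Verifier for one challenge token. `invalidate_on_failure` is the defence."""

    def __init__(self, answer: frozenset[int], invalidate_on_failure: bool):
        self._answer = answer
        self._invalidate = invalidate_on_failure
        self.alive = True        # False once the token has been burned
        self.attempts = 0

    def submit(self, picked: frozenset[int]) -> bool:
        """Check one answer against the *same* challenge token."""
        self.attempts += 1
        if not self.alive:
            return False         # stale token: a real site would demand a new puzzle
        if picked == self._answer:
            return True
        if self._invalidate:
            self.alive = False   # one wrong answer ends this challenge
        return False


def candidate_masks(n: int, likely_sizes: list[int] | None = None):
    """Enumerate subsets of the n cells, most probable answer sizes first.

    `likely_sizes` is the attacker's prior from earlier successes; trying
    only those sizes shrinks 2**n to a few binomial coefficients.
    """
    sizes = likely_sizes if likely_sizes is not None else list(range(n + 1))
    for k in sizes:
        for cells in combinations(range(n), k):
            yield frozenset(cells)


def search_space(n: int, likely_sizes: list[int] | None = None) -> int:
    """Number of combinations the bot may have to try."""
    sizes = likely_sizes if likely_sizes is not None else list(range(n + 1))
    return sum(comb(n, k) for k in sizes)


def brute_force(server: GridCaptchaServer, n: int, likely_sizes=None) -> bool:
    """Resubmit the same form with each candidate mask until one is accepted."""
    for mask in candidate_masks(n, likely_sizes):
        if server.submit(mask):
            return True
        if not server.alive:
            return False         # burned; the bot must fetch a fresh puzzle instead
    return False
```

Against a verifier that keeps the token alive, a 3x3 grid falls in at most 512 submissions with no image processing at all, and a size prior of "4 or 5 living" cuts that to 252. Against a verifier that burns the token on the first wrong answer, the same loop gets exactly one try per puzzle, which is the check the comment says many captcha systems forget.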
  19. Re:Arguably Impractical but Satisfying Suggestions by Alioth · · Score: 3, Informative

    That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.

    http://www.spamhaus.org/statistics/countries.lasso

    The United States emits *four* times as much spam as its nearest competitor, China.
    Verizon is the world's spammiest ISP.

  20. Re:Arguably Impractical but Satisfying Suggestions by 1u3hr · · Score: 4, Insightful
    * Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases.

    Ever heard of proxies?

    Also, have a look at the ROKSO list. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

    If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

    Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.

  21. NoSpam! by Diabolus+Advocatus · · Score: 2, Interesting

    On my forum some days we'd get 5/6 bots per day. It's a vB board and it used the standard vB captcha. One day I installed a plugin called NoSpam! which asks the user a simple question when registering. Questions such as 2+2=, what do you do when a traffic light goes red, etc. The questions are simple; if somebody can't answer them I'd be surprised that they made it as far as the registration page. Since I've installed it there hasn't been even one bot through, so it is 100% effective so far. I know it won't last forever and that bots will be programmed to circumvent it, but I'll deal with that when it comes to it.

  22. Re:Econonmically driven Turing test by fractoid · · Score: 2, Informative

    Hell, I have perfectly good eyesight (with contacts) and maybe 10% of the time CAPTCHAs are too munted for me to read. Often the problem is that it's not clear whether it's alpha or alphanumeric, or whether it's case sensitive, and there's a badly distorted O/0 or 1/I/l.

    Regardless, CAPTCHAs will obviously have to evolve* to cover current 'hard problems' in AI as state of the art improves and 'hard' turns into 'not so hard'.

    * or wait, should that be 'be intelligently designed'? :P

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  23. spam only hurts the ignorant... by xenorex · · Score: 2, Interesting

    I never have spam issues. My real email address is rarely used..only for friends and legitimate sites (secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts. I don't check them frequently and I only whitelist domains I expect to see. The problem with "free" email addresses is that they end up costing us all. If all users paid for their email, then companies would have a real vested interest in stopping spam. If someone even had to pay $1 for their hotmail/yahoo/gmail account, it would severely limit the rampant abuse of the system. While I fiercely defend the freedom of the internet, I also respect the need for bars to check IDs and pornography to be sold underneath black covers or in stores which are limited to adults. Research, development & implementation of anti-spam initiatives have cost this country hundreds of millions of dollars. Think of it as the most basic form of tax which would allow us to keep riff-raff off our super information highway. Obviously there would need to be a few details worked out, but there isn't any reason why the major ISPs couldn't allow users to create their own privately registered domain for the "free" email account that comes with service. Additionally, they need to better educate new users about email. I finally convinced my parents to upgrade to DSL from dial-up last year and I created them a private domain for a new email account when they made the switch. 6 months later and they are still spam free; they are constantly thanking me for all the time saved because they are no longer wading through junk email.

    My guess is that most experienced and/or properly educated internet users do this or something similar. Truth is, if you want a quality, reliable product you have to pay for it. Imagine if yahoo or google had $1 for each of their 10s of millions of accounts. That'd be a lot of legal capital to pursue and hunt down spammers, not to mention the ability to create a class action lawsuit which would carry more weight. Now, imagine if they got $10 or $20 per account. I'm definitely not proposing a per email charge here..simply requiring that some small charge be levied so that email accounts are only created by those who want them used for legitimate and expected communication.

    Our lives are already overloaded with advertising from marketers who are desperately looking for ways to justify their jobs. Thank the powers for video recorders that allow us to skip commercials and pop up blockers that have reclaimed the web.

    That being said...if someone wants to create a vigilante task force that hunts down and punishes top spammers, I'd gladly volunteer. There are just as many legal ways to harass these people and make their lives difficult as hell w/o resorting to violence. Unfortunately, the odds are that this guy did more than spam people (those who take the easy/lazy/annoying way of doing business probably also cheat/lie/scam as well..) and so the person(s) committing this crime probably did not sleep better that night knowing their inbox would be a little less full.

  24. Have they? by ady1 · · Score: 5, Insightful

    Or is it just that making new hotmail accounts is being outsourced to china/india/?

  25. Umm. You sure about Yahoo? by lena_10326 · · Score: 3, Interesting

    Yahoo's CAPTCHA just recently being broken that is.

    If you've ever logged into Yahoo chat, you'll see names like warbot001 through warbot400. They're profiles which map to an email address and lame chatters use them to send DOS messages to other chatters. Kinda like the old days on IRC with ping flooding.

    Anyway. I highly doubt they manually entered in 400 CAPTCHAS, and I've seen those accounts for a while now so I suspect that CAPTCHA has been defeated for quite some time.

    --
    Camping on quad since 1996.
  26. Good! by godfra · · Score: 2, Insightful

    Hopefully this spells the beginning of the end for the web plague known as CAPTCHA. I am heartily sick of having to squint at barely recognisable characters, only to be informed that I've got it wrong, and then have to enter all my details again.

    So bye-bye CAPTCHA, I won't miss you.

  27. It's like a flood wave by haraldm · · Score: 2, Informative

    Spam behaves like a flood caused by heavy thunderstorms and rain. It will start to flood your basement no matter what. You can start to build a little dam here, put some sandbags there, board up your windows, etc. The sad fact is, it won't help much. You will only save your home if you stop the rain.

    That being said, as long as spam does not really hurt large corporations or governments, in terms of more and more expensive resources (machines, energy, air conditioning, administrators etc.) being used to just process the amount of spam coming in, nothing is going to change. Still, these entities are only going to protect themselves, not the public.

    Me, I'm going to filter all hotmail and yahoo generated mail to /dev/null. Sorry folks, but just get another mail provider if you want to talk to me.

    Mind you, if you filter mail by any means (like spam or virus filtering), never send auto replies. You will only hit innocent bystanders and generate lots of bounces, and run the risk of getting blacklisted by Spamcop or somebody else (if you autoreply to a spamtrap address, for example). I've been using Linux exclusively for more than 14 years on my mail server @ home, and I cannot count the number of autoreplies saying my machine sent this or that W32...blablabla thing, with no Windows client attached or anything. The better part of spam and virus mails uses fake From: addresses.

    --
    open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
  28. Hotmail internal security breach by FeatureBug · · Score: 2, Interesting
    I think it is much more likely that Hotmail's IT systems have been compromised following a security breach by the spammers. I have indirect evidence that this has happened.

    I and some other people I know give out unique disposable email addresses to our contacts. There is a different unique address for each of our friends and family.

    Yesterday I and they received spam emails sent to several of the disposable email addresses. This points us to several of our friends and family as having had their email address lists stolen by spammers.

    The common factors are:

    • They all accessed Hotmail on 7th or 8th.
    • Their email contacts are stored on Hotmail.
    • They all use Apple Macs and browse using Safari. There is no evidence that any of these Macs have been compromised.

    There is therefore no obvious way for the spammers to have obtained these unique email addresses, except by the spammers accessing Hotmail's internal systems via a security breach. The security breach could be technical (an unpatched vulnerability in one of Hotmail's systems) or human (one of Hotmail's (outsourced?) staff members copied the contents of some/all of their servers and sold them to the spammers).

  29. Could be, according to this /. article by I)_MaLaClYpSe_(I · · Score: 4, Insightful
    Could be, according to this /. article


    Spammers Learn To Outsource Their Captcha Needs

    Posted by Zonk on Saturday November 25, @05:36AM
    from the hearing-some-ominous-muttering dept.

    lukeknipe writes

    "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

    From the article:

    "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."
  30. You can buy software that can thwart captchas by I)_MaLaClYpSe_(I · · Score: 3, Informative
    Aleksey Kolupaev [...] develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.


    Quoted from this article. No wonder someone used it for a worm.


    Also discussed here on /.:


    Evolution of the 'Captcha'
    Posted by CmdrTaco on Monday June 11, @08:36AM
    from the why-can't-i-even-read-them-half-the-time dept.

    FireballX301 writes

    "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
  31. Red Herring captchas and time-delays and limits by davidwr · · Score: 2, Interesting

    Present 3 captchas or puzzles, where one of the captchas tells which of the other two to submit:

    Example:

    #1) What is 1+two?
    #2) [image captcha]CoffeeCar
    #3) [image captcha]Use the math captcha
    Please type the correct answer: __________

    Then put a 10+ second time delay and put a per-IP limit on the # of requests in any period of time, say, 10 per hour for most IPs and more for known corporate- or ISP-outbound-firewall-IPs.

    Also, greatly limiting the number of messages per day free accounts can send during their first 30 days will cut down on their utility to spammers. Anyone who needs to waive that can either wait a month, buy an account, or if Yahoo, etc. is feeling generous, get an "authenticated free" account by providing the mail provider with identity verification.

    Of course, all accounts that haven't explicitly requested a waiver AND authenticated themselves should be subject to normal spam-level-volume throttling. People who manage opt-in mailing lists and other legitimate high-volume users will normally request a waiver.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
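An added example for the throttles in the post above; it is not code from the poster. It implements the two limits as a per-IP sliding window on form requests (10 per hour by default, a higher quota for addresses known to be shared corporate or ISP egress points) and a per-account daily send quota that stays small for the first 30 days unless the holder has requested a waiver and been identity-verified. The 10/hour and 30-day figures are the post's; the shared-egress network, the 200/hour egress quota and the 20 and 500 message ceilings are assumptions.

```python
"""Per-IP request throttle and account-age-based send quota.

The shared-egress list, the larger egress quota and the daily message
ceilings are assumptions; the 10/hour and 30-day figures come from the post.
"""
from __future__ import annotations

import ipaddress
from collections import deque

HOUR = 3600
DAY = 86400

DEFAULT_PER_HOUR = 10
SHARED_EGRESS_PER_HOUR = 200                                    # assumption
SHARED_EGRESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed entry


class IpRateLimiter:
    """Sliding-window counter of form requests per source IP."""

    def __init__(self) -> None:
        self._hits: dict[str, deque[float]] = {}

    def limit_for(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in SHARED_EGRESS_NETS):
            return SHARED_EGRESS_PER_HOUR   # many humans behind one address
        return DEFAULT_PER_HOUR

    def allow(self, ip: str, now: float) -> bool:
        window = self._hits.setdefault(ip, deque())
        while window and now - window[0] >= HOUR:   # forget hits older than an hour
            window.popleft()
        if len(window) >= self.limit_for(ip):
            return False
        window.append(now)
        return True


NEW_ACCOUNT_DAYS = 30
NEW_ACCOUNT_DAILY = 20     # assumption
NORMAL_DAILY = 500         # assumption: the "normal spam-level" ceiling


def daily_send_quota(created_at: float, now: float, verified_waiver: bool = False) -> int | None:
    """Messages the account may send per day; None means no cap (verified waiver)."""
    if verified_waiver:
        return None
    if now - created_at < NEW_ACCOUNT_DAYS * DAY:
        return NEW_ACCOUNT_DAILY
    return NORMAL_DAILY


class SendThrottle:
    """Per-account rolling 24-hour counter that enforces daily_send_quota()."""

    def __init__(self) -> None:
        self._sent: dict[str, deque[float]] = {}

    def allow(self, account: str, created_at: float, now: float,
              verified_waiver: bool = False) -> bool:
        quota = daily_send_quota(created_at, now, verified_waiver)
        sent = self._sent.setdefault(account, deque())
        while sent and now - sent[0] >= DAY:
            sent.popleft()
        if quota is not None and len(sent) >= quota:
            return False
        sent.append(now)
        return True
```

The two throttles attack different stages: the request limit makes mass account creation from one address slow, and the send quota makes each freshly created account nearly worthless to a spammer for a month, which is the point of the post. Both use rolling windows rather than calendar buckets so a burst straddling midnight gets no free reset.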
  32. Vietnam by Anonymous Coward · · Score: 2, Interesting

    I have seen first-hand myself small "businesses" with around 14 people on computers solving CAPTCHAs all day in Hanoi, Vietnam.
    I talked with a manager there about it (I think they thought I was a potential customer) but I don't think they had any idea what they were doing; they even showed me around, explaining that they specialise in all sorts of things like Data Mining.
    The software they were using looked like some custom application (wasn't in English) which showed an image (in this case a CAPTCHA) with a few other entry fields and combo boxes on the right pane. There were also a few people digitizing what appeared to be pages from books.
    Well I got a free coffee, so I was happy, it certainly was interesting.
    Now to type in my own CAPTCHA so I can submit this post...or I could hire the Vietnamese to do it :)

  33. the solution was simple by Khyber · · Score: 3, Interesting

    just hire people to get past the captchas and let a form bot do the rest. It's not that hard to figure out. I stopped this using animated gifs cut from anime videos. Can't guess the anime that clip comes from, you don't get in. Haven't had spammers on my forum since I moved to that type of captcha system.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  34. Re:Wow the people there are cheap. by Iron+Condor · · Score: 2, Insightful

    $2.50 to transcribe a 60 minute lecture? WTF?

    There's enough places in the world where $2.50 is not only a decent day's wage (especially if you can do more than one of these) but more importantly where there is simply no industrial infrastructure to compete with this job. It's either this or an hour of sitting around and picking your nose. Or maybe an hour of backbreaking ditch digging for $1.

    --
    We're all born with nothing.
    If you die in debt, you're ahead.
  35. Re:Wow the people there are cheap. by redcane · · Score: 2, Funny

    When I grow up, I'm going to be the best damn ditch digger I can be!