Slashdot Mirror


Have Spammers Overcome the CAPTCHA?

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."

22 of 330 comments

  1. Quick! by QuantumG · · Score: 5, Funny

    Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

    --
    How we know is more important than what we know.
    1. Re:Quick! by WWWWolf · · Score: 4, Funny

      Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

      And while the problem remains unsolved, you can use it for distributed problem-solving! Instant sponsoring opportunities from the big industry!

      "So you want to sign up for an account? Okay, we need your name, email, and password twice... and could you figure out the optimal shipping route that goes through all of these cities, and only visits each of them once?"

      (Turns out to be a route for some annoying door-to-door salesman. Boy, wonder what he feels like when he finds out someone sent a completely misleading solution! At least sanity-check them first =)

  2. it's easy... by naeim · · Score: 4, Insightful

    Make a porn site that gives you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which the captcha is valid, you're set.

    1. Re:it's easy... by gijoel · · Score: 4, Funny

      And that porn site will be ripped and put on a torrent within a week. Thus defeating the Captcha farm.

    2. Re:it's easy... by David+Gould · · Score: 5, Funny

      I don't think there is any shortage of porn on the net. There is no point in "collecting it all". You know... it took me years to come to that realization. But you're right.
      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  3. 500 accounts created every hour? by patio11 · · Score: 5, Insightful

    That doesn't sound like a CAPTCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPTCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.

  4. FREE PR0N! by pq · · Score: 5, Insightful
    Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
    Not really.

    The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."

    So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

    --
    "I will take the Ring," he said, "though I do not know the way."
    1. Re:FREE PR0N! by pchan- · · Score: 4, Interesting

      It's the Mechanical Turk approach. Amazon is doing it.

    2. Re:FREE PR0N! by AuMatar · · Score: 4, Insightful

      I'd be surprised if some spammers weren't using Amazon's Mechanical Turk. It's cheap as hell, why not use an existing framework?

      --
      I still have more fans than freaks. WTF is wrong with you people?
    3. Re:FREE PR0N! by Anonymous Coward · · Score: 4, Funny

      Link please.

  5. Too bad MS ignores RFC 2821 by Kadin2048 · · Score: 5, Informative

    One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it.

    What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

    Time to blackhole it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. Sounds like BlueFrog by Kadin2048 · · Score: 4, Informative

    I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

    It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

    Short of brutal vigilante justice (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  7. Wow... by superbus1929 · · Score: 4, Funny

    Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.

    --
    Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
  8. Re:OCR or humans by coldcell · · Score: 4, Insightful
    I was actually looking into securing a forum from spammers earlier when this question came into my head:

    How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

    I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

    --
    Launchy.net changed my world.
  9. Re:Cataloging CAPTCHA info by Bearhouse · · Score: 4, Interesting

    Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids could use it. But now they all use MSN Messenger... Time for an update?

    The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

    How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

    Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...

  10. unsurprising by kuzb · · Score: 4, Interesting

    One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problems. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak English at all, or may have no idea how to spell 'apple' in English. Same with audio captchas.

    The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data into them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

    It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.

    --
    BeauHD. Worst editor since kdawson.
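
Added example (not part of the comment above or of any forum software): a server-side check combining the three measures kuzb describes, namely a CSS-hidden honeypot field, a single-use signed form key, and per-IP tracking of repeat offenders. The field name `website`, the 600-second lifetime and the three-strike threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumption)
TOKEN_TTL = 600                   # seconds a form key stays valid (assumed value)
HONEYPOT = "website"              # hypothetical field, hidden from humans with CSS
BLOCK_AFTER = 3                   # rejections before an IP is refused (assumed value)
_spent = set()                    # nonces already redeemed
_strikes = {}                     # ip -> number of rejected submissions

def _sign(nonce, ts):
    return hmac.new(SECRET, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()

def issue_form_key(now=None):
    """Create a signed, single-use key to embed in the form as a hidden input."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)
    return f"{nonce}.{ts}.{_sign(nonce, ts)}"

def _key_ok(key, now):
    parts = key.split(".")
    if len(parts) != 3:
        return False
    nonce, ts, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(nonce, ts).encode()):
        return False              # forged or tampered key
    if now - int(ts) > TOKEN_TTL or nonce in _spent:
        return False              # expired, or the same key posted again
    _spent.add(nonce)
    return True

def check_post(form, ip, now=None):
    """Return (accepted, reason) for one form submission from `ip`."""
    now = now if now is not None else time.time()
    if _strikes.get(ip, 0) >= BLOCK_AFTER:
        return False, "blocked"   # candidate for a firewall rule
    if form.get(HONEYPOT, "").strip():
        reason = "honeypot"       # a human never sees or fills this field
    elif not _key_ok(form.get("form_key", ""), now):
        reason = "bad_key"
    else:
        return True, "ok"
    _strikes[ip] = _strikes.get(ip, 0) + 1
    return False, reason
```

In a real deployment the spent-nonce set and strike counters would live in shared storage with expiry rather than in process memory.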
  11. Re:OCR or humans by dysfunct · · Score: 4, Funny

    You mean a captcha like this one?

    --
    :/- spoon(_).
  12. Re:Cataloging CAPTCHA info by Mr2cents · · Score: 4, Funny

    or make people mail respond to a challenge

    You mean... like... a CAPTCHA over e-mail? That seems like a fool-proof plan to me!
    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  13. Creative CAPTCHA by QuoteMstr · · Score: 4, Interesting

    As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

    The site just asked the user to check off each image representing a living thing.

    Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

    How long until we're using the kind of tests we saw in Blade Runner?

  14. Re:Arguably Impractical but Satisfying Suggestions by 1u3hr · · Score: 4, Insightful
    * Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be served from the Internet within 21 days unless all Spam activity ceases.

    Ever heard of proxies?

    Also, have a look at the ROKSO list. Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

    If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

    Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.

  15. Have they? by ady1 · · Score: 5, Insightful

    Or is it just that making new Hotmail accounts is being outsourced to China/India/?

  16. Could be, according to this /. article by I)_MaLaClYpSe_(I · · Score: 4, Insightful
    Could be, according to this /. article


    Spammers Learn To Outsource Their Captcha Needs

    Posted by Zonk on Saturday November 25, @05:36AM
    from the hearing-some-ominous-muttering dept.

    lukeknipe writes

    "Guardian Unlimited reporter Charles Arthur speaks with a spammer, discussing the possibility that his colleagues may be paying people in developing countries to fill in captchas. In his report, Arthur discusses Nicholas Negroponte's gift of hand-powered laptops to developing nations and the wide array of troubles that could arise as the world's exploitable poor go online."

    From the article:

    "I've no doubt it will radically alter the life of many in the developing world for the better. I also expect that once a few have got into the hands of people aching to make a dollar, with time on their hands and an internet connection provided one way or another, we'll see a significant rise in captcha-solved spam. But, as my spammer contact pointed out, it's nothing personal. You have to understand: it's just business."