Windows Live Hotmail CAPTCHA Cracked, Exploited
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
One of the best 'exploit' related articles I've seen on /. for a while. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.
Obligatory blog plug: http://www.caseybanner.ca/
Who's killing kittens?
/.ed.
Cutest kitten
Absolute power corrupts absolutely. indymedia
KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.
Intron: the portion of DNA which expresses nothing useful.
WTF!!
http://serendipity.lascribe.net/images/wtf.png
http://www.johnmwillis.com/other/top-10-worst-captchas/
Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHAs have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.
While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?
They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
1) Doesn't it potentially take up a LOT more room on a page than captcha? That might clutter up pages even more than they are already. I guess they could use tiny icon pictures to fix that part.
2) Is there a way that spammers could figure out a way to divert the images to a human's malwared computer and have them do the choosing for the program? I thought I read about this somewhere as one way botnets were getting by captchas as well.
3) Seems something like this would have to catch on in nerd communities first and I loved the kitten idea personally. It's the cutest thing ever, but wouldn't you nerds rather find the Halo guy or Linus Torvalds or something...?
*iza
p.s. (Direct link to test kitten auth, but now I think it is /.ed)
Careful What You Wish For....
Once upon a time we at least could rely on Microsoft solutions to be the first to give in. Now it's Apple and Google.
Oh noes! We slashdotted teh kittenz!
Excuse me while I gather the virgin sacrifice and assemble the pentagram required to solve your problem
No one has cracked ReCAPTCHA yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.
Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.
From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.
-- Insert witty one-liner here. --
I call it HAKTCHA -- where you put in all your usernames and passwords in a text file and password-protect the directory with the same code I use on my luggage, "1234" The HAKTCHA then proceeds to download the file from your computer, store it into a database, and verify that you are an actual real-live id10t...which qualifies you to use hotmail.
Why are they allowing the same computer multiple accounts in the same day?
Why are they allowing the same account creation attempt to fail over three times?
Still... I guess as computers get smarter, this is unstoppable.
All my accounts are white-listed. If I don't know you, I don't see your email.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
And Microsoft simply allow a new account to be registered every single minute of the day from a single IP address? Even when you cater to multiple users behind proxies you don't have to let that many through.
I suspect the 1400 estimate is the theoretical maximum, assuming no other countermeasures whatsoever. That's an unwarranted assumption, and the real figure is probably significantly lower.
Bogtha Bogtha Bogtha
Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".
I guess the author of TFA didn't read /. today. Otherwise he would have known to black-out and not just blur those images.
credit: this comment from the SSN leak article earlier today.
Great. I guess this means I'll start getting a bunch of spam from fake Hotmail accounts.
Oh, wait...
GMail started by having invitation-only subscription. Perhaps it's time Google reconsiders the decision to move away from it?
For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.
Assorted stuff I do sometimes: Lemuria.org
Forgive me, but I do not see how these images prove that the captcha has been cracked.
When a product is released you can usually assume it WILL be cracked. Why not use this for the good of all?
I'm certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up, use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes; if they have been cracked this code can be easily applied to text readers. Let's move on to something else.
If it holds you win, if it gets cracked you win and switch projects.
People's legitimate activities are being hindered in a coercive manner by criminal activity on a massive scale. Large numbers of people are affected.
The problem is increasing.
Defensive strategies have failed.
Governments are unwilling or unable to take steps to apprehend and/or deter the perpetrators.
This is a classic example of the conditions that inspire vigilante action.
I wonder how much longer until we begin to see it.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...
Problem is that none of them really will work in the Real World (RW).
In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.
In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.
And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.
No, what's needed is a real ground-up redesign of how e-mail works. we need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.
Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.
Three Squirrels
From what I can understand, it simply stores what people have already submitted when presented with the image. Generating brand new images with random nonsensical words would solve the problem, no?
Has anyone tinkered with a video form of captcha? Is there any benefit?
The world is made by those who show up for the job.
The point is to have different tactics to fight spam from different sources.
With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.
Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.
It was only a matter of time after Yahoo and Gmail were cracked. What makes this newsworthy now? I think the real story would be why didn't MSN Hotmail develop a better defense in the time since the first system was cracked?
We've seen technical solutions supposedly "solving spam" fail for more than a decade, ruining access from character terminals, mobile devices, screen readers, and many other reasonable things more in the process - while making every little contribution to discussions a time-consuming issue of solving captchas, waiting for confirmation mails, and signing up everywhere, over and over again.
If all the organizations that have been eroding our privacy allegedly for fighting whatever happens to be the Horseman of the day (and want to keep the surveillance society that way) can actually catch anyone, let them prove it by putting scores of spammers, malware makers and bot herders behind bars - within a few weeks of course, because they (say) they can.
Good idea. My prediction is that you will not receive spam for exactly one week.
Better known as 318230.
I'm actually surprised no one uses this. Google was close with their SMS registration but this could work just as well.
When you register, it gives you 2 easy-to-read captchas (a verification number and password, if you will), a simple picture and a 1-900 number that's $1.00 a call. When you dial it, it asks you to enter your verification number. Then it asks for the password, which you would have to decode from the phone (i.e. the password is vndka and you would have to enter 86352). Finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say "Cat"; the 1-900 number then says "did you say cat?", to which you say yes or no). If it's a cat you're registered; if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture, and hangs up.
The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script, especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to run up your phone bill, but it's not anything new in the spyware business since dialers have been around for years, and if they're already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
In Soviet Russia, Trojan exploits YOU!
You heard it here first!
(Disclaimer: There may be people who have suggested this, I haven't looked around. And it would be a remote derivative of BoA's SiteKey.)
This arms race with captchas and their associated cracks has great implications for an area that is sorely lacking: OCR technology.
/. captchas please be formatted tables? Thanks.
Think about it; captchas are designed to be as noisy, distorted and generally hard for a machine to read as possible while still being human-readable. Much like a lot of handwriting and poorly-photocopied documents. Now if we can get the source that these spammers are using to break captchas we have the makings of a quantum leap in OCR technology.
Now to fill in some missing cases, can the next set of
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
... And hotmail has taken it offline: "We are working to fix a temporary problem with our sign-up service. Please try again."
"Service Unavailable"
Who will save us now??
Unbreakable CAPTCHA Replacement: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweety, or C: a large properly formatted data file?
Yawn. 1400 accounts per day could be achieved by a human being creating accounts at the rate of 3 per minute. Not exactly a low-stress task but certainly achievable. Get back to me when the CAPTCHA "crack" is capable of speeds an order of magnitude faster than a measly human.
How about some kind of incremental cooldown period for all newly created email accounts?
I.e. on the first day an account is created it can send a single email. On the second day it can send 2. At that rate it will take 3 years before it can be used to send ~1000 spams in a day and probably wouldn't affect normal use too much.
If a user wants the limit increased/removed they could optionally interact with a customer service rep in some way to prove they are human.
It's getting to the point where all mail will have to go through a gatekeeper:
I receive mail from a previously-unknown sender who I haven't sent to recently. If it doesn't look spammish on its face, the recipient will get a challenge question. If he replies with the correct answer, the mail is green-lighted.
Otherwise, it's yellow-lighted.
What the challenge question and answers are and what a yellow light actually means is up to me. A challenge question might be "What city do I live in," "What is my favorite hobby," or "What is my MySpace page?"
A yellow light might mean a special "new sender" icon and when I open the message I only see the first 5 lines of text, with no HTML or attachments. If I like what I see, I can green-light the message to see the message or green-light the sender to receive all future messages from him. I can also red-light the sender or flag the message as spam to train my spam-filters.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How hard is it to disallow more than a certain number of emails from a single account per hour (perhaps 4 per hour or so) while the account is still new, say newer than 30 days or so, and if the email account isn't being used for anything in that time (ie the person doesn't log in to check email at least once every 14 days or so), simply delete it?
File under 'M' for 'Manic ranting'
Spammers are already using cheap labor to have "human bots" figure out captchas for them. So the battle to try to figure out the difference between a computer and a human is already a lost cause. I've heard that spammers are offering free pr0n to those willing to complete a captcha.
We instead need to invest efforts in different approaches, such as quickly identifying mass account creations or quickly shutting down the ones that send out spam.
Captchas will continue to be useful for small sites, but not the major ones.
There is no real detail on *how* this is done, at least that I saw. What does this imply for OCR tech?
1. Service providers find something humans can do that computers can't do well, and exploit it as a means of distinguishing real people from bots.
2. Spammers work on improving their computer's ability to perform whatever task is required. Eventually, they do it well enough to be indistinguishable from humans.
3. Service providers find something else computers don't do well. Goto line 1.
Iterate this enough times. We will have true AI -- and it will have been created by spammers.
I'm not sure whether to be overjoyed or scared shitless...
"Convictions are more dangerous enemies of truth than lies."
Writing a new CAPTCHA should be much easier than cracking it. Yes, it's an arms race, but doesn't this just indicate laziness of those whose CAPTCHA has been cracked? Why don't they change their algorithm every month?
thegodmovie.com - watch it
Isn't there some sense in limiting the number of new accounts created by a single IP address in some specific amount of time? Assuming a single bot could generate 1400 accounts in a 24 hour period, wouldn't Microsoft clue into this number at some point in time?
I've always kind of wanted a CAPTCHA scheme like this. Provide the user/bot with an email, and ask the user/bot to flag the email as "legitimate email" or "spam". All data collected is fed to some machine learning algorithm to better SpamAssassin, etc.
In effect, you're getting spammers to help you defeat spam.
The downside is you'd need volunteers to give up their email :P
Remember Gmail invites back in 2004? Bring it back.
2 invites per account, one month before the new accounts get new invites. Ban the parent account if they invite a spammer and remove invite permission from all the children created.
You could probably do better but off the top of my head this would dent the 1400 accounts/day per computer.
Does anyone know what the articles mean when they say the malware 'hooks on' to Internet Explorer? How are they automating these browser requests?
I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.
Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.
What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.
Here is an excellent presentation on the sort of human computation that you're referring to. Indeed it is cool stuff. Unfortunately, if you watch the entire presentation, you'll realize that this technique is also effective against CAPTCHA-like tests, including the kitten test. Basically all spammers would need to do is capture the images, forward them to porn consumers who are frantic for the next titillating image, capture the response, and send it back to the webmail provider. It has already been done in the wild against CAPTCHAs.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
I think it was Project Gutenberg, but it may have been Google. Anyway, someone proposed using unreadable OCR scans for CAPTCHAs. You present two of them in a random order, one's already been solved, one hasn't. If the answer for the solved one is correct, you increment a counter for the unsolved one in your database. When a hundred people agree on what it says, you mark it as solved. Eventually, you've solved a bunch of stuff that conventional OCR couldn't touch.
A related idea would be to use the Mechanical Turk as a CAPTCHA. For instance, you show a satellite photo and ask if Steve Fossett's plane is visible. Well, not that exactly, but you get the idea.
Nothing for 6-digit uids?
I don't have these problems, because I'm not Gmail, Yahoo Mail or Hotmail. I use a little known captcha system. I'm not a target because it would not be profitable for a spammer to write the OCR software or use any of the other methods. So I think it's a problem for the big guys.
The big guns should deploy multiple, rotating captcha systems, each expiring after some time, to be replaced by new ones. They probably already do that to some extent, but I don't keep track. I don't think there's a generic captcha beating OCR system, they are aimed at specific implementations. The thought is that it takes longer to write software to beat a captcha, than to make an alternative captcha in the first place. If it takes 1 smart hacker 1 month to write software to beat a particular captcha (I don't know how long it really takes), then Microsoft should expire a type after for instance two weeks.
If they beat that with automated OCR, well at least humanity can dispose of captcha and we'll have perfect OCR.
If I remember correctly it hasn't been cracked, they are simply funneling the captchas over to REAL HUMANS who then decipher them and type the input.
I could easily do 1400 a day myself, no problem, especially if I got paid for it.
If it was truly 'cracked' then a simple script could easily register literally tens or hundreds of thousands a day, not a paltry 1400.
Sheesh.
How about adding a nominal anti-spam fee of $0.10 to hotmail, gmail, ymail etc?
Presumably then using these addresses to spam becomes too expensive or impossible?
No kitty, this is my pot pie!
How about a CAPTCHA which was an animated gif?
I don't know much about the tech used to break CAPTCHAs, so apologies if that is obviously decipherable by a spambot.
You know, if people complain about the static nature of Kitten Auth, why not take it to the next level? Realtime webcam pics of the official Google/Yahoo/Live captcha kitten herd. Defeats the static image issue that could get gamed by brute force image collection, well, except when the kittens are napping. Sure, it would live a caged existence, and the ASPCA would scream bloody murder, but as a corporate icon you can't lose.
Here's the perfect use for lolcats!
;)
Give the user an image of a cat with some text on it. Either it will be a lolcat caption (of which you can find many easily), or it will be a bunch of slightly misspelled and capitalized words, to the point where the only way to discern the two is (hopefully) reading comprehension.
To prevent the spammers from doing a known-funny attack, you can move the text around, and to hinder text recognition, apply transformations to the image (like, say, blurring).
Then the server can give a better answer to "I can has email?"
One potential weakness: it's, ironically, vulnerable to Bayesian analysis---captions containing "cheezburger", "monorail", "cookie" or "can has" are most likely "for ur lols".
It will be a reply from me, with a subject line related to the original, with a note saying
"Hi, this is davidwr's email robotic secretary. If you want him to read your message, reply and put the answer to the following question somewhere in the reply:
What city does davidwr live in?
You can also just give him a call. You know the number.
Original message follows:"
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I agree with some. If it is a human creating a puzzle, another will find a way to solve it. To make matters worse, the solver has the brute force of the computer's computational powers at hand when solving; the same can't be said about the puzzles being generated in this instance. Furthermore, this reminds me almost of an epidemic virus such as HIV. Its constant dynamic mutation is the main obstacle when it comes to finding a cure. I think this would be one path to take when trying to avoid spammers; make a puzzle that is ever mutating. If cracked, at least this might cast some foresight on possible cures for HIV. Inter-disciplinary is the wave of the future.
The only thing I can think of is that you may have misunderstood the test to be "choose the 1 kitten from the 9" (which would, of course, have a 11.1% chance of success). The chance of randomly choosing 3 kittens from the 9 would be 1 in 84.
Even 1 in 84 is not that great, but kittenauth is only a general concept. To minimize the chance of random success even more, choose 4 kittens from the 9, a 1 in 126 chance. (Choosing 5 or more kittens than that would not help minimize the chances.) Or you could increase the choices to 3 kittens from 10 animals (1 in 120 chance). Or you could separate the choices into: choose 2 cute kittens and 1 fierce kitten, in that order.
I can see that you'd need to have a large library of images of kittens, though.
I rather like the 3-D randomly generated diagram of a sitting stick figure and a standing one, and naming what body parts are closest to the vase, or tabletop, or something like that. Can't remember the keywords to do a Google, but it was featured on a Slashdot article once.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
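The odds quoted a few posts up (1 in 84 for 3 kittens out of 9, 1 in 126 for 4 out of 9, 1 in 120 for 3 out of 10) and the 0.1^5 figure for five chained captchas are instances of one calculation: the chance that a bot passes by guessing. The following is an added example written for this discussion, not code from any poster or from KittenAuth; it generalizes the arithmetic to any panel size, any number of picks and any number of chained rounds, and derives the "best number of picks" claim from it. The daily attempt budget is an assumption taken from the 1400-accounts-per-day figure in the summary.

```python
"""Random-guess success odds for selection and chained CAPTCHAs.

Added example for the kitten-auth probability discussion; not code from
any poster.  Functions return exact fractions so the thread's figures can
be checked rather than approximated.
"""
from fractions import Fraction
from math import comb


def guess_odds(panel, picks):
    """Chance of a single random guess choosing exactly the right subset."""
    return Fraction(1, comb(panel, picks))


def best_pick_count(panel):
    """Number of required picks that makes random guessing hardest.

    Combinations peak at the middle, so asking for more than panel//2
    picks does not help (the posters' "5 or more would not help" claim).
    Returns the smallest k achieving the maximum.
    """
    return max(range(1, panel + 1), key=lambda k: (comb(panel, k), -k))


def chained_odds(single_round, rounds):
    """Chance of passing `rounds` independent challenges in a row."""
    return Fraction(single_round) ** rounds


def expected_accounts(attempts_per_day, odds):
    """Accounts a guessing bot gets per day from a fixed attempt budget.

    `attempts_per_day` is an assumed budget; 1400 is the summary's figure.
    """
    return attempts_per_day * odds


if __name__ == "__main__":
    print("3 of 9 kittens:", guess_odds(9, 3))        # 1/84
    print("4 of 9 kittens:", guess_odds(9, 4))        # 1/126
    print("3 of 10 animals:", guess_odds(10, 3))      # 1/120
    print("hardest pick count for 9:", best_pick_count(9))
    print("five 10%-crackable captchas:", float(chained_odds(Fraction(1, 10), 5)))
    print("accounts/day for a 1-in-84 guesser with 1400 tries:",
          float(expected_accounts(1400, guess_odds(9, 3))))
```

The useful reading is the last line: a panel that a bot can only guess at still yields a handful of accounts a day from a large attempt budget, which is why the rate-limiting comments in this thread matter as much as the puzzle itself.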
Which of these pictures of cutesy-wutey kittens is lolcat and which is just a cat?
If you're using a human to brute force all possible captcha presentations (!) how does blurring help? If it's blurred badly enough that one can't see the image then no one can get in.
...
Also the half-a-million images on flickr of kittens* might take a while for a human to page through and catalogue (thumbnails would be fair use I'd think). I think you might get your IP blocked after you'd clicked refresh about a thousand times too?
---
Search for kittens, there really are half a million plus! Then hit up google images, deviantart, etc.. Then do spot the puppy, then babies,
We never had to worry about things like CAPTCHA. The Internet was such a free place back then. We never had to worry about losing our ISP or trying to come up with some unique algorithm to overcome barriers. Of course this was in 1993 when there were only about eight people surfing the web and Mr. T eating balls was as high tech as it got. Back then everyone loved spam, it was about the only email we got. In fact we didn't even call it spam back then, we called it spurkey. The only problem we had was trying to figure out how to use the key to get the lid off.
ed duval the very last person
+5 points for the first one who gets it ;)
The obvious solution is to stop offering free email accounts or arrest those offering free email accounts when they assist in fraud.
no?
No one would waste time cracking a captcha if they had to pay $0.50 to activate the account.
It came to my attention recently from the people I know who use Hotmail (I try not to judge) that all mail they receive from other Hotmail users (even replies to their own messages) give a "WARNING: THIS EMAIL MAY BE DANGEROUS CLICK HERE TO OPEN" preamble.
Seriously, if hotmail BY DEFAULT does not trust hotmail, doesn't that tell you something anyway???
1. Ban all mailing lists (make them switch to something other than SMTP). Only send emails which go to a few addresses (e.g. less than 10).
2. Allow one email per five minutes per sending address, and ten emails per day.
3. Make contract with e.g. Post Office (USPS in the USA) and only allow new account creation by personally visiting the local post office, paying a fee, and having them create the account for you.
4. Record how many outgoing emails bounce. If more than a few per year then ban the account.
5. Run spam filtering on outgoing email. If it catches any, ban the account.
6. Most importantly, pass the bill that makes spam not only illegal but punishable by long prison term and do not hesitate to use military force to extract spammers from any nation whether via invasion, covert ops or direct assassination if extraction is impossible. I am serious BTW, if some moron decides to label this funny. Brute force is key here.
Perhaps I'm being too logical, but if they're worried about a botted machine creating thousands of spam accounts per day, why not limit each IP to 3 to 5 new registrations ?
It's not like a normal user will be creating a thousand mailboxes for themselves. Those folks would spring for $5 mail hosting instead.
-Billco, Fnarg.com
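Several posts in this thread (the "1400 accounts from the same IP on the same day" one, the "why allow the same attempt to fail over three times" one, and the per-IP registration cap just above) describe a pattern check rather than a harder puzzle. Here is an added example of that check as detection logic, written for this discussion and not taken from the article, Websense or Microsoft: it reads constructed sign-up log lines, counts successful registrations per source address per day and failed CAPTCHA attempts per account, and reports addresses that exceed either threshold. The log format, the addresses and the thresholds (5 accounts per IP per day, 3 failed attempts per account) are assumptions.

```python
"""Flag source IPs whose sign-up behaviour looks automated.

Added example (not code from the article or from any poster): applies a
per-IP daily registration cap and a cap on failed CAPTCHA attempts per
account to constructed sign-up log lines.  Log format, addresses and
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, in an assumed format:
#   <ISO timestamp> signup ip=<addr> account=<name> result=ok|captcha_fail
SAMPLE_LOG = """\
2008-04-15T00:01:10 signup ip=203.0.113.7 account=kx81 result=ok
2008-04-15T00:02:14 signup ip=203.0.113.7 account=kx82 result=captcha_fail
2008-04-15T00:02:20 signup ip=203.0.113.7 account=kx82 result=captcha_fail
2008-04-15T00:02:27 signup ip=203.0.113.7 account=kx82 result=captcha_fail
2008-04-15T00:02:33 signup ip=203.0.113.7 account=kx82 result=captcha_fail
2008-04-15T00:02:40 signup ip=203.0.113.7 account=kx82 result=ok
2008-04-15T00:03:45 signup ip=203.0.113.7 account=kx83 result=ok
2008-04-15T00:04:50 signup ip=203.0.113.7 account=kx84 result=ok
2008-04-15T00:05:55 signup ip=203.0.113.7 account=kx85 result=ok
2008-04-15T00:07:01 signup ip=203.0.113.7 account=kx86 result=ok
2008-04-15T09:30:00 signup ip=198.51.100.20 account=alice result=captcha_fail
2008-04-15T09:31:05 signup ip=198.51.100.20 account=alice result=ok
2008-04-16T11:00:00 signup ip=203.0.113.7 account=kx87 result=ok
"""

MAX_ACCOUNTS_PER_IP_PER_DAY = 5   # assumed, from "limit each IP to 3 to 5"
MAX_FAILS_PER_ACCOUNT = 3         # assumed, from "fail over three times"


def parse_line(line):
    """Parse one log line into a dict; returns None for lines in another format."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "signup":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {
        "day": datetime.fromisoformat(parts[0]).date(),
        "ip": fields["ip"],
        "account": fields["account"],
        "ok": fields["result"] == "ok",
    }


def analyse_signups(log_text):
    """Return {ip: sorted list of reasons} for addresses that break a rule."""
    ok_per_ip_day = defaultdict(int)
    fails_per_account = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["ok"]:
            ok_per_ip_day[(rec["ip"], rec["day"])] += 1
        else:
            fails_per_account[(rec["ip"], rec["account"])] += 1

    flagged = defaultdict(set)
    for (ip, day), n in ok_per_ip_day.items():
        if n > MAX_ACCOUNTS_PER_IP_PER_DAY:
            flagged[ip].add(f"{n} accounts created on {day}")
    for (ip, account), n in fails_per_account.items():
        if n > MAX_FAILS_PER_ACCOUNT:
            flagged[ip].add(f"{n} failed CAPTCHA attempts for {account}")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in analyse_signups(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The proxy objection raised upthread applies: a NAT gateway for a campus or ISP will legitimately exceed a fixed per-day count, so in practice the per-IP threshold is a score feeding a reputation system, not an outright block, and the failed-attempt rule is the more reliable of the two because it is keyed to a single account name rather than to an address.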
Ok, so assuming they can crack one captcha with an accuracy of 10%, why not use multiple captchas on signup - say 5 in sequence?
The next captcha should only be generated and loaded once the previous one has been entered (or passed?). If an invalid entry is entered at any stage, all of them are invalidated and have to be regenerated and re-entered.
Thus the probability of cracking the entire thing goes from 0.1 to 0.1^5 = 0.00001.
If this is something that's only done once - at signup - it shouldn't be massively inconvenient for people as it's not something they will encounter every day. After all, there isn't as far as I can see a mass public backlash to the entering of serial numbers for game installs.
It's not a perfect solution but it should act as a stop-gap measure until something better is devised, and it is implementable relatively easily using the current tech used for generating captchas.
Sure, you can only have a limited number of unique kitten/non-kitten pictures. But you can have an infinite amount of lolcat text that you can embed on top of the image before outputting it...
I'd be willing to bet this will make it more than a little harder for the bot to figure out which is the kitten based on previous attempts
That Kitten Auth got me thinking. With all the talk of human computation, why not make a little human computation part of the authentication.
For instance: identify all the images containing airplanes or select all images that are predominantly blue. Images that have already been learned would be presented with new images. And the new images could be learned by majority vote.
The images should of course be slightly randomized or random sections of the images be removed.
Think about it. You get authentication and some valuable data at the same time. And even if the exploiters find a way to "break" this, you still get the data.
My UID is prime. Hah!
My point is that the police should get out at last from 19th century, learn something about modern technologies, and get the spammers locked up.
They should hold international conferences, seminars, and learn to protect us in the real world from the real crimes.
People around the world are losing billions of hours of the working time to delete spam, by this working for free for spammers. It is the slavery of the modern days. And what the Interpol does about it? Nothing.
Look, it's obvious that any captcha type method will eventually be cracked, be it based on audio, video, math, kittens (omg, is that the best we can do in the 21st century ?).
... they don't get an account and then start mass mailing 1 million people.
Most "normal" people get a gmail or hotmail to exchange amusing anecdotes and trivia with their friends.
Surely gmail, hotmail et al would be better served analyzing the usage on the accounts themselves, and autobanning anyone sending more than, say, 10 or 20 emails within 24 hours?
For Gmail/YMail/Hotmail they could impose account limits for a while. Slowly allow the user to send more email as the email they send is not reported as spam by known good accounts (again older accounts). Never let a user send more than 100 messages/day until their account is 1 year old.
I think that by mining usage patterns you could come up with some good metrics for "is this a spammer".
Several hours of escrow could also be used (queue up, but don't actually send if you suspect spam).
Also, since GMail reads your mail anyway, make sure the user has at least 1 long conversation (reply text included in the email, email parses as having somewhat valid sentences). It's a heuristic, but maybe a decent one.
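An added sketch (not code from the poster or from any mail provider) of the throttling policy suggested in the comment above: a daily send quota that grows with messages older accounts did not report as spam, is hard-capped at 100/day until the account is a year old, and escrows suspicious bursts instead of sending them. All thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy constants (assumptions for illustration, not any provider's real rules).
BASE_DAILY_LIMIT = 10            # what a brand-new account may send per day
HARD_CAP_UNDER_ONE_YEAR = 100    # never exceeded before the account turns one year old
TRUSTED_DAILY_LIMIT = 1000       # quota once the account is a year old
TRUSTED_ACCOUNT_AGE = timedelta(days=365)
ESCROW_HOURS = 6                 # how long a suspicious message is queued before delivery

@dataclass
class Account:
    created: datetime
    sent_today: int = 0
    # One entry per previously delivered message:
    # (recipient was a known-good/older account, recipient reported it as spam)
    history: list = field(default_factory=list)

def daily_limit(acct: Account, now: datetime) -> int:
    """Quota earned so far: grows with unreported mail to trusted accounts, shrinks on reports."""
    if now - acct.created >= TRUSTED_ACCOUNT_AGE:
        return TRUSTED_DAILY_LIMIT
    good = sum(1 for trusted, reported in acct.history if trusted and not reported)
    bad = sum(1 for _, reported in acct.history if reported)
    earned = BASE_DAILY_LIMIT + 5 * good - 20 * bad
    return max(0, min(HARD_CAP_UNDER_ONE_YEAR, earned))

def classify_send(acct: Account, now: datetime, recipients: int) -> str:
    """Return 'send', 'escrow' (hold for ESCROW_HOURS, then deliver if not flagged) or 'reject'."""
    if acct.sent_today + recipients > daily_limit(acct, now):
        return "reject"
    # A burst to many recipients from a days-old account is the usage pattern worth holding back.
    if now - acct.created < timedelta(days=7) and recipients > 5:
        return "escrow"
    return "send"

if __name__ == "__main__":
    now = datetime(2008, 4, 16, 12, 0)
    fresh = Account(created=now - timedelta(days=1))
    print(daily_limit(fresh, now), classify_send(fresh, now, 1))  # 10 send
```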
Hello son, I can't get into my yahoo webmail, so I got another yahoo webmail account...
Hello? hellooo??!!
1. HEYA. Leisure Suit Larry never allowed minors to play the game, by asking trivia questions that only adults would know, like:
"Who lost a daughter but gained a 'meathead?'"
Of course, make the user type in the answer, instead of giving multiple choice.
2. KNOWYA. Only allow new users recommended by existing users. Secure the recommendation process, like asking for confirmation using carrier pigeons with one-time pads.
There can always be a bunch of Chinese sitting in some basement internet cafe behind that "captcha decoding service", solving them online.
What's purple and commutes? An Abelian grape.
It would have to be flash or something, but just imagine if the text was swirling around or something. Might make life harder as they would have to do a screen capture of the CAPTCHA and then work on that, as opposed to the conveniently supplied image file. Then if the image was larger than the viewport onto it (but moved randomly so as to reveal the whole thing) you would have to watch the whole animation to get the correct phrase.
I have excellent Karma and I am not afraid to Troll it.
The problem with Kitten Auth is the finite number of images. That's part of the CAPTCHA's strength that systems like KA don't take into account. Once just a single kitten image is identified, then every time it shows up the odds of getting the correct solution drastically increase. And don't forget the flip side, every non-kitten image identified helps too.
If you use the solve-for-porn method, then you'll solve 9 images for every successful use. Eventually, and probably not long after opening, you don't need the porn portal. Hell, you could probably do it yourself in a day. And save the porn for another.
I doubt there's anything that can be done to those pictures to make it any harder. Rotation doesn't matter. Especially if the black background is there, come on, how hard is it to automatically rotate that back? There'll be a little image loss, but identifying an image from a fuzzier version of itself is a solved problem.
This is NOT the case now. In fact, I hear people meet each other all the time with the question "Did you get that thing I sent you?" How many pieces of mail did you send that you assumed went through without acknowledgment? If I mail you, who I've never mailed before, and don't hear a human reply, has it gone through?
I certainly don't assume so. In fact, why didn't I hear back? Probably got blocked somewhere....
So if that's your definition of usable email, email hasn't been usable for almost 10 years.
I've found a solution that seems to work. You create a text field that's labeled "Don't fill this out", give it a common name like "name" or "email", hide it in your CSS, and then name all your other fields in Spanish. The bots will trip up every time.
If you really want to have fun with it, ramp up the statistical improbability, and create a whole massive form of spamcatcher fields, which are hidden from most by CSS, and have a warning for those who aren't affected. Bye bye, spambots!
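An added, self-contained illustration (not the poster's code) of the honeypot form described in the comment above: the real fields carry Spanish names, several CSS-hidden decoys carry the English names a form-filler expects, a warning is shown to anyone whose browser does not apply the CSS, and the server side rejects any submission in which a decoy was filled. Field names and the HTML are constructed for the example.

```python
import html

# Real fields use Spanish names; decoys use the English names a form-filling bot looks for.
REAL_FIELDS = {"nombre": "Name", "correo": "Email", "mensaje": "Message"}
HONEYPOT_FIELDS = ("name", "email", "url", "website", "phone")

def render_form() -> str:
    """Emit the form: decoys hidden by the 'hp' class, plus a warning for non-CSS users."""
    lines = [
        "<style>.hp { display: none; }</style>",
        '<form method="post">',
        '<p class="hp">If you can see this, leave the following fields empty.</p>',
    ]
    for hp in HONEYPOT_FIELDS:
        # autocomplete=off keeps a real browser from pre-filling a hidden decoy.
        lines.append(f'<label class="hp">Don\'t fill this out: '
                     f'<input name="{hp}" autocomplete="off"></label>')
    for name, label in REAL_FIELDS.items():
        lines.append(f'<label>{html.escape(label)}: <input name="{name}"></label>')
    lines.append("</form>")
    return "\n".join(lines)

def is_bot_submission(form: dict) -> bool:
    """True when any decoy field carries a non-blank value; humans never see those fields."""
    return any(form.get(hp, "").strip() for hp in HONEYPOT_FIELDS)

def handle_submission(form: dict) -> tuple:
    """Return ('reject', {}) for honeypot hits, ('invalid', data) or ('accept', data) otherwise."""
    if is_bot_submission(form):
        return ("reject", {})
    data = {k: form.get(k, "").strip() for k in REAL_FIELDS}
    if not data["nombre"] or not data["correo"]:
        return ("invalid", data)
    return ("accept", data)

if __name__ == "__main__":
    print(render_form())
    # Constructed submissions: a human fills only the visible Spanish fields,
    # a bot matching on common field names fills the decoys as well.
    print(handle_submission({"nombre": "Ana", "correo": "ana@example.com", "mensaje": "hola"}))
    print(handle_submission({"name": "Bob", "email": "bob@example.com", "nombre": "Bob"}))
```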
I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
rapidshare.com has a good captcha that requires more complex things than just entering words. For example, it asks to enter letters that have an animal attached to them.