Windows Live Hotmail CAPTCHA Cracked, Exploited
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
One of the best 'exploit' related articles I've seen on /. for awhile. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.
Obligatory blog plug: http://www.caseybanner.ca/
What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.
Intron: the portion of DNA which expresses nothing useful.
Here's an alternate site explaining it. (Sorry for the blog, but everywhere else redirects to pcspy.
If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.
Absolute power corrupts absolutely. indymedia
The point is to have different tactics to fight spam from different sources.
With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.
Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.
I'm actually surpried no one uses this. Google was close with their SMS registration but this could work just as well.
when you register, it gives you 2 easy to read captcha's (a verification number and password if you will), a simple picture and a 1-900 number thats $1.00 a call. When you dial it, it asks you to enter your verification number. then it asks for the password, which you would have to decode from the phone. (IE the password is vndka and you would have to enter 86352) finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat, the 1-900 number then says "did you say cat?" in which you say yes or no. if it's a cat you're registered if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture and hangs up.
The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to ram up your phone bill, But it's not anything new in the spyware business since dialers have been around for years and if their already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
In Soviet Russia, Trojan exploits YOU!