Slashdot Mirror


Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

148 comments

  1. Really? by Nimloth · · Score: 5, Funny

    "It is evident that spammers are working towards defeating anti-spam filters with their tactics."
    Sounds like news to me!

    1. Re:Really? by Hojima · · Score: 0

      It's how the spammers are doing it that makes the news. I don't see why companies like Yahoo don't just use a verification system that requires your correct first and last name with your corresponding SSN or some other permanent ID number. Then the user can have the option of changing their account name. Can anyone tell me why they haven't done this, because they obviously can.

    2. Re:Really? by SUB7IME · · Score: 4, Insightful

      Because people like me would never, ever use their service under those conditions?

    3. Re:Really? by Hojima · · Score: 1

      I never said you'd be forced to input your data; I was thinking more along the lines of what davidwr replied. It's a method you can use to filter out spam. Also, it's not impossible to keep your personal information secret. My guess is you're worried about the government knowing what you're doing, but your IP address gives you away anyway.

    4. Re:Really? by mstahl · · Score: 1

      because they obviously can

      . . . and if Yahoo and Google can match first/last names to SSNs then so can spammers.

    5. Re:Really? by Anonymous Coward · · Score: 4, Funny

      Your post advocates a

      (X) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      (X) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      (X) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      (X) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      (X) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever
      been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      (X) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      (X) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your
      house down!

    6. Re:Really? by SUB7IME · · Score: 3, Insightful

      No, I'm worried about a world in which I have to divulge my social security number to private corporations online to partake in services that should never require such information.

      Would I give a bank my SS#? Sure.
      Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.

    7. Re:Really? by debatem1 · · Score: 1

      I'll be using this in the future.

    8. Re:Really? by Anonymous Coward · · Score: 1, Funny

      Perhaps Websense could start up their own form of CAPTCHA - white text on white background... After all, their site is VIRTUALLY there...
      God, how I hate these Web 2.0 retards who have to copy every other shite looking site on the internet, because it 'looks good' - what a shame they have never heard of the word CONTRAST. Arrogant wankers.

    9. Re:Really? by Hojima · · Score: 1

      Once again I suggested it as a filtering method, not everyone will be required to do it. It's simple, if someone is fully registered, there's a smaller chance that they are spammers. Now as for identity theft, allow me to direct you to this page: http://www.freeidentityprotect.com/premium.php?gclid=CJPbxZrhrpMCFRYesgodpn1dow (and by the way there are tons more, and many for free, if you just Google it)

    10. Re:Really? by smartdreamer · · Score: 1

      Where can I find those funny forms?

    11. Re:Really? by Elbow+Macaroni · · Score: 1

      I don't get my formmail spammed when I put it under an https address. Why would that be?

      --
      -------------------------------------
      Technically, we are beyond survival.
  2. Page design by Anonymous Coward · · Score: 2, Insightful

    Whose bright idea was it to use light grey text on a white background?

    1. Re:Page design by tepples · · Score: 3, Informative

      Whose bright idea was it to use light grey text on a white background?

      At least the page is easier to read than several common CAPTCHAs that shut out blind people. You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor.
    2. Re:Page design by Anonymous Coward · · Score: 1, Funny

      Whose bright idea was it to use light grey text on a white background?

      You're not missing much anyway, that article was so poorly written, I found myself cheering for the spammers by the time it was through.

    3. Re:Page design by Anonymous Coward · · Score: 0

      "You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor."

      Asshole. Your first sentence - never heard of 'two wrongs don't make a right'?
      Secondly - why don't Websense just hire a COMPETENT web designer who has heard of CONTRAST, and isn't a Web 2.0 parrot?
      I am SICK of low contrast, grey text on white background asshole sites. So are MOST people, but these little dictators never bother to ask their CUSTOMERS what THEY want...

    4. Re:Page design by electrostatic · · Score: 1

      I wish Firefox had a macro feature. I'd use it to do Tools/Options/Content/Colors [uncheck] Allow pages to choose their own colors.

    5. Re:Page design by dbitter1 · · Score: 1

      Try Prefbar: http://prefbar.mozdev.org/.

      [Dis|En]able colors, images, animation, java, javascript, flash, popups, cookies, referrers, and a whole bunch more with a single click.

      --
      For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
  3. I guess I've gotten used to it by Mordok-DestroyerOfWo · · Score: 4, Interesting

    Normally when I get spam I just delete it, by using trashmail and being somewhat safe about my browsing habits I've found that I only get one or two per week. However recently I've been getting spam through SMS on my phone and that's what I find really infuriating. Granted it is technically just another email, but the fact that I'm paying for this service is what really grinds my gears.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    1. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 1, Interesting

      You are PAYING to RECEIVE SMS?

      What's to say that your phone company isn't paying people to send SMS to all their users?

    2. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 1, Informative

      Most people pay $.10 per message, incoming or outgoing.

    3. Re:I guess I've gotten used to it by PontifexPrimus · · Score: 5, Informative

      Most Americans pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany.
      --
      -- Language is a virus from outer space.
    4. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 0

      I had that same problem. I asked my cell phone provider what I could do about it. Basically it came down to the only option: if you don't open them you don't get charged... So try and see if you can see who the SMS is from or what the subject line is before opening.

    5. Re:I guess I've gotten used to it by Fred_A · · Score: 3, Insightful

      Most Americans pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany.

      Or in any country with a mature wireless industry for that matter.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    6. Re:I guess I've gotten used to it by LeRandy · · Score: 3, Informative
      Sounds like bullshit to me.

      a. No SMS has a subject line, it is a "Short Message Service" (max 160 chars)

      b. How the hell does the network know whether you have opened the message or not -- either it has been sent to your phone, or it has not. Any other way, and people would be publishing "free-SMS" hacks for phones.

    7. Re:I guess I've gotten used to it by Nushio · · Score: 3, Funny

      Or in any country with a mature wireless industry for that matter.
      Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)
      --
      Check out Unsealed: Whispers of Wisdom! http://unsealed.k3rnel.net It's an action-RPG about Open Sourcerers.
    8. Re:I guess I've gotten used to it by police+inkblotter · · Score: 0

      That depends on the phone. I know for the Razr it is a tried and true method if you have gone past your data allowance (my girlfriend has a small allotment of SMS allowed, and the razr shows a preview of most of the message without opening it, I'm guessing the act of opening is sent back to the CO or whatever). Luckily I have unlimited data on my Blackberry :)

    9. Re:I guess I've gotten used to it by Yvan256 · · Score: 1

      I've never seen a charge on my phone bill for the SMS I receive. I'm in Canada.

    10. Re:I guess I've gotten used to it by carnalforge · · Score: 1

      Indeed, I've been in a lot of European countries and usually I get a local SIM so as not to spend much on calling. And in none of the countries I've been to was I supposed to pay for receiving SMSs.

      --
      :wq!
    11. Re:I guess I've gotten used to it by jargon82 · · Score: 1

      None of the Americans I know pay to receive SMS. To send though, yes.

    12. Re:I guess I've gotten used to it by charlieman · · Score: 1

      Most USIANS pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany.

      Fixed the fix, since in most countries in America, it's also unheard of.
    13. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 0
      Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)

      That logic is akin to: "There are lizards in Mexico. I am in Mexico. Therefore, I am a lizard."

    14. Re:I guess I've gotten used to it by dargaud · · Score: 3, Insightful

      As far as I know, the US is the only country where the SMS receiver pays up, which seems absurd to anybody else. Anyone cares to enlighten me as to the reason for that ?!?

      --
      Non-Linux Penguins ?
    15. Re:I guess I've gotten used to it by Tony+Hoyle · · Score: 1

      Hell, in a lot of countries now you don't even pay to send it on most packages.

    16. Re:I guess I've gotten used to it by steveg · · Score: 1

      I set up the server to send me a message when there were certain problems with a peripheral.

      Then campus IT shut down the network for a day, which caused problems with that peripheral. The *next* day I get about 300 messages, once the network came back online. That cost me about $30 to *receive* those messages.

      This is in California, which, despite what some people may think, is definitely in the US. True, it was one of those fly-by-night wireless companies (called Cingular...)

      --
      Ignorance killed the cat. Curiosity was framed.
    17. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 0

      Probably because there aren't any termination fees between carriers, but I don't know for sure.

      Here in NZ, we pay NZ$0.20 per SMS sent, and there is no fee to receive. However, there is a termination fee charged between carriers.

      This is used to justify high fees to their application service providers, forcing them to have connections to each carrier to avoid the termination charges.

    18. Re:I guess I've gotten used to it by Phroggy · · Score: 5, Informative

      Sure: it goes back to how telephone service developed in this country.

      Originally, everyone had to pay to make a phone call, but it was free to receive a call. Local calls were less expensive than long-distance calls, but both charged by the minute. Decades ago, phone companies started offering a monthly flat rate for unlimited local calls, and it was so popular that it's all they offer now. Long distance calls are still a per-minute charge for the caller (free to the recipient), except for some newer companies like Vonage that include unlimited long distance calls.

      Enter cellular phones. Early adopters (mostly businessmen) wanted the convenience of being able to take a telephone with them in their car, without the rest of the world necessarily needing to know anything about what technology they were using, or having to pay any extra fees. The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers (requiring a 1 dialed in front of the number, and adding a per-minute charge to the caller's bill). People wouldn't have wanted to do that. Remember, the vast majority of calls to cell phones were from land lines, not from other cell phones (because the vast majority of people didn't have cell phones yet).

      So, the owner of the cell phone pays for the privilege of having a mobile phone, paying for both sending and receiving calls. Over time, calling between cell phones becomes increasingly popular, but if one person with a cell phone calls another person with a cell phone, BOTH people pay per minute for the call.

      And if you're going to pay for sending and receiving phone calls, you're gonna pay for sending and receiving text messages.

      Of course, the per-minute fees are exorbitant, so to soften the blow, companies start offering "free" minutes included with the monthly plan, along with a certain number of "free" text messages. The more money you pay per month, the more "free" minutes and text messages are included.

      Enter the marketing department. In an attempt to differentiate themselves from the competition, somebody starts offering unlimited calls during non-peak hours (nights and weekends), and all their competitors jump on board. Then, as mobile-to-mobile calling becomes increasingly popular, companies start offering "free" mobile-to-mobile calls within their own network, to entice people to recommend that everyone they know sign up with the same company. But since most people don't even know how to use text messages (my first cell phone didn't support them), there's no marketing reason to offer free text messaging. It's much more profitable to charge $0.10 per message (after the first few hundred per month that are included with the plan).

      We now have a new generation who has grown up with cell phones and is perfectly comfortable typing entire conversations on a keypad, abbreviating anywhere they can save keystrokes just as we did when chatting on computer bulletin boards and IRC in the late 80s and early 90s. Some people here remember the days before 300baud modems; abbreviating was essential.

      As demand for text messaging increases among this new generation and improving technology reduces actual per-call and per-message costs, marketing departments will decide that they stand more to gain from offering unlimited calls and text messages (because they can advertise it to attract customers) in their standard monthly rate than they do from charging $0.10/message. They're already moving in this direction, offering unlimited calls and texts to/from a certain number of "favorite" people. Eventually we'll all have one flat monthly rate for unlimited usage, and the whole question of paying to receive calls and text messages will be irrelevant.

      I was about to say it will be forgotten, but it has never occurred to most Americans that things could work differently in the rest of the world, so there's no question to forget.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    19. Re:I guess I've gotten used to it by Cardcaptor_RLH85 · · Score: 2, Informative

      Personally I remember that back on the 'original' AT&T Wireless (my first cellular provider) they offered free incoming text messages to all of their users. That deal unfortunately went by the wayside when Cingular bought the wireless department from the old AT&T unless you never wanted to get any more free phone upgrades. The Cingular SIM cards wouldn't work in old SIM-locked AT&T branded phones so, either you bought unlocked phones at retail or you had to change to a Cingular plan. It was a sad time for those of us in the US who didn't want to pay when someone sent us a text message against our will....

    20. Re:I guess I've gotten used to it by simmee · · Score: 1

      Never heard of it in Australia either, unless it's PREMIUM SMS, I just get the telco to block those

    21. Re:I guess I've gotten used to it by dargaud · · Score: 1

      The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers

      Thanks for the detailed explanation... I have cell phones in 3 different countries, and in each the number starts very clearly with a different prefix, so everybody knows that they are calling a different number with different tarification: you have local, long distance and cell phone (and 800, 900, etc). I don't see anything strange with that, but I find it strange that some want to treat cells as if they were local numbers and have the callee eat the difference.
      --
      Non-Linux Penguins ?
    22. Re:I guess I've gotten used to it by Phroggy · · Score: 1

      Thanks for the detailed explanation... I have cell phones in 3 different countries, and in each the number starts very clearly with a different prefix, so everybody knows that they are calling a different number with different tarification: you have local, long distance and cell phone (and 800, 900, etc). I don't see anything strange with that, but I find it strange that some want to treat cells as if they were local numbers and have the callee eat the difference.

      Yeah, I failed to highlight this point in my excessively detailed post, but that's exactly it - we don't have a different prefix for cell phones here, so there's no way for the caller to know whether a particular number they're calling is a land line or a cell phone. Remember, by this time in the US, everyone had a flat monthly rate for local calls (the vast majority of calls most people ever made), while in the rest of the world, most people had to pay per minute for every call they made (with long distance calls just being billed at a higher rate). If you're paying per minute for every call anyway, then whether you're calling a local land line / cell phone / long distance number doesn't make so much difference - it's just a difference in cost per minute. If you have a flat rate for all local calls and only have to pay per minute for long-distance calls, then the psychological difference is huge - people avoid making long-distance calls because they want to avoid paying for them, but local calls are free so you can call as much as you want. Early cell phone adopters wanted people to feel comfortable calling them, and most Americans don't feel comfortable when they're paying by the minute.

      I should also add that all of this is sheer speculation on my part, and I don't actually have any idea what I'm talking about. ;-)
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    23. Re:I guess I've gotten used to it by Anonymous Coward · · Score: 0

      Most USIANS pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany.

      Fixed the fix, since in most countries in America, it's also unheard of.

      This "USian" obsession has got to be the most retarded thing on the entire Internet.

      New Guinea is part of the continent of Australia. Do they get their panties in a wad when citizens of the country of Australia (which is also part of the continent of Australia) are called "Australians"? Do you call someone from New Guinea an "Australian", too? Perhaps we should call citizens of The Commonwealth of Australia "Commonwealthians" so as to not offend other people living on the Australian continent?

      The country is called The United States of America, which describes a union of a bunch of states in a place called America. Hence, the citizens are called Americans. You don't call citizens of The People's Republic of China "PRians", do you?
  4. Wrong title by RiotingPacifist · · Score: 5, Informative

    The article describes how the spammers are using their new found accounts, nothing to do with CAPTCHAs other than they had to (either automatically or manually) break them to get the accounts.

    I'm surprised they're not using them to break the spam filter of Yahoo/Hotmail/Gmail though. I mean, if they all started sending each other spam and marking it as ham, wouldn't that pretty much break any feedback-based system that they're using to protect their users?

    --
    IranAir Flight 655 never forget!
    1. Re:Wrong title by nbert · · Score: 5, Informative

      "Understanding How CAPTCHA Is Broken" is catchier than "Anti-Captcha and spamming strategy well explained!", guess that's why this article was chosen. The article's summary itself shows that it's not mainly about CAPTCHAs, otherwise fast-flux wouldn't show up there.

    2. Re:Wrong title by stephanruby · · Score: 1

      I'm surprised they're not using them to break the spam filter of Yahoo/Hotmail/Gmail though. I mean, if they all started sending each other spam and marking it as ham, wouldn't that pretty much break any feedback-based system that they're using to protect their users?

      Wouldn't collaborative Bayesian filtering mitigate that problem? The preferences of people who actually enjoy receiving spam would be combined with the preference of other similar-minded individuals. So then the people who like spam get their spam and the people who do not -- don't.
    3. Re:Wrong title by Anonymous Coward · · Score: 0

      If half your users are marking something spam, while the other half are marking it ham, you're probably going to classify it mostly spam. If you're Google, you're going to let the ham-eaters have their hammed spam, and for everyone else, let spam be spam.
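
The poisoning RiotingPacifist asks about, and the mitigation the two replies sketch, as an added example (not code from Yahoo, Hotmail or Gmail, and not something the article describes in detail). It models a provider that labels a message from users' "spam" / "not spam" clicks, shows how a block of freshly registered accounts flips the label under plain majority voting, and then runs the same votes through an aggregation that weights voters by account history. The votes, account ages and numeric weights are constructed for illustration.

```python
"""Feedback poisoning of a vote-trained spam filter, and one mitigation.

Added example; not provider code. Votes, account ages and weights are
constructed. Model: each message gets a global label from user clicks;
attacker controls many day-old accounts and votes "ham" on its own spam.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    voter: str
    message_id: str
    label: str  # "spam" or "ham"


def naive_majority(votes):
    """One account, one vote; ties go to spam, the conservative choice.
    Anyone who can mass-register accounts can outvote the real users."""
    tally = defaultdict(lambda: {"spam": 0, "ham": 0})
    for v in votes:
        tally[v.message_id][v.label] += 1
    return {m: "spam" if t["spam"] >= t["ham"] else "ham" for m, t in tally.items()}


class ReputationFilter:
    """Weighted majority. Accounts younger than `trusted_age` days start with
    zero weight in the global decision and earn weight only by agreeing with
    the trusted consensus; voters who disagree lose half their weight. A
    voter's own click still decides what that voter's own mailbox shows."""

    def __init__(self, account_age_days, trusted_age=30, quorum=5.0):
        self.weight = {u: (1.0 if age >= trusted_age else 0.0)
                       for u, age in account_age_days.items()}
        self.quorum = quorum      # minimum trusted weight before voters are scored
        self.global_label = {}
        self.own_vote = {}        # (voter, message_id) -> label

    def decide(self, votes):
        tally = defaultdict(lambda: {"spam": 0.0, "ham": 0.0})
        by_msg = defaultdict(list)
        for v in votes:
            tally[v.message_id][v.label] += self.weight.get(v.voter, 0.0)
            by_msg[v.message_id].append(v)
            self.own_vote[(v.voter, v.message_id)] = v.label
        for m, t in tally.items():
            label = "spam" if t["spam"] >= t["ham"] else "ham"
            self.global_label[m] = label
            if t["spam"] + t["ham"] < self.quorum:
                continue  # too little trusted weight to judge the voters by
            for v in by_msg[m]:
                w = self.weight.get(v.voter, 0.0)
                self.weight[v.voter] = min(1.0, w + 0.1) if v.label == label else w * 0.5
        return dict(self.global_label)

    def for_user(self, message_id, user):
        """Per-mailbox view: the user's own click wins over the global label,
        so an account that wants the spam keeps getting it."""
        return self.own_vote.get((user, message_id), self.global_label.get(message_id))


def build_scenario(n_legit=20, n_sybil=500):
    """Constructed data: 20 year-old accounts flag a message, 500 day-old
    accounts vote it 'ham', and one genuinely new human sides with the 20."""
    ages = {f"user{i}": 400 for i in range(n_legit)}
    ages.update({f"bot{i}": 1 for i in range(n_sybil)})
    ages["newbie"] = 2
    votes = [Vote(f"user{i}", "msg-1", "spam") for i in range(n_legit)]
    votes += [Vote(f"bot{i}", "msg-1", "ham") for i in range(n_sybil)]
    votes.append(Vote("newbie", "msg-1", "spam"))
    return ages, votes


if __name__ == "__main__":
    ages, votes = build_scenario()
    print("naive majority :", naive_majority(votes)["msg-1"])   # poisoned -> ham
    f = ReputationFilter(ages)
    print("weighted       :", f.decide(votes)["msg-1"])          # spam
    print("bot0 weight    :", f.weight["bot0"], " newbie weight:", f.weight["newbie"])
    print("bot0 mailbox   :", f.for_user("msg-1", "bot0"))      # its own vote: ham
```

Weighting by account history only raises the attacker's price to "aged accounts with a clean voting record", which is the kind of credibility the summary says spammers are after with proper email accounts, so a real deployment would pair this with rate limits on how much a new account's clicks can move any global label.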

  5. Sometimes It Comes as an Easy Fix by morari · · Score: 5, Informative

    A little less than one year ago I had put up a forum for my website; PHPBB (insert whatever the current version was). Anyway, all was fine for a few weeks until I noticed obvious spam accounts registering maybe once a day. Nothing ever came of them, no abusive posts or anything of that nature, but they were sitting there in my user list. I tried several common approaches, such as using a different CAPTCHA and also forcing a verification word to be typed in. Nothing worked.

    Eventually I noticed that the one commonality between all of the spam accounts was that they all chose Albanian as their language. Odd. I initially thought that perhaps the spammers were based in Albania, but quickly came to the conclusion that the bots were simply selecting the first available option in the language dropdown. I wrote up a script (which was painfully sloppy, I'm sure) that would not allow anyone to successfully register with the Albanian language. After filling everything out and hitting submit, it would take you to a page and say something to the extent of "Sorry, you have selected an unauthorized language. Please try again". I watched carefully as for weeks I didn't spot a single new spam account. Eventually I made a fake language to sit at the top of the list and block, just in case any actual Albanians wanted to use the board. It continued to work just fine.

    After several months I did get hit by one or two spam accounts that had set their language to English. After that, I wrote a similar script for the "personal website" field of the signup process, forcing legitimate users to add it to their profile after successfully registering. I haven't had any problems since.

    --
    "He who can destroy a thing, controls a thing." --Paul Atreides, Dune
    1. Re:Sometimes It Comes as an Easy Fix by flerchin · · Score: 0

      These solutions are quite elegant for your situation. However, you are not much of a target.

      --
      --why?
    2. Re:Sometimes It Comes as an Easy Fix by Anonymous Coward · · Score: 0

      I took down forms and still get spam to them.

      The spammers aren't going through the formmail forms posted on the Internet anymore.

      I noticed all my forms listed under https://etc...

      Did not get spammed. So now I'm just going to put all forms under a secure certificate. Hope that works for a while.

      Why are the spammers intent on breaking the Internet?

    3. Re:Sometimes It Comes as an Easy Fix by hostyle · · Score: 1

      Why are the spammers intent on breaking the Internet?

      Some people refer to it as capitalism. In short: greed, short term views and the almighty buck.
      --
      Caesar si viveret, ad remum dareris.
    4. Re:Sometimes It Comes as an Easy Fix by Dwedit · · Score: 1

      Why on earth would a spambot care about a robots.txt file? Only reason I could think of was something popular a while ago, where people stuck a non-very-visible link on a website which generated loads of fake linked web pages, and garbage email addresses to try to trap harvesters in that section of the website.

    5. Re:Sometimes It Comes as an Easy Fix by Anonymous Coward · · Score: 0

      Those bots tend to fill post values for every form field. Someone here on slashdot recommended an approach where you would hide a form field via css or the hidden attribute.

      If it was submitted in the post, it is most likely a bot on the client side.

    6. Re:Sometimes It Comes as an Easy Fix by Elshar · · Score: 1

      One of the boards I'm on does something similar. Except instead of throwing an error message for not choosing the right language, it lets you register and then silently discards your account.

      So the spammer thinks they've beaten the system when in reality they haven't. :)

    7. Re:Sometimes It Comes as an Easy Fix by Anonymous Coward · · Score: 0

      Sure, but it works, because it relies on peoples' bad qualities (greed) instead of good (social participation/communism). It'd be nice if there was another system that relied on another bad quality, but there aren't many as predictable (and therefore controllable/stable) as greed.

    8. Re:Sometimes It Comes as an Easy Fix by amRadioHed · · Score: 1

      Unfortunately those easy fixes only work for you because you are a low profile site. If it was worthwhile to someone to specifically target your site they wouldn't have any problems working around those defenses.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    9. Re:Sometimes It Comes as an Easy Fix by DavidTC · · Score: 1

      Don't use a hidden form field, some bots are smart enough to pass those straight through. (Often, they have to as part of the signup anyway.)

      It's worth pointing out that this only works for widespread software that gets targeted automatically. Spammers' software Googles a certain file path or whatever, gets a list of all phpBBs out there, and runs fully automatically. It won't help at all if you've been specifically targeted; the spammer will suck in the actual form and specify values for each field.

      --
      If corporations are people, aren't stockholders guilty of slavery?
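
The three form-level tricks discussed in this subthread (morari's decoy first entry in the language dropdown and empty-at-signup website field, the CSS-hidden field from the Anonymous Coward, Elshar's silent discard) together in one server-side check, as an added example. This is not phpBB code and not morari's script, only a reconstruction of the same idea; the field names, the decoy language entry and the two sample submissions are assumptions made for illustration.

```python
"""Honeypot checks for a forum registration form.

Added example; not phpBB code and not the script described in the thread.
Field names, the decoy language entry and the sample submissions are
assumptions for illustration.
"""
from dataclasses import dataclass, field

# The first <option> is a decoy. The page renders it as "-- select --" (or
# hides it with CSS); a bot that takes the first option of every <select>
# submits it, a human picks a real language.
LANGUAGES = ["xx-decoy", "en", "de", "fr", "sq"]  # "sq" keeps Albanian available
DECOY_LANGUAGE = LANGUAGES[0]

# A *visible-type* text input hidden with CSS (display:none on its wrapper)
# and given a plausible name. Humans never see it, so it must come back
# empty. Not type="hidden": bots pass those through untouched (DavidTC's point).
HONEYPOT_FIELD = "email_confirm"

# Profile field that real users add from their profile page after signup;
# the registration form never carries it, so any value is suspect.
WEBSITE_FIELD = "website"


@dataclass
class Verdict:
    is_bot: bool
    reasons: list = field(default_factory=list)


def classify_registration(form):
    """Return a Verdict for one submitted registration form (a dict of
    field name -> string, as a web framework would hand it over)."""
    reasons = []
    lang = form.get("lang", "")
    if lang == DECOY_LANGUAGE:
        reasons.append("decoy language option selected")
    elif lang not in LANGUAGES:
        reasons.append("language not in the offered list")
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("css-hidden field was filled in")
    if form.get(WEBSITE_FIELD, "").strip():
        reasons.append("website supplied at signup")
    return Verdict(is_bot=bool(reasons), reasons=reasons)


def handle_registration(form, accounts):
    """Silent-discard variant: every submitter gets the same success page,
    but a flagged one gets no account, so the bot operator sees no error
    to adapt to. Returns (response, account_created)."""
    verdict = classify_registration(form)
    if not verdict.is_bot:
        accounts.append(form["username"])
    response = {"status": 200, "body": "Registration complete. Welcome aboard."}
    return response, not verdict.is_bot


# Constructed submissions, not captured traffic.
BOT_FORM = {
    "username": "cheapmeds2008",
    "lang": DECOY_LANGUAGE,                     # first option of the dropdown
    HONEYPOT_FIELD: "cheapmeds@example.invalid",  # filled every named input
    WEBSITE_FIELD: "http://pills.example.invalid/",
}
HUMAN_FORM = {"username": "alice", "lang": "de", HONEYPOT_FIELD: "", WEBSITE_FIELD: ""}

if __name__ == "__main__":
    accounts = []
    for who, form in (("bot", BOT_FORM), ("human", HUMAN_FORM)):
        resp, created = handle_registration(form, accounts)
        print(who, "->", resp["body"], "| created:", created, classify_registration(form).reasons)
    print("accounts:", accounts)
```

As flerchin, amRadioHed and DavidTC note, this only catches untargeted mass-registration tools that fill every field and take the first option of every list; an attacker who fetches the live form and fills it field by field walks straight through, so treat it as a cheap first filter in front of rate limiting and moderation, not as a CAPTCHA replacement.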
  6. This is more about subverting CAPTCHA by paratiritis · · Score: 4, Informative
    The article does not really talk about how the spammers defeat CAPTCHA, which would be more interesting to me. It focuses instead on how once they defeat the CAPTCHA test (manually or automatically) they take advantage of the added credibility their new accounts have (because of that very test) for their purposes.

    This is the scam part, not the technology part of their operations, which would actually tell us about the possible weaknesses for the CAPTCHA tests and give hints how to fix them.

  7. My spam rules-- by Anonymous Coward · · Score: 1, Interesting

    I have determined that:

    If the message is not in english or lojban, I don't want to see it.
    If the message is in caps, I don't want to see it.
    If the message was sent to more than ten people, I don't want to see it.
    If more than 10% of the message text is not valid and correctly
    spelled english or lojban, I don't want to see it.
    If the message has anything to do with a lottery, I don't want to see
    it-- I don't gamble, period.
    If the message has anything to do with sex, I don't want to see it.
    (for various reasons)
    If the message has anything to do with drugs, pharmaceutical or
    otherwise, I don't want to see it.
    If the message was sent from africa, I don't want to see it. I don't
    know anyone in africa.
    If the message was sent from asia, with the exception of south korea
    and the one guy in the UAE, I don't want to see it either.
    If the message was sent from central or south america, with the
    exception of one guy in argentina, same thing.
    If the message /contains/ more than ten email addresses, I don't want
    to see it. Death to chain mail.

    If anyone knows of an email provider that currently exists where I can set rules
    that detailed and flexible, please let me know.

    ethana2@gmail.com
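    The rules above as a program, added here as an example and not the poster's own setup: it scores the rules that can actually be evaluated from the message alone (visible recipient count, an all-caps body, many embedded addresses, topic words) over three constructed sample messages using the standard library's `email` parser. Geographic origin and spelling are deliberately left out, since no header reliably states the sender's country and spell-checking needs a dictionary the example does not carry. The topic word list and the sample messages are constructed.

```python
"""Rule-based mail filter: added example, not the poster's own setup."""
import re
from email import message_from_string, policy
from email.utils import getaddresses

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TOPIC_WORDS = {"lottery", "viagra", "pharmacy", "sex"}  # constructed, per the post


def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def recipient_count(msg):
    """Distinct visible recipients. Bcc is stripped before delivery, so
    'sent to more than ten people' can only ever be a lower bound."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return len({addr.lower() for _, addr in getaddresses(headers) if addr})


def caps_ratio(text):
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def classify(raw):
    """Names of the rules that fire, in check order; an empty list means keep."""
    msg = message_from_string(raw, policy=policy.default)
    text = body_text(msg)
    hits = []
    if recipient_count(msg) > 10:
        hits.append("too_many_recipients")
    if len(text) > 20 and caps_ratio(text) > 0.9:   # ignore a short "OK"
        hits.append("all_caps")
    if len(set(ADDR_RE.findall(text))) > 10:       # chain-mail signature
        hits.append("embedded_addresses")
    subject = str(msg["Subject"] or "")
    words = set(re.findall(r"[a-z]+", (subject + " " + text).lower()))
    if words & TOPIC_WORDS:
        hits.append("topic")
    return hits


# Constructed sample messages.
CHAIN_MAIL = ("From: a@example.com\nTo: "
              + ", ".join(f"u{i}@example.com" for i in range(12))
              + "\nSubject: fwd fwd fwd\n\nSend this to everyone you know.\n")
SHOUTER = ("From: b@example.com\nTo: me@example.com\nSubject: URGENT\n\n"
           "YOU HAVE WON THE INTERNATIONAL LOTTERY CLAIM YOUR PRIZE NOW\n")
FRIEND = ("From: c@example.com\nTo: me@example.com\nSubject: lunch\n\n"
          "Lunch tomorrow? Same place as last week.\n")
```

    classify(CHAIN_MAIL) fires only the recipient rule, classify(SHOUTER) fires the caps and topic rules, and classify(FRIEND) fires nothing. The recipient rule is the one to be careful with in practice: a message sent to a hundred people via Bcc shows a single visible recipient.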

    1. Re:My spam rules-- by Yvan256 · · Score: 4, Funny

      Wow.... all of those rules, and you end your post with your email address.

    2. Re:My spam rules-- by Anonymous Coward · · Score: 2, Funny

      Wait, Anonymous Coward here again, I made a typo. It's actually malda@slashdot.org

    3. Re:My spam rules-- by Cedric+Tsui · · Score: 2, Insightful

      Maybe that's the point. s/he doesn't want to have to hide his e-mail address from the world.

  8. WRONG TITLE! by Anonymous Coward · · Score: 0

    I get the idea that the editor failed to RTFA.

    Good article nonetheless, but c'mon.

  9. Animated CAPTCHAs? by MasaMuneCyrus · · Score: 4, Interesting

    Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?

    1. Re:Animated CAPTCHAs? by Anonymous Coward · · Score: 5, Interesting

      Animated captchas exist and are used but not too often. The only example I can think of is: https://www.e-gold.com/acct/login.html

    2. Re:Animated CAPTCHAs? by apt-get+moo · · Score: 1

      I don't know how you think they should work, but as only the noise may be changed during an animation (unless you want to make the CAPTCHA even more inaccessible to ordinary users), a machine might even have an easier time to retrieve the signal (which has to remain constant in some way to be discerned by humans, at least in form and probably in colour), i.e. the text to be entered to bypass the CAPTCHA.

      --
      ...."Have you mooed today?"...
    3. Re:Animated CAPTCHAs? by Yvan256 · · Score: 1

      Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation?

      Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?

    4. Re:Animated CAPTCHAs? by Fred_A · · Score: 1

      Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation?

      Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?

      Very language specific. And not easy to generalise. You need to write one set of rules per animation, presumably by hand. Captchas can be machine generated from a dictionary or random characters.
      Which is the point.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:Animated CAPTCHAs? by apt-get+moo · · Score: 1

      Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation? Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?

      Presenting multiple words might work, but for a machine this would just multiply the complexity of one CAPTCHA with the number of frames, while a human takes significantly more time to solve it compared to a flat one. And radio buttons are out of question, they would produce too many false positives. Tick boxes might be slightly better, but still not as good as text input. Except maybe to distract some bots.
      --
      ...."Have you mooed today?"...
    6. Re:Animated CAPTCHAs? by Yvan256 · · Score: 1

      Machine-generated captchas generated from dictionaries are already very language-specific.

      The animations can also be machine generated from a dictionary of images, with a random number of frames and a random frame position for each image.

      This is all pointless, however, since spammers probably pay people to register new accounts for them.

    7. Re:Animated CAPTCHAs? by xmpcray · · Score: 1

      Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?

      Animated GIFs are simply multiple images (frames) saved in one file. It would be easier to break it since the bots can "see" the same text in multiple images and interpret it better when you have multiple images showing the same text.

      --
      I refuse to answer that question on the grounds that I don't know the answer.
    8. Re:Animated CAPTCHAs? by mstahl · · Score: 4, Informative

      But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.

      The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.

    9. Re:Animated CAPTCHAs? by Anonymous Coward · · Score: 0

      One method used to beat CAPTCHAs is social networking - i.e. using a farm of users (either with or without their knowledge/consent) to put in the CAPTCHA for them. This means that obfuscating a CAPTCHA to make it more difficult for a machine is pointless. Perhaps if CAPTCHAs weren't redirectable - maybe using unique, automatically-generated CSS and image obfuscation (although this would also require framing obfuscation, so a bot couldn't even say where the CAPTCHA was in order to redirect a screenshot'ed copy). If this idea isn't as worthless as I suspect it is, feel free to take it :\

    10. Re:Animated CAPTCHAs? by Anonymous Coward · · Score: 0

      You know, I've never thought of that.

      What if you made it an animated GIF where each frame would show a random character in the sequence. Set the speed where it goes through the frames fast enough where normal users may just see a minor flicker across the image (as the letters appear and disappear between frames)

      Would make it a little more of a pain in the butt for a bot to read it.

    11. Re:Animated CAPTCHAs? by rjames13 · · Score: 1

      Better to do something like what you see on a CRT image. Where the picture is built up over time but instead of using interleaving use random sections of the picture. Throw them all together and a human can see a letter where there is none and a bot will see a letter where the human does not.

    12. Re:Animated CAPTCHAs? by Anonymous Coward · · Score: 1, Insightful

      >The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world.

      The only problem is you could never automatically generate CAPTCHAs like that because you need a human knowledge database. Which, again, can be learned by the bot; so the system is defeated. Logic implies that any test a computer could generate could always be solved by a computer, so no CAPTCHA technology will ever "win". Sorry :)

    13. Re:Animated CAPTCHAs? by DavidTC · · Score: 1

      Yeah, that's actually how animated gifs work. They can draw just part of the image (Any rectangular part, that is), and they can also draw transparent pixels over existing images so they only update part of it.

      I don't think it would be very good by itself, but it might be a clever idea to generate CAPTCHA images that piece together the end image out of three or four frames. And perhaps starting off with a full image with easily OCRable text...that's only up there for a split second, then overwritten, designed to catch OCR software.

      --
      If corporations are people, aren't stockholders guilty of slavery?
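      The frame-splitting idea DavidTC and rjames13 describe, together with the counter xmpcray and mstahl raise, as an added example that is not code from the thread: a tiny constructed bitmap "image" of a code is split so that each frame carries only a random share of its pixels (no single frame shows the whole text), and then the frames are simply OR-ed together, which is what a bot that draws every frame without clearing gets back. With a plain split the composite is exactly the original; with DavidTC's decoy frame of different text drawn first, the naive composite is no longer the original. The font, the code text and the decoy are constructed for the demo.

```python
"""Frame-split CAPTCHA experiment: added example, not from the thread."""
import random

# Constructed 3x5 bitmap font for a few glyphs; real CAPTCHAs render real fonts.
FONT = {
    "A": ["010", "101", "111", "101", "101"],
    "B": ["110", "101", "110", "101", "110"],
    "C": ["011", "100", "100", "100", "011"],
    "7": ["111", "001", "010", "100", "100"],
}
GLYPH_W, GLYPH_H, GAP = 3, 5, 1


def render(text):
    """Return the set of (x, y) 'ink' pixels for text, glyphs side by side."""
    pixels = set()
    for i, ch in enumerate(text):
        x0 = i * (GLYPH_W + GAP)
        for y, row in enumerate(FONT[ch]):
            for x, bit in enumerate(row):
                if bit == "1":
                    pixels.add((x0 + x, y))
    return pixels


def split_into_frames(pixels, n_frames, rng):
    """Give every ink pixel to exactly one of n_frames frames, so a screenshot
    of any single frame is incomplete (the 'build it up over time' idea)."""
    frames = [set() for _ in range(n_frames)]
    for p in pixels:
        frames[rng.randrange(n_frames)].add(p)
    return frames


def composite(frames):
    """The bot's counter: OR all frames, as a viewer that never clears does."""
    out = set()
    for f in frames:
        out |= f
    return out


def coverage(frame, full):
    """Fraction of the full image's ink that one frame carries."""
    return len(frame & full) / len(full) if full else 0.0


def show(pixels, width, height):
    """ASCII dump, handy for eyeballing a frame."""
    return "\n".join(
        "".join("#" if (x, y) in pixels else "." for x in range(width))
        for y in range(height))


def demo(text="AB7", decoy="CCC", n_frames=4, seed=1):
    rng = random.Random(seed)   # fixed seed so the demo is repeatable
    full = render(text)
    frames = split_into_frames(full, n_frames, rng)
    per_frame = [coverage(f, full) for f in frames]
    # DavidTC's variant: a complete, easily OCR-able frame of the WRONG text
    # shown first, then overwritten by the real frames.
    with_decoy = [render(decoy)] + frames
    return {
        "per_frame_coverage": per_frame,
        "max_single_frame": max(per_frame),
        "recovered_equals_full": composite(frames) == full,
        "naive_or_with_decoy_equals_full": composite(with_decoy) == full,
    }
```

      demo() reports that no single frame carries the whole code, that OR-ing the frames gives the code back exactly, and that with the decoy frame in front the naive OR no longer does. That last result is only as good as the bot being naive: a frame shown for a split second has a tiny GIF delay, and a bot that weights pixels by on-screen time, or just drops the first frame, is back to the plain case.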
  10. CAPTCHA sucks by thetoadwarrior · · Score: 3, Interesting

    They keep trying to make it harder to read which isn't accessible but some places (like rapidshare) have made it nearly impossible for even normal people to guess.

    1. Re:CAPTCHA sucks by Paradise+Pete · · Score: 1
      some places (like rapidshare) have made it nearly impossible for even normal people to guess.

      I think rapidshare does that knowingly, to get people to sign up for the paid version.

    2. Re:CAPTCHA sucks by thetoadwarrior · · Score: 1

      That's crossed my mind as well especially since it seems like you get fewer tries these days than before.

  11. This article is an advertisement by Omnifarious · · Score: 5, Insightful

    This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It is an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.

    1. Re:This article is an advertisement by owlnation · · Score: 3, Interesting

      This article links to what is basically an infomercial.

      Quite correct. It does. There's also no news here whatsoever. It's good to know that it's not only readers that don't read TFA, the editors -- and even Taco -- don't always read it either.
    2. Re:This article is an advertisement by Omnifarious · · Score: 3, Insightful

      It would be really nice if people would tag articles like this with 'slashvertisement'. :-)

  12. Captchas by Anonymous Coward · · Score: 2, Funny

    I was going to post an insightful comment about the article, but I've wasted so much time trying to figure out Slashdot's captcha to post this message, that I no longer have the time.

  13. Fighting spam will either succeed or it will fail by davidwr · · Score: 2, Insightful

    Either the spam-fighters will keep spam down to an acceptable level or they won't.

    Mail services that don't provide good spam protection will fail.

    If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. This is getting silly. by Asztal_ · · Score: 4, Funny

    Next time I'm just going to demand that anyone who wants to register for my site will have to send me a formal written request, signed and dated, with at least two good references and a registration history.

    That should keep the bots out, right?

    1. Re:This is getting silly. by gnud · · Score: 1

      If it does not, it's time to go pay our respects to our new robotic overlords.

  15. Understanding How CAPTCHA Is Broken by JackSpratts · · Score: 1

    Hmmm. Nothing in TFA about it really.

  16. Why are we so helpless? by Chemisor · · Score: 3, Insightful

    It ought to be obvious to everyone that spam is a property violation crime. Putting unrequested email in my account is the same as dumping used tires on my front lawn. Sure I have an address, but that doesn't mean I want just anyone to deliver anything to it without my permission. Why aren't we making this explicitly illegal, just like dumping and vandalism already are? Why are we putting up with these people?

    1. Re:Why are we so helpless? by gsgriffin · · Score: 3, Insightful

      Unfortunately, it is not that simple. Your analogy is not correct. Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end...there will always be idiots that can get on the web.

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
    2. Re:Why are we so helpless? by Anonymous Coward · · Score: 3, Insightful

      No it's not obvious.

      How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?

      Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that girl who really dug you at that party.

      I don't see how you could propose a law that requires permission to send an email without destroying most of email's practical benefits as well.

    3. Re:Why are we so helpless? by Anonymous Coward · · Score: 0

      Your plan is brilliant. Please tell us how someone can know whether their particular email is wanted or not.

    4. Re:Why are we so helpless? by Chemisor · · Score: 1

      > How on earth would you actually request each individual email you want to receive?

      By explicitly giving the sender your email address. You can also publish it for use of a specific audience. For example, I have my sourceforge address in the header of each source file I write. This is clearly intended for people to report problems with software. There is some gray area, of course, but any email sent with the intent of selling me something definitely violates the criteria.

      > I don't see how you could propose a law that requires permission to send an email

      One possibility is to pass a law requiring each email to be encrypted with your public key. Anyone trying to contact you legitimately would know what it is, because you'd give it out with your email address, in whatever manner. It also makes bulk mail impossible, especially if you choose a long key.

    5. Re:Why are we so helpless? by Chemisor · · Score: 1

      > Your analogy is not correct. Email is more like snail-mail. And yes, anyone
      > can send email to your mailbox via snail-mail and not go to jail.

      I would instead apply the same analogy to snail mail.
      It really is not difficult to differentiate between personal mail and spam. The former is written for a single recipient - you. Its intent is conversation. Spam is written generically, and its intent is to get you to buy something. Spam should be illegal in any form. Period. Be it email, phone calls, snail mail, door-to-door salesmen, or street hustlers. There is to be no "push" advertising whatsoever. If I want advertising, I MUST ask for it explicitly. Every time! Only genuine personal communications should be allowed without explicit permission. Where's the difficulty here?

    6. Re:Why are we so helpless? by Anonymous Coward · · Score: 0

      One possibility is to pass a law requiring each email to be encrypted with your public key. Anyone trying to contact you legitimately would know what it is, because you'd give it out with your email address, in whatever manner. It also makes bulk mail impossible, especially if you choose a long key.

      Your post advocates a

      (X) technical (X) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (X) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      (X) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      (X) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (X) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      (X) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever
      been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your
      house down!
    7. Re:Why are we so helpless? by Chemisor · · Score: 0

      > Your post advocates a
      > (X) technical (X) legislative ( ) market-based ( ) vigilante

      If my approach is tried, it obviously has a chance of success. If it is summarily dismissed as "not gonna work", then of course it won't.

      > (X) Mailing lists and other legitimate email uses would be affected

      Mailing lists are not a good use of email. Use discussion forum software or usenet, which are far more appropriate venues for this type of communication.

      > (X) Users of email will not put up with it

      Why won't they put up with it? Users hate spam, and would certainly welcome anything that removes it. Yes, there are some morons who actually read spam and buy stuff advertised in it, but that is not really relevant here. We're a democracy, and sacrificing the wants of the few for the needs of the many is what we do.

      > (X) Microsoft will not put up with it

      Microsoft will love it. It runs hotmail, and would certainly appreciate the enormous increase in available capacity that will result from eliminating spam. Spam does not benefit Microsoft. Spam hurts Microsoft.

      > (X) Many email users cannot afford to lose business or alienate potential employers

      You mean spammers "cannot afford to lose business". Destroying their business is precisely what's needed.

      > (X) Lack of centrally controlling authority for email

      No central authority for email is needed. What is needed is the ability to pursue legal action against spammers for spamming. This could be done simply by forwarding the spam message to the police, who could then arrest the spammer, if he can be tracked down. Currently, sending spam is not illegal, so the authorities can do nothing.

      > (X) Armies of worm riddled broadband-connected Windows boxes

      If spam were illegal, the police could track down the people who create these boxes. How? By following the money. Spam exists to sell stuff, so it is trivial to find the company responsible for sending it. If it wasn't possible, the company wouldn't be making any money, would it?

      > (X) Technically illiterate politicians

      Even politicians these days use email. And anybody who uses email eventually receives an offer to enlarge his penis. Any questions?

      > (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

      If the idea isn't tried, how can it be shown practical?

      > (X) Sorry dude, but I don't think it would work.

      Sorry dude. It will work.

    8. Re:Why are we so helpless? by Renraku · · Score: 1

      I suspect that when all the major ISPs start setting bandwidth limits and thus putting a cash value on the byte, that spammers will start to dwindle. You can prosecute text message, SMS, and spam calls over cell phone..because they all have cash values.

      Bytes on an unlimited service have no obvious cash value.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    9. Re:Why are we so helpless? by gsgriffin · · Score: 1

      I wish what you state could be true, but in a free market society of the US, we cannot avoid it. You would have to drive down the highways and not look left or right and see a billboard. You would never watch television with commercials and not listen to radio either. You really can't read the newspaper or even browse news media websites. For that matter, don't look to the top or right on a Google search. Advertisements are everywhere. You have the right to look at it or listen to it, but you cannot always tune it out or stop it before it comes to you. If you personally were in the business of making a product and selling it, you're glad that your advertisements are seen by many and make sales by a few. (Do you work for a company that advertises?) If none of this happened, you wouldn't have much to purchase from. Businesses would see fewer sales and have less incentive to make new products (if nobody sees or hears about them and then buys their products). Half of the time I see something that I want to purchase because of an ad. I didn't even know it existed until the ad showed it. There are benefits to counter the annoyance.

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
    10. Re:Why are we so helpless? by Anonymous Coward · · Score: 0
      Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end...there will always be idoits that can get on the web.

      IMO, nothing is as bad as snail mail. If UPS/FedEx/DHL comes to my house or facility (business), any package can be refused. If they leave the package, kick it out the curb. Mail cannot be refused and the USPS will not pick up unwanted junk. With email, rules can be set up. With regular mail, it would be nice to be able to auto-refuse anything without my name or not my address or below a certain class - et cetera. If "penny saver" then "do not deliver" et cetera. That we don't have that with OUR OWN MAILBOXES, is one reason the government will never solve the spam issue.

    11. Re:Why are we so helpless? by amRadioHed · · Score: 1

      One difficulty is that some people like some of the unrequested mail they get. For instance when a new restaurant in my neighborhood I don't know about sends me a coupon I am always glad to give them a try. I do however wish I could opt out of the mailings. It's a terrible waste to get weekly fliers from three supermarkets that I never frequent.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    12. Re:Why are we so helpless? by amRadioHed · · Score: 1

      One primary difference between email spam and postal spam is that email spam costs the provider a lot of money whereas postal spam makes it possible for the USPS to charge low rates for your first class mail. That's probably the reason why snail mail spam is impossible to avoid.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    13. Re:Why are we so helpless? by Anonymous Coward · · Score: 0

      > (X) Mailing lists and other legitimate email uses would be affected

      Mailing lists are not a good use of email. Use discussion forum software or usenet, which are far more appropriate venues for this type of communication.

      Who the hell are you to decide what is a good use of *my* e-mail? I happen to *like* mailing lists, and there certainly are legitimate reasons to process large volumes of e-mail.

      > (X) Users of email will not put up with it

      Why won't they put up with it? Users hate spam, and would certainly welcome anything that removes it. Yes, there are some morons who actually read spam and buy stuff advertised in it, but that is not really relevant here. We're a democracy, and sacrificing the wants of the few for the needs of the many is what we do.

      What you describe is a tyranny by majority, or mob rule -- not a democracy.

      But most importantly, it'd greatly complicate sending an e-mail. I'd have to find the public key of the person I want to e-mail as well as his e-mail address. I can just imagine the process of giving out a public key over the telephone...

      > (X) Microsoft will not put up with it

      Microsoft will love it. It runs hotmail, and would certainly appreciate the enormous increase in available capacity that will result from eliminating spam. Spam does not benefit Microsoft. Spam hurts Microsoft.

      Lots of CPU power would be required to do the requisite cryptographic checks. Even though the total throughput of e-mail might decrease, the CPU time per e-mail would go through the roof.

      > (X) Lack of centrally controlling authority for email

      No central authority for email is needed. What is needed is the ability to pursue legal action against spammers for spamming. This could be done simply by forwarding the spam message to the police, who could then arrest the spammer, if he can be tracked down. Currently, sending spam is not illegal, so the authorities can do nothing.

      You know, the world is a big place, and is larger than any single country.

      Any legislative solution will be useless unless it's world-wide. That should address any issues of practicality.

      > (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

      If the idea isn't tried, how can it be shown practical?

      Through logic. See above.

      > (X) Armies of worm riddled broadband-connected Windows boxes

      If spam were illegal, the police could track down the people who create these boxes. How? By following the money. Spam exists to sell stuff, so it is trivial to find the company responsible for sending it. If it wasn't possible, the company wouldn't be making any money, would it?

      Sorry. Doesn't work that way. If it did, anybody who wanted to create trouble for a business would send out spam in their name. Trying to follow the money by seeing who gets the money for the orders doesn't work, since the spammers wouldn't be the same people as the business owners.

      Anyway, my point was that said armies of worm riddled broadband-connected Windows boxes have way more CPU power than what's good for them. Sending e-mail isn't CPU bound as it is, but even if some kind of public-key cryptography were used, you should never underestimate the amount of CPU power available to spammers.

      By the way, I'm pretty sure that breaking into another person's computer for the purpose of using their network connection and CPU time for sending spam is... well... illegal in most locales. Making it more illegal won't help here.

      > (X) Technically illiterate politicians

      Even politicians these days use email. And anybody who uses email eventually receives an offer to enlarge his penis. Any questions?

      Just because a politician knows what spam is, doesn't mean he's qualified in the area of fighting spam.

    14. Re:Why are we so helpless? by Chemisor · · Score: 1

      > Advertisements are everywhere. You have the right to look at it or listen to it

      This is a different situation. Passive ads on web pages are just something that comes with the page; they are not sent to me personally. I just happen to come across them as I browse. This is fine, since I do not own the sites, and should not dictate to the owners what they cannot do with them. With email, I own my email box and I have the right to some control of what goes in there.

    15. Re:Why are we so helpless? by DavidTC · · Score: 1

      Mail cannot be refused and the USPS will not pick up unwanted junk.

      What are you talking about? It's easy to refuse mail. Have you ever asked the post office to block mail to you before? Maybe you should try that before you sound off about it. You can block mail from any sender, although you can't block by class. It's called Form 1500, ask for it at the post office. You have to inform them that the mail has pornographic material you find offensive...but don't worry, the law specifically says that you have the sole discretion to decide it is so. (In other words, you can make up your own definitions of what the words mean.) The post office hates this law, because once you file a single one they are required by law to compare all incoming senders against the list, but it has held up in court to be able to block any mailing you want, regardless of how unpornographic it may seem to others.

      For third class mail without your name on it, to return it, the best trick is to tell the post office that someone doesn't reside at your house. Specifically, tell them that 'Current Resident' doesn't live there. I don't know anyone with that rather strange name, and they certainly don't live here! So write 'Does not reside' or 'Not at this address' and circle 'Current resident' and stick it back in the mailbox. (1) You may also want to draw a line through the scannable address because otherwise you risk it falling back into the automated system and coming back to you.

      Even if they don't honor that, you still don't have to deal with that package, and you can just keep doing it over and over to get rid of junk mail. As the letter carrier is one of the people who is supposed to catch mail to 'invalid residents', eventually he will figure out that you're serious about this 'Does not reside' bit and stop delivering 'Current Resident' mail because he's just going to have to take it back.

      You can actually 'Return to Sender' first class mail the same way, by writing 'Return to Sender' on it and sticking it back in the box, but only first class mail, so that's not that helpful.

      1) Important note: Legally, mail addressed to 'Current resident' or 'Any resident' is addressed to anyone at your address, and if you assert they don't live there you are technically committing mail fraud unless they all agree they are not the named person. So get the permission of all residents at your property before you do that trick.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    16. Re:Why are we so helpless? by Jeff+Molby · · Score: 1

      Nobody "pushes" to your email box. Your email box periodically "pulls" from the mail server. Feel free to program your email box so that it only pulls emails that fit your criteria.

      That is the only part of the process that you own.

    17. Re:Why are we so helpless? by gsgriffin · · Score: 1

      I see where you are coming from. I'll play devil's advocate to see where our thinking leads us...At least we're having an intelligent discussion that doesn't have to lead to calling each other names...which is usually what people do when they have nothing intelligent left to say. If you own a television in the US, active ads are pushed into and interrupt your viewing (at least much of the time in the US...I realize not everywhere in the world). We don't have a right to not have them pushed in front of us, but you can find tools to get around it like TiVo. Rather than demand commercials be banned, we find a way to avoid them. I'd also be interested to hear your thoughts on the radio advertisements, since they tend to be very annoying to me but hard to tune out as you drive down the road. We did finally make a move against telemarketers a few years back, but that became an extreme inconvenience when eating dinner and wasting your time telling someone to go shove it! The other fact, that might be interesting for discussion's sake, is that most people don't "own" an email address. Most, it seems, get their email for free from either Gmail or Yahoo or something. If you are given something for free to use, how far are they allowed to go with their advertisements? At least in the States, I think we confuse freedom of speech with freedom FROM speech. You have the right to say what you want, but I don't necessarily have the right to stop you from saying it (unless what you are saying is hateful in race or sexual preference...then you can go to jail). We don't have freedom from advertisements and marketing. We do have freedom to make any false statements and exaggerated claims through advertising, though.

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
    18. Re:Why are we so helpless? by Chemisor · · Score: 1

      > If you own a television in the US, active ads are pushed into and interrupt your viewing

      Yes, but that's still not the same thing. TV ads are served by the TV station and are used to subsidize the shows you watch. Yes, you also pay for your cable subscription, but there you are paying for content delivery, not the content itself. I can put up with TV ads (even though I never actually watch them) because they are used to pay for the content. Same situation with ad-supported web pages. The ads help pay for content. Yes, I always block the ads, and no, I would never buy something I saw in an ad (I would, in fact, avoid it, to not encourage more advertising). Nevertheless, the advertisers still think for some reason that what they do generates profits, and it's their business if that turns out not to be the case.

      With email, the situation is different because the ads are not connected to anything. They do not help pay for my email account (unless you use gmail) and they do not help my ISP. Spam is, in fact, the main cause of problems for email providers and ISPs. The purchases, if any suckers can be found to make them, will go to the spammers alone, and I get no benefit at all from viewing (or ignoring) them, like I do with TV ads or ad-supported web pages. Furthermore, spam generally advertises illegal or fraudulent products anyway, so even if the recipient of spam buys the product, he is worse off.

      > The other fact, that might be interesting for discussion sake, is that most people don't "own" an email address.

      As in the TV example, if you use a free email address, you generally get banner ads to "pay" for it. Banner ads are not spam; they are used to subsidize the cost of hosting your account.

      > You have the right to say what you want, but I don't necessarily have the right to stop you from saying it

      Sure I do. If you come to my house and say things I don't like, I am fully within my rights to throw you out. I can also post a "No soliciting" or "No trespassing" sign, and expect not to be bothered by anyone.

      > We don't have freedom from advertisements and marketing.

      And that's precisely the problem. To reiterate, ads are ok if you are looking for them, or if you accept them as payment for something. It is the ads that waste your time without paying for it in some way that must be illegal. Your time is money. Make the bastards pay.

    19. Re:Why are we so helpless? by Chemisor · · Score: 1

      > Who the hell are you to decide what is a good use of *my* e-mail?

      Oh? So some people are allowed to decide how you use your email and others aren't? I can never understand statements like this. "Who the hell are you" is simply not a relevant question at any time.

      > I happen to *like* mailing lists

      Nobody's perfect.

      > and there certainly are legitimate reasons to process large volumes of e-mail.

      And what might those reasons be, except for mailing lists?

      > What you describe is a tyrrany by majority, or mob rule -- not a democracy.

      What do you think democracy is? "Majority rule is a characteristic feature of democracy, though many democratic systems do not adhere to this strictly." -- wikipedia. You might not like it, but you have to call it democracy. What should the alternative be? Tyranny by your personal opinion? "Who the hell are you to decide"? That very question implies majority rule, by implying that no single person is fit to decide anything, and only the majority is fit for it.

      > But most importantly, it'd greatly complicate sending an e-mail. I'd have to
      > find the public key of the person I want to e-mail as well as his e-mail address.

      I was simply proposing this as a potential means of determining an email's legitimacy. If it doesn't work, fine. You can still make spam illegal, it will just take a little more effort to determine if it is spam. Not that it's hard. Any human can tell within a few seconds. The key requirement is the ability to do something about it, e.g. to report it to the police for prosecution.

      > Any legislative solution will be useless unless it's world-wide.

      Not at all. We currently have trade embargoes against countries that we dislike. We could add countries that support spammers to that list.

      > If it did, anybody who wanted to create trouble for a business would send out
      > spam in their name. Trying to follow the money by seeing who gets the money for
      > the orders doesn't work, since the spammers wouldn't be the same people as the business owners.

      Spam is mainly sent for economic reasons. If there was no profit in it, there wouldn't be any spam. Yes, it may create trouble for a business, but this trouble is easily resolved by a quick audit of the business' advertising expenses, which is what you'd do anyway to track down spammers.

      > Just because a politician knows what spam is, doesn't mean he's qualified in the area of fighting spam.

      He might not be qualified to propose technical solutions, but he certainly is qualified to propose legal ones.

    20. Re:Why are we so helpless? by Anonymous Coward · · Score: 0

      I have never form-1500'd something - but am tempted (e.g., Best Buy only provides a 'mail to' unsubscribe option). Personally, I think that is far too burdensome and it is not the same as a refusal or being able to call up UPS and have them return (at their expense). 1500 is somewhat 'after the fact' as it only applies to future deliveries. Preferably, mail could be refused at great expense to the sender or USPS so that they self-curb their abuses of the system. My carrier may actually be 'trained' without my active effort. Since I only pick up mail once per week (it is a communal/townhouse lockbox but not a PO box) and have had most junk mail stopped, it seems like even stuff I haven't stopped has decreased (like 'wrong address' (lots of neighbors' mail) material or 'postal customer' - it used to all get crammed in). Thanks for the 1500 reminder - one of these days I'll use it...

  17. Web page redirection may have to go by Animats · · Score: 4, Interesting

    We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppiness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").

    Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.

    We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth. For things like AdWords ads, where some sites use redirection as part of a tracking system, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-AdWords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.

    It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.
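    As an added example, not code from Animats' post or from SiteTruth: a small Python walker that follows a page through HTTP-level, META-refresh and JavaScript redirects, counts each kind, and applies the rule of thumb above (one HTTP redirect is fine; a second one, or any META/JavaScript redirect, is suspicious). The `PAGES` table and every hostname in it are constructed so the code runs offline; the JavaScript check is a static pattern match over the page source and will miss obfuscated redirects.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed offline "web": url -> (status, headers, body). All hosts are hypothetical.
PAGES = {
    # trusted-looking blog page -> HTTP redirect -> META refresh -> JavaScript hop -> landing page
    "http://blog.example/post": (302, {"Location": "http://hop1.example/x"}, ""),
    "http://hop1.example/x": (200, {}, '<html><head>'
        '<meta http-equiv="refresh" content="0;url=http://hop2.example/y">'
        '</head></html>'),
    "http://hop2.example/y": (200, {}, '<html><body><script>'
        'window.location.href = "http://landing.example/buy";'
        '</script></body></html>'),
    "http://landing.example/buy": (200, {}, "<html><body>Buy now</body></html>"),
    # a vendor linking to its own site: a single HTTP redirect to the canonical URL
    "http://vendor.example/": (301, {"Location": "https://vendor.example/"}, ""),
    "https://vendor.example/": (200, {}, "<html><body>Our product</body></html>"),
}


class _MetaRefresh(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag in a page."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;>]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


def meta_refresh_target(body):
    parser = _MetaRefresh()
    parser.feed(body)
    return parser.target


_JS_PATTERNS = [
    re.compile(r"""(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    re.compile(r"""location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]"""),
]


def js_redirect_target(body):
    """Static match for the common JavaScript redirect idioms; obfuscated code evades this."""
    for pat in _JS_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(1)
    return None


def follow_chain(url, fetch=None, max_hops=10):
    """Walk redirects from url. Returns (list of URLs visited, counts per redirect kind)."""
    fetch = fetch or (lambda u: PAGES.get(u, (404, {}, "")))
    chain = [url]
    counts = {"http": 0, "meta": 0, "js": 0}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        nxt = kind = None
        if status in REDIRECT_STATUSES and location:
            nxt, kind = location, "http"
        elif meta_refresh_target(body):
            nxt, kind = meta_refresh_target(body), "meta"
        elif js_redirect_target(body):
            nxt, kind = js_redirect_target(body), "js"
        if nxt is None:
            break
        counts[kind] += 1
        url = urljoin(url, nxt)
        if url in chain:        # redirect loop
            break
        chain.append(url)
    return chain, counts


def classify(counts):
    """The post's rule: one HTTP-level redirect is OK; more, or any META/JS redirect, is suspicious."""
    if counts["meta"] or counts["js"] or counts["http"] > 1:
        return "suspicious"
    return "ok"


if __name__ == "__main__":
    for start in ("http://blog.example/post", "http://vendor.example/"):
        chain, counts = follow_chain(start)
        print(classify(counts), counts, " -> ".join(chain))
```

    Run against the constructed table, the blog page scores one HTTP, one META and one JavaScript redirect and is classified suspicious; the vendor's single 301 to its canonical URL is classified ok. The walker also stops on a redirect loop and after `max_hops`, which is what the browser policy suggested above would need as well.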

    1. Re:Web page redirection may have to go by kipin · · Score: 1

      Sure, some site operators will look bad, but they will adapt.

      Unfortunately, so will the spammers.

      --
      If I can not smoke in heaven, then I shall not go. -- Mark Twain
    2. Re:Web page redirection may have to go by Animats · · Score: 1

      Unfortunately, so will the spammers.

      Every time we close off another way to hide business identity, filtering gets better. We can't actually stop the spam, but we can fix it so few humans ever see it.

    3. Re:Web page redirection may have to go by Anonymous Coward · · Score: 0


      It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.

      Multiple redirects and redirects via JavaScript are the standard mode of operation for Verified by Visa and MasterCard SecureCode. In an effort to block spam, you'd end up warning users to not enter their card information in a secure manner.

      Disclaimer: I didn't design the verification system this way and I don't like that it involves so many JavaScript redirections.
  18. A more practical approach - 3 grades of service by davidwr · · Score: 5, Interesting

    I'd prefer 2, or better yet, 3 grades of service:

    * verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
    * established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
    * other - anyone else

    On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.

    The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.

    Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:A more practical approach - 3 grades of service by Anonymous Coward · · Score: 5, Insightful

      * verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally This is a good idea, since spammers and other criminals don't have access to a large number of credit card numbers.
    2. Re:A more practical approach - 3 grades of service by ya+really · · Score: 1

      verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally

      In order for this to be worth anything, the sites would have to charge some amount to your card via a merchant account. Otherwise, performing a mod 10 check on the card number is worthless; anyone can defeat that. Aside from that, considering a large percentage of online criminals reside outside the US and in countries that scoff at our extradition policies, how many are going to be prosecuted for using an unauthorized number?

    3. Re:A more practical approach - 3 grades of service by ya+really · · Score: 1

      I almost forgot to add, many of the driver's license numbers in the US are also not random numbers. States such as Michigan and Florida generate their numbers through the soundex system, which is also easy to duplicate, and there are programs out there that do just that. The number is generated from your DOB and full name.

    4. Re:A more practical approach - 3 grades of service by rdebath · · Score: 1

      Worthless, you bet! 4111111111111111

      That reminds me of 111-1111111
      ...
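      Added here as an example (not code from either post above): the mod 10 check ya really mentions is the Luhn algorithm, and the number rdebath quotes passes it. The second function shows why passing proves nothing: given any digit prefix, one appended check digit makes it pass, so a "validated" card number is a typo check, not evidence that an account exists or that anyone can be prosecuted. Function names are this example's own.

```python
def luhn_valid(number):
    """True if the digit string passes the Luhn (mod 10) check; non-digit input is rejected."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_complete(prefix):
    """Append the single check digit that makes prefix pass luhn_valid().

    Any prefix works, which is the point: a Luhn-valid number is one digit away
    from any string of digits an attacker cares to type.
    """
    if not prefix.isdigit():
        raise ValueError("prefix must be all digits")
    total = 0
    for i, ch in enumerate(reversed(prefix)):
        d = int(ch)
        if i % 2 == 0:          # these become the doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return prefix + str((10 - total % 10) % 10)


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))            # the number quoted above passes
    print(luhn_complete("411111111111111"))          # and is what completing its prefix produces
    print(luhn_valid(luhn_complete("5500000000000")))  # any prefix can be completed
```

      A site that only runs this check before granting "verified" status has verified nothing; as the post says, only an authorization against a merchant account ties the number to a real, chargeable account, and even that only shifts the cost onto whoever's card was stolen.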

    5. Re:A more practical approach - 3 grades of service by Anonymous Coward · · Score: 0

      Yep. And, we have their fake identity, so they can be tracked down and prosecuted swifty!

  19. Spammers trick - REuseable captcha by fastgood · · Score: 3, Interesting

    Find somewhere with 1000s of pageviews (eg. pr0n site)
    Present Captcha image to 2 users (agreement = correct)

    So the monkeys pull the right lever and get the reward
    of viewing the next adult video, and the spammer gets
    a near-realtime solution to even the best of captchas.

    1. Re:Spammers trick - REuseable captcha by chifut · · Score: 1

      You don't need to give the captcha to two users, give each user one captcha, so what if one of them is wrong.. You'd have one captcha solved and another not. The web site will tell you that you got it wrong..
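      As an added example, not code from fastgood's or chifut's post: the server-side check a site owner can actually make against this relay, and a model of the relay itself. Challenge ids are single use and expire after a TTL, so a harvested answer cannot be replayed, and the spammer's "near-realtime" requirement becomes a hard deadline; what the check cannot do is tell a relayed human answer from a direct one, so a visitor who answers inside the window still gets the bot through. The class, the TTL and the challenge alphabet are this example's assumptions.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits


class CaptchaIssuer:
    """Issues challenges (the text that would be rendered into the image) and accepts
    each challenge id at most once, within ttl_seconds of issue. Hypothetical design."""

    def __init__(self, ttl_seconds=60.0, length=5):
        self.ttl = ttl_seconds
        self.length = length
        self.pending = {}  # challenge id -> (expected answer, time issued)

    def issue(self, now):
        cid = secrets.token_hex(8)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self.pending[cid] = (answer, now)
        # in a real deployment only the id and the rendered image leave the server
        return cid, answer

    def verify(self, cid, submitted, now):
        entry = self.pending.pop(cid, None)   # single use: consumed on first attempt, right or wrong
        if entry is None:
            return False                      # unknown id, or already used: a replay
        expected, issued_at = entry
        if now - issued_at > self.ttl:
            return False                      # the relay took too long
        return hmac.compare_digest(expected.encode(), submitted.encode())


def relay_attempt(issuer, human_delay, now=0.0):
    """Model the relay from the post: the bot fetches a challenge from the target site,
    shows the image to a visitor of an unrelated site, and submits that visitor's
    answer human_delay seconds later. The visitor is assumed to read it correctly."""
    cid, image_text = issuer.issue(now)
    visitor_answer = image_text
    return issuer.verify(cid, visitor_answer, now + human_delay)


if __name__ == "__main__":
    print(relay_attempt(CaptchaIssuer(ttl_seconds=60), human_delay=20))   # inside the window: accepted
    print(relay_attempt(CaptchaIssuer(ttl_seconds=60), human_delay=90))   # too slow: rejected
```

      The TTL is a tuning knob, not a fix: the shorter it is, the more of the spammer's relayed answers arrive late, but a site with thousands of page views per hour on the relay side can still keep a steady stream inside any window long enough for honest users to type five characters.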

  20. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  21. What about a CAPTCHA made in flash? by Anonymous Coward · · Score: 0

    I made a CAPTCHA using flash and PHP. It seems as if the spammers might have a hard time reading flash content, no?

    1. Re:What about a CAPTCHA made in flash? by Dwedit · · Score: 2, Insightful

      The only thing really protecting you is that your solution is not standard, so bot writers have to treat your website differently, so they won't be as easily able to post there. The instant your solution becomes more commonplace, bot writers will be able to parse your SWF files, read the images, or do whatever else it takes to solve it.

      It's a classic case of Security through Obscurity, and this time it works.

      However, SWF files have accessibility issues, and there are always people who love to block them.

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. incoherent TFA by ralphdaugherty · · Score: 1


      This is the most incoherent TFA I've ever seen linked by slashdot. We just went through CAPTCHA breaking a few days ago and here we go again with the dancing images and worse suggestions.

      Sheesh, there's this underlying assumption that the CAPTCHA image is automatically being broken by spambots using OCR, but all it takes is CAPTCHA images where the letters are not cleanly separated to keep all but some as yet uninvented world class OCR from identifying the characters. Anyway, no one has presented a case for automatic OCR breaking anyway.

      It'd be nice to see some more basic examinations of the technologies involved in attack and defend of websites. We deal with this in adminning our websites day in and day out so this is an important subject.

      rd

  24. Phone-based verification by Tablizer · · Score: 1

    I think its time to use phone-based sign-up verification. An automated dialing system would call a user within about 5 minutes of signing up for an account to confirm via phone push-button that they indeed did sign up. Yes, it is fairly expensive, but who said good security is cheap.

    It is possible to trick such a system, but very difficult on a scale of hundreds of thousands, which is what spammers need. Phone calls are better tracked than HTTP messages because of the costing infrastructure that underlies phones.

    1. Re:Phone-based verification by dargaud · · Score: 2, Insightful

      Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

      --
      Non-Linux Penguins ?
    2. Re:Phone-based verification by /dev/trash · · Score: 1

      1and1 did this when they were offering their free service years ago.

    3. Re:Phone-based verification by Tony+Hoyle · · Score: 2, Insightful

      Enjoy paying for all those peak rate calls to russia...

      It would be so easy to bankrupt a site that tried this (phone number generator, script) that no sane site owner would try it.

    4. Re:Phone-based verification by Anonymous Coward · · Score: 0

      Sites primarily of interest to Americans and Western Europeans (i.e. most of those of commercial value) need never make a verification call to Russia, China, Costa Rica, or any other spam haven. Those legitimately in those countries with interest could pay for forwarding. Of course, this doesn't address that a spammer could get a huge block of U.S. phone numbers on the cheap to take verification calls one per site implementing such a scheme.

    5. Re:Phone-based verification by Tablizer · · Score: 1

      Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

      Huh? Please clarify. How is the spammer going to answer your phone and press the confirm digit? If you mean they will call you with ads, that is illegal and fairly traceable if done to lots of people. Phone calls are traced far easier than individual HTTP messages. Spammers need high quantities to make a profit.

    6. Re:Phone-based verification by Tablizer · · Score: 0

      Enjoy paying for all those peak rate calls to russia...

      No no no. Email account confirmation calls you. When you sign up for say Hotmail, you give your phone number and a service calls you and you press a confirmation digit.

  25. Email is broken, captcha is pointless by Anonymous Coward · · Score: 0

    The spammer problem wouldn't exist if email wasn't so hopelessly broken. It wasn't designed from the ground up to prevent assholes from abusing it.

    Ditch email, design something else. This is slashdot for crying out loud, surely we can come up with a solution!

    1. Re:Email is broken, captcha is pointless by Dwedit · · Score: 1

      It's not just email, it's also message boards, blog posts, and wikis. Those also have bots crapflooding them with spam.
      Bots don't even need to post a URL to get people to visit, they'll just stick in a stock ticker symbol for pump and dump scams, so methods involving blocking new users from posting URLs will still fail.

  26. Stupid question about stupid people by religious+freak · · Score: 1

    Ok, so I've got to say, I just don't GET (understand) spam. Who the hell is still clicking on the links?

    Does anyone fall for a Nigerian scam anymore? Or buy pills? Or want a bigger schlong?

    Don't people get it already?! How do these spammers make money?

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    1. Re:Stupid question about stupid people by Tony+Hoyle · · Score: 1

      They don't need to any more.. it's self sustaining. People are paying for lists of 'verified' email addresses, they're paying for spammers to send the messages... the spammers have already made their money - off stupid management of so-called 'legitimate' business. There are enough stupid people around to sustain that industry for many, many years.

      Nobody needs to reply.. there's no comeback for the companies paying the spammers so they keep doing it on the offchance someone might buy their crap. That's where the law needs tightening up - paying for spam services should have punitive fines (a million dollars or so... basically any company that tries it gets wiped out, if not by the fine, by their shareholders when they find out).

  27. This is a job for...TinySMS ! by justthinkit · · Score: 1

    (1) Create TinySMS.com
    (2) People type in their message and are given a helpful TinySMS string like &Ee*3#9-! to text to their SO, cleverly avoiding the cost of receiving an SMS by just recording the preview string
    (3) People smash their phones trying to text strings like "&Ee*3#9-!" until they realize it isn't possible
    (4) TinySMS ends up selling the unread text messages to the highest bidder
    (5) E! buys an unread TinySMS and learns of Britney's latest accident 12 minutes sooner
    (6) ...For If When Do loop While...
    (7) Profit!

    --
    I come here for the love
  28. captcha = discrimination by Anonymous Coward · · Score: 0

    Captcha is discrimination against scixelsyd!

  29. Captcha proxies by chrysalis · · Score: 1

    I once received a spam for a p0rn site. Accessing that site required you to enter a Captcha code "in order to avoid bandwidth steal".

    A Captcha for a p0rn site?! How much do you bet that the Captcha was actually proxied from another site, like a webmail?

    --
    {{.sig}}
  30. I feel... by das_magpie · · Score: 1

    Like I just got scammed by Websense! RSS spam. It's a new type of advertising scam: writing slightly interesting articles and posting them on news-for-nerds sites with a little wrap about yourself at the end.

  31. privacy by tacocat · · Score: 1

    If people could successfully get legislatures to support privacy rights then any spammer would be considered a criminal. But businesses consider the ability to send cold call email a vital necessity to many of their business models and as such, promote spamming as a right of the free market, thereby eroding personal privacy.

  32. Can it break RapidShare's upcoming CAPTCHA? ;) by antdude · · Score: 3, Funny

    Digg shares several amusing doctored screen shots of RapidShare's CAPTCHAs that might be shown in the future.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  33. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  34. Even Easy Countermeasures Are Unavailable by Doc+Ruby · · Score: 1

    How come Evolution still doesn't have a white/blacklist against the addressbook? How come it doesn't have a spam filter that traps even whitelisted spam that's bayesian-similar to marked spam?

    How come big email servers like at ISPs don't flag as spam messages that have identical bodies but different senders and recipients?

    How come ISPs don't pretend to be spammers in the market for spamming SW, then reverse engineer what the spam engineers sell them into filters, like virus honeypots have proven works?

    --
    make install -not war
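    As an added example, not code from Doc Ruby's post or from any mail server: the second question above, flagging messages whose bodies are identical but whose senders differ, reduced to a fingerprinting pass over a constructed batch of messages. Bodies are case-folded and whitespace-collapsed before hashing, so the trivial mutations in the sample collapse to one fingerprint, and the rule counts distinct senders rather than recipients, which is what separates a botnet run from a newsletter that one sender mails to many. The sample messages, addresses and function names are constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages, not real mail. All addresses and hosts are hypothetical.
SAMPLE = [
    {"from": "a@botnet1.example", "to": "u1@isp.example",
     "body": "Cheap meds!  Visit http://pharma.example now"},
    {"from": "b@botnet2.example", "to": "u2@isp.example",
     "body": "cheap meds! visit http://pharma.example now"},
    {"from": "c@botnet3.example", "to": "u3@isp.example",
     "body": "Cheap meds!\nVisit http://pharma.example now\n"},
    {"from": "d@botnet4.example", "to": "u4@isp.example",
     "body": "CHEAP MEDS! VISIT HTTP://PHARMA.EXAMPLE NOW"},
    # a newsletter: one sender, many recipients, same body; not the pattern to flag
    {"from": "news@list.example", "to": "u1@isp.example", "body": "This week's newsletter ..."},
    {"from": "news@list.example", "to": "u2@isp.example", "body": "This week's newsletter ..."},
    {"from": "news@list.example", "to": "u3@isp.example", "body": "This week's newsletter ..."},
    {"from": "friend@home.example", "to": "u1@isp.example", "body": "Lunch tomorrow?"},
]


def normalize_body(body):
    """Case-fold and collapse whitespace so trivial mutations map to one fingerprint."""
    return re.sub(r"\s+", " ", body).strip().lower()


def body_fingerprint(body):
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()


def bulk_fingerprints(messages, min_senders=3):
    """Fingerprints of bodies seen from at least min_senders distinct sender addresses."""
    senders = defaultdict(set)
    for m in messages:
        senders[body_fingerprint(m["body"])].add(m["from"].lower())
    return {fp for fp, who in senders.items() if len(who) >= min_senders}


def flag_bulk(messages, min_senders=3):
    """Indices of messages whose body is shared across min_senders or more senders."""
    bulk = bulk_fingerprints(messages, min_senders)
    return [i for i, m in enumerate(messages) if body_fingerprint(m["body"]) in bulk]


if __name__ == "__main__":
    for i in flag_bulk(SAMPLE):
        print(i, SAMPLE[i]["from"], repr(SAMPLE[i]["body"]))
```

    The weakness of the exact-fingerprint approach is visible in the normalizer: spammers who insert per-message random words or reorder sentences get a fresh hash each time, which is why production filters use locality-sensitive or shingled hashes rather than a plain digest of the body.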

  35. Marketing by schoschie · · Score: 1

    Interesting, and clever marketing by Websense. This is the third /. post linking to an article on their website in the past three weeks, iirc.

  36. Use a protocol designed for what you want to do by szodjo · · Score: 1

    It's amazing how we try to solve problems like these. Instead of looking at protocols designed pre-spam and before massive automated attacks as being the problem, we see the attacks as the problem. If we continue to latch on to poorly authenticated, plain-text protocols, we'll continue to face these attacks. The solution is to rewrite email, ftp and other insecure and inadequate protocols to meet the modern age. If we continue to 'duct tape' our solutions, spammers and hackers will continue to outpace our development.