Slashdot Mirror


Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

18 of 148 comments

  1. Page design by Anonymous Coward · · Score: 2, Insightful

    Whose bright idea was it to use light grey text on a white background?

  2. This article is an advertisement by Omnifarious · · Score: 5, Insightful

    This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It is an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.

    1. Re:This article is an advertisement by Omnifarious · · Score: 3, Insightful

      It would be really nice if people would tag articles like this with 'slashvertisement'. :-)

  3. Re:Really? by SUB7IME · · Score: 4, Insightful

    Because people like me would never, ever use their service under those conditions?

  4. Fighting spam will either succeed or it will fail by davidwr · · Score: 2, Insightful

    Either the spam-fighters will keep spam down to an acceptable level or they won't.

    Mail services that don't provide good spam protection will fail.

    If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  5. Why are we so helpless? by Chemisor · · Score: 3, Insightful

    It ought to be obvious to everyone that spam is a property violation crime. Putting unrequested email in my account is the same as dumping used tires on my front lawn. Sure I have an address, but that doesn't mean I want just anyone to deliver anything to it without my permission. Why aren't we making this explicitly illegal, just like dumping and vandalism already are? Why are we putting up with these people?

    1. Re:Why are we so helpless? by gsgriffin · · Score: 3, Insightful

      Unfortunately, it is not that simple. Your analogy is not correct. Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end... there will always be idiots that can get on the web.

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?

    2. Re:Why are we so helpless? by Anonymous Coward · · Score: 3, Insightful

      No it's not obvious.

      How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?

      Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that girl who really dug you at that party.

      I don't see how you could propose a law that requires permission to send an email without destroying most of email's practical benefits as well.

  6. Re:A more practical approach - 3 grades of service by Anonymous Coward · · Score: 5, Insightful

    > * verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally

    This is a good idea, since spammers and other criminals don't have access to a large number of credit card numbers.

  7. Re:I guess I've gotten used to it by Fred_A · · Score: 3, Insightful

    Most Americans pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany. Or in any country with a mature wireless industry for that matter.
    --
    May contain traces of nut.
    Made from the freshest electrons.

  8. Re:I guess I've gotten used to it by dargaud · · Score: 3, Insightful

    As far as I know, the US is the only country where the SMS receiver pays up, which seems absurd to anybody else. Anyone care to enlighten me as to the reason for that?!?

    --
    Non-Linux Penguins ?

  9. Re:Really? by SUB7IME · · Score: 3, Insightful

    No, I'm worried about a world in which I have to divulge my social security number to private corporations online to partake in services that should never require such information.

    Would I give a bank my SS#? Sure.
    Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.

  10. Re:Phone-based verification by dargaud · · Score: 2, Insightful

    Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

    --
    Non-Linux Penguins ?

  11. Re:What about a CAPTCHA made in flash? by Dwedit · · Score: 2, Insightful

    The only thing really protecting you is that your solution is not standard, so bot writers have to treat your website differently, so they won't be as easily able to post there. The instant your solution becomes more commonplace, bot writers will be able to parse your SWF files, read the images, or do whatever else it takes to solve it.

    It's a classic case of Security through Obscurity, and this time it works.

    However, SWF files have accessibility issues, and there are always people who love to block them.

  12. Re:Phone-based verification by Tony+Hoyle · · Score: 2, Insightful

    Enjoy paying for all those peak rate calls to Russia...

    It would be so easy to bankrupt a site that tried this (phone number generator, script) that no sane site owner would try it.

  13. Re:My spam rules-- by Cedric+Tsui · · Score: 2, Insightful

    Maybe that's the point. s/he doesn't want to have to hide his e-mail address from the world.

  14. Re:Animated CAPTCHAs? by Anonymous Coward · · Score: 1, Insightful

    > The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world.

    The only problem is you could never automatically generate CAPTCHAs like that because you need a human knowledge database. Which, again, can be learned by the bot; so the system is defeated. Logic implies that any test a computer could generate could always be solved by a computer, so no CAPTCHA technology will ever "win". Sorry :)
