Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

I guess I've gotten used to it

[Mordok-DestroyerOfWo]

Normally when I get spam I just delete it, by using trashmail and being somewhat safe about my browsing habits I've found that I only get one or two per week. However recently I've been getting spam through SMS on my phone and that's what I find really infuriating. Granted it is technically just another email, but the fact that I'm paying for this service is what really grinds my gears.

Animated CAPTCHAs?

[MasaMuneCyrus]

Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?

Re:Animated CAPTCHAs?

Animated captchas exist and are used but not too often. The only example I can think of is: https://www.e-gold.com/acct/login.html

Web page redirection may have to go

[Animats]

We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppyness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").

Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.

We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth. For things like AdWords ads, where some sites use redirection as part of a tracking systems, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.

It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.

A more practical approach - 3 grades of service

[davidwr]

I'd prefer 2, or better yet, 3 grades of service:

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else

On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.

The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.

Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....