Understanding How CAPTCHA Is Broken

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

Really?

[Nimloth]

"It is evident that spammers are working towards defeating anti-spam filters with their tactics."
Sounds like news to me!

Re:Really?

[SUB7IME]

Because people like me would never, ever use their service under those conditions?

Re:Really?

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Really?

[SUB7IME]

No, I'm worried about a world in which I have to divulge my social security number to private corporations online to partake in services that should never require such information.

Would I give a bank my SS#? Sure.
Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.

Page design

Whose bright idea was it to use light grey text on a white background?

Re:Page design

[tepples]

Whose bright idea was it to use light grey text on a white background? At least the page is easier to read than several common CAPTCHAs that shut out blind people. You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor.

I guess I've gotten used to it

[Mordok-DestroyerOfWo]

Normally when I get spam I just delete it, by using trashmail and being somewhat safe about my browsing habits I've found that I only get one or two per week. However recently I've been getting spam through SMS on my phone and that's what I find really infuriating. Granted it is technically just another email, but the fact that I'm paying for this service is what really grinds my gears.

Re:I guess I've gotten used to it

[PontifexPrimus]

Most Americans pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany.

Re:I guess I've gotten used to it

[Fred_A]

Most Americans pay $.10 per message, incoming or outgoing. There, fixed that for you. It's quite unheard of here in Germany. Or in any country with a mature wireless industry for that matter.

Re:I guess I've gotten used to it

[LeRandy]

Sounds like bullshit to me.

a. No SMS has a subject line, it is a "Short Message Service" (max 160 chars)

b. How the hell does the network know whether you have opened the message or not -- either it has been sent to your phone, or it has not. Any other way, and people would be publishing "free-SMS" hacks for phones.

Re:I guess I've gotten used to it

[Nushio]

Or in any country with a mature wireless industry for that matter.
Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)

Re:I guess I've gotten used to it

[dargaud]

As far as I know, the US is the only country where the SMS receiver pays up, which seems absurd to anybody else. Anyone cares to enlighten me as to the reason for that ?!?

Re:I guess I've gotten used to it

[Phroggy]

Sure: it goes back to how telephone service developed in this country.

Originally, everyone had to pay to make a phone call, but it was free to receive a call. Local calls were less expensive than long-distance calls, but both charged by the minute. Decades ago, phone companies started offering a monthly flat rate for unlimited local calls, and it was so popular that it's all they offer now. Long distance calls are still a per-minute charge for the caller (free to the recipient), except for some newer companies like Vonage that include unlimited long distance calls.

Enter cellular phones. Early adopters (mostly businessmen) wanted the convenience of being able to take a telephone with them in their car, without the rest of the world necessarily needing to know anything about what technology they were using, or having to pay any extra fees. The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers (requiring a 1 dialed in front of the number, and adding a per-minute charge to the calller's bill). People wouldn't have wanted to do that. Remember, the vast majority of calls to cell phones were from land lines, not from other cell phones (because the vast majority of people didn't have cell phones yet).

So, the owner of the cell phone pays for the privilege of having a mobile phone, paying for both sending and receiving calls. Over time, calling between cell phones becomes increasingly popular, but if one person with a cell phone calls another person with a cell phone, BOTH people pay per minute for the call.

And if you're going to pay for sending and receiving phone calls, you're gonna pay for sending and receiving text messages.

Of course, the per-minute fees are exorbitant, so to soften the blow, companies start offering "free" minutes included with the monthly plan, along with a certain number of "free" text messages. The more money you pay per month, the more "free" minutes and text messages are included.

Enter the marketing department. In an attempt to differentiate themselves from the competition, somebody starts offering unlimited calls during non-peak hours (nights and weekends), and all their competitors jump on board. Then, as mobile-to-mobile calling becomes increasingly popular, companies start offering "free" mobile-to-mobile calls within their own network, to entice people to recommend that everyone they know sign up with the same company. But since most people don't even know how to use text messages (my first cell phone didn't support them), there's no marketing reason to offer free text messaging. It's much more profitable to charge $0.10 per message (after the first few hundred per month that are included with the plan).

We now have a new generation who has grown up with cell phones and is perfectly comfortable typing entire conversations on a keypad, abbreviating anywhere they can save keystrokes just as we did when chatting on computer bulletin boards and IRC in the late 80s and early 90s. Some people here remember the days before 300baud modems; abbreviating was essential.

As demand for text messaging increases among this new generation and improving technology reduces actual per-call and per-message costs, marketing departments will decide that they stand more to gain from offering unlimited calls and text messages (because they can advertise it to attract customers) in their standard monthly rate than then do from charging $0.10/message. They're already moving in this direction, offering unlimited calls and texts to/from a certain number of "favorite" people. Eventually we'll all have one flat monthly rate for unlimited usage, and the whole question of paying to receive calls and text messages will be irrelevant.

I was about to say it will be forgotten, but it has never occurred to most Americans that things could work differently in the rest of the world, so there's no question to forget.

Re:I guess I've gotten used to it

[Cardcaptor_RLH85]

Personally I remember that back on the 'original' AT&T Wireless (my first cellular provider) they offered free incoming text messages to all of their users. That deal unfortunately went by the way-side when Cingular bought the wireless department from the old AT&T unless you never wanted to get any more free phone upgrades. The Cingular SIM cards wouldn't work in old SIM-locked AT&T branded phones so, either you bought unlocked phones at retail or you had to change to a Cingular plan. It was a sad time for those of us in the US who didn't want to pay when someone sent us a text message against our will....

Wrong title

[RiotingPacifist]

The article describes how the spammers are using their new found accounts, nothing to do with CAPTCHAs other than they had to (either automatically or manually) break them to get the accounts.

Im surprised they're not using them to break the spam filter of yahoo/hotmail/gmail though, I mean if they all started sending each other spam and marketing it as ham, wouldn't that pretty much break any feedback based system that their using to protect their users.

Re:Wrong title

[nbert]

"Understanding How CAPTCHA Is Broken" is catchier than "Anti-Captcha and spamming strategy well explained!", guess that's why this article was chosen. The article's summary itself shows that it's not mainly about CAPTCHAs, otherwise fast-flux wouldn't show up there.

Sometimes It Comes as an Easy Fix

[morari]

A little less than one year ago I had put up a forum for my website; PHPBB (insert whatever the current version was). Anyway, all was fine for a few weeks until I noticed obvious spam accounts registering maybe once a day. Nothing ever came of them, no abusive posts or anything of that nature, but they were sitting there in my user list. I tried several common approaches, such as using a different CAPTCHA and also forcing a verification word to be typed in. Nothing worked. Eventually I noticed that the one commonality between all of the spam accounts was that they all chose Albanian as their language. Odd. I initially thought that perhaps the spammers were based in Albania, but quickly came to the conclusion that the bots were simply selecting the first available option in the language dropdown. I wrote up a script (which was painfully sloppy, I'm sure) that would not allow anyone to successfully register with the Albanian language. After filling everything out and hitting submit, it would take you to a page and say something to the extent of "Sorry, you have selected an unauthorized language. Please try again". I watched carefully as for weeks I didn't spot a single new spam account. Eventually I made a fake language to sit at the top of the list and block, just in case any actual Albanians wanted to use the board. It continued to work just fine. After several months I did get hit by one or two spam accounts that had set their language to English. After that, I wrote a similar script for the "personal website" field of the signup process, forcing legitimate users to add it to their profile after successfully registering. I haven't had any problems since.

This is more about subverting CAPTCHA

[paratiritis]

The article does not really talk about how the spammers defeat CAPTCHA, which would be more interesting to me. It focuses instead on how once they defeat the CAPTCHA test (manually or automatically) they take advantage of the added credibility their new accounts have (because of that very test) for their purposes.

This is the scam part, not the technology part of their operations, which would actually tell us about the possible weakenesses for the CAPTCHA tests and give hints how to fix them.

Animated CAPTCHAs?

[MasaMuneCyrus]

Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?

Re:Animated CAPTCHAs?

Animated captchas exist and are used but not too often. The only example I can think of is: https://www.e-gold.com/acct/login.html

Re:Animated CAPTCHAs?

[mstahl]

But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.

The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.

CAPTCHA sucks

[thetoadwarrior]

They keep trying to make it harder to read which isn't accessible but some places (like rapidshare) have made it nearly impossible for even normal people to guess.

This article is an advertisement

[Omnifarious]

This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It as an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.

Re:This article is an advertisement

[owlnation]

This article links to what is basically an infomercial.

Quite correct. It does. There's also no news here whatsoever. It's good to know that it's not only readers that don't read TFA, the editors -- and even Taco -- don't always read it either.

Re:This article is an advertisement

[Omnifarious]

It would be really nice if people would tag articles like this with 'slashvertisement'. :-)

Captchas

I was going to post an insightful comment about the article, but I've wasted so much time trying to figure out Slashdot's captcha to post this message, that I no longer have the time.

Fighting spam will either succeed or it will fail

[davidwr]

Either the spam-fighters will keep spam down to an acceptable level or they won't.

Mail services that don't provide good spam protection will fail.

If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.

This is getting silly.

[Asztal_]

Next time I'm just going to demand that anyone who wants to register for my site will have to send me a formal written request, signed and dated, with at least two good references and a registration history.

That should keep the bots out, right?

Why are we so helpless?

[Chemisor]

It ought to be obvious to everyone that spam is a property violation crime. Putting unrequested email in my account is the same as dumping used tires on my front lawn. Sure I have an address, but that doesn't mean I want just anyone to deliver anything to it without my permission. Why aren't we making this explicitly illegal, just like dumping and vandalism already are? Why are we putting up with these people?

Re:Why are we so helpless?

[gsgriffin]

Unfortunately, it is not that simple. Your analogy is not correct. Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end...there will always be idoits that can get on the web.

Re:Why are we so helpless?

No it's not obvious.

How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?

Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that girl who really dug you at that party.

I don't see how you could propose a law that requires permission to send an email without destroying most of email's practical benefits as well.

Web page redirection may have to go

[Animats]

We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppyness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").

Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.

We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth. For things like AdWords ads, where some sites use redirection as part of a tracking systems, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.

It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.

A more practical approach - 3 grades of service

[davidwr]

I'd prefer 2, or better yet, 3 grades of service:

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else

On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.

The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.

Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....

Re:A more practical approach - 3 grades of service

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally This is a good idea, since spammers and other criminals don't have access to a large number of credit card numbers.

Re:My spam rules--

[Yvan256]

Wow.... all of those rules, and you end your post with your email address.

Spammers trick - REuseable captcha

[fastgood]

Find somewhere with 1000s of pageviews (eg. pr0n site)
Present Captcha image to 2 users (agreement = correct)

So the monkeys pull the right lever and get the reward
of viewing the next adult video, and the spammer gets
a near-realtime solution to even the best of captchas.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:My spam rules--

Wait, Anonymous Coward here again, I made a typo. It's actually malda@slashdot.org

Re:Phone-based varification

[dargaud]

Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

Re:What about a CAPTCHA made in flash?

[Dwedit]

The only thing really protecting you is that your solution is not standard, so bot writers have to treat your website differently, so they won't be as easily able to post there. The instant your solution becomes more commonplace, bot writers will be able to parse your SWF files, read the images, or do whatever else it takes to solve it.

It's a classic case of Security through Obscurity, and this time it works.

However, SWF files have accessibility issues, and there are always people who love to block them.

Re:Phone-based varification

[Tony+Hoyle]

Enjoy paying for all those peak rate calls to russia...

It would be so easy to bankcrupt a site that tried this (phone number generator, script) that no sane site owner would try it.

Re:My spam rules--

[Cedric+Tsui]

Maybe that's the point. s/he doesn't want to have to hide his e-mail address from the world.

Can it break RapidShare's upcoming CAPTCHA? ;)

[antdude]

Digg shares several amusing doctored screen shots of RapidShare's CAPTCHAs that might be shown in the future.

Comment removed

[account_deleted]

Comment removed based on user account deletion