Spammers Targeting Microsoft's Revised CAPTCHA
toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"
I suppose it would make sense if you had to make an exchange of keys with someone before initiating communication. Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms. Now the spammers will need to waste inordinate amounts of computer time computing all kinds of keys, and the practice of spamming will (hopefully) disappear. Now this being /., someone will tell me why such a scheme is impossible. :-)
McCain/Palin '08. Now THAT's hope and change!
Akismet is great for comments and such. Basically, it's a neural net using user submissions to determine whether or not a submission (sent automatically from your site for checking) is spam or not.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.
Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.
What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?
If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.
For every expert, there is an equal and opposite expert. - Arthur C. Clarke
This was from back in April, and was already discussed on Slashdot (the "tuning / exploitation" link).
Just out of curiosity, why doesn't the Slashdot software simply check to see if a submitted story contains the same url as an existing story? Wouldn't that stop a lot of dupes?
Better known as 318230.
ALL the time, motha-humpas.... SOMEbody's gonna captcha yo flag...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
From the dude who coined CAPTCHA comes reCAPTCHA. Using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!
http://recaptcha.net/
Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms.
Under your system, when one opens a means of contact for sales or support of his products or services, I'd assume he would give out the key for that. So how would he prevent that name:key@host from getting spammed?
Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?
In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.
It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
"Could there be any better CAPTCHA, a better solution?"
Base them all on Goatse.
We use a fingerprint jquery library to record the timestamps for every keystroke made by the submitter and inject them into the form. You can then determine if the form submission is legitimate or not if the timestamp for key down and timestamp for key up events fall between a certain time. I guess the down sides to using this method are that the form submission won't work if javascript is disabled or if malicious people figure out your algorithm. Seems to work okay to help prevent spam bots for us though. http://narcvs.com/javascript/fingerprint/
...charge them a penny per e-mail sent.
Have gnu, will travel.
Why not have the captcha ask a question?
"2 + 2 = ?"
or
"What color is a firetruck?"
etc.
When going through the step-by-step in the article, (which is pretty awesome, btw), it appears that there is no character recognition being employed, but rather the security is being defeated by a fairly hacky work-around.
Hacky work-arounds can be defeated simply by programming smarter, (less sloppily?). There's no graphic-reading AI involved, which means the basic fundamentals of the CAPTCHA system remain sound.
While I find CAPTCHAs a little annoying when signing up for stuff, I recognize their necessity and actually kind of grin while doing them, thinking, "Ha ha! Look at this monkey, all smarter than a dumb computer. This must be frustrating for spammers. Ho ho!"
-FL
I can't help it but every time I use re-captcha I like to type things slightly incorrectly, just one or two letters for example:
It is obviously "to shouted" I will type "to chouted" and it still works fine...
Try it out if you like:
http://recaptcha.net/learnmore.html
Everyone who does anything gets scanned. Your scan matches or it doesn't.
I had played with this idea a bit a few months back and came up with an idea I think could work - but only ever got around to coding the most basic example of it. For those on /. who are interested, find it here. Each reload will produce the image of a new challenge.
In a closer to final version I had envisioned instructions in multiple fonts and colors involving shapes, letters, etc., and much more flexibility.
In the example I've shown above, pure random clicking will produce a correct response to the challenge 1 time in 30 approximately. So - make them solve three in a row and there you are - 1 chance in 27,000.
"04.10.2008 - 10:54 AM" - April 10th.
this is the article mentioned in the original "Hotmail CAPTCHA sucks" slashdot post.
Does OpenID help solve this (spamming) problem?
The main problem with Captchas is it's generated by a machine based on a set of algorithms. Therefore it's just a matter of time before another machine can understand it.
What we need is not better algorithms. Instead..........
-AM
How about aesthetics? Put up several hot-or-not comparisons, asking the user to select amongst several different pictures, some hideously ugly, one beautiful. Yeah, yeah, some people think the fat lady with a hairy mole is more beautiful than the fake skinny girl with big boobs, so put text that says "select from the following pictures which image society at large would find most visually attractive".
With extremely varied composition (profile shots, portraits, etc.) you could mix things up to the point where computers couldn't figure it out. Microsoft and many other companies already have license-free picture repositories for use for this (Flickr and the like). It would be faster than reading the weird image, as "who is prettier" is an extremely quick, intuitive decision for most. "Training" would be done by asking the user to do an additional comparison that didn't have an "answer" yet, only using it as a valid test when you have a statistically-significant margin.
I haven't posted in so long, my sig is out of date.
How about something interactive?
Use some javascript/css/etc to make a box where depending on the position of your mouse in the box, little images/icons/whatever move around in the box till they overlap and create a bigger picture, then send the mouse position (x,y) to an AJAX server and have it validated.
This won't be a be all and end all to spam, but maybe for new accounts that are freshly created, have an escalating delay for each message sent out? This would go away after some certain rules are matched (date of account creation.)
One can add and subtract modifiers. For example, multiple E-mails sent out to many recipients will have a longer delay than messages sent to the same person, a longer delay if the outgoing content is flagged spam through a heuristic filter, etc.
This by no means would stop spam, but a delay of 10-15 seconds won't affect users much, but will definitely put a crimp on spammers.
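One way the escalating delay proposed in the comment above could be modelled, as an added example that is not part of the original thread. The `OutboundThrottle` class, the `POLICY` values and the probation period are all assumptions chosen for illustration; timestamps are passed in explicitly so the behaviour is reproducible.

```javascript
// Added example: escalating outbound delay for accounts still on probation.
// Every number in POLICY is an assumption, not a value from the thread.
const POLICY = {
  baseDelayMs: 10000,                  // first message waits about 10 s
  growth: 2,                           // each later message doubles the wait
  maxDelayMs: 15 * 60000,              // cap so a real user is never locked out
  perNewRecipientMs: 2000,             // fan-out to unseen recipients costs extra
  spamFlagMultiplier: 4,               // heuristic filter hit multiplies the wait
  probationMs: 14 * 24 * 3600000,      // rules lapse once the account has aged
};

class OutboundThrottle {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.accounts = new Map();
  }

  register(accountId, createdAt) {
    this.accounts.set(accountId, {
      createdAt,
      sent: 0,
      known: new Set(),       // recipients this account has already written to
      nextFreeAt: createdAt,  // messages queue behind each other
    });
  }

  // Delay for one message, before queueing behind earlier messages.
  delayFor(accountId, recipients, flaggedAsSpam, now) {
    const acct = this.accounts.get(accountId);
    if (!acct) throw new Error(`unknown account ${accountId}`);
    const p = this.policy;
    if (now - acct.createdAt >= p.probationMs) return 0;

    let delay = p.baseDelayMs * Math.pow(p.growth, acct.sent);
    const fresh = new Set(
      recipients.map((r) => r.toLowerCase()).filter((r) => !acct.known.has(r))
    );
    delay += fresh.size * p.perNewRecipientMs;
    if (flaggedAsSpam) delay *= p.spamFlagMultiplier;
    return Math.min(delay, p.maxDelayMs);
  }

  // Records the message and returns the time at which it may be released.
  schedule(accountId, recipients, flaggedAsSpam, now) {
    const delay = this.delayFor(accountId, recipients, flaggedAsSpam, now);
    const acct = this.accounts.get(accountId);
    const releaseAt = Math.max(now, acct.nextFreeAt) + delay;
    acct.nextFreeAt = releaseAt;
    acct.sent += 1;
    for (const r of recipients) acct.known.add(r.toLowerCase());
    return releaseAt;
  }
}
```

Because the state lives on the server, a client cannot skip the wait; the cost to a bulk sender grows with both message count and recipient fan-out.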
They should use Lycos' CAPTCHA. It was pretty effective with me. http://img255.imageshack.us/img255/9947/picture3ga6.png
What makes you think a spammer won't just send fake keystroke times? Never trust the client.
Yes there's a better solution. All smtp servers should all have mandatory per-email charges for RECEIVING, all the way to the email account-holder ( ie I charge my ISP for each email I receive ). Then each account holder would be responsible for refunding this charge when they have read the email, if they are satisfied that it's not spam. If it is spam, then I would of course not refund this amount. My ISP would in turn not refund their amount to the upstream smtp server, and so on, right up to the original sender, who would not get his charge refunded. This would make all legitimate email free, and would make spam too expensive to be worthwhile.
Check out ASIRRA: http://research.microsoft.com/asirra/
It's a better user experience as well - I'd much rather tell the server where all the cats are instead of trying to parse out barely recognizable characters.
>>
AI in the form of image processing is now about the same "intelligence" as a human
>>
Not even close, but it doesn't need to be.
What useful work could you do with an OCR program which was correct only 25% of the time? Nothing -- any book you read would look like one of those Babblefish English-by-way-of-Russian-by-way-of-English monstrosities. But a 25% accurate OCR is a 100% solution to the captcha, because you have a big freaking botnet and can generate additional requests for free.
Aside from botnets, the cloud-based outsourced captcha busting business model ($1 per 1,000 captchas done by a subcontractor of a subcontractor in a place where paying people to get a repetitive-stress injury makes excellent economic sense as long as they have an automated assistant to keep the queue full, like a factory line) is also doing some severe damage. Forget the old "Ahh, we'll give you porn for breaking a captcha you didn't even realize was Yahoo's" exploit, which was mostly theoretical. This gives you a *controllable, constantly available, scalable* level of whatever the resource protected by the captcha is.
Captchas: pretty much screwed.
Help poke pirates in the eyepatch, arr.
Captchas alone don't solve the problem, but maybe combined with some kind of behaviour blocking, or add more human/machine detection (i.e. sometimes require an answer to be able to send the Nth email) after the account was created could make things a bit less profitable for spammers. Or other kind of solution.
spammers could break Rapidshare's CAPTCHAS....
proud caffeine whore
The reCAPTCHA strategy is that one of the following two things will happen:
1) No improvement in OCR happens and the CAPTCHA remains effective
2) Spammers improve OCR substantially and we get books digitized for free
It fails to account for the 3rd option
3) Spammers improve OCR marginally, achieve a 20 ~ 25% success rate on reCAPTCHA. There is no penalty for getting it wrong if you can generate requests for free and only care about maximizing successes! It's a multiple choice test with infinite questions and a fixed bar for passing! As soon as this happens, spammers will flood the legitimate users out of the system, because they can generate infinite requests and legitimate users can not. Its usefulness as a CAPTCHA is compromised and its usefulness for text digitization is zero, because the "multiple users checking each other" becomes multiple instances of the same lobotomized spam OCR program vouching for its own accuracy, with an infinitesimal portion of humans being drowned out by sheer numbers.
Help poke pirates in the eyepatch, arr.
I will provide my own rifle, bullets, and bayonet.
Hail Eris, full of mischief...
E pluribus sanguinem
Since CAPTCHAs are frequently an indirect anti-spam measure, somebody may have already mentioned HashCash. It was designed as a mechanism to put a computational cost on sending email, to discourage spamming in a standard market solution type way; but without having to wait for a viable micropayment system.
It strikes me that, with the rise of javascript and xmlhttprequest, and so on, the hashcash concept could be trivially adjusted to serve as a CAPTCHA like mechanism. All one would have to do is include a little javascript implementation of the hash calculator and a random challenge string into the form being protected. The client would then compute the hash, and submit it along with all the other information. The user would notice nothing, other than a short CPU spike; but it would be easy enough to make the computational demands too high to be paid 10s or hundreds of thousands of times without significant cost.
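The hashcash-style form challenge described in the comment above, as an added example that is not part of the original thread. It runs under Node.js so both sides can be shown in one file; the function names, the SHA-256 choice, the challenge layout and the five-minute lifetime are assumptions. The server signs each challenge, re-checks the work itself and refuses to redeem a challenge twice, so nothing the client reports is trusted.

```javascript
// Added example: hashcash-style proof of work protecting a web form.
const crypto = require("crypto");

const SERVER_KEY = crypto.randomBytes(32); // assumption: per-deployment secret
const MAX_AGE_MS = 5 * 60 * 1000;          // assumption: challenge lifetime
const spent = new Set();                   // redeemed challenges (prune by age in production)

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

function sign(payload) {
  return crypto.createHmac("sha256", SERVER_KEY).update(payload).digest("hex");
}

// Server: embed the returned string in the form. Layout: random.bits.issuedAt.mac
function issueChallenge(bits, now = Date.now()) {
  const payload = `${crypto.randomBytes(12).toString("hex")}.${bits}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Client: search for a counter whose hash has enough leading zero bits.
// In a browser this loop would run in page script before the form is submitted.
function solve(challenge) {
  const bits = Number(challenge.split(".")[1]);
  for (let counter = 0; ; counter++) {
    const digest = crypto.createHash("sha256")
      .update(`${challenge}:${counter}`).digest();
    if (leadingZeroBits(digest) >= bits) return counter;
  }
}

// Server: one hash to verify, however long the client had to search.
function verify(challenge, counter, now = Date.now()) {
  const parts = String(challenge).split(".");
  if (parts.length !== 4) return "malformed";
  const [rand, bits, issued, mac] = parts;

  // The MAC stops a client from lowering the difficulty or minting challenges.
  const expected = Buffer.from(sign(`${rand}.${bits}.${issued}`), "utf8");
  const given = Buffer.from(mac, "utf8");
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return "forged";

  if (now - Number(issued) > MAX_AGE_MS) return "expired";
  if (!Number.isInteger(counter) || counter < 0) return "malformed";

  const digest = crypto.createHash("sha256")
    .update(`${challenge}:${counter}`).digest();
  if (leadingZeroBits(digest) < Number(bits)) return "insufficient work";

  // Single use: one solved challenge must not pay for many submissions.
  if (spent.has(challenge)) return "replayed";
  spent.add(challenge);
  return "ok";
}
```

Each extra bit of difficulty doubles the client's expected work while the server's check stays a single hash.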
One possibility is call-back phone calls. It's harder to master both web hacking and phone hacking. Plus, there are more regulations for phones, making it easier to prosecute. Pay phones are known and would not be allowed.
Another approach is an "ID center" where you physically visit a small office and your driver's license (ID) and signature are checked and photocopied for a small fee. The verification could be used by multiple web services.
Table-ized A.I.
Microsoft and many other companies already have license-free picture repositories for use for this (Flickr and the like).
This is the problem, is that unless you had near infinite amounts of pictures (which is why we currently use "random" data), it would soon be cracked to the point of perfection.
Why not make Captchas math problems. Or ask questions that have obvious answers.
What color is the sky?
What color is the sun?
What is seven plus three?
What common pet barks?
What animal meows?
What animal does milk come from?
Three college interns and 3 months and you've got like 2300230023 million of them.
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
Oh. I didn't realize that.
Then I guess my suggestion of asking simple questions or showing pictures and asking people to name what they see doesn't matter.
My suggestion would still be easier than deciphering the nonsense they put out now. Show a picture of the sun, "What is this?" sun. Show a picture of a cat, "What is this animal?" cat.
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
I vote for "hot chicks" version of this approach. Like 'which one is topless?'. I'd use the signup form all day long.. (sorry, can't determine looking at this set of pics, please show another one!)
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Note two things:
Akismet actually does work, mostly. Huh. The Form isn't infallible, especially when it applies to things other than email.
And, all plans fail to account for asshats.
Don't thank God, thank a doctor!
One way to take yourself off the "target list" is to limit the value of free accounts.
An obvious way is to limit the number of outgoing message-recipients per day.
If instead of registering 10,000 free accounts per month to do effective spamming, you had to register a million to send the same amount of spam, all of a sudden your effort goes way up. You'll start targeting email services that don't have these limits.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It in fact doesn't assume that any solution exists. Maybe there is none.
Put a CAPTCHA together at
http://stephansmap.org/sign_up
Why not hire some programmers to come up with a new CAPTCHA distortion every few weeks? It's definitely not easy to produce a distortion that leaves text still easy to read.
Stephan
http://stephan.sugarmotor.org
Problem is spammers are using HUMANS to do the dirty work for them. They basically employ thousands of poor Chinese folks as cheap labor.
So CAPTCHA doesn't work anymore.
Waiting for that guy with a form to post for this. Pick a random word from /usr/dict/words.
Search for it on google images, return one of the first 5-10 results.
Ask the user to identify the term in the image.
Admittedly it would be slightly annoying because if it searched for "Aardvark" and you wrote "anteater" it wouldn't work, but I reckon something along those lines might work.
...for email registration.
... |_ ... |_|
You know, like at those IQ test websites where you have a series of polygons
and you have to pick which one comes next.
You could conceivably create millions of these fairly quickly,
but even the best bot in the world could never solve it.
1) Which one is next: |
_
a) |_|
b) _|
_
c) (_)
The solution doesn't have to be multiple choice. You could have the user draw the answer
with some flash app, and then just compare the drawing to the answer. A human would pass
most of the time. A machine not so much.
It would be very expensive, computationally to have bots solve problems like these.
Considering all you have to do is change the shapes (trivial) to stump a bot, but
a ten year old could easily solve one of these.
And let's face it no spammer is going to pay to solve captchas. The whole point
of a botnet is that somebody else pays for it.
If it cost spammers even a few pennies for each spam message, it would be gone overnight.
This Sig does not Exist.
CAPTCHA can be very annoying to people, and you can't just throw them in everyplace. But there are other solutions nearly as effective, and I'm surprised that more exploration isn't being done in alternatives to less and less legible CAPTCHAs.
On one site we had a simple form, a pair of fields for submitting URLs with a description. We started getting spammed through the form, so to reduce it I implemented a simpler option. When the form is submitted, it puts up a javascript prompt that asks the user to type in a pair of words. The words are combined together, a suffix is added, the whole thing is MD5'ed, and the MD5 checksum is submitted with the form. This stopped all SPAM completely.
On another site I use PHPBB, and whatever CAPTCHA it is that PHPBB uses has been vulnerable for quite a while. So we were getting a half-dozen automated fake registrations every day. Rather than dump the CAPTCHA altogether I just changed the instructions and the logic for validation. The user is instructed to type "PRE-" followed by the CAPTCHA text. This eliminated almost all our fake registrations.
There must be a thousand other ideas. For example...
* You could use Javascript / AJAX to produce the CAPTCHA, or to open it up in a separate window.
* As browsers improve static images can be replaced by SVG.
* Why not Flash? A Flash solution would work for the majority of users, and could include special instructions in both text and audio. The letters could be animated and overlapping.
* Insisting on an email confirmation before accepting submitted data can also eliminate a huge amount of abuse.
* If you're really into static CAPTCHAs perhaps another layout can work better. For example, arrange the letters in a circle with some special indicator of which letter to start with and whether to proceed clockwise or counter-clockwise. "Start with the blue letter... Start with the letter at 7 o'clock... Begin with the numeric character and proceed clockwise... etc. etc."
Certainly the clever minds of Slashdot can come up with several more.
-- thinkyhead software and media
Create a number sequence with a missing value. Rather than use numerals such as 2,4,6,_?_, use shapes and objects.
Or use an object like a book, car, bike, etc., and ask the user to confirm what it is.
Sue them.
Over. Done. Fini
Under the DMCA, my site gets killed from a false accusation or spoofed address.
Under your approach to spam, I get killed from a false accusation or spoofed address.
I can't wait.
Suicide by spam patrol!
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
How about a script that requires the movement of an element over another element via CSS and Javascript to a certain position? Kinda like... inserting a key into a keyhole. Maybe? Yes? No?
Just as porn ushered in VCR age, spam advances AI.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
I'm familiar with The Form, thank you very much.
Set up a facility that can accept micropayments and forward them to various charities. To email me for the first time, you have to transfer say 10 cents (or more, if you wish) to one of the charities that I approve. If I ever reply to your mail, I return you your 10 cents.
I know this isn't new, but it is extremely simple. Ask simple questions instead of captcha.
who is buried in grant's tomb?
1+1?
3-2?
There are 50 stars on an American flag. How many stars are on the American flag?
ymmv
Why not just randomly vary the number and identity of click-through pages to register? In other words to solve a CAPTCHA you must handle an unexpected number of preliminary pages. Bots = confused.
Those are my principles, and if you don't like them... well, I have others.
More sites should use reCaptcha. If the spammers break that, they'll have advanced computer science and the freeing of knowledge.
(Wikimedia considered reCaptcha, but insists on running on all-free software. ReCaptcha won't release any of their software or data, so it's out of the running. I suppose we could reimplement it if anyone cares enough to spend time doing so.)
[We used a bit of Java before it was entirely free - e.g. the Lucene search, which sucks much less than it used to and is pretty much usable now - but were reasonably sure Sun would proceed with their program to free it and we wouldn't be embarrassed by it. Which is just as well, 'cos we tried a Mono version of the Lucene search and it ran at about half the speed.]
http://rocknerd.co.uk
Microsoft's revised CAPTCHA busted. This is the latest publication on Websense's blogs. The spammers certainly seem to improve their attacks with every move. Authorities have to be more strict and more rigid in terms of punishing such spammers. Also, the domain registrars of spammers should be treated in the same way...hunt them and burst them!!!
Of course it can be beaten by a human but for quite a while it should deter the automatons: http://spamfizzle.com/CAPTCHA.aspx Oh, and I can't believe I'm the first to post this. It's been mentioned recently here or on Wired.
Death to spammers and total shut down of companies using them including oppressive fines to the directors.
As long as there is a market, it will continue to exist.
---- Booth was a patriot ----
Where I am currently:
Gray.
White.
seventhree
a canine pet.
A feline.
All of them?
Your comment has too few characters per line (currently 7.3).
Change is certain; progress is not obligatory.
I just want to register to post a comment, not take my PhD exams.
Well, maybe the quality of internet forums will finally improve once all the "Fr1st ps0t", "me too", and other trolls are weeded out.
Hey, I think we finally found a solution against the never ending september
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
KILL THE INTERNET!
Eventually, computers will pass any captcha we can create and thereby pass the turing test. Then we can just put them to work filtering spam for us.
I do not see a good reason why a third-party (as opposed to using ISP services, already paid for) email service should not be paid for?
spam emanating from hotmail accounts.
Do you see a large amount of spam coming from actual hotmail accounts? I know I have in the past, but lately my own experience is most spam comes from (bogus-name)@(bogus-domain). I don't see much spam that is routed through hotmail servers, either.
Not that I want to defend hotmail or their overlord Microsoft, but by my experience they have a pretty negligible role in spam propagation.
Actually, looking through my mail logs I would say that yahoo mail is probably a bigger problem in the spam and phishing epidemic. I have five different phishing emails pretending to be either IRS or FBI, all with yahoo.com return addresses that yahoo support won't do anything about.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
So, what is this CAPTCHA? "ILUVBILLGATE$" or "MAC$UXX"? Grow up Microsoft, CAPTCHA is soooo 2004.
nonconformity at work
How effective are spammer bots at deciphering captchas? If they are only 20% effective then why not have 5 pictures to solve. 0.2 * 0.2 * 0.2 * 0.2 * 0.2 = 0.032% which might be small enough to minimize the problem.
There are a million technical solutions proposed here but curbing spam should simply be left to politicians and lawyers. We know who the spammers are: they always want money and we can track that.
We just can't get at them because they are in different jurisdictions. But that can be solved by the UN by simply setting up an "international criminal court" like the one we now have for war crimes.
This sig is just as redundant as the rest of this posting
If you are being paid to interpret this captcha, we will pay $1104 USD for aid in the arrest of spammers. Please contact _some email address_ and if your information helps us arrest your employers, we will pay you $1104 USD.
How much money could a person be paid to rat out their spammer-employer? [ ]
secondly, you need a large budget and specialized training in invading hostile territory and killing possibly armed men in ambushes and guerrilla tactics.
So we can send the CIA?
I've been wondering if the arms race between spammers and people trying to stop them may be what eventually leads to a true artificial intelligence.
Consider: We want to distinguish between a machine and a human (presumably intelligent). The spammers are motivated to make their machines act more and more intelligent. We also want to distinguish between valid, meaningful messages and spam.
So, on both fronts there is pressure to increase the intelligence of the machine.
Ultimately, there will be one set of AIs sending messages to another set of AIs offering to improve body parts that the AIs don't have.
un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
Do you see a large amount of spam coming from actual hotmail accounts? I know I have in the past, but lately my own experience is most spam comes from (bogus-name)@(bogus-domain). I don't see much spam that is routed through hotmail servers, either.
yes, that's my experience as well. Hotmail now comprises a small portion of my incoming.
I think most spam is coming from PC's with forged from addresses, and I can attest that my email address or some from my domain are used in that forging periodically, including recently. I get all the spam rejection emails from it, but Postini catches most of them so not a problem.
rd
I honestly think strong identity verification such as XMPP additional headers or even the "who is allowed to send from my address" dns extensions are absolutely critical in getting anywhere. From there it provides the receivers more control in hard filtering
First of all, stop calling it SPAM. It's not an acronym
It's at least a backronym: "shit posing as mail".
Fixed dictionary.
Items will be reused and therefore the more known answers the higher the odds are that will be asked a known. One doesn't need to use humans that much to get a reasonable result--- set up a website that mirrors the problems to get people to solve it for free for you. Something people will be motivated to do it...
Democracy Now! - uncensored, anti-establishment news
I am not a programmer (in fact a 78 year old ex-sailor), but I do waste my time doing puzzles like those on jigzone. It seems to me in my ignorance, that it may be possible to have a Captcha like a puzzle that has two or more pieces that can be simply put together with a mouse. Does that sound stupid?
At http://www.mondor.org/captcha.aspx there is a very good (and free!) ASP.NET component which shows what sophisticated CAPTCHA may look like. For example, it can display a mathematical equation, like "35 + 7" and expect "42" as an answer.
NB: Math equation is available in 2nd version, which is downloaded in forum area of that site.
One method of security I've seen on forums and such is image matching - you have a field of 9 to 16 somewhat random pictures, and have to pick out the three or four ones that have "a car" or "a cat" in them... This is pretty good human security, especially if you try to make as many pics and only few picture combos.
Wouldn't work on email, of course.
I am not devoid of humor.