Slashdot Mirror


Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

19 of 303 comments

  1. Key exchange. by suck_burners_rice · · Score: 4, Funny

    I suppose it would make sense if you had to make an exchange of keys with someone before initiating communication. Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms. Now the spammers will need to waste inordinate amounts of computer time computing all kinds of keys, and the practice of spamming will (hopefully) disappear. Now this being /., someone will tell me why such a scheme is impossible. :-)

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:Key exchange. by TheSpoom · · Score: 5, Funny

      Your post advocates a

      (X) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (X) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (X) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      (X) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      (X) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      (X) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      (X) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Key exchange. by TheSpoom · · Score: 4, Funny

      The form doesn't assume there is a solution without cost or compromise.

      It just assumes it's really, really easy to make fun of other ones. ;^)

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    3. Re:Key exchange. by MrNaz · · Score: 5, Funny

      Personally I think the form would be fine if you just took off the vigilante box. Spam can be solved by a few guys with a list of names, free air travel for a month and a box of bullets.

      --
      I hate printers.
    4. Re:Key exchange. by TheSpoom · · Score: 1, Funny

      But as far as I can tell, it also rules out all solutions because it assumes there isn't a solution that doesn't have any cost or compromise.

      There, fixed that for ya.

      There, fixed that for ya.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    5. Re:Key exchange. by Anonymous Coward · · Score: 4, Funny

      SpammerAssassin.org? What do we need to get this project off the ground?

    6. Re:Key exchange. by RiotingPacifist · · Score: 3, Funny

      But as far as I can tell, it also rules out all solutions because it assumes there isn't a solution that doesn't have any cost or compromise.

      There, fixed that for you.

      There, fixed that for you.

      There, fixed that for you both.

      --
      IranAir Flight 655 never forget!
    7. Re:Key exchange. by TheSpoom · · Score: 1, Funny

      I fixed your mom last night.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    8. Re:Key exchange. by SanityInAnarchy · · Score: 2, Funny

      ctrl+c. ctrl+v.

      Or you can find the definitive version here.

      --
      Don't thank God, thank a doctor!
    9. Re:Key exchange. by Tubal-Cain · · Score: 2, Funny

      The Form has already accounted for this:

      (X) No one will be able to find the guy or collect the money
      (X) The police will not put up with it
      (X) Anyone could anonymously destroy anyone else's career or business
      (X) Laws expressly prohibiting it
      (X) Jurisdictional problems
      (X) Feel-good measures do nothing to solve the problem
      (X) Killing them that way is not slow and painful enough

    10. Re:Key exchange. by houghi · · Score: 3, Funny

      Hello,

      I am a veteran mercenary of the civil war in Nigeria and heard of your problems with spammers. I have worked out a way to solve this. I will just shoot them dead in the head. I will see to it that any financial loss done to you is paid in full in your bank account.

      Please just give me your bank details, social security number and details and I will see that you get your money and I will see that you will not receive any spam from that person again.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:Key exchange. by MrNaz · · Score: 2, Funny

      (X) No one will be able to find the guy or collect the money

      Hire good enough PIs, we'll find the guy. And collect all his money too.

      (X) The police will not put up with it

      Get geeky cops to explain it to the rest of them.

      (X) Anyone could anonymously destroy anyone else's career or business

      No, they'd be dead, so their business would be left intact for their next of kin who would now be less inclined to spam.

      (X) Laws expressly prohibiting it

      Just get George Bush to declare a War on Spam.

      (X) Jurisdictional problems

      A *global* War on Spam.

      (X) Feel-good measures do nothing to solve the problem

      Eh? How is a dead spammer not a solution to the problem?

      (X) Killing them that way is not slow and painful enough

      Hire the members of the Russian mafia who *don't* spam to help on that one.

      --
      I hate printers.
  2. Re:Dupe by denmarkw00t · · Score: 3, Funny

    Wouldn't that stop a lot of dupes?

    Yes, but the editors would work out a system to get around this - actually, I read a story on /. about CAPTCHAs that's along the same lines as what you're talking about.

  3. Re:Saw on ubuntu forums and other sites by ozphx · · Score: 2, Funny

    Good call. You can type in the first thousand questions, and anyone that agrees with you can add another thousand.

    --
    3laws: No freebies, no backsies, GTFO.
  4. Re:Sales or support by lysergic.acid · · Score: 3, Funny

    easy, you just need to encrypt the first key with a second key. surely, there's no way for a spammer to get a hold of all 3 pieces of vital info now needed to send an e-mail.

    but if by some off chance spammers manage to get a hold of all 3 pieces of info (because users have to give out these keys just as they would an e-mail address), we'll just add another key to the system, and another...

    we'll all need to get bigger business cards.
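The "key exchange" scheme in the first comment, and lysergic.acid's objection that the keys have to be handed out just like an address, can both be made concrete with a tagged-address mailbox: the recipient derives a distinct key per correspondent (an HMAC tag embedded in the local part), inbound mail is accepted only if the tag verifies, and a key that leaks to a spammer is revoked without touching anyone else's. This is an added illustration, not code from any commenter or from Microsoft/Websense; the mailbox names, the fixed secret, the `label.tag` address layout and the 12-character tag length are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumption: keep 12 hex characters (48 bits) of the HMAC in the address.
# Enough that a spammer cannot guess a tag, short enough to type from a card.
TAG_LEN = 12


@dataclass
class TaggedMailbox:
    """Per-correspondent sender keys carried in the recipient address.

    The issued address for correspondent `label` looks like
    local+label.tag@domain, where tag = HMAC-SHA256(secret, label)[:TAG_LEN].
    Only the mailbox owner holds `secret`, so a spammer cannot mint new tags;
    but anyone who obtains an issued address also holds its key (the
    objection raised in the thread), so revocation per label is required.
    """
    local_part: str
    domain: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)

    def _tag(self, label: str) -> str:
        mac = hmac.new(self.secret, label.encode(), hashlib.sha256).hexdigest()
        return mac[:TAG_LEN]

    def issue(self, label: str) -> str:
        """Address (with embedded key) to hand to correspondent `label`."""
        return f"{self.local_part}+{label}.{self._tag(label)}@{self.domain}"

    def revoke(self, label: str) -> None:
        """Burn one correspondent's key after it leaks; other keys keep working."""
        self.revoked.add(label)

    def accept(self, rcpt: str) -> bool:
        """Decide at RCPT TO time whether the address carries a valid, unrevoked key."""
        try:
            local, domain = rcpt.rsplit("@", 1)
            base, tagged = local.split("+", 1)
            label, tag = tagged.rsplit(".", 1)
        except ValueError:
            return False  # bare or malformed address: no key present
        if domain.lower() != self.domain.lower() or base != self.local_part:
            return False
        if label in self.revoked:
            return False
        # Constant-time comparison so tag verification does not leak timing.
        return hmac.compare_digest(tag, self._tag(label))


def demo() -> dict:
    """Walk through issue, verify, leak and revoke; constructed data throughout."""
    mbox = TaggedMailbox("alice", "example.com", secret=b"constructed-demo-secret")
    bob_addr = mbox.issue("bob")
    shop_addr = mbox.issue("shop")
    results = {
        "bob_ok": mbox.accept(bob_addr),
        "shop_ok": mbox.accept(shop_addr),
        "bare_rejected": mbox.accept("alice@example.com"),
        "forged_tag_rejected": mbox.accept("alice+bob.000000000000@example.com"),
    }
    # The shop sells its customer list; the spammer now holds shop_addr and
    # its key. The owner revokes only that label.
    mbox.revoke("shop")
    results["shop_after_revoke"] = mbox.accept(shop_addr)
    results["bob_after_revoke"] = mbox.accept(bob_addr)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scheme does exactly what the comment asks for (no key, no delivery) and also shows why the thread is sceptical: the key travels with the address, so the moment a correspondent's copy leaks, that key is as useful to a spammer as to the correspondent, and the only remedy is revocation and re-issuing, which is the "bigger business cards" problem restated.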

  5. Lycos has the solution by Ofenza · · Score: 4, Funny

    They should use Lycos' CAPTCHA. It was pretty effective with me. http://img255.imageshack.us/img255/9947/picture3ga6.png

  6. Where do I sign up? by Nimey · · Score: 4, Funny

    I will provide my own rifle, bullets, and bayonet.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  7. Re:The article is almost 6 months old. by Anonymous Coward · · Score: 1, Funny

    That's a European date. The article will be written the day after tomorrow.

  8. Artificial Intelligence by not-my-real-name · · Score: 2, Funny

    I've been wondering if the arms race between spammers and people trying to stop them may be what eventually leads to a true artificial intelligence.

    Consider: We want to distinguish between a machine and a human (presumably intelligent). The spammers are motivated to make their machines act more and more intelligent. We also want to distinguish between valid, meaningful messages and spam.

    So, on both fronts there is pressure to increase the intelligence of the machine.

    Ultimately, there will be one set of AIs sending messages to another set of AIs offering to improve body parts that the AIs don't have.

    --
    un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED