Spammers Targeting Microsoft's Revised CAPTCHA
toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"
When going through the step-by-step in the article (which is pretty awesome, btw), it appears that there is no character recognition being employed, but rather the security is being defeated by a fairly hacky work-around.
Hacky work-arounds can be defeated simply by programming smarter (less sloppily?). There's no graphic-reading AI involved, which means the basic fundamentals of the CAPTCHA system remain sound.
While I find CAPTCHAs a little annoying when signing up for stuff, I recognize their necessity and actually kind of grin while doing them, thinking, "Ha ha! Look at this monkey, all smarter than a dumb computer. This must be frustrating for spammers. Ho ho!"
-FL
"04.10.2008 - 10:54 AM" - April 10th.
This is the article mentioned in the original "Hotmail CAPTCHA sucks" Slashdot post.
Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s?
I don't buy that. Accuse me of over-indulging on Kool-Aid if you must. Most spam streams out of America - That's no surprise. We've got a helluva lot of computers with broad-band access and clueless users who basically bend over and hand lube to zombie-lords.
I've seen cyber-intelligence numbers (disclaimer - collected by US intelligence) and they indicate pretty clearly that the bots are being controlled by people in Russia and China (Poland, Switzerland, and Holland house a surprising number too). Those people may be Russians, Chinese, Americans, whatever, but they're running their armies from overseas (relative to the US). I'm actually surprised fewer are operating out of Africa - It seems to be a relative safe-house.
It's not paranoia once you've got data supporting it. (Let me be the first to criticize myself for not supplying a link...)
He's getting rather old, but he's a good mouse.