Slashdot Mirror


Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

15 of 303 comments

  1. Captchas are no longer good enough by AaronLawrence · · Score: 5, Insightful

    It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

    Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

    What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

    If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:Captchas are no longer good enough by vux984 · · Score: 4, Insightful

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers.

      Ok. So you effectively made the most complicated whitelist imaginable. Except instead of whitelisting your contacts, you've added a layer of indirection and whitelist a code your contacts must send you instead.

      I've seen the same thing implemented many times before by giving each contact a passcode and requiring them to include it in the subject line of all correspondence. I do give you props for embedding it into the address instead of the subject line, as that will let you use it for automated systems, like websites that 'extort' an address, etc.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY.

      Yes, if torpedoing usability was your goal. What happens when you send something to someone and they reply? Do they have to use your unique address to reply? What do you do when you need to write an email address out or give it over the phone? goofball-yourdomain-a23fbf32a4e544303... good times. Or if someone forwards your message to a 3rd person to reply to you...

      My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

      I manage the same with spamassassin, amavisd etc. and a couple of custom rules. And my mail server processes some 30,000 messages a day as well, for a business with half a dozen employees. We get maybe 8 or so spam through a day, and less than half a dozen false positives a month. (Most of which are due to other people sending from domains that publish SPF records and then don't follow what they've published... ie their own damned fault.)

      But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail).

      I wouldn't call it elegant. Clever yes, but not elegant.

      Anything sent to 'myname@mydomain.com' automatically bounces with a message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      Do you even score it for spam at all or do you just generate a lot of needless backscatter?

      At the end of the day, I'm not really seeing the advantage of your solution over a moderately sophisticated white-listing + grey-listing solution.
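
The alias scheme the two posters are arguing over, as an added example that is neither poster's code: the 'validation' part is an HMAC over the alias under one secret key (standing in for the quoted "different salting recipes"), and the routing decision implements the bounce-once-then-/dev/null rule described above. SECRET, USER and DOMAIN are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed example values: the page shows only the address shape, not a key.
SECRET = b"constructed-example-key"   # assumption: one secret key for all aliases
USER = "myname"
DOMAIN = "mydomain.com"
TAG_LEN = 16                           # hex digits kept as the 'validation' part

# Accepts myname[-alias[.validation]]@mydomain.com
ADDR_RE = re.compile(
    r"^(?P<user>[a-z0-9]+)"
    r"(?:-(?P<alias>[a-z0-9]+)(?:\.(?P<tag>[0-9a-f]+))?)?"
    r"@(?P<domain>[a-z0-9.-]+)$"
)


def validation_tag(alias: str, secret: bytes = SECRET) -> str:
    """Keyed hash of the alias; stands in for the poster's 'salted hash'."""
    return hmac.new(secret, alias.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(contact: str, secret: bytes = SECRET) -> str:
    """Mint 'myname-contact.validation@mydomain.com' for one contact."""
    alias = re.sub(r"[^a-z0-9]", "", contact.lower())
    return f"{USER}-{alias}.{validation_tag(alias, secret)}@{DOMAIN}"


def route(rcpt: str, bounced: set, secret: bytes = SECRET) -> str:
    """Return 'deliver', 'bounce' or 'drop' for one inbound recipient address.

    `bounced` remembers aliases that already received one bounce, so later
    messages to a bad alias go to /dev/null instead of adding backscatter.
    """
    m = ADDR_RE.match(rcpt.strip().lower())
    if not m or m["user"] != USER or m["domain"] != DOMAIN:
        return "drop"               # not one of our addresses at all
    if m["alias"] is None:
        return "bounce"             # bare myname@: tell sender to fetch an alias
    if hmac.compare_digest(m["tag"] or "", validation_tag(m["alias"], secret)):
        return "deliver"            # validation checks out
    if m["alias"] in bounced:
        return "drop"               # second and later bad messages for this alias
    bounced.add(m["alias"])
    return "bounce"                 # first bad message for this alias
```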

  2. Re:Key exchange. by AaronLawrence · · Score: 5, Insightful

    That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

    The likely reality is that someone will have to pay or be inconvenienced to solve spam.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  3. reCAPTCHA by yincrash · · Score: 4, Insightful

    from the dude who coined CAPTCHA, comes reCAPTCHA. using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!

    http://recaptcha.net/

  4. Captchas that humans can read, perhaps? by Behrooz · · Score: 5, Insightful

    Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

    In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

    It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Captchas that humans can read, perhaps? by feepness · · Score: 5, Insightful

      Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

      That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the captcha repeatedly.

  5. Re:Saw on ubuntu forums and other sites by WK2 · · Score: 2, Insightful

    The main problem with those is that there are only so many questions you can ask. The spammer just needs a database with all of them, or just a significant portion. As for the simple math, that can easily be parsed and calculated.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  6. Re:Saw on ubuntu forums and other sites by zobier · · Score: 5, Insightful

    Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

    1. Set up a site with something people want.
    2. When they come to the site your server goes to the target site*.
    3. The target site gives your server a CAPTCHA.
    4. Your server gives the punter the CAPTCHA.
    5. Punter tries to solve CAPTCHA.
    6. Server passes response to target.
    7. Profit!

    *via proxies or bot net to avoid IP blacklisting.

    --
    Me lost me cookie at the disco.
  7. Re:Key exchange. by SanityInAnarchy · · Score: 2, Insightful

    First of all, stop calling it SPAM. It's not an acronym -- it's just named after the actual meat, used in a certain context.

    But more importantly...

    The most effective SPAM filter is a human, sitting in front of their e-mail client, deleting mail that they know is SPAM from the subject line.

    Incorrect.

    Firstly, I don't know about the rest of you, but I get far too much spam to read every subject line. It's already impractical, and getting to where it would be physically impossible without hiring people to read my email for me.

    But also, a human is not necessarily the most accurate filter:

    http://www.paulgraham.com/wsy.html

    Granted, if you actually read every single email, rather than skimming through subject lines, you'd have a shot. But it's impractical, at this point, for me to even read subject lines. It's impossible for me to actually read the text of every single email.

    In fact, that's why I use Bogofilter -- it's somewhat of a hybrid, that way. It uses reasonably sophisticated techniques to categorize spam, but it has an additional classification of "unsure". Last I checked, on any given day, I was getting maybe ten "unsure" messages to a hundred actual spams. There are quite often some false positives in unsure, and some that I'm not sure about myself. Most of it is spam, and I retrain it as such.

    Net result: Roughly one or two messages per day make it through, and those come through Ruby Talk. Maybe once or twice a month, something will actually hit my inbox directly. And as far as I know, I've never had a false positive.

    --
    Don't thank God, thank a doctor!
  8. Re:Key exchange. by gnick · · Score: 2, Insightful

    I believe the link I posted, in the comment to which you are actually replying, suggests otherwise. The number one spammer on the Spamhaus lists is a US citizen who uses Chinese servers to control his botnet.

    I assumed that people would read the link I posed before replying. How silly of me.

    You're correct. In the (alphabetically sorted) list you linked to, the #1 spammer is an American.

    [But, using the same system, Americans only rank 2nd between Africans, Americans, Chinese, and Russians.]

    But, with such credible and specific identifiers as "Alex Blood", "Bubba Catts", "Canadian Pharmacy", "emailspidereasy.com", "fairgamemail.us", "HerbalKing", "JingJing Wang", "MailTrain", "pur", "Stilbox Marketing", "Taiwan Media Ltd", "Trey Armstrong, the Flag Spammer", "Uncaged Marketing", "Yambo Financials", and "zombies", how could I possibly question the actual countries of origin of your link's sources?

    --
    He's getting rather old, but he's a good mouse.
  9. Re:Key exchange. by johannesg · · Score: 4, Insightful

    Why not cut it down to this:

    "Your post advocates

    [x] a solution

    to the problem of spam. It won't work, because

    [x] I am a spammer myself and I want to instill a sense of hopelessness in people
    [x] I only care about problems, not solutions
    [x] any solution that covers less than 100% of all cases is unacceptable to me
    [x] I like spam"

    Your post surely applies to the antispam measures taken by my provider, but between them they keep my mailbox pretty much free of unwanted messages. And by posting this every time any kind of potential solution is discussed, you are ruling out the possibility of a solution altogether.

  10. Re:Key exchange. by kesuki · · Score: 3, Insightful

    "What do we need to get this project off the ground?"

    first, you need to weed out the pansies who say 'killing people, for trying to make a living sending commercial e-mail, that's horrible'

    secondly, you need a large budget and specialized training in invading hostile territory and killing possibly armed men in ambushes and guerrilla tactics. remember not all spam originates from the united states.

    since you'll never get both of the above, you're left with technical and legal counter measures... which ultimately just doesn't work.

    how many times have you gotten a call from a telemarketer? during dinner? there are (or were) laws against machine dialing apparatus here in the USA, but then some wiener designed a computer modem, and the downfall was quick, it was now quick and easy to use stock parts to auto dial and even give people pre-recorded messages over telephone.

    spam ultimately is suffering the problem that much of the technology involved has substantial other uses besides spamming, so spammers get free rein. captchas did make a difference in the arms race. for a while. but now captchas are obsolete. they don't work, they can't be fixed, and you're never going to get a really good test for determining a human from a bot.

    simple distorted words aren't good enough, what you need to do, is switch to something humans are insanely good at that machines can't even be coded for. puns and homonyms. so basically what you wind up with is say a paragraph of text, with a single sentence response from the end user.

    but even this will wind up getting cracked, unless you come up with a way of distorting the paragraphs slightly without changing the response from users, so they can't just match the paragraph to the answer... but this is a lot of work, to get a sophisticated captcha system based on a database of giving one paragraph of text and expecting a one line response that is obvious to a human but not to bot and reuse them but always with something different done to the paragraph. and even with such a hard test, the free porn sites give free access to a porn site for answering 5 captchas, teenagers have a lot of hormones and loads of free time...

    i know microsoft and yahoo and google don't like the fact that spam originates from their networks, because spammers broke their captchas... but the problem isn't going away. there is no way to make it better. compuserve tried to curtail spam by having 'electronic postage' on sending e-mail, compuserve eventually went under. but electronic postage is realistically the only way spam will ever be controllable without killing all the spammers, because if it costs $0.15 cents per e-mail recipient they're going to suddenly get very good at figuring out who responds to spam. just like bulk mail comes to people based on information companies can find out about them.

    and there are countless people who would be angry at paying to e-mail people. so it's not going to happen.

  11. Re:Key exchange. by EdIII · · Score: 2, Insightful

    There IS an EXTREMELY simple technical solution to this very problem.

    First let's define the problem:

    1) Spammers desire the ability to send their messages through Microsoft's systems since the IP addresses are so clean and therefore usually possess a higher level of trust with remote MTAs.
    2) Microsoft, like others, has its head up its ass on how to solve it.
    3) Microsoft has determined the best method to stop it is to determine if it is a person, or a machine at the other end.

    The solution is simple:

    1) Limit the amount of new accounts that can be opened up at any single IP address within a 24 hour period. This need not be implemented blindly either. You can decide which IP blocks are the most problematic based on experience, and which of those generate the least amount of SPAM associated with a signup IP address. If the limit is reached, simply inform the user that new signups cannot be processed at this time, from that location.

    2) Once an email account has been newly created, limit the number of email messages that can be sent within certain time periods. Slowly ramp up the number of messages. Most normal people do not need to send more than 100 emails per hour. If you think about it, that number itself is incredibly impressive. That is nearly 2 emails being constructed per minute. Now it might be important for this person to inform a large number of people that they have a new email address. Fine. Create a special email message that contains text that the USER CANNOT MODIFY that can be sent to up to 50 contacts at a time. It MUST be a contact added to the address book as well.

    2.B) To further the goal of #2, limit the number of CC and BCC destination addresses. Of course, you could simplify this further by a global limit on all parseable addresses present within the message. Slowly ramp up that number as well.

    2.C) To also further the goal of #2, limit the rate at which new messages can be sent. Set a minimum of 120 seconds before new message creation windows can be spawned and to which also respond to the SENT button. This number can be slowly decreased as well.

    3) INVESTIGATE reports of SPAM and aggressively analyze which accounts are responsible, what IP address space is the most responsible for the signups, what IP address space is the most responsible for the message creation, and then UTILIZE that information accordingly.

    You see it really is not all that hard to implement some of these simple policies right now. To do so would put serious speed bumps in place for the spammers right now. I dare say it could reduce the amount of spam by 90% in the first 48 hours. Probably more, since the real problem is THOUSANDS of SPAM messages being sent from these bogus accounts within the first few hours, or days of their creation.

    That activity DOES NOT FIT THE PROFILE OF A NORMAL HUMAN BEING. You don't need a CAPTCHA to figure that out. So it is not nearly as bleak or impossible as you make out to be. At least not in the IT department. However, where the marketing execs and other useless suits get together they just plain don't give a fuck.
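
The throttling policy proposed above, as an added example that is not the poster's code: a per-IP signup cap over a 24 hour window, a per-account hourly send quota that ramps up with account age, a recipient cap per message and a minimum gap between sends. The 100/hour, 50 recipient and 120 s figures come from the comment; the signup cap of 5 per IP per day and the ramp schedule are assumptions, and the clock is plain seconds so the policy can be exercised offline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

DAY, HOUR = 86400, 3600
# Policy numbers: 100/hour, 50 recipients and 120 s come from the comment;
# the per-IP signup cap and the ramp schedule are assumptions for this example.
SIGNUPS_PER_IP_PER_DAY = 5
RECIPIENT_CAP = 50
# (account age in seconds, messages per hour, minimum seconds between sends)
RAMP = [(0, 10, 120), (1 * DAY, 25, 60), (7 * DAY, 100, 0)]


@dataclass
class Account:
    created: float
    sends: deque = field(default_factory=deque)   # send times within the last hour
    last_send: float = float("-inf")


def _prune(q, now, window):
    """Drop timestamps that are `window` seconds old or older."""
    while q and now - q[0] >= window:
        q.popleft()


class SignupSendPolicy:
    def __init__(self):
        self.signups = defaultdict(deque)   # ip -> signup times, last 24 h
        self.accounts = {}

    def signup(self, ip, name, now):
        q = self.signups[ip]
        _prune(q, now, DAY)
        if len(q) >= SIGNUPS_PER_IP_PER_DAY:
            return False        # "new signups cannot be processed from that location"
        q.append(now)
        self.accounts[name] = Account(created=now)
        return True

    def limits(self, acct, now):
        """(messages per hour, minimum gap) for the account's current age."""
        age = now - acct.created
        _, per_hour, gap = max(t for t in RAMP if age >= t[0])
        return per_hour, gap

    def send(self, name, recipients, now):
        acct = self.accounts[name]
        per_hour, gap = self.limits(acct, now)
        if len(recipients) > RECIPIENT_CAP:
            return "reject: too many recipients"
        if now - acct.last_send < gap:
            return "reject: sending too fast"
        _prune(acct.sends, now, HOUR)
        if len(acct.sends) >= per_hour:
            return "reject: hourly quota"
        acct.sends.append(now)
        acct.last_send = now
        return "ok"


def burst_accepted(policy, name, attempts, start, spacing=1.0):
    """How many of `attempts` sends, one every `spacing` s, get through."""
    rcpt = ["victim@example.net"]   # constructed recipient
    return sum(policy.send(name, rcpt, start + i * spacing) == "ok"
               for i in range(attempts))
```

A fresh account hammering the send button once a second for an hour gets ten messages out under this schedule; the same burst from a week-old account gets a hundred, which is the "speed bump" the comment is after.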

  12. Re:Key exchange. by EdIII · · Score: 2, Insightful

    Actually you are wrong. What you are saying has a certain logic to it, that is true, but you just don't have the numbers right.

    1) Botnets are irrelevant. It is just an issue of IP addresses, pure and simple. Whether or not the signup is a zombie or a real person, the number is limited. The REAL issue is if the policy would prevent the signups of legitimate people. That is doubtful since most people tend not to have more than 10 different email accounts at one provider. I would say the *average* is far less than that. Legitimate signups just don't occur that frequently from an IP address that is being used in a normal way.

    2) Remember what I said about linking abused accounts with their signup IP address and then analyzing that information? You could apply that to "throttle" the number of accounts that are created from an IP address period. The behavior of a zombie would stand out over a relatively short period of time.

    3) Let's assume that they can still create 20,000 accounts per day from a single botnet. We can assume further, even with initial throttling present, that 100,000 messages are sent out the first hour. Believe it or not, that is far less than CURRENT numbers. A significant improvement considering that current estimates are in the double digit BILLIONS per day (with estimates as high as 150 billion). Now Microsoft cannot be responsible for all of that of course, but once again limiting their contribution to 2.4 million SPAM messages per day would seem to be an improvement considering the actual numbers here.

    4) The effectiveness of analyzing the behavior of the IP address spaces would be quite high. Over time, you could determine with a high degree of accuracy which IP addresses are currently participating in a Botnet, and which are not. Forward that information to other security research firms which are currently attempting to penetrate and analyze botnets.

    5) Behavior analysis can let you determine which IP addresses need to be throttled more than others. Let's assume that you identified 100 million *confirmed* SPAM messages from those 20,000 accounts within the period of just a week. Of those accounts which do you think would have 99% SPAM in the outbox? More information to act on. Now you can remove those accounts, and then start to add weights to those IP addresses. Now they can only create new accounts at 1/5th the normal rate. Then 1/10th the normal rate, and so on and so forth.

    The real problem here is not whether or not these policies will work, it is the management at Microsoft. They will never spend the resources to implement this.

    Why should they? They KNOW they are so big that mail administrators such as myself just CANNOT AFFORD to blacklist their domains and IP addresses. To do so would be suicide in our business. Considering the amount of SPAM coming from Microsoft, Google, and Yahoo you don't find it suspicious that SpamHaus does not blacklist them?

    There is your problem. We HAVE to accept email from the 3 biggest players PERIOD. The only thing we can do is apply filtering to the message content itself and hope that we are good enough to get the majority of it into your junk mail folder.

    You want something more nefarious? More devious? Think about whether or not Microsoft relies on the number of email accounts it has, and how many signups occur per month, when dealing with its advertising clients? The bottom line at Microsoft, is in part, affected by the current and projected number of email accounts it has. SPAM can actually be helping their bottom line and stock price here, not hurting it.

  13. Re:Captcha: Thirteen = 4 + ? Ask questions?? by Ash-Fox · · Score: 2, Insightful

    Where I am currently:

    What color is the sky?

    Gray.

    What color is the sun?

    White.

    What is seven plus three?

    seventhree

    What common pet barks?

    a canine pet.

    What animal meows?

    A feline.

    What animal does milk come from?

    All of them?

    Your comment has too few characters per line (currently 7.3).

    --
    Change is certain; progress is not obligatory.