Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spammers Targeting Microsoft's Revised CAPTCHA

Posted by samzenpus on from the paint-a-bullseye-on-it dept.

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

9 of 303 comments (clear)

  1. Captchas are no longer good enough by AaronLawrence · · Score: 5, Insightful

    It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

    Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

    What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

    If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:Captchas are no longer good enough by vux984 · · Score: 4, Insightful

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers.

      Ok. So you effectively made the most complicated whitelist imaginable. Except instead of whitelisting your contacts, you've added a layer of indirection and whitelist a code your contacts must send you instead.

      I've seen the same thing implemented many times before by giving each contact a passcode and requiring them to include it in the subject line of all correspondence. I do give you props for embedding it into the address instead of the subject line, as that will let you use it for automated systems, like websites that 'extort' an address, etc.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY.

      Yes, if torpedoing usability was your goal. What happens when you send something to someone and they reply? Do they have to use your unique address to reply? What do you do when you need write an email address out or give it over the phone? goofball-yourdomain-a23fbf32a4e544303... good times. Or if someone forwards your message to a 3rd person to reply to you...

      My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

      I manage the same with spamassassin, amavisd etc and a couple custom rules. And my mail server processes some 30,000 messages a day as well, for a business with half a dozen employees. We get maybe 8 or so spam through a day, and less than half a dozen false positives a month. (Most of which are due to other people sending from domains that publish SPA records and then don't follow what they've published...ie their own damned fault.)

      But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail.

      I wouldn't call it elegant. Clever yes, but not elegant.

      Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      Do you even score it for spam at all or do you just generate a lot of needless backscatter?

      At the end of the day, I'm not really seeing the advantage of your solution over a moderately sophisticated white-listing + grey-listing solution.

  2. Re:Key exchange. by AaronLawrence · · Score: 5, Insightful

    That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

    The likely reality is that someone will have to pay or be inconvenienced to solve spam.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  3. reCAPTCHA by yincrash · · Score: 4, Insightful

    from the dude who coined CAPTCHA, comes reCAPTCHA. using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!

    http://recaptcha.net/

  4. Captchas that humans can read, perhaps? by Behrooz · · Score: 5, Insightful

    Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

    In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

    It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Captchas that humans can read, perhaps? by feepness · · Score: 5, Insightful

      Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

      That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the capcha repeatedly.

  5. Re:Saw on ubuntu forums and other sites by zobier · · Score: 5, Insightful

    Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

    1. Set up a site with something people want.
    2. When they come to the site your server goes to the target site*.
    3. The target site gives your server a CAPTCHA.
    4. Your server gives the punter the CAPTCHA.
    5. Punter tries to solve CAPTCHA.
    6. Server passes response to target.
    7. Profit!

    *via proxies or bot net to avoid IP blacklisting.

    --
    Me lost me cookie at the disco.
  6. Re:Key exchange. by johannesg · · Score: 4, Insightful

    Why not cut it down to this:

    "Your post advocates

    [x] a solution

    to the problem of spam. It won't work, because

    [x] I am a spammer myself and I want to instill a sense of hopelessness in people
    [x] I only care about problems, not solutions
    [x] any solution that covers less than 100% of all cases is unacceptable to me
    [x] I like spam"

    Your post surely applies to the antispam measures taken by my provider, but between them they keep my mailbox pretty much free of unwanted messages. And by posting this every time any kind of potential solution is discussed, you are ruling out the possibility of a solution altogether.

  7. Re:Key exchange. by kesuki · · Score: 3, Insightful

    "What do we need to get this project off the ground?"

    first, you need to weed out the pansies who say 'killing people, for trying to make a living sending commercial e-mail, that's horrible'

    secondly, you need a large budget and specialized training in invading hostile territory and killing possibly armed men in ambushes and guerrilla tactics. remember not all spam originates from the united states.

    since you'll never get both of the above, you're left with technical and legal counter measures... which ultimately just doesn't work.

    how many times have you gotten a call from a telemarketer? during dinner? there are (or were) laws against machine dialing apparatus here in the USA, but then some wiener designed a computer modem, and the downfall was quick, it was now quick and easy to use stock parts to auto dial and even give people pre-recorded messages over telephone.

    spam ultimately is suffering the problem that much to the technology involved has substantial other uses besides spamming, so spammers get free reign. captchas did make a difference in the arms race. for a while. but now captchas are obsolete. they don't work they can't be fixed, and you're never going to get a really good test for determining a human from a bot..

    simple distorted words aren't good enough, what you need to do, is switch to something humans are insanely good at that machines can't even be coded for. puns and homonyms. so basically what you wind up with is say a paragraph of text, with a single sentence response from the end user.

    but even this will wind up getting cracked, unless you come up with a way of distorting the paragraphs slightly without changing the response from users, so they can't just match the paragraph to the answer... but this is a lot of work, to get a sophisticated captcha system based on a database of giving one paragraph of text and expecting a one line response that is obvious to a human but not to bot and reuse them but always with something different done to the paragraph. and even with such a hard test, the free porn sites give free access to a porn site for answering 5 captchas, teenagers have a lot of hormones and loads of free time...

    i know microsoft and yahoo and google don't like the fact that spam originates from their networks, because spammers broke their captchas... but the problem isn't going away. there is no way to make it better. compuserve tried to curtail spam by having 'electronic postage' on sending e-mail, compuserve eventually went under. but electronic postage is realistically the only way spam will ever be controllable without killing all the spammers, because if it costs $0.15 cents per e-mail recipient they're going to suddenly get very good at figuring out who responds to spam. just like bulk mail comes to people based on information companies can find out about them.

    and there are countless people who would be angry at paying to e-mail people. so it's not going to happen.

    --
    https://www.gnu.org/philosophy/free-sw.html