Slashdot Mirror


Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

8 of 303 comments

  1. Captchas are no longer good enough by AaronLawrence · · Score: 5, Insightful

    It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

    Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

    What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

    If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
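The signup pattern AaronLawrence points at (the same IP constantly trying to sign up) can be checked mechanically. The following is an added example, not code from the comment, from Websense or from Microsoft: a per-IP sliding-window count over constructed sample log lines, with his NAT caveat handled by a second, assumed heuristic that only raises an alert when the burst also looks like a single client rather than many users behind one gateway. The log format, the thresholds and the user-agent check are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample signup log (hypothetical format): "<ISO timestamp> <source IP> <user agent>".
# 203.0.113.7 behaves like a bot (rapid signups, one client string); 198.51.100.9 behaves like
# a NAT gateway (several signups in a short time, but visibly different browsers behind it).
SAMPLE_LOG = """\
2008-04-15T10:00:01 203.0.113.7 Mozilla/4.0
2008-04-15T10:00:02 203.0.113.7 Mozilla/4.0
2008-04-15T10:00:04 203.0.113.7 Mozilla/4.0
2008-04-15T10:00:05 203.0.113.7 Mozilla/4.0
2008-04-15T10:00:07 198.51.100.9 Mozilla/5.0
2008-04-15T10:00:09 198.51.100.9 Opera/9.2
2008-04-15T10:00:10 198.51.100.9 Mozilla/4.0
2008-04-15T10:00:11 198.51.100.9 Safari/3.1
2008-04-15T10:09:00 203.0.113.7 Mozilla/4.0
2008-04-15T10:20:00 192.0.2.44 Mozilla/5.0
"""

WINDOW = timedelta(minutes=5)   # sliding window length (assumed value)
MAX_SIGNUPS = 3                 # more than this per IP inside WINDOW is suspicious (assumed)
MAX_UA_DIVERSITY = 0.5          # alert only if distinct user agents / signups is at or below this (assumed)


def parse_line(line):
    """Split one constructed log line into (datetime, ip, user_agent)."""
    ts, ip, ua = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, ua


def detect_bot_signups(log_text, window=WINDOW, max_signups=MAX_SIGNUPS,
                       max_ua_diversity=MAX_UA_DIVERSITY):
    """Return [(timestamp, ip), ...]: the first moment each IP exceeded max_signups
    within `window` while its recent signups came from mostly identical clients.
    The diversity check is the NAT allowance: a big shared gateway trips the raw
    count too, but its users show up with many different user agents."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user_agent) still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, ip, ua = parse_line(line)
        q = recent[ip]
        q.append((ts, ua))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) > max_signups and ip not in alerted:
            diversity = len({agent for _, agent in q}) / len(q)
            if diversity <= max_ua_diversity:
                alerted.add(ip)
                alerts.append((ts, ip))
    return alerts


if __name__ == "__main__":
    for ts, ip in detect_bot_signups(SAMPLE_LOG):
        print(f"{ts.isoformat()} suspicious signup burst from {ip}")
```

On the sample data only 203.0.113.7 is flagged; the four quick signups from 198.51.100.9 survive because they look like different browsers. The user-agent string is chosen by the client, so this is a cheap first filter to pair with other signals, not a proof of anything on its own.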
    1. Re:Captchas are no longer good enough by vux984 · · Score: 4, Insightful

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers.

      Ok. So you effectively made the most complicated whitelist imaginable. Except instead of whitelisting your contacts, you've added a layer of indirection and whitelist a code your contacts must send you instead.

      I've seen the same thing implemented many times before by giving each contact a passcode and requiring them to include it in the subject line of all correspondence. I do give you props for embedding it into the address instead of the subject line, as that will let you use it for automated systems, like websites that 'extort' an address, etc.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY.

      Yes, if torpedoing usability was your goal. What happens when you send something to someone and they reply? Do they have to use your unique address to reply? What do you do when you need to write an email address out or give it over the phone? goofball-yourdomain-a23fbf32a4e544303... good times. Or if someone forwards your message to a 3rd person to reply to you...

      My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

      I manage the same with spamassassin, amavisd etc and a couple of custom rules. And my mail server processes some 30,000 messages a day as well, for a business with half a dozen employees. We get maybe 8 or so spam through a day, and less than half a dozen false positives a month. (Most of which are due to other people sending from domains that publish SPF records and then don't follow what they've published...ie their own damned fault.)

      But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail).

      I wouldn't call it elegant. Clever yes, but not elegant.

      Anything sent to 'myname@mydomain.com' automatically bounces with a message to go to my website and obtain an alias to use for contacting me. Ditto for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      Do you even score it for spam at all or do you just generate a lot of needless backscatter?

      At the end of the day, I'm not really seeing the advantage of your solution over a moderately sophisticated white-listing + grey-listing solution.
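To make the tagged-address scheme the two posters are arguing about concrete, here is an added example of how the 'myname-alias.validation@mydomain.com' check could be implemented; it is not code from either poster. The quoted "hash of the salted alias" recipe is not on the page, so this example substitutes a truncated HMAC over the alias label (so that one leaked tagged address does not let anyone derive tags for other labels); the user name, domain, secret and tag length are assumptions.

```python
import hashlib
import hmac

# Hypothetical values for the example; nothing here is the poster's real configuration.
DOMAIN = "mydomain.com"
USER = "myname"
SECRET = b"constructed-example-secret"
TAG_LEN = 12   # hex characters kept from the HMAC


def _tag(contact: str, secret: bytes) -> str:
    """Keyed tag for one contact label (stands in for the post's 'salted hash')."""
    return hmac.new(secret, contact.lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(contact: str, secret: bytes = SECRET) -> str:
    """Build the address handed to one contact: myname-<contact>.<tag>@mydomain.com."""
    if not contact.isalnum():
        raise ValueError("contact label must be alphanumeric so it parses unambiguously")
    return f"{USER}-{contact.lower()}.{_tag(contact, secret)}@{DOMAIN}"


def classify(address: str, secret: bytes = SECRET) -> str:
    """What the mail server does with a recipient address:
      'bounce'  - the bare address; answered with a pointer to the website (as in the post)
      'accept'  - a tagged alias whose tag verifies
      'discard' - a tagged alias whose tag does not verify (the post's /dev/null case)
      'unknown' - not addressed to this user or domain at all"""
    local, _, domain = address.rpartition("@")
    if domain.lower() != DOMAIN:
        return "unknown"
    if local.lower() == USER:
        return "bounce"
    user, sep, rest = local.partition("-")
    if not sep or user.lower() != USER:
        return "unknown"
    contact, sep, tag = rest.rpartition(".")
    if not sep or not contact.isalnum():
        return "discard"
    # compare_digest avoids leaking the tag through timing differences
    return "accept" if hmac.compare_digest(_tag(contact, secret), tag.lower()) else "discard"


if __name__ == "__main__":
    addr = make_alias("acmebank")
    print(addr, classify(addr))
    print(classify("myname@mydomain.com"), classify("myname-acmebank.000000000000@mydomain.com"))
```

vux984's backscatter question is the operational caveat: if 'bounce' and 'discard' are implemented as an SMTP-time rejection (refusing the recipient during the session) rather than accepting the message and mailing a bounce afterwards, the scheme produces no backscatter to forged senders.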

  2. Re:Key exchange. by AaronLawrence · · Score: 5, Insightful

    That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

    The likely reality is that someone will have to pay or be inconvenienced to solve spam.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  3. reCAPTCHA by yincrash · · Score: 4, Insightful

    From the dude who coined CAPTCHA comes reCAPTCHA. Using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!

    http://recaptcha.net/

  4. Captchas that humans can read, perhaps? by Behrooz · · Score: 5, Insightful

    Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

    In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

    It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Captchas that humans can read, perhaps? by feepness · · Score: 5, Insightful

      Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

      That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the captcha repeatedly.
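Behrooz's complaint about 0/O, l/1 and B/13 is easy to act on at challenge-generation time. The following is an added example, not code from either commenter: it keeps a list of glyph groups that blur together in sans-serif fonts, generates challenges only from the characters outside those groups, and scores an existing challenge with his "powers of 2" rule of thumb. The group list is constructed for the example (the right one depends on the font actually rendered) and the halving rule is his heuristic, not a measurement.

```python
import secrets
import string

# Glyph groups that are hard to tell apart in typical sans-serif CAPTCHA fonts.
# Constructed list for this example; tune it to the font you render with.
CONFUSABLE_GROUPS = ["0OoQ", "1lI|", "5Ss", "2Zz", "8B", "6b", "9gq", "uvUV",
                     "cC", "kK", "pP", "wW", "xX"]
CONFUSABLE = {ch for group in CONFUSABLE_GROUPS for ch in group}

# The alphabet a human-readable challenge may draw from: alphanumerics minus the confusables.
READABLE = [ch for ch in string.ascii_letters + string.digits if ch not in CONFUSABLE]


def ambiguous_chars(text):
    """Characters of `text` that belong to some confusable group, in order of appearance."""
    return [ch for ch in text if ch in CONFUSABLE]


def estimated_human_success(text):
    """The comment's rule of thumb (not a measurement): every confusable glyph halves the
    chance that a real person reads the whole challenge correctly."""
    return 0.5 ** len(ambiguous_chars(text))


def generate_challenge(length=6, rng=None):
    """Draw a challenge from the readable alphabet only. Pass a seeded random.Random for
    reproducible output; by default the OS CSPRNG is used so challenges are unpredictable."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.choice(READABLE) for _ in range(length))


if __name__ == "__main__":
    print(ambiguous_chars("0lRnBC"), estimated_human_success("0lRnBC"))
    print(generate_challenge())
```

Shrinking the alphabet reduces the entropy per character, so a challenge drawn from READABLE should be a character or two longer than one drawn from the full alphanumeric set to keep the same guessing resistance. The same whitelist thinking applies to the colour palette feepness raises, but that is outside this snippet.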

  5. Re:Saw on ubuntu forums and other sites by zobier · · Score: 5, Insightful

    Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

    1. Set up a site with something people want.
    2. When they come to the site your server goes to the target site*.
    3. The target site gives your server a CAPTCHA.
    4. Your server gives the punter the CAPTCHA.
    5. Punter tries to solve CAPTCHA.
    6. Server passes response to target.
    7. Profit!

    *via proxies or bot net to avoid IP blacklisting.

    --
    Me lost me cookie at the disco.
  6. Re:Key exchange. by johannesg · · Score: 4, Insightful

    Why not cut it down to this:

    "Your post advocates

    [x] a solution

    to the problem of spam. It won't work, because

    [x] I am a spammer myself and I want to instill a sense of hopelessness in people
    [x] I only care about problems, not solutions
    [x] any solution that covers less than 100% of all cases is unacceptable to me
    [x] I like spam"

    Your post surely applies to the antispam measures taken by my provider, but between them they keep my mailbox pretty much free of unwanted messages. And by posting this every time any kind of potential solution is discussed, you are ruling out the possibility of a solution altogether.