Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spammers Targeting Microsoft's Revised CAPTCHA

Posted by samzenpus on from the paint-a-bullseye-on-it dept.

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

4 of 303 comments (clear)

  1. A revised CAPTCHA? by Panaqqa · · Score: 4, Interesting

    I had played with this idea a bit a few months back and came up with an idea I think could work - but only ever got around to coding the most basic example of it. For those on /. who are interested, find it here. Each reload will produce the image of a new challenge.

    In a closer to final version I had envisioned instructions in multiple fonts and colors involving shapes, letters, etc., and much more flexibility.

    In the example I've shown above, pure random clicking will produce a correct response to the challenge 1 time in 30 approximately. So - make them solve three in a row and there you are - 1 chance in 27,000.

  2. Re:Captchas are no longer good enough by Miamicanes · · Score: 5, Interesting

    > I agree all these things are difficult. So what solution do you suggest?

    I personally applied a multi-pronged approach, and my spam problem has been negligible for YEARS.

    1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers. In theory I could generate the aliases by hand, but I wrote a program that runs on my HTC Touch to generate them for me as necessary. Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

    2) I wrote an app to generate time-limited aliases in the form 'myname-yyyymmdd.validation@mydomain.com', but for now it ended up being gross overkill since nobody has ever tried reverse-engineering it so I just automatically accept all incoming mail sent to 'myname-yyyymmdd@mydomain.net' (where 'yyyymmdd' is today's date, or at least a date within the past week or so). But if spammers ever caught on, the generator app goes back up, and the rules get tightened.

    Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY. How brilliantly? On a typical day, procmail chucks, bounces, or otherwise blackholes about 18,000 to 25,000 spam emails addressed to an outright nonexistent address, roughly 8,000-12,000 spams addressed to an alias that fell into spammer hands, and maybe a half-dozen that are in the right form, but have an invalid hashcode (they get sent to another account on the server that I check occasionally). Every few days, I have to spend a couple of minutes adding another blackhole rule to .procmailrc, but I've never really had enough to make it worth my time to actually write an administration program to manage it for me.

    Would this work for Joe Sixpack or Sally Soccermom? Of course not. They have a hard enough time keeping one email address at aol.com straight, let alone generating salty-checksum-validated adhoc aliases unique to everyone who emails them (and every website that extorts their email address, etc). But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail. My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

  3. Re:Captchas are no longer good enough by Miamicanes · · Score: 4, Interesting

    Oh, I forgot to mention... the fundamental reason why everyone who emails me is given a unique generated alias is to protect myself against trojans/worms/malware that might harvest the contents of a trusted friend's addressbook. If it happens (like to my dad 3 times already. Sigh. He's actually the reason I came up with this scheme... he kept getting my addresses harvested and ruining them forever), all I have to do is nuke that one specific alias, and tell that one person to use a different address to reach me at going forward. It's a lot easier to nuke an incoming address used by ONE person, and notify that ONE person if something changes, than it is to notify everyone (including banks, websites, etc) that they need to use a new address to reach you.

  4. Re:Captchas are no longer good enough by lysergic.acid · · Score: 4, Interesting

    requiring a physical ID for internet accounts is a bad idea.

    i like the reCAPTCHA approach. if spammers want to abuse a reCAPTCHA system, at least they'll be making a positive contribution to society by helping to digitize printed literature. maybe Project Gutenberg or the Google Books Library Project can launch a reCAPTCHA service to put those botnets to good use. if you can't stop them, at least this helps to recover some utility from the problem.

    there's also the issue of CAPTCHA porn and the related phenomena of outsourcing CAPTCHA solutions. as long as there are people willing to solve CAPTCHAs for porn, or money to feed their families, then no reverse turing test will ever be foolproof. so the best thing to do is to exploit this CAPTCHA-solving machinery.

    why not make CAPTCHAs educational? instead of random words or random excerpts from books, make them arithmetic word problems, geometry proofs, SAT analogy questions, stoichiometry equations, spelling quizzes, etc. this way, the CAPTCHA solvers gain an education from their labors instead of just some cheap porn or a couple of bucks a day. and after solving CAPTCHAs for a few years, they'll be educated enough to land a real job and/or afford to pay for better porn.

    this way you turn the spam problem into a way of educating horny teenagers and underprivileged poor in 3rd world countries.