Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

Re:Captchas are no longer good enough

[Miamicanes]

> I agree all these things are difficult. So what solution do you suggest?

I personally applied a multi-pronged approach, and my spam problem has been negligible for YEARS.

1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers. In theory I could generate the aliases by hand, but I wrote a program that runs on my HTC Touch to generate them for me as necessary. Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

2) I wrote an app to generate time-limited aliases in the form 'myname-yyyymmdd.validation@mydomain.com', but for now it ended up being gross overkill since nobody has ever tried reverse-engineering it so I just automatically accept all incoming mail sent to 'myname-yyyymmdd@mydomain.net' (where 'yyyymmdd' is today's date, or at least a date within the past week or so). But if spammers ever caught on, the generator app goes back up, and the rules get tightened.

Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY. How brilliantly? On a typical day, procmail chucks, bounces, or otherwise blackholes about 18,000 to 25,000 spam emails addressed to an outright nonexistent address, roughly 8,000-12,000 spams addressed to an alias that fell into spammer hands, and maybe a half-dozen that are in the right form, but have an invalid hashcode (they get sent to another account on the server that I check occasionally). Every few days, I have to spend a couple of minutes adding another blackhole rule to .procmailrc, but I've never really had enough to make it worth my time to actually write an administration program to manage it for me.

Would this work for Joe Sixpack or Sally Soccermom? Of course not. They have a hard enough time keeping one email address at aol.com straight, let alone generating salty-checksum-validated adhoc aliases unique to everyone who emails them (and every website that extorts their email address, etc). But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail. My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.