Slashdot Mirror


Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

47 of 303 comments

  1. Key exchange. by suck_burners_rice · · Score: 4, Funny

    I suppose it would make sense if you had to make an exchange of keys with someone before initiating communication. Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms. Now the spammers will need to waste inordinate amounts of computer time computing all kinds of keys, and the practice of spamming will (hopefully) disappear. Now this being /., someone will tell me why such a scheme is impossible. :-)

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:Key exchange. by TheSpoom · · Score: 5, Funny

      Your post advocates a

      (X) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (X) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (X) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      (X) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      (X) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      (X) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      (X) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Key exchange. by AaronLawrence · · Score: 5, Insightful

      That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

      The likely reality is that someone will have to pay or be inconvenienced to solve spam.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    3. Re:Key exchange. by TheSpoom · · Score: 4, Funny

      The form doesn't assume there is a solution without cost or compromise.

      It just assumes it's really, really easy to make fun of other ones. ;^)

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    4. Re:Key exchange. by MrNaz · · Score: 5, Funny

      Personally I think the form would be fine if you just took off the vigilante box. Spam can be solved by a few guys with a list of names, free air travel for a month and a box of bullets.

      --
      I hate printers.
    5. Re:Key exchange. by Anonymous Coward · · Score: 4, Funny

      SpammerAssassin.org? What do we need to get this project off the ground?

    6. Re:Key exchange. by RiotingPacifist · · Score: 3, Funny

      But as far as I can tell, it also rules out all solutions because it assumes there isn't a solution that doesn't have any cost or compromise.

      There, fixed that for you.

      There, fixed that for you.

      There, fixed that for you both.

      --
      IranAir Flight 655 never forget!
    7. Re:Key exchange. by gnick · · Score: 3, Informative

      Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s?

      I don't buy that. Accuse me of over-indulging on Kool-Aid if you must. Most spam streams out of America - That's no surprise. We've got a helluva lot of computers with broad-band access and clueless users who basically bend over and hand lube to zombie-lords.

      I've seen cyber-intelligence numbers (disclaimer - collected by US intelligence) and they indicate pretty clearly that the bots are being controlled by people in Russia and China (Poland, Switzerland, and Holland house a surprising number too). Those people may be Russians, Chinese, Americans, whatever, but they're running their armies from overseas (relative to the US). I'm actually surprised fewer are operating out of Africa - It seems to be a relative safe-house.

      It's not paranoia once you've got data supporting it. (Let me be the first to criticize myself for not supplying a link...)

      --
      He's getting rather old, but he's a good mouse.
    8. Re:Key exchange. by hairyfeet · · Score: 2, Interesting

      Well, the problem as I see it with the whole CAPTCHA thing is this: even if they manage to find a version of it that is so good that no bot can ever be built that can break it (considering how good some of these bot writers are, that is doubtful), then the spammer can either use social engineering or good old cheap labor in countries where you can pay them pennies.

      Of course they wouldn't even have to hire anyone with social engineering, just fill an old server with a bunch of porntube style clips (and get extra cash from link sharing) and have them prove they aren't a bot with a little cross-site scripting. Then you have plenty of guys happy to do the work for you in exchange for a chance at getting some free pr0n. For extra efficiency you could have their answer "fail" the first couple of times so each user has to give you the answer to three or four CAPTCHAs for each entrance. If they don't want to go to the trouble then they simply hire day laborers in third world countries and pay them a few pennies per CAPTCHA. I am sure there are still quite a few countries where the cost/benefit ratio of doing so would come out in the spammers' favor.

      So as long as the spammers can make money off of hErb@l V!@gra and other crappy spam schemes then they WILL find a way around it. Because as long as there are fools willing to part with their money there will be someone with no scruples who will be more than happy to take it from them. So I think in the long run it will be better if the effort was concentrated more on fighting botnets and getting rid of crappy domain registrars than making more and more difficult CAPTCHAS. Because it is getting to the point that some of them are so horribly screwed up that I as a human can't figure the damned things out.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Key exchange. by SanityInAnarchy · · Score: 2, Insightful

      First of all, stop calling it SPAM. It's not an acronym -- it's just named after the actual meat, used in a certain context.

      But more importantly...

      The most effective SPAM filter is a human, sitting in front of their e-mail client, deleting mail that they know is SPAM from the subject line.

      Incorrect.

      Firstly, I don't know about the rest of you, but I get far too much spam to read every subject line. It's already impractical, and getting to where it would be physically impossible without hiring people to read my email for me.

      But also, a human is not necessarily the most accurate filter:

      http://www.paulgraham.com/wsy.html

      Granted, if you actually read every single email, rather than skimming through subject lines, you'd have a shot. But it's impractical, at this point, for me to even read subject lines. It's impossible for me to actually read the text of every single email.

      In fact, that's why I use Bogofilter -- it's somewhat of a hybrid, that way. It uses reasonably sophisticated techniques to categorize spam, but it has an additional classification of "unsure". Last I checked, on any given day, I was getting maybe ten "unsure" messages to a hundred actual spams. There are quite often some false positives in unsure, and some that I'm not sure about myself. Most of it is spam, and I retrain it as such.

      Net result: Roughly one or two messages per day make it through, and those come through Ruby Talk. Maybe once or twice a month, something will actually hit my inbox directly. And as far as I know, I've never had a false positive.

      --
      Don't thank God, thank a doctor!
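The "unsure" bucket SanityInAnarchy describes is the interesting part of that setup: anything the filter cannot place confidently goes to a third folder for human review instead of being forced into spam or inbox. The block below is an added example written for this page, not Bogofilter's code or anything from the post: a small token-probability filter with a spam cutoff and a ham cutoff, everything between them classified as "unsure", trained on a constructed corpus. Bogofilter's real scoring (Robinson's chi-square combining) is more elaborate than the log-odds sum used here; the cutoff values and token names are assumptions.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!@']+")

def tokens(text: str) -> set:
    """Lower-cased word set; using a set means one token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))

class ThreeWayFilter:
    """Token-probability filter with a Bogofilter-style 'unsure' band."""

    def __init__(self, spam_cutoff: float = 0.9, ham_cutoff: float = 0.1):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.spam_cutoff = spam_cutoff
        self.ham_cutoff = ham_cutoff

    def train(self, text: str, is_spam: bool) -> None:
        """Retraining is just another call here: 'unsure' mail the user judges goes back in."""
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_prob(self, tok: str) -> float:
        """P(spam | token), pulled toward 0.5 when the token has rarely been seen."""
        s = self.spam_tokens[tok] / max(self.spam_docs, 1)
        h = self.ham_tokens[tok] / max(self.ham_docs, 1)
        n = self.spam_tokens[tok] + self.ham_tokens[tok]
        raw = s / (s + h) if s + h > 0 else 0.5
        return (0.5 + n * raw) / (1 + n)          # one pseudo-observation at 0.5

    def score(self, text: str) -> float:
        """Combine token probabilities in log-odds space; 0.5 means 'no evidence'."""
        logit = 0.0
        for tok in tokens(text):
            p = min(max(self.token_prob(tok), 0.01), 0.99)
            logit += math.log(p / (1 - p))
        return 1 / (1 + math.exp(-logit))

    def classify(self, text: str) -> str:
        p = self.score(text)
        if p >= self.spam_cutoff:
            return "spam"
        if p <= self.ham_cutoff:
            return "ham"
        return "unsure"                            # third folder, reviewed by a human

# Constructed training corpus for the example (not real mail).
SPAM_SAMPLES = ["buy cheap viagra now", "cheap meds online buy now", "viagra pills cheap"]
HAM_SAMPLES = ["ruby talk meeting tomorrow", "patch for the ruby parser", "lunch tomorrow with ruby team"]

def trained_filter() -> ThreeWayFilter:
    f = ThreeWayFilter()
    for s in SPAM_SAMPLES:
        f.train(s, True)
    for h in HAM_SAMPLES:
        f.train(h, False)
    return f

if __name__ == "__main__":
    f = trained_filter()
    for msg in ["cheap viagra now", "ruby meeting tomorrow", "cheap ruby", "hello world"]:
        print(f"{msg!r}: {f.score(msg):.3f} -> {f.classify(msg)}")
```

A message with evidence pointing both ways ("cheap ruby") or with no known tokens at all scores near 0.5 and lands in "unsure", which is exactly the mail the post says gets looked at by hand; one retraining of such a message as spam moves its score up without immediately flipping it past the cutoff, so repeated feedback is what eventually empties that folder.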
    10. Re:Key exchange. by SanityInAnarchy · · Score: 2, Funny

      ctrl+c. ctrl+v.

      Or you can find the definitive version here.

      --
      Don't thank God, thank a doctor!
    11. Re:Key exchange. by gnick · · Score: 2, Insightful

      I believe the link I posted, in the comment to which you are actually replying, suggests otherwise. The number one spammer on the Spamhaus lists is a US citizen who uses Chinese servers to control his botnet.

      I assumed that people would read the link I posted before replying. How silly of me.

      You're correct. In the (alphabetically sorted) list you linked to, the #1 spammer is an American.

      [But, using the same system, Americans only rank 2nd between Africans, Americans, Chinese, and Russians.]

      But, with such credible and specific identifiers as "Alex Blood", "Bubba Catts", "Canadian Pharmacy", "emailspidereasy.com", "fairgamemail.us", "HerbalKing", "JingJing Wang", "MailTrain", "pur", "Stilbox Marketing", "Taiwan Media Ltd", "Trey Armstrong, the Flag Spammer", "Uncaged Marketing", "Yambo Financials", and "zombies", how could I possibly question the actual countries of origin of your link's sources?

      --
      He's getting rather old, but he's a good mouse.
    12. Re:Key exchange. by Tubal-Cain · · Score: 2, Funny

      The Form has already accounted for this:

      (X) No one will be able to find the guy or collect the money
      (X) The police will not put up with it
      (X) Anyone could anonymously destroy anyone else's career or business
      (X) Laws expressly prohibiting it
      (X) Jurisdictional problems
      (X) Feel-good measures do nothing to solve the problem
      (X) Killing them that way is not slow and painful enough

    13. Re:Key exchange. by johannesg · · Score: 4, Insightful

      Why not cut it down to this:

      "Your post advocates

      [x] a solution

      to the problem of spam. It won't work, because

      [x] I am a spammer myself and I want to instill a sense of hopelessness in people
      [x] I only care about problems, not solutions
      [x] any solution that covers less than 100% of all cases is unacceptable to me
      [x] I like spam"

      Your post surely applies to the antispam measures taken by my provider, but between them they keep my mailbox pretty much free of unwanted messages. And by posting this every time any kind of potential solution is discussed, you are ruling out the possibility of a solution altogether.

    14. Re:Key exchange. by kesuki · · Score: 3, Insightful

      "What do we need to get this project off the ground?"

      first, you need to weed out the pansies who say 'killing people, for trying to make a living sending commercial e-mail, that's horrible'

      secondly, you need a large budget and specialized training in invading hostile territory and killing possibly armed men in ambushes and guerrilla tactics. remember not all spam originates from the united states.

      since you'll never get both of the above, you're left with technical and legal counter measures... which ultimately just doesn't work.

      how many times have you gotten a call from a telemarketer? during dinner? there are (or were) laws against machine dialing apparatus here in the USA, but then some wiener designed a computer modem, and the downfall was quick, it was now quick and easy to use stock parts to auto dial and even give people pre-recorded messages over telephone.

      spam ultimately is suffering the problem that much of the technology involved has substantial other uses besides spamming, so spammers get free rein. captchas did make a difference in the arms race. for a while. but now captchas are obsolete. they don't work, they can't be fixed, and you're never going to get a really good test for determining a human from a bot.

      simple distorted words aren't good enough, what you need to do, is switch to something humans are insanely good at that machines can't even be coded for. puns and homonyms. so basically what you wind up with is say a paragraph of text, with a single sentence response from the end user.

      but even this will wind up getting cracked, unless you come up with a way of distorting the paragraphs slightly without changing the response from users, so they can't just match the paragraph to the answer... but this is a lot of work, to get a sophisticated captcha system based on a database of giving one paragraph of text and expecting a one line response that is obvious to a human but not to bot and reuse them but always with something different done to the paragraph. and even with such a hard test, the free porn sites give free access to a porn site for answering 5 captchas, teenagers have a lot of hormones and loads of free time...

      i know microsoft and yahoo and google don't like the fact that spam originates from their networks, because spammers broke their captchas... but the problem isn't going away. there is no way to make it better. compuserve tried to curtail spam by having 'electronic postage' on sending e-mail, compuserve eventually went under. but electronic postage is realistically the only way spam will ever be controllable without killing all the spammers, because if it costs $0.15 cents per e-mail recipient they're going to suddenly get very good at figuring out who responds to spam. just like bulk mail comes to people based on information companies can find out about them.

      and there are countless people who would be angry at paying to e-mail people. so it's not going to happen.

    15. Re:Key exchange. by EdIII · · Score: 2, Insightful

      There IS an EXTREMELY simple technical solution to this very problem.

      First let's define the problem:

      1) Spammers desire the ability to send their messages through Microsoft's systems since the IP addresses are so clean and therefore usually possess a higher level of trust with remote MTAs.
      2) Microsoft, like others, has its head up its ass on how to solve it.
      3) Microsoft has determined the best method to stop it is to determine if it is a person, or a machine at the other end.

      The solution is simple:

      1) Limit the amount of new accounts that can be opened up at any single IP address within a 24 hour period. This need not be implemented blindly either. You can decide which IP blocks are the most problematic based on experience, and which of those generate the least amount of SPAM associated with a signup IP address. If the limit is reached, simply inform the user that new signups cannot be processed at this time, from that location.

      2) Once an email account has been newly created, limit the number of email messages that can be sent within certain time periods. Slowly ramp up the number of messages. Most normal people do not need to send more than 100 emails per hour. If you think about it, that number itself is incredibly impressive. That is nearly 2 emails being constructed per minute. Now it might be important for this person to inform a large number of people that they have a new email address. Fine. Create a special email message that contains text that the USER CANNOT MODIFY that can be sent up to 50 contacts at a time. It MUST be a contact added to the address book as well.

      2.B) To further the goal of #2, limit the number of CC and BCC destination addresses. Of course, you could simplify this further by a global limit on all parseable addresses present within the message. Slowly ramp up that number as well.

      2.C) To also further the goal of #2, limit the rate at which new messages can be sent. Set a minimum of 120 seconds before new message creation windows can be spawned and to which also respond to the SENT button. This number can be slowly decreased as well.

      3) INVESTIGATE reports of SPAM and aggressively analyze which accounts are responsible, what IP address space is the most responsible for the signups, what IP address space is the most responsible for the message creation, and then UTILIZE that information accordingly.

      You see it really is not all that hard to implement some of these simple policies right now. To do so would put serious speed bumps in place for the spammers right now. I dare say it could reduce the amount of spam by 90% in the first 48 hours. Probably more, since the real problem is THOUSANDS of SPAM messages being sent from these bogus accounts within the first few hours, or days of their creation.

      That activity DOES NOT FIT THE PROFILE OF A NORMAL HUMAN BEING. You don't need a CAPTCHA to figure that out. So it is not nearly as bleak or impossible as you make out to be. At least not in the IT department. However, where the marketing execs and other useless suits get together they just plain don't give a fuck.

    16. Re:Key exchange. by EdIII · · Score: 2, Insightful

      Actually you are wrong. What you are saying has a certain logic to it, that is true, but you just don't have the numbers right.

      1) Botnets are irrelevant. It is just an issue of IP addresses, pure and simple. Whether or not the signup is a zombie or a real person, the number is limited. The REAL issue is if the policy would prevent the signups of legitimate people. That is doubtful since most people tend not to have more than 10 different email accounts at one provider. I would say the *average* is far less than that. Legitimate signups just don't occur that frequently from an IP address that is being used in a normal way.

      2) Remember what I said about linking abused accounts with their signup IP address and then analyzing that information? You could apply that to "throttle" the number of accounts that are created from an IP address period. The behavior of a zombie would stand out over a relatively short period of time.

      3) Let's assume that they can still create 20,000 accounts per day from a single botnet. We can assume further, even with initial throttling present, that 100,000 messages are sent out the first hour. Believe it or not, that is far less than CURRENT numbers. A significant improvement considering that current estimates are in the double digit BILLIONS per day (with estimates as high as 150 billion). Now Microsoft cannot be responsible for all of that of course, but once again limiting their contribution to 2.4 million SPAM messages per day would seem to be an improvement considering the actual numbers here.

      4) The effectiveness of analyzing the behavior of the IP address spaces would be quite high. Over time, you could determine with a high degree of accuracy which IP addresses are currently participating in a Botnet, and which are not. Forward that information to other security research firms which are currently attempting to penetrate and analyze botnets.

      5) Behavior analysis can let you determine which IP addresses need to be throttled more than others. Let's assume that you identified 100 million *confirmed* SPAM messages from those 20,000 accounts within the period of just a week. Of those accounts which do you think would have 99% SPAM in the outbox? More information to act on. Now you can remove those accounts, and then start to add weights to those IP addresses. Now they can only create new accounts at 1/5th the normal rate. Then 1/10th the normal rate, and so on and so forth.

      The real problem here is not whether or not these policies will work, it is the management at Microsoft. They will never spend the resources to implement this.

      Why should they? They KNOW they are so big that mail administrators such as myself just CANNOT AFFORD to blacklist their domains and IP addresses. To do so would be suicide in our business. Considering the amount of SPAM coming from Microsoft, Google, and Yahoo you don't find it suspicious that SpamHaus does not blacklist them?

      There is your problem. We HAVE to accept email from the 3 biggest players PERIOD. The only thing we can do is apply filtering to the message content itself and hope that we are good enough to get the majority of it into your junk mail folder.

      You want something more nefarious? More devious? Think about whether or not Microsoft relies on the number of email accounts it has, and how many signups occur per month, when dealing with its advertising clients? The bottom line at Microsoft, is in part, affected by the current and projected number of email accounts it has. SPAM can actually be helping their bottom line and stock price here, not hurting it.
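The policy EdIII lays out across these two posts (a per-IP cap on new accounts within 24 hours, a send limit that ramps up with account age, a cap on recipients, a minimum spacing between messages, and a per-IP-block weight that shrinks the signup budget to 1/5 and then 1/10 as confirmed abuse accumulates) is concrete enough to sketch as code. The block below is an added example for this page, not anything from the posts or from Microsoft. The 24-hour window, the 100-messages-per-hour ceiling, the 50-contact cap and the 120-second spacing are the posts' own figures; the base signup budget of 10 per block, the initial send limit, the ramp rate, the /24 grouping and the abuse-ratio thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)

# Policy knobs. 24h window, 100/hour ceiling, 50 recipients and 120 s spacing are
# the figures from the posts; the remaining values are assumed for this example.
BASE_SIGNUPS_PER_DAY = 10
INITIAL_HOURLY_SEND = 20
MAX_HOURLY_SEND = 100
RAMP_PER_DAY = 20                  # hourly ceiling grows by this much per day of age
MIN_SEND_INTERVAL = timedelta(seconds=120)
MAX_RECIPIENTS = 50

def ip_block(ip: str) -> str:
    """Key signups by /24 so a botnet spread across one block shares one budget."""
    return ".".join(ip.split(".")[:3])

class SignupThrottle:
    def __init__(self):
        self._signups = defaultdict(deque)   # block -> timestamps of accepted signups
        self._abuse = {}                     # block -> (confirmed_spam, total_messages)

    def record_abuse(self, block: str, confirmed_spam: int, total: int) -> None:
        """Feed investigation results back: how much of a block's mail was confirmed spam."""
        self._abuse[block] = (confirmed_spam, total)

    def weight(self, block: str) -> float:
        """Share of the base signup budget a block keeps: full, then 1/5, then 1/10."""
        spam, total = self._abuse.get(block, (0, 0))
        if total == 0:
            return 1.0
        ratio = spam / total
        if ratio >= 0.9:
            return 0.1
        if ratio >= 0.5:
            return 0.2
        return 1.0

    def allow_signup(self, ip: str, now: datetime) -> bool:
        block = ip_block(ip)
        recent = self._signups[block]
        while recent and now - recent[0] > DAY:      # slide the 24-hour window
            recent.popleft()
        limit = math.floor(BASE_SIGNUPS_PER_DAY * self.weight(block))
        if len(recent) >= limit:
            return False                              # "signups unavailable from this location"
        recent.append(now)
        return True

class Account:
    def __init__(self, created_at: datetime):
        self.created_at = created_at
        self._sent = deque()                          # timestamps of accepted sends

    def hourly_limit(self, now: datetime) -> int:
        """Ramp: a fresh account starts low and earns the full ceiling over days."""
        age_days = (now - self.created_at) // DAY
        return min(MAX_HOURLY_SEND, INITIAL_HOURLY_SEND + RAMP_PER_DAY * age_days)

    def allow_send(self, now: datetime, recipients: list) -> str:
        """Apply the recipient cap, the spacing rule and the sliding hourly limit, in that order."""
        if len(recipients) > MAX_RECIPIENTS:
            return "too-many-recipients"
        if self._sent and now - self._sent[-1] < MIN_SEND_INTERVAL:
            return "too-fast"
        while self._sent and now - self._sent[0] > HOUR:
            self._sent.popleft()
        if len(self._sent) >= self.hourly_limit(now):
            return "hourly-limit"
        self._sent.append(now)
        return "ok"

if __name__ == "__main__":
    t0 = datetime(2008, 10, 1, 12, 0)
    throttle = SignupThrottle()
    accepted = sum(throttle.allow_signup(f"10.0.0.{i}", t0) for i in range(1, 51))
    print(f"signups accepted from 50 attempts in one /24: {accepted}")
    throttle.record_abuse("10.0.0", 95, 100)
    print("budget after a 95% spam report:", math.floor(BASE_SIGNUPS_PER_DAY * throttle.weight("10.0.0")))
```

The /24 grouping makes the NAT objection raised elsewhere in the thread concrete: one carrier NAT or busy office will exhaust a block's budget on legitimate users, which is why the abuse weights are tied to confirmed spam ratios rather than to raw signup volume, and why a deployment would log the refusals and review them rather than treat them as proof of a botnet.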

    17. Re:Key exchange. by houghi · · Score: 3, Funny

      Hello,

      I am a veteran mercenary of the civil war in Nigeria and heard of your problems with spammers. I have worked out a way to solve this. I will just shoot them dead in the head. I will see to it that any financial loss done to you is paid in full in your bank account.

      Please just give me your bank details, social security number and details and I will see that you get your money and I will see that you will not receive any spam from that person again.

      --
      Don't fight for your country, if your country does not fight for you.
    18. Re:Key exchange. by MrNaz · · Score: 2, Funny

      (X) No one will be able to find the guy or collect the money

      Hire good enough PIs, we'll find the guy. And collect all his money too.

      (X) The police will not put up with it

      Get geeky cops to explain it to the rest of them.

      (X) Anyone could anonymously destroy anyone else's career or business

      No, they'd be dead, so their business would be left intact for their next of kin who would now be less inclined to spam.

      (X) Laws expressly prohibiting it

      Just get George Bush to declare a War on Spam.

      (X) Jurisdictional problems

      A *global* War on Spam.

      (X) Feel-good measures do nothing to solve the problem

      Eh? How is a dead spammer not a solution to the problem?

      (X) Killing them that way is not slow and painful enough

      Hire the members of the Russian mafia who *don't* spam to help on that one.

      --
      I hate printers.
  2. Akismet by TheSpoom · · Score: 2, Informative

    Akismet is great for comments and such. Basically, it's a neural net using user submissions to determine whether or not a submission (sent automatically from your site for checking) is spam or not.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  3. Captchas are no longer good enough by AaronLawrence · · Score: 5, Insightful

    It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

    Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

    What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

    If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:Captchas are no longer good enough by Miamicanes · · Score: 5, Interesting

      > I agree all these things are difficult. So what solution do you suggest?

      I personally applied a multi-pronged approach, and my spam problem has been negligible for YEARS.

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers. In theory I could generate the aliases by hand, but I wrote a program that runs on my HTC Touch to generate them for me as necessary. Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      2) I wrote an app to generate time-limited aliases in the form 'myname-yyyymmdd.validation@mydomain.com', but for now it ended up being gross overkill since nobody has ever tried reverse-engineering it so I just automatically accept all incoming mail sent to 'myname-yyyymmdd@mydomain.net' (where 'yyyymmdd' is today's date, or at least a date within the past week or so). But if spammers ever caught on, the generator app goes back up, and the rules get tightened.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY. How brilliantly? On a typical day, procmail chucks, bounces, or otherwise blackholes about 18,000 to 25,000 spam emails addressed to an outright nonexistent address, roughly 8,000-12,000 spams addressed to an alias that fell into spammer hands, and maybe a half-dozen that are in the right form, but have an invalid hashcode (they get sent to another account on the server that I check occasionally). Every few days, I have to spend a couple of minutes adding another blackhole rule to .procmailrc, but I've never really had enough to make it worth my time to actually write an administration program to manage it for me.

      Would this work for Joe Sixpack or Sally Soccermom? Of course not. They have a hard enough time keeping one email address at aol.com straight, let alone generating salty-checksum-validated adhoc aliases unique to everyone who emails them (and every website that extorts their email address, etc). But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail). My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

    2. Re:Captchas are no longer good enough by Miamicanes · · Score: 4, Interesting

      Oh, I forgot to mention... the fundamental reason why everyone who emails me is given a unique generated alias is to protect myself against trojans/worms/malware that might harvest the contents of a trusted friend's addressbook. If it happens (like to my dad 3 times already. Sigh. He's actually the reason I came up with this scheme... he kept getting my addresses harvested and ruining them forever), all I have to do is nuke that one specific alias, and tell that one person to use a different address to reach me at going forward. It's a lot easier to nuke an incoming address used by ONE person, and notify that ONE person if something changes, than it is to notify everyone (including banks, websites, etc) that they need to use a new address to reach you.
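Miamicanes' two posts describe a scheme concrete enough to implement end to end. The block below is an added example written for this page, not the poster's generator app or .procmailrc. Aliases take the form myname-alias.validation@mydomain.com, the 'validation' tag is a truncated HMAC of the salted alias (the secret, the salt recipes keyed on alias patterns, the 12-hex-digit tag length and the one-week window for yyyymmdd aliases are all assumptions), and classify() returns the disposition a procmail rule would apply: bounce the bare address with instructions, blackhole aliases known to have leaked, quarantine well-formed addresses whose tag does not verify, accept the rest.

```python
import hmac
import hashlib
import re
from datetime import date, timedelta

# Constructed for this example: domain, prefix, secret and salt recipes are all
# assumptions, not the poster's actual values.
LOCAL_PREFIX = "myname"
DOMAIN = "mydomain.com"
SECRET = b"example-secret-replace-me"
VALIDATION_LEN = 12                      # hex digits of the MAC kept as the 'validation' tag
DATED_RE = re.compile(r"[0-9]{8}")
# (pattern the whole alias must match, salt mixed in before hashing); first match wins
SALT_RECIPES = [
    (DATED_RE, b"dated:"),                  # time-limited yyyymmdd aliases
    (re.compile(r".*corp"), b"business:"),  # company aliases
    (re.compile(r".*"), b"personal:"),      # everything else
]
ADDRESS_RE = re.compile(
    rf"^{LOCAL_PREFIX}(?:-(?P<alias>[a-z0-9]+)(?:\.(?P<validation>[0-9a-f]+))?)?"
    rf"@{re.escape(DOMAIN)}$"
)

def validation_for(alias: str) -> str:
    """Keyed hash of the salted alias; an HMAC stands in for the poster's hash."""
    for pattern, salt in SALT_RECIPES:
        if pattern.fullmatch(alias):
            mac = hmac.new(SECRET, salt + alias.encode(), hashlib.sha256).hexdigest()
            return mac[:VALIDATION_LEN]
    raise ValueError("no salt recipe matched")   # unreachable: last recipe is a catch-all

def make_alias(alias: str) -> str:
    """Address handed to one correspondent: myname-alias.validation@domain."""
    return f"{LOCAL_PREFIX}-{alias}.{validation_for(alias)}@{DOMAIN}"

def classify(recipient: str, burned: set, today: date = None) -> str:
    """procmail-style disposition for one incoming recipient address."""
    today = today or date.today()
    m = ADDRESS_RE.match(recipient.lower())
    if not m:
        return "reject-nonexistent"            # not one of our address forms at all
    alias, validation = m.group("alias"), m.group("validation")
    if alias is None:
        return "bounce-get-alias"              # bare myname@: bounce with instructions
    if alias in burned:
        return "blackhole"                     # alias already leaked; silently drop
    if DATED_RE.fullmatch(alias):
        try:
            issued = date(int(alias[:4]), int(alias[4:6]), int(alias[6:]))
        except ValueError:
            return "reject-nonexistent"
        if not timedelta(0) <= today - issued <= timedelta(days=7):
            return "reject-stale-date"         # dated alias older than about a week
        if validation is not None and not hmac.compare_digest(validation, validation_for(alias)):
            return "quarantine-bad-hash"
        return "accept"
    if validation is None or not hmac.compare_digest(validation, validation_for(alias)):
        return "quarantine-bad-hash"           # right form, wrong tag: side account to check
    return "accept"

if __name__ == "__main__":
    burned = {"oldshop"}                      # alias that a leaked address book exposed
    for addr in [make_alias("acmecorp"), make_alias("oldshop"), "myname@mydomain.com",
                 "myname-acmecorp.deadbeef@mydomain.com", "bob@mydomain.com"]:
        print(f"{addr}: {classify(addr, burned)}")
```

The keyed hash is what stops a harvested alias from being extended: a spammer who has seen myname-acmecorp.<tag> learns nothing about the tag for myname-othercorp, and dictionary-style guesses against the domain fall into "reject-nonexistent" or "quarantine-bad-hash" without ever reaching the inbox. Burning one leaked alias is the "nuke that one specific alias" step from the follow-up post: add it to `burned` and hand that one correspondent a fresh alias.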

    3. Re:Captchas are no longer good enough by lysergic.acid · · Score: 4, Interesting

      requiring a physical ID for internet accounts is a bad idea.

      i like the reCAPTCHA approach. if spammers want to abuse a reCAPTCHA system, at least they'll be making a positive contribution to society by helping to digitize printed literature. maybe Project Gutenberg or the Google Books Library Project can launch a reCAPTCHA service to put those botnets to good use. if you can't stop them, at least this helps to recover some utility from the problem.

      there's also the issue of CAPTCHA porn and the related phenomena of outsourcing CAPTCHA solutions. as long as there are people willing to solve CAPTCHAs for porn, or money to feed their families, then no reverse turing test will ever be foolproof. so the best thing to do is to exploit this CAPTCHA-solving machinery.

      why not make CAPTCHAs educational? instead of random words or random excerpts from books, make them arithmetic word problems, geometry proofs, SAT analogy questions, stoichiometry equations, spelling quizzes, etc. this way, the CAPTCHA solvers gain an education from their labors instead of just some cheap porn or a couple of bucks a day. and after solving CAPTCHAs for a few years, they'll be educated enough to land a real job and/or afford to pay for better porn.

      this way you turn the spam problem into a way of educating horny teenagers and underprivileged poor in 3rd world countries.

    4. Re:Captchas are no longer good enough by vux984 · · Score: 4, Insightful

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers.

      Ok. So you effectively made the most complicated whitelist imaginable. Except instead of whitelisting your contacts, you've added a layer of indirection and whitelist a code your contacts must send you instead.

      I've seen the same thing implemented many times before by giving each contact a passcode and requiring them to include it in the subject line of all correspondence. I do give you props for embedding it into the address instead of the subject line, as that will let you use it for automated systems, like websites that 'extort' an address, etc.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY.

      Yes, if torpedoing usability was your goal. What happens when you send something to someone and they reply? Do they have to use your unique address to reply? What do you do when you need to write an email address out or give it over the phone? goofball-yourdomain-a23fbf32a4e544303... good times. Or if someone forwards your message to a 3rd person to reply to you...

      My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

      I manage the same with spamassassin, amavisd etc and a couple of custom rules. And my mail server processes some 30,000 messages a day as well, for a business with half a dozen employees. We get maybe 8 or so spam through a day, and less than half a dozen false positives a month. (Most of which are due to other people sending from domains that publish SPF records and then don't follow what they've published...ie their own damned fault.)

      But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail).

      I wouldn't call it elegant. Clever yes, but not elegant.

      Anything sent to 'myname@mydomain.com' automatically bounces with a message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      Do you even score it for spam at all or do you just generate a lot of needless backscatter?

      At the end of the day, I'm not really seeing the advantage of your solution over a moderately sophisticated white-listing + grey-listing solution.
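      The per-contact alias scheme quoted and criticised in this exchange (address form 'myname-alias.validation@mydomain.com', bare address always bounces, one bounce per bad alias, then /dev/null, and revoking a single alias after a contact's address book is harvested), written out as an added example. This is not either poster's code: the poster describes "the hash of the salted alias", and this version uses an HMAC keyed with a server-side secret so the tag cannot be recomputed from issued addresses alone; the key, names and tag length are constructed demo values. The decision strings are this example's own, and the comment on backscatter is the practitioner's caveat, not something the scheme's author said.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment keeps the key out of the script.
SECRET_KEY = b"constructed-demo-secret"
MY_NAME = "myname"
MY_DOMAIN = "mydomain.com"
TAG_LEN = 12  # hex chars of the validation tag kept in the address


def validation_tag(alias: str) -> str:
    """Validation tag for an alias. The poster hashes a salted alias; this
    example (an assumption) keys the hash with SECRET_KEY instead, so seeing
    many issued addresses does not let a third party mint new valid ones."""
    return hmac.new(SECRET_KEY, alias.lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(alias: str) -> str:
    """Address handed to one contact: myname-alias.validation@mydomain.com."""
    return f"{MY_NAME}-{alias.lower()}.{validation_tag(alias)}@{MY_DOMAIN}"


class AliasGate:
    """Classifies the recipient address of an incoming message."""

    def __init__(self):
        self.revoked = set()       # aliases nuked after a contact's address book leaked
        self.bounced_once = set()  # bad aliases that already got the instruction bounce

    def revoke(self, alias: str) -> None:
        """Burn one contact's alias; everyone else's address keeps working."""
        self.revoked.add(alias.lower())

    def classify(self, rcpt: str) -> str:
        local, _, domain = rcpt.lower().rpartition("@")
        if domain != MY_DOMAIN:
            return "not-ours"
        if local == MY_NAME:
            # Bare address: the poster bounces with "get an alias from my website".
            # Caveat: rejecting during the SMTP transaction (5xx before accepting
            # the message) gives the same effect without sending backscatter to
            # forged sender addresses.
            return "bounce-with-instructions"
        name, _, rest = local.partition("-")
        alias, dot, tag = rest.rpartition(".")
        if name != MY_NAME or not dot or not alias or not tag.isascii():
            return "drop"
        if not hmac.compare_digest(tag, validation_tag(alias)):
            # Invalid tag: bounce the first time for this alias, /dev/null after.
            if alias in self.bounced_once:
                return "drop"
            self.bounced_once.add(alias)
            return "bounce-with-instructions"
        if alias in self.revoked:
            return "drop"
        return "deliver"


if __name__ == "__main__":
    gate = AliasGate()
    acme = make_alias("acme")
    print(acme, "->", gate.classify(acme))
    print("myname@mydomain.com ->", gate.classify("myname@mydomain.com"))
    bad = f"myname-acme.{'0' * TAG_LEN}@mydomain.com"
    print(bad, "->", gate.classify(bad), "then", gate.classify(bad))
    gate.revoke("acme")
    print(acme, "after revoke ->", gate.classify(acme))
```

      The validation tag is what makes this more than a whitelist of codes: a spammer who harvests one contact's address gets exactly one working alias, and revoking it costs nothing for the other contacts. The backscatter objection stands, which is why the comment suggests rejecting at SMTP time rather than accepting and bouncing.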

    5. Re:Captchas are no longer good enough by RareButSeriousSideEf · · Score: 3, Interesting

      That's a good start, but I'm not convinced that simple automation is dead here. This doesn't seem that difficult to me. I've put up live forms that have invalidated 100% of bot submissions, even without CAPTCHA. Granted, impressions are only in the tens of thousands, but still, *combined* with CAPTCHA, a few simple principles ought to suffice, even against concerted, distributed attacks:

      0) Obviously, limit submission attempts per session to a humanly achievable rate. Sticky session IDs can be packed into hidden form fields, query strings, cookies, etc.

      1) Anything that's worth guarding with a CAPTCHA should require a modern browser (CSS, cookies, javascript, DHTML). In my experience, over half of attempts can be weeded out by using a segregated approach with cookies: user submits -> set some server-encrypted cookie value -> modify value in client-side js -> repost in client-side js -> inspect during next http post.

      2) You can still provide accessibility accommodations; just make sure *all* form submissions have frequency limitations that increase in severity with every failed attempt in a single session. What you can't do in cookies or js can still be done in hidden form fields and query string params. For a surprising majority of submissions (i.e. modern browsers or bots trying to imitate them), the simple requirement of a compliant js VM to modify form/cookie/querystring variables before submitting rules out bots right away.

      3) For the modern browser version of the form, add numerous honeypot fields; use modern browser techniques to hide them by overlaying them. Make the overlaying element distant from the real one in the DOM tree, and/or add the real element (or all of them, or half of them, or a random assortment) using DHTML.

      4) Randomize the IDs & DOM location of both real and honeypot inputs (store a distinguishing hash code or the like in a hidden form field, cookie, or on the query string).

      5) Include hidden honeypot CAPTCHA images as well. Observe step 4 here. Also, use large images containing multiple CAPTCHA phrases, and use CSS to crop the image.

      6) Vary the obfuscation techniques used in CAPTCHAs, e.g., sometimes fuzzy match on "name the object in the picture" (duck, DUCK, Duck, goose, swan, bird ok, everything else fails), or sometimes use animated gifs and display the challenge progressively instead of in a single frame, or sometimes ask the question in the image and put the answer right there with it! (Cheesy, but that one alone takes most current bots out of the running.)

      7) Values in hidden honeypot fields are almost certainly from bots. Ditto for correctly decoded honeypot CAPTCHAs. Log this fact, and record it in a required cookie or hidden form field.

      Yes, this is security by obscurity, and it's technically far from foolproof. Still, I would venture that a combination of techniques like this would bring the vast majority of bots' success rates well below the usability threshold. It's not hard to add complexity to a system like this, either. Nor is it hard to accumulate increasingly useful clues as to whether a submission is likely to be human or not.

      I need to shut up now; this simple rant is more than enough for a software patent nowadays. Speaking of which, if anyone wants to codify this "method and system of Turing challenge obfuscation," I hereby release the above description under the licensee's choice of either the BSD license, or the "do what the fuck you want" license. Cheers.
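      The server side of principles 0, 1, 2, 4 and 7 above, as an added example that is not the poster's code: a server-issued cookie token that the page's script must transform before reposting, per-session randomized input names so the server can tell real fields from honeypots without storing a mapping, an escalating minimum interval between attempts, and logging of every bot signal as a failed attempt. The HMAC-derived names, the choice of "sha256 of the nonce" as the client-side transform, and the two-second base interval are this example's assumptions; the token format is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demo; the key would live in server configuration.
SERVER_KEY = b"constructed-demo-key"
REAL_FIELDS = ("email", "message")
HONEYPOT_COUNT = 3
BASE_INTERVAL = 2.0  # seconds a human plausibly needs between attempts (assumption)


def _derive(scope: str, label: str) -> str:
    """Short keyed digest used for field names and token MACs."""
    return hmac.new(SERVER_KEY, f"{scope}:{label}".encode(), hashlib.sha256).hexdigest()[:12]


def field_names(session_id: str):
    """Principle 4: input names are randomized per session and derived from the
    session id carried in a hidden field, so real and honeypot inputs can be
    recomputed on every request instead of stored."""
    real = {f: "f_" + _derive(session_id, "real:" + f) for f in REAL_FIELDS}
    honeypots = ["f_" + _derive(session_id, f"hp:{i}") for i in range(HONEYPOT_COUNT)]
    return real, honeypots


def issue_token() -> str:
    """Principle 1: server-set cookie value (nonce plus MAC so it cannot be
    forged); the page's JavaScript is expected to transform it before reposting."""
    nonce = secrets.token_hex(8)
    return nonce + "." + _derive("token", nonce)


def expected_client_value(token: str) -> str:
    """What a compliant JS VM is expected to compute (assumption: sha256 of the nonce)."""
    return hashlib.sha256(token.partition(".")[0].encode()).hexdigest()


def verify_token(token: str, client_value: str) -> bool:
    nonce, dot, mac = token.partition(".")
    if not dot or not isinstance(client_value, str) or not client_value.isascii():
        return False
    mac_ok = hmac.compare_digest(mac, _derive("token", nonce))
    transformed_ok = hmac.compare_digest(client_value, expected_client_value(token))
    return mac_ok and transformed_ok


class SessionState:
    """Per-session counters; principle 2: the limit tightens with every failure."""

    def __init__(self):
        self.failures = 0
        self.last_attempt = None

    def min_interval(self) -> float:
        return BASE_INTERVAL * (2 ** self.failures)  # 2s, 4s, 8s, ...


def evaluate(session_id, state, form, token, client_value, now):
    """Return (accepted, reasons). Every reason is a bot signal worth logging
    (principle 7) and counts as a failed attempt for the rate limit (principle 0)."""
    reasons = []
    if state.last_attempt is not None and now - state.last_attempt < state.min_interval():
        reasons.append("submitted faster than min interval")
    real, honeypots = field_names(session_id)
    if any(form.get(h) for h in honeypots):
        reasons.append("honeypot field filled")
    if not verify_token(token, client_value):
        reasons.append("cookie token missing client-side transform")
    if not all(form.get(real[f]) for f in REAL_FIELDS):
        reasons.append("required field empty")
    state.last_attempt = now
    if reasons:
        state.failures += 1
    return (not reasons, reasons)


if __name__ == "__main__":
    sid = "sess-demo"
    real, hps = field_names(sid)
    tok = issue_token()
    human = {real["email"]: "a@b.example", real["message"]: "hello"}
    print("human:", evaluate(sid, SessionState(), human, tok, expected_client_value(tok), 0.0))
    bot = dict(human, **{hps[0]: "filled by a form-filler"})
    print("bot:  ", evaluate(sid, SessionState(), bot, tok, "", 0.0))
```

      The honeypot and token checks are independent signals, so a submitter that clears one still trips the other, and each failure doubles the wait before the next attempt is even considered. As the poster says, none of this is foolproof; it raises the cost of automation rather than ruling it out.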

    6. Re:Captchas are no longer good enough by Miamicanes · · Score: 2, Informative

      >What happens when you send something to someone and they reply? Do they have to use your unique address to reply?

      Yep. There's even a nice extension for Thunderbird ("Virtual Identity") that lets me send outgoing email with arbitrary return addresses (so if I'M the one initiating contact, I just generate the alias I want them to use to reply to me and use it as the return address so they can just hit 'reply'). Even better, Virtual Identity keeps track of what alias goes with what sender/recipient, so the NEXT time I go to send email to that person, Virtual Identity recognizes their email address and automatically changes the "reply-to" address to the adhoc alias I used the first time I sent email to them.

      > What do you do when you need write an email address out or give it over the phone?
      > goofball-yourdomain-a23fbf32a4e544303... good times.

      Compared to the fun I have getting them to spell the domain name (Americanized spelling of Ukrainian-Slovak-ish last name), it's really not a problem. I DO, however, have occasional problems with stupid websites that try to be too clever and filter out what THEY think are invalid characters for an email address. Nine times out of 10, it's a javascript validation script with braindamaged regex, and all I have to do to get past it is use Firebug to comment-out their wolf-calling sanity-checker and let it through to the server. Back when I ran my own mail server using Mercury for Win32, ITS primitive adhoc-alias support gave me lots of website grief, because IT used "+" instead of "-" to indicate the division between username and alias, and lots of stupid form-handling code treated "+" as if it were an HTML-encoded space character at the server end.

      > Or if someone forwards your message to a 3rd person to reply to you...

      In which case I now have two people using the alias to reach me, not one. It's still a vast improvement over having one address you have to guard with your life, and still accept the fact that SOMEONE is eventually going to get their addressbook harvested and compromise it anyway.

      The nice thing about my strategy, vs SpamAssassin and Bayesian strategies, is that as long as the sender gets the alias right, there's ZERO risk of a legit message getting spam-trapped. A tiny bit of extra work to set up that first email contact, but reliable communication every single time thereafter.

    7. Re:Captchas are no longer good enough by ralphdaugherty · · Score: 2, Informative

      Good work in TFA documenting an attack. A critical piece is that the CAPTCHA image is sent off and an encrypted answer of eight letters returns in an average of six seconds.

      Most replies in all of these CAPTCHA /. threads assume the image is being decoded by computer (i.e., OCR), therefore suggest supposedly harder tests for a computer to solve as a solution (although most suggestions are actually easier).

      There is a possibility of that going on, but more likely the images are being transmitted to humans to decode. I don't know for sure, but I've never seen one post ever that gave any good indication it was OCR being used, and plenty of known situations where humans are decoding it.

      So for the case where OCR is actually being used, some of the characters in each image need to physically overlap to break OCR. But if humans are decoding, then obviously they can do what we can do, so just overlap the CAPTCHA characters to make OCR impossible and forget about all the other exotic suggestions.

      In the case of phpBB (forum software I use), the CAPTCHAs don't overlap but the image is displayed embedded in the web page via CSS (as far as I can tell) so the whole page would have to be transmitted back for decoding versus an image file as from Hotmail's process. Not that that solves anything, but at least make it that much harder to transmit and decode the CAPTCHA.

      If there is a service that anyone can abuse based on nothing more than ability to read some letters from an image, then everyone else needs to protect themselves from that abusive service. One possibility is blacklisting the domain and only allowing whitelisted addresses from it. But I use Postini and it traps most spam without anything special going on with hotmail. If it's spam it gets trapped and if it's good it comes through to me.

      But hotmail could do a few things to keep from being blacklisted. One would be to require a confirmation from another email address, a different one for each hotmail account, to enable the hotmail registration with info such as a code provided with the registration required to be typed into the body of the reply email. Three failures or a timeout would delete the registration.

      I also would suggest a controversial but effective strategy. I would allow for a whitelist of worldwide ISP domains that have identifiable customers. Other services similar to hotmail such as gmail wouldn't be on that list. I would allow email only from registrants who confirmed from a whitelisted domain to be sent from hotmail to any address. Others would only be allowed to send email to addresses for domains within their own regional internet registries.

      This of course does not address spam overall as a problem, just spam emanating from hotmail accounts.

      Speaking of which, I see the usual about most spam coming from the US. Yes, it may, but if it does it's because US PCs were owned by Eurasian botmasters and the spam is controlled by them.

      In my experience with my small phpBB forum, by a huge amount most attacks come from Eurasia. It's those attacks that take over PCs, and it's taken over PCs that send out spam. Looking at the source of the spam from an IP address perspective isn't the answer. You would need to look at where the botmasters are to say where spam comes from.

        rd

  4. reCAPTCHA by yincrash · · Score: 4, Insightful

    from the dude who coined CAPTCHA, comes reCAPTCHA. using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!

    http://recaptcha.net/

  5. Captchas that humans can read, perhaps? by Behrooz · · Score: 5, Insightful

    Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

    In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

    It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Captchas that humans can read, perhaps? by feepness · · Score: 5, Insightful

      Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

      That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the captcha repeatedly.

  6. Re:Dupe by denmarkw00t · · Score: 3, Funny

    Wouldn't that stop a lot of dupes?

    Yes, but the editors would work out a system to get around this - actually, I read a story on /. about CAPTCHAs that's along the same lines as what you're talking about.

  7. The CAPTCHA isn't dead yet. by Fantastic+Lad · · Score: 4, Informative

    When going through the step-by-step in the article, (which is pretty awesome, btw), it appears that there is no character recognition being employed, but rather the security is being defeated by a fairly hacky work-around.

    Hacky work-arounds can be defeated simply by programming smarter, (less sloppily?). There's no graphic-reading AI involved, which means the basic fundamentals of the CAPTCHA system remain sound.

    While I find CAPTCHAs a little annoying when signing up for stuff, I recognize their necessity and actually kind of grin while doing them, thinking, "Hh ha! Look at this monkey, all smarter than a dumb computer. This must be frustrating for spammers. Ho ho!"

    -FL

  8. Re:Saw on ubuntu forums and other sites by WK2 · · Score: 2, Insightful

    The main problem with those is that there are only so many questions you can ask. The spammer just needs a database with all of them, or just a significant portion. As for the simple math, that can easily be parsed and calculated.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  9. Re:Saw on ubuntu forums and other sites by ozphx · · Score: 2, Funny

    Good call. You can type in the first thousand questions, and anyone that agrees with you can add another thousand.

    --
    3laws: No freebies, no backsies, GTFO.
  10. Re:Saw on ubuntu forums and other sites by Asmor · · Score: 2, Interesting

    Better yet, how about a combination of image recognition and random questions?

    E.g. you're shown a randomly-generated picture with a duck, a chicken, a skunk, and a dog, and background noise. You're asked to click the duck. If you correctly click in the general area of the duck, you're verified.

    Probably not the best example, since you'd have a reasonable success rate just for guessing, but it seems like a solid concept.

  11. Re:Saw on ubuntu forums and other sites by zobier · · Score: 5, Insightful

    Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

    1. Set up a site with something people want.
    2. When they come to the site your server goes to the target site*.
    3. The target site gives your server a CAPTCHA.
    4. Your server gives the punter the CAPTCHA.
    5. Punter tries to solve CAPTCHA.
    6. Server passes response to target.
    7. Profit!

    *via proxies or bot net to avoid IP blacklisting.

    --
    Me lost me cookie at the disco.
  12. A revised CAPTCHA? by Panaqqa · · Score: 4, Interesting

    I had played with this idea a bit a few months back and came up with an idea I think could work - but only ever got around to coding the most basic example of it. For those on /. who are interested, find it here. Each reload will produce the image of a new challenge.

    In a closer to final version I had envisioned instructions in multiple fonts and colors involving shapes, letters, etc., and much more flexibility.

    In the example I've shown above, pure random clicking will produce a correct response to the challenge 1 time in 30 approximately. So - make them solve three in a row and there you are - 1 chance in 27,000.

    1. Re:A revised CAPTCHA? by clickety6 · · Score: 2, Interesting

      How about a randomly generated grid of say 5 x 5 icons of different everyday objects (also randomly selected to display in the grid from a database of 1000s of icons) and a question that says click the following sequence.... cat/kettle/cloud

      To get it right, you'd need some good image recognition that can recognise a wide variety of objects, and to prevent random clicking attacks, make the list longer...

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  13. The article is almost 6 months old. by asserted · · Score: 3, Informative

    "04.10.2008 - 10:54 AM" - April 10th.

    this is the article mentioned in the original "Hotmail CAPTCHA sucks" slashdot post.

  14. Re:Sales or support by lysergic.acid · · Score: 3, Funny

    easy, you just need to encrypt the first key with a second key. surely, there's no way for a spammer to get a hold of all 3 pieces of vital info now needed to send an e-mail.

    but if by some off chance spammers manage to get a hold of all 3 pieces of info (because users have to give out these keys just as they would an e-mail address), we'll just add another key to the system, and another...

    we'll all need to get bigger business cards.

  15. Interactive? by supernova_hq · · Score: 2, Interesting

    How about something interactive?

    Use some javascript/css/etc to make a box where, depending on the position of your mouse in the box, little images/icons/whatever move around in the box till they overlap and create a bigger picture, then send the mouse position (x,y) to an AJAX server and have it validated.

  16. I wonder about a time delay for E-mail out by mlts · · Score: 2, Interesting

    This won't be a be-all and end-all to spam, but maybe for new accounts that are freshly created, have an escalating delay for each message sent out? This would go away after some certain rules are matched (date of account creation.)

    One can add and subtract modifiers. For example, multiple E-mails sent out to many recipients will have a longer delay than messages sent to the same person, a longer delay if the outgoing content is flagged spam through a heuristic filter, etc.

    This by no means would stop spam, but a delay of 10-15 seconds won't affect users much, and will definitely put a crimp on spammers.

  17. Lycos has the solution by Ofenza · · Score: 4, Funny

    They should use Lycos' CAPTCHA. It was pretty effective with me. http://img255.imageshack.us/img255/9947/picture3ga6.png

  18. Where do I sign up? by Nimey · · Score: 4, Funny

    I will provide my own rifle, bullets, and bayonet.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  19. Re:Captcha: Thirteen = 4 + ? Ask questions?? by Ash-Fox · · Score: 2, Insightful

    Where I am currently:

    What color is the sky?

    Gray.

    What color is the sun?

    White.

    What is seven plus three?

    seventhree

    What common pet barks?

    a canine pet.

    What animal meows?

    A feline.

    What animal does milk come from?

    All of them?

    Your comment has too few characters per line (currently 7.3).

    --
    Change is certain; progress is not obligatory.
  20. Artificial Intelligence by not-my-real-name · · Score: 2, Funny

    I've been wondering if the arms race between spammers and people trying to stop them may be what eventually leads to a true artificial intelligence.

    Consider: We want to distinguish between a machine and a human (presumably intelligent). The spammers are motivated to make their machines act more and more intelligent. We also want to distinguish between valid, meaningful messages and spam.

    So, on both fronts there is pressure to increase the intelligence of the machine.

    Ultimately, there will be one set of AIs sending messages to another set of AIs offering to improve body parts that the AIs don't have.

    --
    un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED