Slashdot Mirror


Spammers Targeting Microsoft's Revised CAPTCHA

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"

8 of 303 comments

  1. Captchas are no longer good enough by AaronLawrence · · Score: 5, Insightful

    It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

    Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

    What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

    If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:Captchas are no longer good enough by Miamicanes · · Score: 5, Interesting

      > I agree all these things are difficult. So what solution do you suggest?

      I personally applied a multi-pronged approach, and my spam problem has been negligible for YEARS.

      1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers. In theory I could generate the aliases by hand, but I wrote a program that runs on my HTC Touch to generate them for me as necessary. Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

      2) I wrote an app to generate time-limited aliases in the form 'myname-yyyymmdd.validation@mydomain.com', but for now it ended up being gross overkill since nobody has ever tried reverse-engineering it so I just automatically accept all incoming mail sent to 'myname-yyyymmdd@mydomain.net' (where 'yyyymmdd' is today's date, or at least a date within the past week or so). But if spammers ever caught on, the generator app goes back up, and the rules get tightened.

      Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY. How brilliantly? On a typical day, procmail chucks, bounces, or otherwise blackholes about 18,000 to 25,000 spam emails addressed to an outright nonexistent address, roughly 8,000-12,000 spams addressed to an alias that fell into spammer hands, and maybe a half-dozen that are in the right form, but have an invalid hashcode (they get sent to another account on the server that I check occasionally). Every few days, I have to spend a couple of minutes adding another blackhole rule to .procmailrc, but I've never really had enough to make it worth my time to actually write an administration program to manage it for me.

      Would this work for Joe Sixpack or Sally Soccermom? Of course not. They have a hard enough time keeping one email address at aol.com straight, let alone generating salty-checksum-validated ad hoc aliases unique to everyone who emails them (and every website that extorts their email address, etc). But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail). My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.
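      The alias scheme described in the comment above (a per-correspondent alias carrying a salted hash "validation" tag, plus date-stamped aliases accepted within a short window, with leaked aliases added to a blackhole list) as an added, self-contained example; this is not Miamicanes' code and not the Procmail rules the comment mentions. It assumes HMAC-SHA256 as the salted hash, a placeholder secret, the constructed domain example.com, and it quarantines well-formed addresses with a bad tag rather than implementing the bounce-once-then-drop behaviour.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed placeholder salt: the real value lives only on the mail server.
SECRET = b"constructed-placeholder-salt-change-me"
DOMAIN = "example.com"        # constructed; stands in for mydomain.com
USER = "myname"
TAG_LEN = 12                  # hex digits of the truncated MAC kept in the address
WINDOW_DAYS = 7               # how long a dated alias stays accepted without a tag
REVOKED = {"leaked-shop"}     # aliases that fell into spammer hands (the blackhole rules)


def make_tag(alias):
    """Validation tag: HMAC-SHA256 of the alias under the private salt, truncated."""
    mac = hmac.new(SECRET, alias.lower().encode(), hashlib.sha256).hexdigest()
    return mac[:TAG_LEN]


def make_alias(alias):
    """Address handed to one correspondent, e.g. myname-acme.<tag>@example.com."""
    return f"{USER}-{alias}.{make_tag(alias)}@{DOMAIN}"


def make_dated_alias(day):
    """Time-limited alias for one day: myname-yyyymmdd.<tag>@example.com."""
    return make_alias(day.strftime("%Y%m%d"))


def _is_recent_date(alias, today):
    """True if alias is a yyyymmdd date no older than WINDOW_DAYS and not in the future."""
    try:
        d = datetime.strptime(alias, "%Y%m%d").date()
    except ValueError:
        return False
    return 0 <= (today - d).days <= WINDOW_DAYS


def classify(address, today=None):
    """Decide what the delivery agent does with mail to `address`.

    Returns 'deliver', 'bounce' (bare address: reply with alias instructions),
    'quarantine' (right shape, wrong tag: checked occasionally) or 'blackhole'.
    """
    today = today or date.today()
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN:
        return "blackhole"            # not one of our addresses at all
    if local == USER:
        return "bounce"               # bare address: tell the sender to fetch an alias
    if not local.startswith(USER + "-"):
        return "blackhole"            # outright nonexistent address
    rest = local[len(USER) + 1:]
    alias, dot, tag = rest.rpartition(".")
    if not dot:                       # no validation part at all
        alias, tag = rest, ""
    if alias in REVOKED:
        return "blackhole"            # alias known to be in spammer hands
    if _is_recent_date(alias, today):
        return "deliver"              # relaxed dated-alias rule: tag not required
    if tag and hmac.compare_digest(tag, make_tag(alias)):
        return "deliver"              # constant-time tag check
    return "quarantine"


if __name__ == "__main__":
    today = date(2008, 1, 15)
    samples = [                       # constructed sample addresses
        make_alias("acme"),
        "myname-acme." + make_tag("someone-else") + "@example.com",
        "myname@example.com",
        "random-user@example.com",
        "myname-20080110@example.com",
        "myname-20071201@example.com",
        make_alias("leaked-shop"),
    ]
    for s in samples:
        print(f"{classify(s, today):11s} {s}")
```

      The tag is keyed (HMAC) rather than a plain hash of alias plus salt so that a spammer who learns several valid aliases still cannot forge a tag for a new one, and `hmac.compare_digest` keeps the check constant-time. The window check for dated aliases rejects dates in the future as well as stale ones.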

  2. Re:Key exchange. by TheSpoom · · Score: 5, Funny

    Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (X) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (X) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    (X) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (X) Armies of worm riddled broadband-connected Windows boxes
    (X) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    (X) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (X) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  3. Re:Key exchange. by AaronLawrence · · Score: 5, Insightful

    That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

    The likely reality is that someone will have to pay or be inconvenienced to solve spam.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  4. Captchas that humans can read, perhaps? by Behrooz · · Score: 5, Insightful

    Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

    In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

    It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    1. Re:Captchas that humans can read, perhaps? by feepness · · Score: 5, Insightful

      Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

      That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the captcha repeatedly.

  5. Re:Key exchange. by MrNaz · · Score: 5, Funny

    Personally I think the form would be fine if you just took off the vigilante box. Spam can be solved by a few guys with a list of names, free air travel for a month and a box of bullets.

    --
    I hate printers.
  6. Re:Saw on ubuntu forums and other sites by zobier · · Score: 5, Insightful

    Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

    1. Set up a site with something people want.
    2. When they come to the site your server goes to the target site*.
    3. The target site gives your server a CAPTCHA.
    4. Your server gives the punter the CAPTCHA.
    5. Punter tries to solve CAPTCHA.
    6. Server passes response to target.
    7. Profit!

    *via proxies or bot net to avoid IP blacklisting.

    --
    Me lost me cookie at the disco.