Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Understanding How CAPTCHA Is Broken

CmdrTaco posted more than 6 years ago | from the stuff-to-think-about dept.

148

An anonymous reader writes "Websense Security Labs explains the spammer Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."

cancel ×

148 comments

Sorry! There are no comments related to the filter you selected.

Really? (5, Funny)

Nimloth (704789) | more than 6 years ago | (#23445806)

"It is evident that spammers are working towards defeating anti-spam filters with their tactics."
Sounds like news to me!

Re:Really? (0)

Hojima (1228978) | more than 6 years ago | (#23445994)

It's how the spammers are doing it that makes the news. I don't see why companies like yahoo just use a verification system that requires your correct first and last name with your corresponding SSN or some other permanent ID number. Then the user can have the option of changing their account name. Can anyone tell me why they haven't done this, because they obviously can.

Re:Really? (4, Insightful)

SUB7IME (604466) | more than 6 years ago | (#23446068)

Because people like me would never, ever use their service under those conditions?

Re:Really? (1)

Hojima (1228978) | more than 6 years ago | (#23446396)

I never said you'd be forced to input your data, I was thinking more along the lines of what davidwr replied. It's a method you can use to filter out spam. Also, its not impossible to keep your personal information secret. My guess is you're worried about the government knowing what you're doing, but your IP address gives you away anyways.

Re:Really? (3, Insightful)

SUB7IME (604466) | more than 6 years ago | (#23447058)

No, I'm worried about a world in which I have to divulge my social security number to private corporations online to partake in services that should never require such information.

Would I give a bank my SS#? Sure.
Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.

A more practical approach - 3 grades of service (5, Interesting)

davidwr (791652) | more than 6 years ago | (#23446160)

I'd prefer 2, or better yet, 3 grades of service:

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else

On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.

The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.

Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....

Re:A more practical approach - 3 grades of service (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23446348)

* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
This is a good idea, since spammers and other criminals don't have access to a large number of credit card numbers.

Re:Really? (1)

mstahl (701501) | more than 6 years ago | (#23447008)

because they obviously can

. . . and if Yahoo and Google can match first/last names to SSNs then so can spammers.

Re:Really? (4, Funny)

Anonymous Coward | more than 6 years ago | (#23447056)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Really? (1)

debatem1 (1087307) | more than 6 years ago | (#23447586)

I'll be using this in the future.

Re:Really? (1)

Hojima (1228978) | more than 6 years ago | (#23449150)

Once again I suggested it as a filtering method, not everyone will be required to do it. It's simple, if someone is fully registered, there's a smaller chance that they are spammers. Now as for identity theft, allow me to direct you to this page: http://www.freeidentityprotect.com/premium.php?gclid=CJPbxZrhrpMCFRYesgodpn1dow [freeidentityprotect.com] (and by the way there are tons more, and many for free, if you just Google it)

Re:Really? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23448028)

Perhaps Websense could start up their own form of CAPTCHA - white text on white background... After all, their site is VIRTUALLY there...
God, how I hate these Web 2.0 retards who have to copy every other shite looking site on the internet, because it 'looks good' - what a shame they have never heard of the word CONTRAST. Arrogant wankers.

Page design (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23445820)

Whose bright idea was it to use light grey text on a white background?

Re:Page design (3, Informative)

tepples (727027) | more than 6 years ago | (#23445838)

Whose bright idea was it to use light grey text on a white background?
At least the page is easier to read than several common CAPTCHAs that shut out blind people. You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor.

Re:Page design (0)

Anonymous Coward | more than 6 years ago | (#23448262)

"You could try changing the black level on your monitor, installing a custom style sheet, or just copying the text to a text editor."

Asshole. Your first sentence - never heard of 'two wrongs don't make a right'?
Secondly - why don't Websense just hire a COMPETENT web designer who has heard of CONTRAST, and isn't a Web 2.0 parrot?
I am SICK of low contrast, grey text on white background asshole sites. So are MOST people, but these little dictators never bother to ask their CUSTOMERS what THEY want...

Re:Page design (4, Funny)

Mr. Picklesworth (931427) | more than 6 years ago | (#23446544)

It's an anti-copying measure, of course! Way more effective than those useless Javascripted right-click blockers. When a person copies the text into Word, he won't be able to read it... and then he will be confused and give up!

Pure genius. Even cleverer than those blacked out PDFs...

Re:Page design (1, Funny)

Anonymous Coward | more than 6 years ago | (#23446672)

Whose bright idea was it to use light grey text on a white background?

You're not missing much anyway, that article was so poorly written, I found myself cheering for the spammers by the time it was through.

I guess I've gotten used to it (4, Interesting)

Mordok-DestroyerOfWo (1000167) | more than 6 years ago | (#23445832)

Normally when I get spam I just delete it, by using trashmail [mozilla.org] and being somewhat safe about my browsing habits I've found that I only get one or two per week. However recently I've been getting spam through SMS on my phone and that's what I find really infuriating. Granted it is technically just another email, but the fact that I'm paying for this service is what really grinds my gears.

Re:I guess I've gotten used to it (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23446260)

You are PAYING to RECEIVE SMS?

What's to say that your phone company isn't paying people to send SMS to all their users?

Re:I guess I've gotten used to it (1, Informative)

Anonymous Coward | more than 6 years ago | (#23446328)

Most people pay $.10 per message, incoming or outgoing.

Re:I guess I've gotten used to it (5, Informative)

PontifexPrimus (576159) | more than 6 years ago | (#23446390)

Most Americans pay $.10 per message, incoming or outgoing.
There, fixed that for you. It's quite unheard of here in Germany.

Re:I guess I've gotten used to it (3, Insightful)

Fred_A (10934) | more than 6 years ago | (#23446436)

Most Americans pay $.10 per message, incoming or outgoing.
There, fixed that for you. It's quite unheard of here in Germany.
Or in any country with a mature wireless industry for that matter.

Re:I guess I've gotten used to it (3, Funny)

Nushio (951488) | more than 6 years ago | (#23446496)

Or in any country with a mature wireless industry for that matter.

Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)

Re:I guess I've gotten used to it (0)

Anonymous Coward | more than 6 years ago | (#23446932)

Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)

That logic is akin to: "There are lizards in Mexico. I am in Mexico. Therefore, I am a lizard."

Re:I guess I've gotten used to it (3, Insightful)

dargaud (518470) | more than 6 years ago | (#23446978)

As far as I know, the US is the only country where the SMS receiver pays up, which seems absurd to anybody else. Anyone cares to enlighten me as to the reason for that ?!?

Re:I guess I've gotten used to it (1)

Tony Hoyle (11698) | more than 6 years ago | (#23447502)

Hell, in a lot of countries now it's you don't even pay to send it on most packages.

Re:I guess I've gotten used to it (0)

Anonymous Coward | more than 6 years ago | (#23447874)

Probably because there aren't any termination fees between carriers, but I don't know for sure.

Here in NZ, we pay NZ$0.20 per SMS sent, and there is no fee to receive. However, there is a termination fee charged between carriers.

This is used to justify high fees to their application service providers, forcing them to have connections to each carrier to avoid the termination charges.

Re:I guess I've gotten used to it (1)

carnalforge (1207648) | more than 6 years ago | (#23446838)

Indeed, i've been in a lot of european countries and usually i get a local sim for not spending much for calling. And in none of the the countries i've been was supposed to pay for recieving sms's

Re:I guess I've gotten used to it (1)

jargon82 (996613) | more than 6 years ago | (#23446848)

None of the Americans I know pay to recieve SMS. To send though, yes.

Re:I guess I've gotten used to it (1)

steveg (55825) | more than 6 years ago | (#23447562)

I set up the server to send me a message when there were certain problems with a peripheral.

Then campus IT shut down the network for a day, which caused problems with that peripheral. The *next* day I get about 300 messages, once the network came back online. That cost me about $30 to *receive* those messages.

This is in California, which, despite what some people may think, is definitely in the US. True, it was one of those fly-by-night wireless companies (called Cingular...)

Re:I guess I've gotten used to it (1)

charlieman (972526) | more than 6 years ago | (#23446864)

Most USIANS pay $.10 per message, incoming or outgoing.
There, fixed that for you. It's quite unheard of here in Germany.
Fixed the fix, since in most countries in America, it's also unheard of.

Re:I guess I've gotten used to it (1)

Yvan256 (722131) | more than 6 years ago | (#23446654)

I've never seen an charge on my phone bill for the SMS I receive. I'm in Canada.

Re:I guess I've gotten used to it (0)

Anonymous Coward | more than 6 years ago | (#23446420)

I had that same problem I asked my cell phone provider what I could do about it. Basicly it came down to the only option, if you don't open them you don't get charged... So try and see if you can see who the SMS is from or what the subject line is before opening.

Re:I guess I've gotten used to it (3, Informative)

LeRandy (937290) | more than 6 years ago | (#23446494)

Sounds like bullshit to me.

a. No SMS has a subject line, it is a "Short Message Service" (max 160 chars)

b. How the hell does the network know whether you have opened the message or not -- either it has been sent to your phone, or it has not. Any other way, and people would be publishing "free-SMS" hacks for phones.

Re:I guess I've gotten used to it (1)

police inkblotter (1228830) | more than 6 years ago | (#23446560)

That depends on the phone. I know for the Razr it is a tried and true method if you have gone past your data allowance (my girlfriend has a small allotment of SMS allowed, and the razr shows a preview of most of the message without opening it, I'm guessing the act of opening is sent back to the CO or whatever). Luckily I have unlimited data on my Blackberry :)

This is a job for...TinySMS ! (1)

justthinkit (954982) | more than 6 years ago | (#23447488)

(1) Create TinySMS.com
(2) People type in their message and are given a helpful TinySMS string like &Ee*3#9-! to text to their SO, cleverly avoiding the cost of receiving an SMS by just recording the preview string
(3) People smash their phones trying to text strings like "&Ee*3#9-!" until they realize it isn't possible
(4) TinySMS ends up selling the unread text messages to the highest bidder
(5) E! buys an unread TinySMS and learns of Britney's latest accident 12 minutes sooner
(6) ...For If When Do loop While...
(7) Profit!

Wrong title (5, Informative)

RiotingPacifist (1228016) | more than 6 years ago | (#23445844)

The article describes how the spammers are using their new found accounts, nothing to do with CAPTCHAs other than they had to (either automatically or manually) break them to get the accounts.

Im surprised they're not using them to break the spam filter of yahoo/hotmail/gmail though, I mean if they all started sending each other spam and marketing it as ham, wouldn't that pretty much break any feedback based system that their using to protect their users.

Re:Wrong title (5, Informative)

nbert (785663) | more than 6 years ago | (#23445992)

"Understanding How CAPTCHA Is Broken" is catchier than "Anti-Captcha and spamming strategy well explained!", guess that's why this article was chosen. The article's summary itself shows that it's not mainly about CAPTCHAs, otherwise fast-flux wouldn't show up there.

Re:Wrong title (1)

stephanruby (542433) | more than 6 years ago | (#23446706)

Im surprised they're not using them to break the spam filter of yahoo/hotmail/gmail though, I mean if they all started sending each other spam and marketing it as ham, wouldn't that pretty much break any feedback based system that their using to protect their users.
Wouldn't collaborative baysian [paulgraham.com] filtering mitigate that problem? The preferences of people who actually enjoy receiving spam would be combined with the preference of other similar-minded individuals. So then the people who like spam get their spam and the people who do not -- don't.

Sometimes It Comes as an Easy Fix (5, Informative)

morari (1080535) | more than 6 years ago | (#23445860)

A little less than one year ago I had put up a forum for my website; PHPBB (insert whatever the current version was). Anyway, all was fine for a few weeks until I noticed obvious spam accounts registering maybe once a day. Nothing ever came of them, no abusive posts or anything of that nature, but they were sitting there in my user list. I tried several common approaches, such as using a different CAPTCHA and also forcing a verification word to be typed in. Nothing worked. Eventually I noticed that the one commonality between all of the spam accounts was that they all chose Albanian as their language. Odd. I initially thought that perhaps the spammers were based in Albania, but quickly came to the conclusion that the bots were simply selecting the first available option in the language dropdown. I wrote up a script (which was painfully sloppy, I'm sure) that would not allow anyone to successfully register with the Albanian language. After filling everything out and hitting submit, it would take you to a page and say something to the extent of "Sorry, you have selected an unauthorized language. Please try again". I watched carefully as for weeks I didn't spot a single new spam account. Eventually I made a fake language to sit at the top of the list and block, just in case any actual Albanians wanted to use the board. It continued to work just fine. After several months I did get hit by one or two spam accounts that had set their language to English. After that, I wrote a similar script for the "personal website" field of the signup process, forcing legitimate users to add it to their profile after successfully registering. I haven't had any problems since.

Re:Sometimes It Comes as an Easy Fix (0)

flerchin (179012) | more than 6 years ago | (#23445976)

These solutions are quite elegant for your situation. However, you are not much of a target.

Re:Sometimes It Comes as an Easy Fix (0)

Anonymous Coward | more than 6 years ago | (#23446162)

I took down forms and still get spam to them.

The spammers aren't going through the formmail forms posted on the Internet anymore.

I noticed all my forms listed under https://etc...

Did not get spammed. So now I'm just going to put all forms under a secure certificate. Hope that works for a while.

Why are the spammers intent on breaking the Internet?

Re:Sometimes It Comes as an Easy Fix (1)

hostyle (773991) | more than 6 years ago | (#23446512)

Why are the spammers intent on breaking the Internet?
Some people refer to it as capitalism. In short: greed, short term views and the almighty buck.

Re:Sometimes It Comes as an Easy Fix (1)

liquidpele (663430) | more than 6 years ago | (#23446822)

There are two ways I block this type of thing:

1) Make a css hidden field, that must be submitted blank or else the account creation or post fails. Bots try to enter data into every field provided, but users can't see the field and will leave it blank.

2) Have the robots.txt file actually dynamic, and anything that hits it is labeled as a bot, and then if they try to register an account, ban the IP for a while. Then put a hidden link (via css again) to a page with a form to submit. If anything hits that page that didn't hit robots.txt first, ban the IP because it's a bot that is faking being a browser.

Just my $0.02

Re:Sometimes It Comes as an Easy Fix (1)

Dwedit (232252) | more than 6 years ago | (#23447414)

Why on earth would a spambot care about a robots.txt file? Only reason I could think of was something popular a while ago, where people stuck a non-very-visible link on a website which generated loads of fake linked web pages, and garbage email addresses to try to trap harvesters in that section of the website.

Re:Sometimes It Comes as an Easy Fix (0)

Anonymous Coward | more than 6 years ago | (#23447610)

Those bots tend to fill post values for every form field. Someone here on slashdot recommended an approach where you would hide a form field via css or the hidden attribute.

If it was submitted in the post, it is most likely a bot on the client side.

This is more about subverting CAPTCHA (4, Informative)

paratiritis (1282164) | more than 6 years ago | (#23445924)

The article does not really talk about how the spammers defeat CAPTCHA, which would be more interesting to me. It focuses instead on how once they defeat the CAPTCHA test (manually or automatically) they take advantage of the added credibility their new accounts have (because of that very test) for their purposes.

This is the scam part, not the technology part of their operations, which would actually tell us about the possible weakenesses for the CAPTCHA tests and give hints how to fix them.

My spam rules-- (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23445938)

I have determined that:

If the message is not in english or lojban, I don't want to see it.
If the message is in caps, I don't want to see it.
If the message was sent to more than ten people, I don't want to see it.
If more than 10% of the message text is not valid and correctly
spelled english or lojban, I don't want to see it.
If the message has anything to do with a lottery, I don't want to see
it-- I don't gamble, period.
If the message has anything to do with sex, I don't want to see it.
(for various reasons)
If the message has anything to do with drugs, pharmaceutical or
otherwise, I don't want to see it.
If the message was sent from africa, I don't want to see it. I don't
know anyone in africa.
If the message was sent from asia, with the exception of south korea
and the one guy in the UAE, I don't want to see it either.
If the message was sent from central or south america, with the
exception of one guy in argentina, same thing.
If the message /contains/ more than ten email addresses, I don't want
to see it. Death to chain mail.

If anyone knows of an email provider where I can set rules that
detailed and flexible that currently exists, please let me know.

ethana2@gmail.com

Re:My spam rules-- (4, Funny)

Yvan256 (722131) | more than 6 years ago | (#23446320)

Wow.... all of those rules, and you end your post with your email address.

Re:My spam rules-- (2, Insightful)

Cedric Tsui (890887) | more than 6 years ago | (#23448112)

Maybe that's the point. s/he doesn't want to have to hide his e-mail address from the world.

Re:My spam rules-- (2, Funny)

Anonymous Coward | more than 6 years ago | (#23447052)

Wait, Anonymous Coward here again, I made a typo. It's actually malda@slashdot.org

WRONG TITLE! (0)

Anonymous Coward | more than 6 years ago | (#23445942)

I get the idea that the editor failed to RTFA.

Good article nonetheless, but c'mon.

Animated CAPTCHAs? (4, Interesting)

MasaMuneCyrus (779918) | more than 6 years ago | (#23445968)

Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?

Re:Animated CAPTCHAs? (5, Interesting)

Anonymous Coward | more than 6 years ago | (#23446006)

Animated captchas exist and are used but not too often. The only example I can think of is: https://www.e-gold.com/acct/login.html

Re:Animated CAPTCHAs? (4, Informative)

mstahl (701501) | more than 6 years ago | (#23447148)

But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.

The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.

Re:Animated CAPTCHAs? (1)

apt-get moo (988257) | more than 6 years ago | (#23446148)

I don't know how you think they should work, but as only the noise may be changed during an animation (unless you want to be make the CAPTCHA even more inaccessible to ordinary users), a machine might even have an easier time to retrieve the signal (which has to remain constant in some way to be discerned by humans, at least in form and probably in colour), i.e. the text to entered to bypass the CAPTCHA.

Re:Animated CAPTCHAs? (1)

Yvan256 (722131) | more than 6 years ago | (#23446296)

Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation?

Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?

Re:Animated CAPTCHAs? (1)

Fred_A (10934) | more than 6 years ago | (#23446474)

Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation?

Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?
Very language specific. And not easy to generalise. You need to write one set of rules per animation, presumably by hand. Captchas can be machine generated from a dictionary or random characters.
Which is the point.

Re:Animated CAPTCHAs? (1)

Yvan256 (722131) | more than 6 years ago | (#23446638)

Machine-generated captchas generated from dictionaries are already very language-specific.

The animations can also be machine generated from a dictionary of images, with a random number of frames and a random frame position for each image.

This is all pointless, however, since spammers probably pay people to register new accounts for them.

Re:Animated CAPTCHAs? (1)

apt-get moo (988257) | more than 6 years ago | (#23446620)

Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation? Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?
Presenting multiple words might work, but for a machine this would just multiply the complexity of one CAPTCHA with the number of frames, while a human takes significantly more time to solve it compared to a flat one. And radio buttons are out of question, they would produce too many false positives. Tick boxes might be slightly better, but still not as good as text input. Except may to distract some bots.

Re:Animated CAPTCHAs? (1)

xmpcray (636203) | more than 6 years ago | (#23447038)

Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?
Animated GIFs are simply multiple images(frames) saved in one file. It would be easier to break it since the bots can "see" the same text in multiple images and interpret it better when you have multiple images showing the same text.

CAPTCHA sucks (3, Interesting)

thetoadwarrior (1268702) | more than 6 years ago | (#23445978)

They keep trying to make it harder to read which isn't accessible but some places (like rapidshare) have made it nearly impossible for even normal people to guess.

Re:CAPTCHA sucks (1)

Paradise Pete (33184) | more than 6 years ago | (#23446990)

some places (like rapidshare) have made it nearly impossible for even normal people to guess.

I think rapidshare does that knowingly, to get people to sign up for the paid version.

Re:CAPTCHA sucks (1)

thetoadwarrior (1268702) | more than 6 years ago | (#23447304)

That's crossed my mind as well especially since it seems like you get fewer tries these days than before.

This article is an advertisement (5, Insightful)

Omnifarious (11933) | more than 6 years ago | (#23446030)

This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It as an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.

Re:This article is an advertisement (3, Interesting)

owlnation (858981) | more than 6 years ago | (#23446092)

This article links to what is basically an infomercial.
Quite correct. It does. There's also no news here whatsoever. It's good to know that it's not only readers that don't read TFA, the editors -- and even Taco -- don't always read it either.

Re:This article is an advertisement (3, Insightful)

Omnifarious (11933) | more than 6 years ago | (#23446712)

It would be really nice if people would tag articles like this with 'slashvertisement'. :-)

VLAD SHAT (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23446042)

Vlad took a dump right on his infant son's head!! God damn it, Lockwood!! Fuck! FUCK!! FUCK!!!

If I EVER see you I will fucking end you!!

Captchas (2, Funny)

Anonymous Coward | more than 6 years ago | (#23446066)

I was going to post an insightful comment about the article, but I've wasted so much time trying to figure out Slashdot's captcha to post this message, that I no longer have the time.

Fighting spam will either succeed or it will fail (2, Insightful)

davidwr (791652) | more than 6 years ago | (#23446072)

Either the spam-fighters will keep spam down to an acceptable level or they won't.

Mail services that don't provide good spam protection will fail.

If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.

This is getting silly. (4, Funny)

Asztal_ (914605) | more than 6 years ago | (#23446080)

Next time I'm just going to demand that anyone who wants to register for my site will have to send me a formal written request, signed and dated, with at least two good references and a registration history.

That should keep the bots out, right?

Re:This is getting silly. (1)

gnud (934243) | more than 6 years ago | (#23448820)

If it does not, it's time to go pay our respects to our new robotic overlords.

Understanding How CAPTCHA Is Broken (1)

JackSpratts (660957) | more than 6 years ago | (#23446098)

Hmmm. Nothing in TFA about it really.

Why are we so helpless? (3, Insightful)

Chemisor (97276) | more than 6 years ago | (#23446110)

It ought to be obvious to everyone that spam is a property violation crime. Putting unrequested email in my account is the same as dumping used tires on my front lawn. Sure I have an address, but that doesn't mean I want just anyone to deliver anything to it without my permission. Why aren't we making this explicitly illegal, just like dumping and vandalism already are? Why are we putting up with these people?

Re:Why are we so helpless? (3, Insightful)

gsgriffin (1195771) | more than 6 years ago | (#23446272)

Unfortunately, it is not that simple. Your analogy is not correct. Email is more like snail-mail. And yes, anyone can send email to your mailbox via snail-mail and not go to jail. The difference is that snail-mail costs them something. The real solution is to get all the stupid people off the web that actually make purchases from companies that they received a spam email from. They keep spammers continuing to spam. If the idiot purchaser got off the web, the spam would quickly dry up. Ultimately, this battle will never end...there will always be idoits that can get on the web.

Re:Why are we so helpless? (1)

Chemisor (97276) | more than 6 years ago | (#23447022)

> Your analogy is not correct. Email is more like snail-mail. And yes, anyone
> can send email to your mailbox via snail-mail and not go to jail.

I would instead apply the same analogy to snail mail.
It really is not difficult to differentiate between personal mail and spam. The former is written for a single recipient - you. Its intent is conversation. Spam is written generically, and its intent is to get you to buy something. Spam should be illegal in any form. Period. Be it email, phone calls, snail mail, door-to-door salesmen, or street hustlers. There is to be no "push" advertising whatsoever. If I want advertising, I MUST ask for it explicitly. Every time!. Only genuine personal communications should be allowed without explicit permission. Where's the difficulty here?

Re:Why are we so helpless? (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23446322)

No it's not obvious.

How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?

Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that girl who really dug you at that party.

I don't see how you could propose a law that requires permission to send an email without destroying most of email's practical benefits as well.

Re:Why are we so helpless? (1)

Chemisor (97276) | more than 6 years ago | (#23446934)

> How on earth would you actually request each individual email you want to receive?

By explicitly giving the sender your email address. You can also publish it for use of a specific audience. For example, I have my sourceforge address in the header of each source file I write. This is clearly intended for people to report problems with software. There is some gray area, of course, but any email sent with the intent of selling me something definitely violates the criteria.

> I don't see how you could propose a law that requires permission to send an email

One possibility is to pass a law requiring each email to be encrypted with your public key. Anyone trying to contact you legitimately would know what it is, because you'd give it out with your email address, in whatever manner. It also makes bulk mail impossible, especially if you choose a long key.

Re:Why are we so helpless? (0)

Anonymous Coward | more than 6 years ago | (#23447158)

One possibility is to pass a law requiring each email to be encrypted with your public key. Anyone trying to contact you legitimately would know what it is, because you'd give it out with your email address, in whatever manner. It also makes bulk mail impossible, especially if you choose a long key.
Your post advocates a

(X) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Why are we so helpless? (0)

Chemisor (97276) | more than 6 years ago | (#23447234)

> Your post advocates a
> (X) technical (X) legislative ( ) market-based ( ) vigilante

If my approach is tried, it obviously has a chance of success. If it is summarily dismissed as "not gonna work", then of course it won't.

> (X) Mailing lists and other legitimate email uses would be affected

Mailing lists are not a good use of email. Use discussion forum software or usenet, which are far more appropriate venues for this type of communication.

> (X) Users of email will not put up with it

Why won't they put up with it? Users hate spam, and would certainly welcome anything that removes it. Yes, there are some morons who actually read spam and buy stuff advertised in it, but that is not really relevant here. We're a democracy, and sacrificing the wants of the few for the needs of the many is what we do.

> (X) Microsoft will not put up with it

Microsoft will love it. It runs hotmail, and would certainly appreciate the enormous increase in available capacity that will result from eliminating spam. Spam does not benefit Microsoft. Spam hurts Microsoft.

> (X) Many email users cannot afford to lose business or alienate potential employers

You mean spammers "cannot afford to lose business". Destroying their business is precisely what's needed.

> (X) Lack of centrally controlling authority for email

No central authority for email is needed. What is needed is the ability to pursue legal action against spammers for spamming. This could be done simply by forwarding the spam message to the police, who could then arrest the spammer, if he can be tracked down. Currently, sending spam is not illegal, so the authorities can do nothing.

> (X) Armies of worm riddled broadband-connected Windows boxes

If spam were illegal, the police could track down the people who create these boxes. How? By following the money. Spam exists to sell stuff, so it is trivial to find the company responsible for sending it. If it wasn't possible, the company wouldn't be making any money, would it?

> (X) Technically illiterate politicians

Even politicians these days use email. And anybody who uses email eventually receives an offer to enlarge his penis. Any questions?

> (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

If the idea isn't tried, how can it be shown practical?

> (X) Sorry dude, but I don't think it would work.

Sorry dude. It will work.

Re:Why are we so helpless? (0)

Anonymous Coward | more than 6 years ago | (#23446626)

Your plan is brilliant. Please tell us how someone can know whether there particular email is wanted or not.

Web page redirection may have to go (4, Interesting)

Animats (122034) | more than 6 years ago | (#23446128)

We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppyness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").

Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. [sitetruth.com] Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.

We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth [sitetruth.com] . For things like AdWords ads, where some sites use redirection as part of a tracking systems, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.

It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.

Re:Web page redirection may have to go (1)

kipin (981566) | more than 6 years ago | (#23446414)

Sure, some site operators will look bad, but they will adapt.

Unfortunately, so will the spammers.

Re:Web page redirection may have to go (1)

Animats (122034) | more than 6 years ago | (#23446826)

Unfortunately, so will the spammers.

Every time we close off another way to hide business identity, filtering gets better. We can't actually stop the spam, but we can fix it so few humans ever see it.

Spammers trick - REuseable captcha (3, Interesting)

fastgood (714723) | more than 6 years ago | (#23446472)

Find somewhere with 1000s of pageviews (eg. pr0n site)
Present Captcha image to 2 users (agreement = correct)

So the monkeys pull the right lever and get the reward
of viewing the next adult video, and the spammer gets
a near-realtime solution to even the best of captchas.

Re:Spammers trick - REuseable captcha (1)

chifut (998159) | more than 6 years ago | (#23446642)

You don't need to give the captcha to two users, give each user one captcha, so what if one of them is wrong.. You'd have one captcha solved and another not. The web site will tell you that you got it wrong..

What about a CAPTCHA made in flash? (0)

Anonymous Coward | more than 6 years ago | (#23446730)

I made a CAPTCHA using flash and PHP. It seems as if the spammers might have a hard time reading flash content, no?

Re:What about a CAPTCHA made in flash? (2, Insightful)

Dwedit (232252) | more than 6 years ago | (#23447378)

The only thing really protecting you is that your solution is not standard, so bot writers have to treat your website differently, so they won't be as easily able to post there. The instant your solution becomes more commonplace, bot writers will be able to parse your SWF files, read the images, or do whatever else it takes to solve it.

It's a classic case of Security through Obscurity, and this time it works.

However, SWF files have accessibility issues, and there are always people who love to block them.

incoherent TFA (1)

ralphdaugherty (225648) | more than 6 years ago | (#23446870)


      This is the most incoherent TFA I've ever seen linked by slashdot. We just went through CAPTCHA breaking a few days ago and here we go again with the dancing images and worse suggestions.

      Sheesh, there's this underlying assumption that the CAPTCHA image is automatically being broken by spambots using OCR, but all it takes is CAPTCHA images where the letters are not cleanly separated to keep all but some as yet univented world class OCR from identifying the characters. Anyway, no one has presented a case for automatic OCR breaking anyway.

      It'd be nice to see some more basic examinations of the technologies involved in attack and defend of websites. We deal with this in adminning our websites day in and day out so this is an important subject.

  rd

Phone-based varification (1)

Tablizer (95088) | more than 6 years ago | (#23446918)

I think its time to use phone-based sign-up verification. An automated dialing system would call a user within about 5 minutes of signing up for an account to confirm via phone push-button that they indeed did sign up. Yes, it is fairly expensive, but who said good security is cheap.

It is possible to trick such a system, but very difficult on a scale of hundreds of thousands, which is what spammers need. Phone calls are better tracked than HTTP messages because of the costing infrastructure that underlies phones.
         

Re:Phone-based varification (2, Insightful)

dargaud (518470) | more than 6 years ago | (#23447082)

Yeah, right, with the spammer putting your own phone number on the form and registering for the account at 3am... I don't think so.

Re:Phone-based varification (1)

/dev/trash (182850) | more than 6 years ago | (#23447190)

1and1 did this when they were offering they're free service years ago.

Re:Phone-based varification (2, Insightful)

Tony Hoyle (11698) | more than 6 years ago | (#23447556)

Enjoy paying for all those peak rate calls to russia...

It would be so easy to bankcrupt a site that tried this (phone number generator, script) that no sane site owner would try it.

Re:Phone-based varification (0)

Anonymous Coward | more than 6 years ago | (#23447580)

Sites primarily of interest to Americans and Western Europeans (i.e. most of those of commercial value) need never make a verification call to Russia, China, Costa Rica, or any other spam haven. Those legitimately in those countries with interest could pay for forwarding. Of course, this doesn't address that a spammer could get a huge block of U.S. phone numbers on the cheap to take verification calls one per site implementing such a scheme.

Email is broken, captcha is pointless (0)

Anonymous Coward | more than 6 years ago | (#23447344)

The spammer problem wouldn't exist if email wasn't so hopelessly broken. It wasn't designed from the ground up to prevent assholes from abusing it.

Ditch email, design something else. This is slashdot for crying out loud, surely we can come up with a solution!

Re:Email is broken, captcha is pointless (1)

Dwedit (232252) | more than 6 years ago | (#23447358)

It's not just email, it's also message boards, blog posts, and wikis. Those also have bots crapflooding them with spam.
Bots don't even need to post a URL to get people to visit, they'll just stick in a stock ticker symbol for pump and dump scams, so methods involving blocking new users from posting URLs will still fail.

Stupid question about stupid people (1)

religious freak (1005821) | more than 6 years ago | (#23447356)

Ok, so I've got to say, I just don't GET (understand) spam. Who the hell is still clicking on the links?

Does anyone fall for a Nigerian scam anymore? Or buy pills? Or want a bigger schlong?

Don't people get it already?! How do these spammers make money?

Re:Stupid question about stupid people (1)

Tony Hoyle (11698) | more than 6 years ago | (#23447588)

They don't need to any more.. it's self sustaining. People are paying for lists of 'verified' email addresses, they're paying for spammers to send the messages... the spammers have already made their money - off stupid management of so-called 'legitimate' business. There are enough stupid people around to sustain that industry for many, many years.

Nobody needs to reply.. there's no comeback for the companies paying the spammers so they keep doing it on the offchance someone might buy their crap. That's where the law needs tightening up - paying for spam services should have punitive fines (a million dollars or so... basically any company that tries it gets wiped out, if not by the fine, by their shareholders when they find out).

captcha = discrimination (0)

Anonymous Coward | more than 6 years ago | (#23447622)

Captcha is discrimination against scixelsyd!

Captcha proxies (1)

chrysalis (50680) | more than 6 years ago | (#23448786)

I once received a spam for a p0rn site. Accessing that site required to enter a Captcha code "in order to avoid bandwidth steal".

A Captcha for a p0rn site?! How much do you bet that the Captcha was actually proxied from another site, like a webmail?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?