
Spammers Targeting Microsoft's Revised CAPTCHA

samzenpus posted more than 5 years ago | from the paint-a-bullseye-on-it dept.

Security 303

toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"


303 comments

Key exchange. (4, Funny)

suck_burners_rice (1258684) | more than 5 years ago | (#25227361)

I suppose it would make sense if you had to make an exchange of keys with someone before initiating communication. Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms. Now the spammers will need to waste inordinate amounts of computer time computing all kinds of keys, and the practice of spamming will (hopefully) disappear. Now this being /., someone will tell me why such a scheme is impossible. :-)

Re:Key exchange. (5, Funny)

TheSpoom (715771) | more than 5 years ago | (#25227411)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Key exchange. (5, Insightful)

AaronLawrence (600990) | more than 5 years ago | (#25227495)

That form is amusing and enlightening for first-time proposals at solving spam. But as far as I can tell, it also rules out all solutions because it assumes there is a solution that doesn't have any cost or compromise.

The likely reality is that someone will have to pay or be inconvenienced to solve spam.

Re:Key exchange. (4, Funny)

TheSpoom (715771) | more than 5 years ago | (#25227581)

The form doesn't assume there is a solution without cost or compromise.

It just assumes it's really, really easy to make fun of other ones. ;^)

Re:Key exchange. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25227585)

But as far as I can tell, it also rules out all solutions because it assumes there is'nt a solution that doesn't have any cost or compromise.

There, fixed that for ya.

Re:Key exchange. (1, Funny)

TheSpoom (715771) | more than 5 years ago | (#25227735)

But as far as I can tell, it also rules out all solutions because it assumes there isn't a solution that doesn't have any cost or compromise.

There, fixed that for ya.

There, fixed that for ya.

Re:Key exchange. (3, Funny)

RiotingPacifist (1228016) | more than 5 years ago | (#25228003)

But as far as I can tell, it also rules out all solutions because it assumes there isn't a solution that doesn't have any cost or compromise.

There, fixed that for you.

There, fixed that for you.

There, fixed that for you both.

Re:Key exchange. (5, Funny)

MrNaz (730548) | more than 5 years ago | (#25227593)

Personally I think the form would be fine if you just took off the vigilante box. Spam can be solved by a few guys with a list of names, free air travel for a month and a box of bullets.

Re:Key exchange. (4, Funny)

Anonymous Coward | more than 5 years ago | (#25227987)

SpammerAssassin.org? What do we need to get this project off the ground?

Re:Key exchange. (1)

denmarkw00t (892627) | more than 5 years ago | (#25227633)

The likely reality is that someone will have to pay or be inconvenienced to solve spam.

Oh I know this one: The Spammers!

Re:Key exchange. (2, Interesting)

hairyfeet (841228) | more than 5 years ago | (#25228599)

Well, the problem as I see it with the whole CAPTCHA thing is this: even if they manage to find a version of it that is so good that no bot can ever be built that can break it (considering how good some of these bot writers are that is doubtful) then the spammer can either use social engineering or good old cheap labor in countries where you can pay them pennies.

Of course they wouldn't even have to hire anyone with social engineering, just fill an old server with a bunch of porntube style clips (and get extra cash from link sharing) and have them prove they aren't a bot with a little cross-site scripting. Then you have plenty of guys happy to do the work for you in exchange for a chance at getting some free pr0n. For extra efficiency you could have their answer "fail" the first couple of times so each user has to give you the answer to three or four CAPTCHAs for each entrance. If they don't want to go to the trouble then they simply hire day laborers in third world countries and pay them a few pennies per CAPTCHA. I am sure there are still quite a few countries where the cost/benefit ratio of doing so would come out in the spammers' favor.

So as long as the spammers can make money off of hErb@l V!@gra and other crappy spam schemes then they WILL find a way around it. Because as long as there are fools willing to part with their money there will be someone with no scruples who will be more than happy to take it from them. So I think in the long run it will be better if the effort was concentrated more on fighting botnets and getting rid of crappy domain registrars than making more and more difficult CAPTCHAS. Because it is getting to the point that some of them are so horribly screwed up that I as a human can't figure the damned things out.

Re:Key exchange. (1)

humphrm (18130) | more than 5 years ago | (#25228181)

I'm convinced that today's SPAM prevention methods used together (including end user*) is about as good as it's ever going to get.

* The most effective SPAM filter is a human, sitting in front of their e-mail client, deleting mail that they know is SPAM from the subject line.

I know it's annoying. But I think we're stuck with it.

Re:Key exchange. (0)

Anonymous Coward | more than 5 years ago | (#25228693)

Where the fuck do you guys get these forms from?!

Re:Key exchange. (1)

collinstocks (1295204) | more than 5 years ago | (#25227457)

The scheme is not impossible, just impractical. Most (non-nerd) people cannot be bothered installing software to compute keys. Also, the amount of computing time necessary becomes negligible once you have enormous botnets, like the Russian mafia.

Re:Key exchange. (1)

MrNaz (730548) | more than 5 years ago | (#25227635)

Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s? The Mozlems are the new enemy, or didn't you get the memo?

http://www.spamhaus.org/rokso/index.lasso [spamhaus.org]

Re:Key exchange. (3, Informative)

gnick (1211984) | more than 5 years ago | (#25228217)

Cut it out with the finger pointing at China and Russia. The vast majority of spam comes from the US, initiated by US citizens. It's not "the Russians" at fault. Anyway, what is this? The 80s?

I don't buy that. Accuse me of over-indulging on Kool-Aid if you must. Most spam streams out of America - That's no surprise. We've got a helluva lot of computers with broad-band access and clueless users who basically bend over and hand lube to zombie-lords.

I've seen cyber-intelligence numbers (disclaimer - collected by US intelligence) and they indicate pretty clearly that the bots are being controlled by people in Russia and China (Poland, Switzerland, and Holland house a surprising number too). Those people may be Russians, Chinese, Americans, whatever, but they're running their armies from overseas (relative to the US). I'm actually surprised fewer are operating out of Africa - It seems to be a relative safe-house.

It's not paranoia once you've got data supporting it. (Let me be the first to criticize myself for not supplying a link...)

Re:Key exchange. (1)

collinstocks (1295204) | more than 5 years ago | (#25228397)

Mod parent up funny!

You do know, of course, that the majority of spamming computers in the US are part of the botnets controlled by the Russian mafia, right [citation needed]?

Sales or support (1)

tepples (727027) | more than 5 years ago | (#25227565)

Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email, and similar methods would apply to other communication mechanisms.

Under your system, when one opens a means of contact for sales or support of his products or services, I'd assume he would give out the key for that. So how would he prevent that name:key@host from getting spammed?

Re:Sales or support (3, Funny)

lysergic.acid (845423) | more than 5 years ago | (#25228013)

easy, you just need to encrypt the first key with a second key. surely, there's no way for a spammer to get a hold of all 3 pieces of vital info now needed to send an e-mail.

but if by some off chance that spammers manage to get a hold of all 3 pieces of info (because users have to give out these keys just as they would an e-mail address), we'll just add another key to the system, and another...

we'll all need to get bigger business cards.

Re:Key exchange. (1)

WK2 (1072560) | more than 5 years ago | (#25227715)

I suppose it would make sense if you had to make an exchange of keys with someone before initiating communication. Thus, when you give out your email to people, you could give them a key that they would need in order to send you an email

What you described is called, "only giving your email to people you trust." Except we call it an e-mail address, not a key. It is already available, and does not require any sort of special software other than an e-mail client. It is a good practice for most people. Unfortunately, it does not solve the problem for people who need to receive email from strangers, such as contractors.

Re:Key exchange. (1)

tubapro12 (896596) | more than 5 years ago | (#25228183)

Or just tell everyone to send you messages encrypted with X PGP key. Then when you get mail, if you can't read it after one decrypt, trash it.

Re:Key exchange. (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#25228517)

While TheSpoom's criticism is largely correct, the nice thing about your key exchange notion is that, in combination with existing email signing and encryption techniques, it is essentially a minor extension to whitelisting. By whitelisting people's public keys you are, in effect(thanks to the magic of asymmetric key encryption), making it so that their private keys are the unforgeable and easy to revoke if stolen passwords to be able to send you email.

On the minus side, encryption and signing are far less common than they ought to be, and everybody's infatuation with webmail isn't helping, and all the usual whitelisting pitfalls apply; but it would otherwise work quite easily with changes only on your end.

Akismet (2, Informative)

TheSpoom (715771) | more than 5 years ago | (#25227369)

Akismet [akismet.com] is great for comments and such. Basically, it's a neural net using user submissions to determine whether or not a submission (sent automatically from your site for checking) is spam or not.

Captchas are no longer good enough (5, Insightful)

AaronLawrence (600990) | more than 5 years ago | (#25227389)

It seems that the time when Captchas were an effective way to protect valuable resources is over. Where valuable means "anything of more than a tiny value that is available in large numbers". One email account isn't of value, but a million mail accounts is worth a lot to a spammer, and it's just as easy to get a million automatically as it is to get one.

Frankly, modern captchas are often past the point where I can read them; and the image recognition programs are good enough to get a useful correct recognition rate. This tells us that captcha is a dead end, AI in the form of image processing is now about the same "intelligence" as a human, so there is nowhere for captchas to go.

What to do instead? Well, looking at that report, the bot signup surely looks recognisable - the same IP constantly trying to sign up? But maybe big NAT networks mean that "same IP" isn't a safe bet to block?

If you can't recognise the bot, and it can answer simple questions as well as a human, then the only thing left is to provide another form of identification - like a real-life physical ID.
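Detection of the "same IP constantly trying to sign up" pattern raised above, as an added example that is not from the Websense report or from the post: the log format, the window length and the thresholds are assumptions, and the sample lines are constructed. The failure ratio is there for the NAT caveat: many people behind one gateway raise the attempt count for that address, but they do not raise the fraction of attempts that fail the CAPTCHA the way a bot retrying with a 20-25% OCR does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines (assumed format): one line per signup attempt.
# 10.0.0.5 is a bot retrying the CAPTCHA; 203.0.113.7 stands in for a NAT
# gateway with several people behind it; 198.51.100.2 is one ordinary user.
SAMPLE_LOG = """\
2008-10-02T10:00:00Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:01Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:02Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:03Z signup ip=10.0.0.5 result=ok
2008-10-02T10:00:04Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:05Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:05Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:06Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:07Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:08Z signup ip=10.0.0.5 result=ok
2008-10-02T10:00:09Z signup ip=10.0.0.5 result=captcha_fail
2008-10-02T10:00:12Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:19Z signup ip=203.0.113.7 result=captcha_fail
2008-10-02T10:00:26Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:30Z signup ip=198.51.100.2 result=ok
2008-10-02T10:00:33Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:40Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:47Z signup ip=203.0.113.7 result=ok
2008-10-02T10:00:54Z signup ip=203.0.113.7 result=ok
2008-10-02T10:02:00Z signup ip=10.0.0.5 result=captcha_fail
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) signup ip=(?P<ip>\S+) result=(?P<result>\w+)$")


def parse(line):
    """One log line -> (timestamp, ip, result), or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["result"]


def flag_signup_abuse(lines, window_s=60, max_attempts=5, min_fail_ratio=0.6):
    """Sliding-window count of signup attempts per source IP.

    An IP is flagged when, within any window_s seconds, it makes more than
    max_attempts attempts AND at least min_fail_ratio of them failed the
    CAPTCHA. The ratio is what separates a bot grinding through failures
    from a busy NAT address. Returns {ip: (attempts, fail_ratio)} recorded
    at the point where that IP's in-window count peaked.
    """
    windows = defaultdict(deque)      # ip -> deque of (timestamp, result)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, result = rec
        q = windows[ip]
        q.append((ts, result))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                # drop attempts that aged out of the window
        n = len(q)
        ratio = sum(1 for _, r in q if r != "ok") / n
        if n > max_attempts and ratio >= min_fail_ratio:
            if ip not in flagged or n > flagged[ip][0]:
                flagged[ip] = (n, round(ratio, 2))
    return flagged
```

On the sample, only 10.0.0.5 is flagged; the NAT address makes eight attempts in under a minute but with a single failure, so it is only caught if the ratio threshold is dropped to zero, which is exactly the false positive the NAT objection predicts.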

Re:Captchas are no longer good enough (1)

zobier (585066) | more than 5 years ago | (#25227741)

Real-life physical ID is not accessible. If you have to show up somewhere in person this is infeasible. If you have a hotline to call for access codes you're going to have to provide a TTY alternative -- easy enough to create a TTY bot. It ceases to be Completely Automated at this point anyway.

Foolproof CAPTCHA is an impossibility, you would need true AI at which point it would be self-defeating.

Not to mention the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

Re:Captchas are no longer good enough (1)

AaronLawrence (600990) | more than 5 years ago | (#25227837)

I agree all these things are difficult. So what solution do you suggest?

Re:Captchas are no longer good enough (5, Interesting)

Miamicanes (730264) | more than 5 years ago | (#25228267)

> I agree all these things are difficult. So what solution do you suggest?

I personally applied a multi-pronged approach, and my spam problem has been negligible for YEARS.

1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers. In theory I could generate the aliases by hand, but I wrote a program that runs on my HTC Touch to generate them for me as necessary. Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

2) I wrote an app to generate time-limited aliases in the form 'myname-yyyymmdd.validation@mydomain.com', but for now it ended up being gross overkill since nobody has ever tried reverse-engineering it so I just automatically accept all incoming mail sent to 'myname-yyyymmdd@mydomain.net' (where 'yyyymmdd' is today's date, or at least a date within the past week or so). But if spammers ever caught on, the generator app goes back up, and the rules get tightened.

Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY. How brilliantly? On a typical day, procmail chucks, bounces, or otherwise blackholes about 18,000 to 25,000 spam emails addressed to an outright nonexistent address, roughly 8,000-12,000 spams addressed to an alias that fell into spammer hands, and maybe a half-dozen that are in the right form, but have an invalid hashcode (they get sent to another account on the server that I check occasionally). Every few days, I have to spend a couple of minutes adding another blackhole rule to .procmailrc, but I've never really had enough to make it worth my time to actually write an administration program to manage it for me.

Would this work for Joe Sixpack or Sally Soccermom? Of course not. They have a hard enough time keeping one email address at aol.com straight, let alone generating salty-checksum-validated ad hoc aliases unique to everyone who emails them (and every website that extorts their email address, etc). But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail). My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.
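The alias scheme in the post above, as an added example that is not Miamicanes' code. It assumes the address form 'myname-alias.validation@mydomain.com', and computes 'validation' as an HMAC-SHA256 over the alias truncated to 12 hex characters: the post says only "hash of the salted alias", and a keyed MAC is the assumption here, because a plain hash with a salt that can be guessed from a few observed aliases lets a spammer mint valid ones. The date-form aliases, which the post says are currently accepted without validation, are validated and expired here as the "tightened rules" version. The routing follows the post: the bare address bounces with instructions, a bad validation bounces once and is blackholed after that, and unknown addresses are dropped.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Assumed parameters (not from the post): MAC key, owner local-part, domain,
# tag length. 12 hex chars = 48 bits, enough that guessing a tag is hopeless
# at SMTP speeds while keeping the address typeable.
SECRET = b"replace-with-a-long-random-secret"
OWNER = "myname"
DOMAIN = "mydomain.com"
TAG_HEX_LEN = 12

_ALIAS_RE = re.compile(
    r"^(?P<owner>[^-@]+)-(?P<alias>[^.@]+)\.(?P<tag>[0-9a-f]+)@(?P<domain>[^@]+)$"
)


def make_tag(alias: str) -> str:
    """Validation part of an alias: truncated HMAC-SHA256 over the alias.
    A keyed MAC (assumption; the post says 'hash of the salted alias') means
    a spammer holding several valid aliases still cannot mint a new one."""
    mac = hmac.new(SECRET, alias.lower().encode(), hashlib.sha256).hexdigest()
    return mac[:TAG_HEX_LEN]


def make_alias(alias: str) -> str:
    """myname-alias.validation@mydomain.com for a contact or site name."""
    return f"{OWNER}-{alias}.{make_tag(alias)}@{DOMAIN}"


def dated_alias(day: date) -> str:
    """Time-limited form: myname-yyyymmdd.validation@mydomain.com."""
    return make_alias(day.strftime("%Y%m%d"))


def classify(rcpt: str, today: date, seen_bad: set, max_age_days: int = 7) -> str:
    """Routing decision for one inbound recipient address.

    'deliver'   - valid tag (and, for date aliases, not older than max_age_days)
    'bounce'    - bare address, or first message to an alias with a bad tag:
                  reply pointing the sender at the alias generator
    'blackhole' - nonexistent address, expired date alias, or repeat of a bad
                  tag already bounced once (seen_bad is updated here)
    """
    rcpt = rcpt.strip().lower()
    if rcpt == f"{OWNER}@{DOMAIN}":
        return "bounce"
    m = _ALIAS_RE.match(rcpt)
    if not m or m["owner"] != OWNER or m["domain"] != DOMAIN:
        return "blackhole"
    alias, tag = m["alias"], m["tag"]
    if not hmac.compare_digest(tag, make_tag(alias)):
        if alias in seen_bad:
            return "blackhole"
        seen_bad.add(alias)
        return "bounce"
    if re.fullmatch(r"\d{8}", alias):
        try:
            issued = date(int(alias[:4]), int(alias[4:6]), int(alias[6:]))
        except ValueError:
            return "blackhole"
        age = today - issued
        if age < timedelta(0) or age > timedelta(days=max_age_days):
            return "blackhole"
    return "deliver"
```

Doing this check at SMTP time and rejecting with a 5xx, rather than accepting the message and bouncing it afterwards, is what keeps a scheme like this from generating backscatter to forged sender addresses.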

Re:Captchas are no longer good enough (4, Interesting)

Miamicanes (730264) | more than 5 years ago | (#25228299)

Oh, I forgot to mention... the fundamental reason why everyone who emails me is given a unique generated alias is to protect myself against trojans/worms/malware that might harvest the contents of a trusted friend's addressbook. If it happens (like to my dad 3 times already. Sigh. He's actually the reason I came up with this scheme... he kept getting my addresses harvested and ruining them forever), all I have to do is nuke that one specific alias, and tell that one person to use a different address to reach me at going forward. It's a lot easier to nuke an incoming address used by ONE person, and notify that ONE person if something changes, than it is to notify everyone (including banks, websites, etc) that they need to use a new address to reach you.

Re:Captchas are no longer good enough (4, Insightful)

vux984 (928602) | more than 5 years ago | (#25228769)

1) Everyone I give my email address to is given a different alias, in the form 'myname-alias.validation@mydomain.com'. 'validation' is basically the hash of the salted alias, with different salting recipes for different pattern-matches just to make life difficult for spammers.

Ok. So you effectively made the most complicated whitelist imaginable. Except instead of whitelisting your contacts, you've added a layer of indirection and whitelist a code your contacts must send you instead.

I've seen the same thing implemented many times before by giving each contact a passcode and requiring them to include it in the subject line of all correspondence. I do give you props for embedding it into the address instead of the subject line, as that will let you use it for automated systems, like websites that 'extort' an address, etc.

Aside from the fact that some people and businesses get seriously weirded out when they're told to email you at 'myusername-theircompanyname.longhexstring@mydomain.org', it works BRILLIANTLY.

Yes, if torpedoing usability was your goal. What happens when you send something to someone and they reply? Do they have to use your unique address to reply? What do you do when you need to write an email address out or give it over the phone? goofball-yourdomain-a23fbf32a4e544303... good times. Or if someone forwards your message to a 3rd person to reply to you...

My email has gone from "worthless due to the avalanche of spam" to "for all intents and purposes, spam-free", and has stayed that way for almost six years now.

I manage the same with spamassassin, amavisd etc and a couple custom rules. And my mail server processes some 30,000 messages a day as well, for a business with half a dozen employees. We get maybe 8 or so spam through a day, and less than half a dozen false positives a month. (Most of which are due to other people sending from domains that publish SPF records and then don't follow what they've published...ie their own damned fault.)

But for the world's Slashdot Elite, it's a nice, elegant solution (as long as you've got your own domain name or ten and have either a dedicated server or a hosting account somewhere with shell and script access so you can run Procmail.

I wouldn't call it elegant. Clever yes, but not elegant.

Anything sent to 'myname@mydomain.com' automatically bounces with message to go to my website and obtain an alias to use for contacting me. Ditto, for the first message addressed to a given 'alias' whose 'validation' is invalid (thereafter they're unceremoniously sent to /dev/null).

Do you even score it for spam at all or do you just generate a lot of needless backscatter?

At the end of the day, I'm not really seeing the advantage of your solution over a moderately sophisticated white-listing + grey-listing solution.

Re:Captchas are no longer good enough (4, Interesting)

lysergic.acid (845423) | more than 5 years ago | (#25228311)

requiring a physical ID for internet accounts is a bad idea.

i like the reCAPTCHA approach. if spammers want to abuse a reCAPTCHA system, at least they'll be making a positive contribution to society by helping to digitize printed literature. maybe Project Gutenberg or the Google Books Library Project can launch a reCAPTCHA service to put those botnets to good use. if you can't stop them, at least this helps to recover some utility from the problem.

there's also the issue of CAPTCHA porn [boingboing.net] and the related phenomena of outsourcing CAPTCHA solutions. as long as there are people willing to solve CAPTCHAs for porn, or money to feed their families, then no reverse turing test will ever be foolproof. so the best thing to do is to exploit this CAPTCHA-solving machinery.

why not make CAPTCHAs educational? instead of random words or random excerpts from books, make them arithmetic word problems, geometry proofs, SAT analogy questions, stoichiometry equations, spelling quizzes, etc. this way, the CAPTCHA solvers gain an education from their labors instead of just some cheap porn or a couple of bucks a day. and after solving CAPTCHAs for a few years, they'll be educated enough to land a real job and/or afford to pay for better porn.

this way you turn the spam problem into a way of educating horny teenagers and underprivileged poor in 3rd world countries.

Re:Captchas are no longer good enough (1)

a whoabot (706122) | more than 5 years ago | (#25228751)

Don't spammer AIs for solving captchas usually have a high error rate? They are only useful for the spammers because they repeat after failure. Wouldn't that sort of make them useless for helping out recaptcha?

In fact, if those AIs were any good at identifying the text without error, then why wouldn't whoever is digitizing the texts just use them for the job?

AI isn't beating captchas -- networks are (1)

patio11 (857072) | more than 5 years ago | (#25228641)

> AI in the form of image processing is now about the same "intelligence" as a human

Not even close, but it doesn't need to be.

What useful work could you do with an OCR program which was correct only 25% of the time? Nothing -- any book you read would look like one of those Babelfish English-by-way-of-Russian-by-way-of-English monstrosities. But a 25% accurate OCR is a 100% solution to the captcha, because you have a big freaking botnet and can generate additional requests for free.

Aside from botnets, the cloud-based outsourced captcha busting business model ($1 per 1,000 captchas done by a subcontractor of a subcontractor in a place where paying people to get a repetitive-stress injury makes excellent economic sense as long as they have an automated assistant to keep the queue full, like a factory line) is also doing some severe damage. Forget the old "Ahh, we'll give you porn for breaking a captcha you didn't even realize was Yahoo's" exploit, which was mostly theoretical. This gives you a *controllable, constantly available, scalable* level of whatever the resource protected by the captcha is.

Captchas: pretty much screwed.

Easy... (-1, Flamebait)

Zonekeeper (458060) | more than 5 years ago | (#25227393)

Death penalty for spamming. Might not stop it but it will sure stem the tide like no other tactic would. /Is he joking, you ask?

suck my balls (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25227397)

listen up niggers: That $700 billion bailout that used to be 3 pages is now 450+ pages. Call your honkey in congress and tell them to flush this turd.

Dupe (1)

Dan East (318230) | more than 5 years ago | (#25227415)

This was from back in April, and was already discussed on Slashdot [slashdot.org] (the "tuning / exploitation" link).

Just out of curiosity, why doesn't the Slashdot software simply check to see if a submitted story contains the same url as an existing story? Wouldn't that stop a lot of dupes?

Re:Dupe (1)

explosivejared (1186049) | more than 5 years ago | (#25227557)

Well the submission system already does this for URLs submitted outside of the main body of the article summary. In short, it would be cumbersome to sort of blacklist URLs as you suggest, because a previously used URL could be relevant again. If you are thinking, why don't the editors actually check the URLs... well then my friend... you must be new here.

Re:Dupe (3, Funny)

denmarkw00t (892627) | more than 5 years ago | (#25227659)

Wouldn't that stop a lot of dupes?

Yes, but the editors would work out a system to get around this - actually, I read a story on /. [slashdot.org] about CAPTCHAs that's along the same lines as what you're talking about.

That's what chu git fo tryin' to be NUMBA ONE, (1)

davidsyes (765062) | more than 5 years ago | (#25227425)

ALL the time, motha-humpas.... SOMEbody's gonna captcha yo flag...

reCAPTCHA (4, Insightful)

yincrash (854885) | more than 5 years ago | (#25227535)

from the dude who coined CAPTCHA, comes reCAPTCHA. using words in old library books that existing OCR tech can't figure out, humans can help digitize books and stop spam at the same time!

http://recaptcha.net/ [recaptcha.net]

Re:reCAPTCHA (1, Informative)

yincrash (854885) | more than 5 years ago | (#25227561)

If you want to know how it works...

But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.

http://recaptcha.net/learnmore.html [recaptcha.net]

Re:reCAPTCHA (1)

TheSpoom (715771) | more than 5 years ago | (#25227657)

ReCAPTCHA has the same issues as a CAPTCHA because it gives you one to which it knows the answer, so if you get that one right, it assumes you got the other one right. So you still only have to get one of the words right, which, in the end, is the same as a normal CAPTCHA.

Re:reCAPTCHA (0)

Anonymous Coward | more than 5 years ago | (#25227899)

but at least reCAPTCHA helps translate those books into digital form, which is good =)
also it's not too bad a captcha.

then again, captcha are all broken by design and only work for so long.

http://www.insecure.ws/2007/06/15/captcha-wiib-2 [insecure.ws]

Re:reCAPTCHA (0)

Anonymous Coward | more than 5 years ago | (#25227979)

That's not exactly true. The CAPTCHAs reCAPTCHA provides have been solved by HUMANS, not computers. Once enough people guess the same second word, it teaches itself what that word is and provides it as the verification word, even though the computer still cannot read it. The other CAPTCHA systems are created by computers.

Re:reCAPTCHA (1)

yincrash (854885) | more than 5 years ago | (#25228161)

The words it knows the answer to are still words that OCR tech has not solved. They are words that have been solved by humans in previous attempts using reCAPTCHA.

All the researchers have to do is prime the pump by solving a few words and everyone else does the rest. :)

reCAPTCHA has a critical flaw in its strategy (1)

patio11 (857072) | more than 5 years ago | (#25228707)

The reCAPTCHA strategy is that one of the following two things will happen:

1) No improvement in OCR happens and the CAPTCHA remains effective
2) Spammers improve OCR substantially and we get books digitized for free

It fails to account for the 3rd option

3) Spammers improve OCR marginally, achieve a 20 ~ 25% success rate on reCAPTCHA. There is no penalty for getting it wrong if you can generate requests for free and only care about maximizing successes! It's a multiple-choice test with infinite questions and a fixed bar for passing! As soon as this happens, spammers will flood the legitimate users out of the system, because they can generate infinite requests and legitimate users can not. Its usefulness as a CAPTCHA is compromised and its usefulness for text digitization is zero, because the "multiple users checking each other" becomes multiple instances of the same lobotomized spam OCR program vouching for its own accuracy, with an infinitesimal portion of humans being drowned out by sheer numbers.

Captchas that humans can read, perhaps? (5, Insightful)

Behrooz (302401) | more than 5 years ago | (#25227567)

Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

In the cruddy sans-serif fonts most captchas use, 0lRnBC looks like O1Rnl3C looks like 0lRnBC.

It's powers of 2, people! For each O or 0 in your captcha, the odds of a real person being able to correctly identify it are halved, and that's not even counting the other possible charspace collisions.
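The "powers of 2" argument above, worked through as an added example (not code from the thread or from any commenter). It generalizes the halving to look-alike groups of any size: the confusable groups, the alphabet and the sample string are assumptions chosen for illustration, not a measured font study. The point it makes concrete is that dropping confusable glyphs costs the legitimate user nothing but barely changes a random guesser's odds.

```python
"""Added example: how much do confusable glyphs (O/0, l/1/I, ...) cost a
legitimate user, and what does removing them cost the defender?
CONFUSABLE_GROUPS and ALPHABET are assumptions for illustration."""
from fractions import Fraction

# Assumed groups of glyphs a reader cannot tell apart in a small sans-serif
# font. Every character in a group looks like every other character in it.
CONFUSABLE_GROUPS = ["O0", "l1I", "B8", "S5", "Z2"]

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def _group_of(ch):
    """Return the confusable group containing ch, or None if it is unambiguous."""
    for g in CONFUSABLE_GROUPS:
        if ch in g:
            return g
    return None


def human_read_probability(text):
    """Probability that a careful human transcribes `text` exactly, assuming
    they pick uniformly among look-alikes for each ambiguous glyph and read
    every unambiguous glyph correctly. A group of two halves the odds, a
    group of three cuts them to a third. Returns an exact Fraction."""
    p = Fraction(1)
    for ch in text:
        g = _group_of(ch)
        if g:
            p *= Fraction(1, len(g))
    return p


def safe_alphabet(alphabet=ALPHABET):
    """Drop every glyph that belongs to a confusable group."""
    return "".join(ch for ch in alphabet if _group_of(ch) is None)


def random_guess_probability(length, alphabet):
    """Chance that a bot guessing uniformly at random passes a captcha of the
    given length drawn from `alphabet`."""
    return Fraction(1, len(alphabet) ** length)


if __name__ == "__main__":
    sample = "0lRnBC"                       # the string from the post above
    print(sample, "human success:", human_read_probability(sample))
    safe = safe_alphabet()
    print("safe alphabet size:", len(safe))
    print("random guess, 6 chars, full alphabet:", random_guess_probability(6, ALPHABET))
    print("random guess, 6 chars, safe alphabet:", random_guess_probability(6, safe))
```

With the assumed groups the sample string is read correctly only one time in twelve even by an attentive human, while shrinking the alphabet from 62 to 51 symbols moves a six-character random guess from roughly one in 57 billion to roughly one in 18 billion: the defender gives up almost nothing.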

Re:Captchas that humans can read, perhaps? (5, Insightful)

feepness (543479) | more than 5 years ago | (#25228275)

Not to mention the $%@#$@#$@#% that don't realize 10% of the male population is colorblind.

That's right! Your light green letters with the swath of dark red across them are completely unbreakable... to me. I've literally abandoned websites after failing the captcha repeatedly.

Re:Captchas that humans can read, perhaps? (1)

techno-vampire (666512) | more than 5 years ago | (#25228463)

Am I the only one getting really really annoyed by captchas that use mixed-case letters and numbers that aren't distinguishable even to an actual human?

No, especially when I'm never sure if the reply is case sensitive or not. Sometimes I have to try three and four times, even when I'm sure I've gotten it right. However, the thought occurs to me that the site might simply require you to get three successive captchas right to make it harder on bots.

Security thru disgust. (0)

Anonymous Coward | more than 5 years ago | (#25227589)

"Could there be any better CAPTCHA, a better solution?"

Base them all on Goatse.

fingerprint (1)

jrozzi (1279772) | more than 5 years ago | (#25227645)

We use a fingerprint jquery library to record the timestamps for every keystroke made by the submitter and inject them into the form. You can then determine if the form submission is legitimate or not if the timestamp for key down and timestamp for key up events fall between a certain time. I guess the downsides to using this method are that the form submission won't work if javascript is disabled or if malicious people figure out your algorithm. Seems to work okay to help prevent spam bots for us though. http://narcvs.com/javascript/fingerprint/ [narcvs.com]

Really, really, really, really obvious (1)

QuoteMstr (55051) | more than 5 years ago | (#25228341)

What makes you think a spammer won't just send fake keystroke times? Never trust the client.
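The defender-side alternative to the keystroke fingerprint, as an added example (not the narcvs library and not code from either commenter): the server measures how long the form took itself. When the form is rendered it issues an HMAC-signed token carrying the issue time; on submit it checks the signature, measures the elapsed time against its own clock, and optionally refuses a token it has already seen. Nothing the browser reports about timing enters the decision, which is the point QuoteMstr makes. The thresholds, field layout and function names are assumptions.

```python
"""Added example: server-measured form timing with a signed, single-use
token. MIN_FILL_SECONDS / MAX_TOKEN_AGE_SECONDS and the token layout are
assumptions chosen for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct

MIN_FILL_SECONDS = 3          # a human needs at least a few seconds to fill a form
MAX_TOKEN_AGE_SECONDS = 3600  # a token older than an hour is treated as stale

_NONCE_LEN, _TIME_LEN, _TAG_LEN = 8, 8, 32


def issue_form_token(secret: bytes, now: int) -> str:
    """Server side, when rendering the form:
    token = nonce || issue_time || HMAC-SHA256(secret, nonce || issue_time)."""
    nonce = secrets.token_bytes(_NONCE_LEN)
    payload = nonce + struct.pack(">Q", now)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def check_form_token(secret: bytes, token: str, now: int, seen_nonces=None) -> str:
    """Server side, on submit. Returns 'ok' or the reason for rejection.
    `seen_nonces` is an optional set used to refuse replayed tokens."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return "malformed"
    if len(raw) != _NONCE_LEN + _TIME_LEN + _TAG_LEN:
        return "malformed"
    payload, tag = raw[:_NONCE_LEN + _TIME_LEN], raw[_NONCE_LEN + _TIME_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return "bad_signature"                     # not issued by us, or tampered
    nonce, (issued,) = payload[:_NONCE_LEN], struct.unpack(">Q", payload[_NONCE_LEN:])
    elapsed = now - issued                         # measured with the server clock only
    if elapsed < 0:
        return "clock_skew"
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"                          # filled faster than a person could
    if elapsed > MAX_TOKEN_AGE_SECONDS:
        return "stale"                             # likely harvested earlier and replayed
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return "replayed"                      # same token submitted twice
        seen_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok = issue_form_token(key, 1_000_000)
    print(check_form_token(key, tok, 1_000_001))   # too_fast
    print(check_form_token(key, tok, 1_000_010))   # ok
```

This is a speed bump, not a proof of humanity: a bot can simply wait the minimum interval. It does remove the specific weakness of the fingerprint approach, which is that a client can fabricate any timing it likes.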

Give them all the accounts they want, but ... (1)

PPH (736903) | more than 5 years ago | (#25227691)

...charge them a penny per e-mail sent.

Re:Give them all the accounts they want, but ... (1)

creature124 (1148937) | more than 5 years ago | (#25228009)

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Give them all the accounts they want, but ... (1)

vandan (151516) | more than 5 years ago | (#25228511)

Interesting. As a socialist, I despise market-based approaches. In particular for bigger-picture type problems, such as social planning, provision of services, protecting the environment, etc, I think the market is the LAST mechanism that I'd want to use.

But for spam the situation is a little different. Spam is all about 'the market', and in particular, spam exists because free email creates a potentially unlimited market, with zero marketing costs ( for all intents and purposes - there are some nominal costs ). The one sure-fire way to eradicate spam is to introduce just a tiny little per-email charge. See my post below ( search for me ) for more details ...

Saw on ubuntu forums and other sites (1)

Taibhsear (1286214) | more than 5 years ago | (#25227717)

Why not have the captcha ask a question?
"2 + 2 = ?"
or
"What color is a firetruck?"
etc.

Re:Saw on ubuntu forums and other sites (2, Insightful)

WK2 (1072560) | more than 5 years ago | (#25227763)

The main problem with those is that there are only so many questions you can ask. The spammer just needs a database with all of them, or just a significant portion. As for the simple math, that can easily be parsed and calculated.

Re:Saw on ubuntu forums and other sites (2, Funny)

ozphx (1061292) | more than 5 years ago | (#25227769)

Good call. You can type in the first thousand questions, and anyone that agrees with you can add another thousand.

Re:Saw on ubuntu forums and other sites (1)

Vectronic (1221470) | more than 5 years ago | (#25227841)

Math doesn't work, 'cause even a basic script can interpret that.

Same with basic questions like that, it would deny some, but not enough, some database of objects = color/shape/etc would be pretty easy.

Mixing them may work though...

"If you have 2 trucks, and three ambulances, and 6 motorbikes, how many four wheeled vehicles do you have?"

or maybe

"If you have 3 firetrucks, eight ambulances, and 1 + 1 red Ferraris, how many license plates do you have?"

etc...

Re:Saw on ubuntu forums and other sites (2, Interesting)

Asmor (775910) | more than 5 years ago | (#25227869)

Better yet, how about a combination of image recognition and random questions?

E.g. you're shown a randomly-generated picture with a duck, a chicken, a skunk, and a dog, and background noise. You're asked to click the duck. If you correctly click in the general area of the duck, you're verified.

Probably not the best example, since you'd have a reasonable success rate just for guessing, but it seems like a solid concept.

Re:Saw on ubuntu forums and other sites (5, Insightful)

zobier (585066) | more than 5 years ago | (#25227873)

Because of the pr0n hole (people solving CAPTCHA for you, for free, by proxy).

  1. Set up a site with something people want.
  2. When they come to the site your server goes to the target site*.
  3. The target site gives your server a CAPTCHA.
  4. Your server gives the punter the CAPTCHA.
  5. Punter tries to solve CAPTCHA.
  6. Server passes response to target.
  7. Profit!

*via proxies or bot net to avoid IP blacklisting.

Re:Saw on ubuntu forums and other sites (1)

ckedge (192996) | more than 5 years ago | (#25228239)

What if we sent the captcha to them by e-mail as a two megabyte image attachment?

Anyone trying to do things with bots would need an e-mail server that can handle tens of thousands of 2 MB e-mails, and ALL e-mail service providers would be able to insta-ban them based on bandwidth usage. Heck we can even make it easy for e-mail service providers to recognize our 2MB captcha e-mail images, by naming them captcha.jpg. Any account that gets more than 10 captcha e-mails in a single day is banned by gmail/yahoo/etc.

I swear, I'm a fucking genius. This only took me 30 seconds to think of.

Re:Saw on ubuntu forums and other sites (1)

QuoteMstr (55051) | more than 5 years ago | (#25228415)

A cleaner version of the kind of thing you suggest is hashcash [hashcash.org]. The idea is that you force anyone using your service to invest certain resources, with the idea being the investment would be acceptable for a single user, but unacceptable for a massive attack.

The problem with hashcash, though, is that computing power is dirt cheap, especially in this day of botnets. The Storm botnet, taken as a whole, peaked last year as one of the world's most powerful computers.

I think we'll be able to come up with a captcha system that works reasonably well for reasonable periods, making use of word problems, cultural questions, or some kind of clever pattern recognition problem. (Of course, any captcha is going to discriminate against somebody: the blind, the deaf, the dumb, the ignorant, etc. Unfortunately, that's a fact of life.)

I think we're better off in the long run destroying the economics of spam than continuing this arms race. Unfortunately, destroying the economics of spam requires regulation and legislation.

The porn hole is still a big problem though, and there's really no way around that. You can think of various cryptographic schemes, sure, but fundamentally, a captcha still relies on something transmitted to our sense organs. And what we can transmit, we can easily record and replicate elsewhere.

Re:Saw on ubuntu forums and other sites (1)

Jesus_666 (702802) | more than 5 years ago | (#25227947)

"What color is a firetruck?"

The answer to this one is: "Where?"

Remember, web apps are used internationally and not everyone knows what color the firetrucks in your country are.

The CAPTCHA isn't dead yet. (4, Informative)

Fantastic Lad (198284) | more than 5 years ago | (#25227727)

When going through the step-by-step in the article (which is pretty awesome, btw), it appears that there is no character recognition being employed, but rather the security is being defeated by a fairly hacky work-around.

Hacky work-arounds can be defeated simply by programming smarter, (less sloppily?). There's no graphic-reading AI involved, which means the basic fundamentals of the CAPTCHA system remain sound.

While I find CAPTCHAs a little annoying when signing up for stuff, I recognize their necessity and actually kind of grin while doing them, thinking, "Ha ha! Look at this monkey, all smarter than a dumb computer. This must be frustrating for spammers. Ho ho!"

-FL

Re:The CAPTCHA isn't dead yet. (0)

Anonymous Coward | more than 5 years ago | (#25228253)

In my job, I have to use certain websites that constantly require you to enter a new captcha. (multiple searches on the same database)

Doing it once is fine, but see how you like it if you're entering them 200 times a day. These things are EVIL!

Re:The CAPTCHA isn't dead yet. (1)

White Flame (1074973) | more than 5 years ago | (#25228289)

There are companies out there (usually in 3rd world countries) that provide CAPTCHA-breaking services, simply by paying some worker a penny or two per CAPTCHA bypassed.

Anything any human can be expected to do, they can get through as well.

Re:The CAPTCHA isn't dead yet. (0)

Anonymous Coward | more than 5 years ago | (#25228291)

CAPTCHAs are vulnerable to porn. By offering free porn for solving a CAPTCHA, organizations have successfully implemented a mechanical turk. Since it's people on the other end, CAPTCHAs can't resolve this problem.

Re-captcha is fun to screw with (0)

Anonymous Coward | more than 5 years ago | (#25227865)

I can't help it but every time I use re-captcha I like to type things slightly incorrectly, just one or two letters for example:

If it is obviously "to shouted", I will type "to chouted" and it still works fine...

Try it out if you like:
http://recaptcha.net/learnmore.html

Just Require Iris Scans (1)

BoRegardless (721219) | more than 5 years ago | (#25227887)

Everyone who does anything gets scanned. Your scan matches or it doesn't.

Re:Just Require Iris Scans (1)

BoRegardless (721219) | more than 5 years ago | (#25228101)

It does stop NON-HUMANS.

Then my computer, car, home and business can open for me without keys or captchas.

Yeah, there has to be smarts to eliminate photos. Not hard with a living person.

Re:Just Require Iris Scans (1)

White Flame (1074973) | more than 5 years ago | (#25228303)

If the client's eyeballs aren't physically present at the receiving server, how can you trust that the scan you're receiving over the wire is actually of the person on the other end?

A revised CAPTCHA? (4, Interesting)

Panaqqa (927615) | more than 5 years ago | (#25227959)

I had played with this idea a bit a few months back and came up with an idea I think could work - but only ever got around to coding the most basic example of it. For those on /. who are interested, find it here [panaqqa.com]. Each reload will produce the image of a new challenge.

In a closer to final version I had envisioned instructions in multiple fonts and colors involving shapes, letters, etc., and much more flexibility.

In the example I've shown above, pure random clicking will produce a correct response to the challenge 1 time in 30 approximately. So - make them solve three in a row and there you are - 1 chance in 27,000.

The main problem is. (0)

Anonymous Coward | more than 5 years ago | (#25228055)

The main problem with Captchas is it's generated by a machine based on a set of algorithms. Therefore it's just a matter of time before another machine can understand it.

What we need is not better algorithms. Instead..........

-AM

Capitalize on which computers are poor performers (1)

ToadMan8 (521480) | more than 5 years ago | (#25228129)

How about aesthetics? Put up several hot-or-not comparisons, asking the user to select amongst several different pictures, some hideously ugly, one beautiful. Yeah, yeah, some people think the fat lady with a hairy mole is more beautiful than the fake skinny girl with big boobs, so put text that says "select from the following pictures which image society at large would find most visually attractive".

With extremely varied composition (profile shots, portraits, etc.) you could mix things up to the point where computers couldn't figure it out. Microsoft and many other companies already have license-free picture repositories for use for this (Flickr and the like). It would be faster than reading the weird image, as "who is prettier" is an extremely quick, intuitive decision for most. "Training" would be done by asking the user to do an additional comparison that didn't have an "answer" yet, only using it as a valid test when you have a statistically-significant margin.

Interactive? (2, Interesting)

supernova_hq (1014429) | more than 5 years ago | (#25228137)

How about something interactive?

Use some javascript/css/etc to make a box where depending on the position of your mouse in the box, little images/icons/whatever move around in the box till they overlap and create a bigger picture, then send the mouse position (x,y) to an AJAX server and have it validated.

Re:Interactive? (0)

Anonymous Coward | more than 5 years ago | (#25228783)

Have fun doing that on your mobile phone.

I wonder about a time delay for E-mail out (2, Interesting)

mlts (1038732) | more than 5 years ago | (#25228165)

This won't be a be-all and end-all to spam, but maybe for new accounts that are freshly created, have an escalating delay for each message sent out? This would go away after some certain rules are matched (date of account creation).

One can add and subtract modifiers. For example, multiple E-mails sent out to many recipients will have a longer delay than messages sent to the same person, a longer delay if the outgoing content is flagged spam through a heuristic filter, etc.

This by no means would stop spam, but a delay of 10-15 seconds won't affect users much, but will definitely put a crimp on spammers.
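The escalating-delay policy sketched in the post above, as an added example (not the commenter's code and not any real provider's policy). The probation period, base delay, caps and multipliers are assumptions picked so the numbers are easy to follow; a real deployment would tune them against its own traffic.

```python
"""Added example: outbound-mail hold time for freshly created accounts.
All constants are illustrative assumptions."""
from dataclasses import dataclass

PROBATION_SECONDS = 7 * 24 * 3600   # accounts older than a week get no delay
BASE_DELAY = 2.0                    # seconds for the first message of a new account
MAX_DELAY = 600.0                   # never hold a message longer than this
RECIPIENT_PENALTY = 1.5             # extra factor per recipient beyond the first
BULK_RECIPIENT_THRESHOLD = 20       # distinct addresses per day that looks like a spray
SPAM_FLAG_MULTIPLIER = 4.0          # applied when the content filter flags the message
ESCALATION_CAP = 16                 # stop doubling after this many messages (avoids overflow)


@dataclass
class SendContext:
    """What the relay knows about this account and this message."""
    account_age_seconds: int
    messages_sent_today: int
    recipient_count: int
    distinct_recipients_today: int
    heuristic_spam_score: float     # 0.0 .. 1.0 from a content filter


def outbound_delay(ctx: SendContext) -> float:
    """Seconds to hold this message before relaying it."""
    if ctx.account_age_seconds >= PROBATION_SECONDS:
        return 0.0                                     # probation over: no delay
    # Escalate with each message sent today: 2s, 4s, 8s, ... (capped below).
    delay = BASE_DELAY * (2 ** min(ctx.messages_sent_today, ESCALATION_CAP))
    # One message to many recipients costs more than a reply to one person.
    delay *= 1.0 + RECIPIENT_PENALTY * max(ctx.recipient_count - 1, 0)
    # Many distinct addresses in a day is another bulk-mail signal.
    if ctx.distinct_recipients_today > BULK_RECIPIENT_THRESHOLD:
        delay *= 2.0
    # Content the heuristic filter dislikes is held longer still.
    if ctx.heuristic_spam_score >= 0.5:
        delay *= SPAM_FLAG_MULTIPLIER
    return min(delay, MAX_DELAY)


if __name__ == "__main__":
    first_reply = SendContext(3600, 0, 1, 1, 0.05)
    spray = SendContext(3600, 5, 40, 150, 0.9)
    print("first message from a new account:", outbound_delay(first_reply), "s")
    print("sixth bulk message, flagged:", outbound_delay(spray), "s")
```

The shape of the curve is what matters: a person sending a handful of replies sees single-digit seconds, while an account that is spraying flagged mail to many recipients hits the cap within a few messages, which caps its throughput to a few hundred messages a day no matter how many CAPTCHAs were solved to register it.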

pay-per-email // smtp service charge (1)

vandan (151516) | more than 5 years ago | (#25228439)

Yes there's a better solution. All smtp servers should have mandatory per-email charges for RECEIVING, all the way to the email account-holder ( i.e. I charge my ISP for each email I receive ). Then each account holder would be responsible for refunding this charge when they have read the email, if they are satisfied that it's not spam. If it is spam, then I would of course not refund this amount. My ISP would in turn not refund their amount to the upstream smtp server, and so on, right up to the original sender, who would not get his charge refunded. This would make all legitimate email free, and would make spam too expensive to be worthwhile.

Re:pay-per-email // smtp service charge (1)

QuoteMstr (55051) | more than 5 years ago | (#25228557)

You want to charge for messages sent to your SMTP server? Okay, you go first. Unless you run aol.com, gmail.com, or yahoo.com, I don't think you're going to get much traction. Perhaps not even then.

You'd have to either arrange payment details for every communicating pair of SMTP servers or provide a clearing-house. Who's going to run this clearing house? And wouldn't it be in the clearing-house's interest to either see spam (and their fees) increase, or to simply charge people per legitimate email? If you're willing to go that far, simply charging people per email would have the same effect on spam.

Keep in mind that people don't press the "spam" button. Most of the time, they just delete spam messages like other messages. The financial penalty for a spam message would have to take into account the low likelihood of the message being reported by a given user.

Also, it doesn't address botnets. In fact, it further exacerbates that problem. Now, instead of a user's computer being hijacked to send spam, it's hijacked to send spam and drain the user's bank account.

Maybe, maybe, consider a header saying 'This is for real, cryptographically-signed ClearingHouse: "I'm [foo@example.com]-0x54afafa and I guarantee this message is not spam. If it is, I agree to pay you $10 minus clearing-house fees, cryptographically-signed SomeCompany"'

If you attach that header, your spam score on heuristic filters would decrease markedly. If you forged the header, you'd be marked as spam instantly. (Since everyone using this system would have ClearingHouse's public key on file.)

Re:pay-per-email // smtp service charge (1)

vandan (151516) | more than 5 years ago | (#25228773)

You want to charge for messages sent to your SMTP server? Okay, you go first.

Obviously this would require ISPs to get on board and implement it. But considering that they're the ones choking under spam, I think they'd see the point. I know for a fact that some of the largest ISPs in Australia are experiencing serious interruptions to their smtp services because of spam.

You'd have to either arrange payment details for every communicating pair of SMTP servers

We already have a list of smtp servers the email has traveled through in the email headers. It's not hard to use this information to charge the associated party. As for the clearing-house approach, you're right - this is not the way to go ( conflict of interest ).

Keep in mind that people don't press the "spam" button.

This will change when they can make $1 per click.

Also, it doesn't address botnets. In fact, it further exacerbates that problem.

No, it helps solve the problem. That's like saying that prosecuting people for leaving firearms lying around only exacerbates the problem. If your PC is infected, then you're a part of the problem. Simple as that. If people want to take the issue up with Microsoft, then I encourage them to do this. But the buck must stop somewhere, and at the moment, it's stopping at me, because I have to pay to download spam ( over a mobile internet account, this is actually quite expensive ). My way, it will stop at the point that sent the spam, which is at least better if not perfect.

Now, instead of a user's computer being hijacked to send spam, it's hijacked to send spam and drain the user's bank account

OK. So people can nominate an smtp 'limit' on their account, or pay for smtp traffic in advance. So you can't 'accidentally' go over your nominated X number of messages, or X credit.

Maybe, maybe, consider a header saying 'This is for real, cryptographically-signed ClearingHouse: "I'm [foo@example.com]-0x54afafa and I guarantee this message is not spam. If it is, I agree to pay you $10 minus clearing-house fees, cryptographically-signed SomeCompany"'

No. We don't need clearing-house, OR an explicit message stating that it is not spam. ALL messages carry the IMPLICIT guarantee that the message is not spam, and have already paid their $10 guarantee, which I will refund upon deciding if it is spam or not.

Social engineering vs captchas (1)

gmuslera (3436) | more than 5 years ago | (#25228669)

Even if you developed a clever image captcha that can't be solved by computers but can be by humans, spammers can use social engineering to make humans solve those captchas for them (i.e. bulk paying [freedom-to-tinker.com] or showing porn [washingtonpost.com] ).

Captchas alone don't solve the problem, but maybe combining them with some kind of behaviour blocking, or adding more human/machine detection (i.e. sometimes requiring an answer to be able to send the Nth email) after the account was created, could make things a bit less profitable for spammers.. Or some other kind of solution.

Hashcash? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#25228779)

Since CAPTCHAs are frequently an indirect anti-spam measure, somebody may have already mentioned HashCash [wikipedia.org]. It was designed as a mechanism to put a computational cost on sending email, to discourage spamming in a standard market solution type way; but without having to wait for a viable micropayment system.

It strikes me that, with the rise of javascript and xmlhttprequest, and so on, the hashcash concept could be trivially adjusted to serve as a CAPTCHA like mechanism. All one would have to do is include a little javascript implementation of the hash calculator and a random challenge string into the form being protected. The client would then compute the hash, and submit it along with all the other information. The user would notice nothing, other than a short CPU spike; but it would be easy enough to make the computational demands too high to be paid tens or hundreds of thousands of times without significant cost.
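The hashcash-as-CAPTCHA exchange described above, written out as an added example (not the commenter's code, not the hashcash reference implementation, and not tied to any real service). Both sides are shown in one file: the server issues a random, HMAC-signed challenge stating the difficulty and issue time; the client (in the post's scenario this part would be JavaScript in the browser) brute-forces a counter until SHA-256 of the challenge plus counter starts with the required number of zero bits; the server then verifies with one HMAC and one hash, whatever the difficulty. The challenge format, difficulty value and expiry window are assumptions.

```python
"""Added example: a hashcash-style proof-of-work challenge in place of an
image captcha. Challenge layout, difficulty and max_age are assumptions."""
import hashlib
import hmac
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def make_challenge(secret: bytes, issued_at: int, difficulty_bits: int) -> str:
    """Server side: challenge = nonce:issued_at:difficulty:tag. The HMAC tag
    lets a stateless server later confirm it really issued this challenge
    with this difficulty, so the client cannot lower the bar itself."""
    nonce = secrets.token_hex(8)
    body = f"{nonce}:{issued_at}:{difficulty_bits}"
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{tag}"


def solve(challenge: str, max_iterations: int = 1 << 24):
    """Client side: try counters until the hash clears the difficulty.
    Expected work is about 2**difficulty hashes; returns None on give-up."""
    difficulty = int(challenge.split(":")[2])
    for counter in range(max_iterations):
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
    return None


def verify(secret: bytes, challenge: str, counter: int, now: int, max_age: int = 300) -> bool:
    """Server side: constant cost regardless of difficulty. Rejects challenges
    it did not issue, challenges older than max_age, and wrong solutions."""
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    nonce, issued_at, difficulty, tag = parts
    body = f"{nonce}:{issued_at}:{difficulty}"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False                       # forged or tampered challenge
    if not (issued_at.isdigit() and difficulty.isdigit()):
        return False
    if now - int(issued_at) > max_age:
        return False                       # stale: limits how long a solution is reusable
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(difficulty)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    ch = make_challenge(key, issued_at=1_000_000, difficulty_bits=20)
    counter = solve(ch)                    # ~1M hashes: a short CPU spike
    print("solution:", counter, "valid:", verify(key, ch, counter, now=1_000_060))
```

Two operational notes follow from the thread itself. Difficulty is a dial: 20 bits is roughly a million hashes, a moment on a laptop and a real cost at hundreds of thousands of registrations, but, as QuoteMstr points out earlier in this thread, a botnet pays that cost with other people's hardware, so proof of work limits volume rather than proving a human is present. And the server should record each solved nonce until it expires, since otherwise the same solution could be submitted repeatedly within the expiry window.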