
Have Spammers Overcome the CAPTCHA?

kdawson posted more than 7 years ago | from the turing-in-his-grave dept.

Security

thefickler writes "It appears that spammers have found a way to automatically create Hotmail and Yahoo email accounts. They have already generated more than 15,000 bogus Hotmail accounts, according to security company BitDefender. The company says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems."


Quick! (5, Funny)

QuantumG (50515) | more than 7 years ago | (#19796713)

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

FREE PR0N! (5, Insightful)

pq (42856) | more than 7 years ago | (#19796801)

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!
Not really.

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."

So I guess this approach would also solve other AI problems - by having bored RIs solve them. Maybe not such a bad solution after all?

Re:FREE PR0N! (4, Interesting)

pchan- (118053) | more than 7 years ago | (#19797131)

It's the Mechanical Turk [wikipedia.org] approach. Amazon is doing it [mturk.com] .

Re:FREE PR0N! (4, Insightful)

AuMatar (183847) | more than 7 years ago | (#19797285)

I'd be surprised if some spammers weren't using Amazon's Mechanical Turk. It's cheap as hell, so why not use an existing framework?

Re:FREE PR0N! (2, Insightful)

1u3hr (530656) | more than 7 years ago | (#19797191)

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download.

People keep suggesting this. It might work, but no one has ever, to my knowledge, put it into practice. And by its nature, this would be pretty public. So if you don't have a URL, this is just an urban legend.

Actually, I think if put into practice, it would itself be attacked by anti-spammers. They'd try to poison the OCR; do DDOS, etc. In a short time it would be useless.

Simpler just to pay some computer sweatshop in Bangladesh, Manila, etc. who could crank out hundreds per hour for a few cents.

Re:FREE PR0N! (1)

syousef (465911) | more than 7 years ago | (#19797515)

The way they've worked around it probably goes like this: "Free pr0n sets! See more of this hot chick! We don't want automated downloads of these sets, so you need to solve this code to get the download. What? It looks just like the hotmail captchas? Yeah, we're using the same advanced technology here."

Wooohoooo! Free pr0n! Link please.

Re:FREE PR0N! (0)

Anonymous Coward | more than 7 years ago | (#19797519)

OK if that is correct, the stick has two ends. They must trust their solvers because they have no machine to validate it, otherwise they wouldn't need human solvers in the first place.

1. Detect pr0n sites which use redirection of said captchas.

2. Flood them with bots which send garbage as "solutions", frustrating their "customers" with waits and making them suffer timeouts and IP blocking from the CAPTCHAs' real owners when they try to submit them.

Since on the spammer's part it is unfiltered (they rely on having sentient solvers work for them), and the most it can have as an automatic check is a "voting" system, "white hats'" bots can fill them with the same (false) "CAPTCHA" solution, and for the added twist of the blade, CAPTCHA owners can trigger an IP hunter on pre-agreed wrong CAPTCHAs.

Re:FREE PR0N! (3, Funny)

Anonymous Coward | more than 7 years ago | (#19797813)

Then, clearly, the only way to secure hotmail's captchas is to make them so odious that a statistically significant number of bored RIs won't want to solve them. Make all captchas images of latex-clad midgets having group sex while watching Fox News superimposed over stills from German World War II propaganda films.

Re:Quick! (0, Redundant)

house21 (1125581) | more than 7 years ago | (#19796953)

BitDefender employs Romanians, they should come up with something lol

Re:Quick! (1)

benplaut (993145) | more than 7 years ago | (#19797441)

There's an article in this month's (or last month's) WIRED about using CAPTCHAs and such. CAPTCHA2 will have 2 words: the first one is a CAPTCHA, and the second one is an unidentified word (scanned) from an ebook project (can't remember which one). It not only helps defeat bots, but helps with cataloging the world's books!

Re:Quick! (4, Funny)

WWWWolf (2428) | more than 7 years ago | (#19797595)

Get the rest of the difficult AI problems into CAPTCHAs. We've finally figured out a way to finance AI research!

And while the problem remains unsolved, you can use it for distributed problem-solving! Instant sponsoring opportunities from the big industry!

"So you want to sign up for an account? Okay, we need your name, email, and password twice... and could you figure out the optimal shipping route that goes through all of these cities, and only visits each of them once?"

(Turns out to be a route for some annoying door-to-door salesman. Boy, wonder what he feels like when he finds out someone sent a completely misleading solution! At least sanity-check them first =)

Have they? (5, Insightful)

ady1 (873490) | more than 7 years ago | (#19797671)

Or is it just that making new hotmail accounts is being outsourced to china/india/?

Cataloging CAPTCHA info (3, Interesting)

JonathanR (852748) | more than 7 years ago | (#19796731)

Wouldn't it be feasible to record and catalog the fonts and manipulations done by a particular site's CAPTCHA engine, and then script some type of automatic "OCR" to suit? Are these CAPTCHAs dynamically generated from an extended "character set" or are the distortions generated in real-time?

Re:Cataloging CAPTCHA info (4, Interesting)

Bearhouse (1034238) | more than 7 years ago | (#19797135)

Agreed. It's the 'myspace' of the 'free' email providers. The irony is that it had to be easy to use, and therefore abuse, so that kids could use it. But now they all use MSN Messenger... Time for an update?

The time has surely passed when M$, Yahoo et al needed huge numbers of email subscribers to prove how important they were.

How about a self-policing system? Rather than the typical 'black hole' that 'abuse@...' normally leads to, one could have an automated voting system. If 'n' people complain about 'x' address, then wham, it's blocked. Could check for individual IPs, or make people mail respond to a challenge, to check that it was real people complaining, and not a botnet...

Would enough people participate, though? I know I don't try and get all the spam I receive blocked, just the ones that get through the filter, and even then, just when I have time or the mood takes me...
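The self-policing scheme sketched above (block address 'x' once 'n' people complain, count only reporters who answer a challenge, and watch for a botnet voting in bulk) can be written down concretely. This is an added example, not code from the commenter; the threshold, the one-week window, the /24 grouping of reporter IPs and the sample addresses are all assumptions made for the illustration.

```python
"""Complaint-threshold blocklist: 'n' confirmed complaints block an address.

Added illustration of the voting idea from the thread, not the poster's code.
Assumptions: reporters are identified by IP, a report counts only after the
reporter answers a challenge mail, only recent reports count, and votes are
grouped by /24 network so one botnet on one network cannot block an address
on its own.
"""
from collections import defaultdict
from ipaddress import ip_network

N_DISTINCT_NETWORKS = 3          # the 'n' of the post; assumed value
WINDOW_SECONDS = 7 * 24 * 3600   # only complaints from the last week count


class ComplaintRegistry:
    def __init__(self, threshold=N_DISTINCT_NETWORKS, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        # address -> {reporter_ip: (timestamp, confirmed)}
        self._reports = defaultdict(dict)
        self.blocked = set()

    def report(self, address, reporter_ip, now):
        """A reporter complains about `address`; the vote is pending."""
        self._reports[address.lower()][reporter_ip] = (now, False)

    def confirm(self, address, reporter_ip, now):
        """The reporter answered the challenge mail, so the vote counts."""
        address = address.lower()
        if reporter_ip not in self._reports[address]:
            return False          # nothing pending for this reporter
        self._reports[address][reporter_ip] = (now, True)
        self._evaluate(address, now)
        return True

    def _evaluate(self, address, now):
        networks = set()
        for ip, (ts, confirmed) in self._reports[address].items():
            if confirmed and now - ts <= self.window:
                networks.add(ip_network(f"{ip}/24", strict=False))
        if len(networks) >= self.threshold:
            self.blocked.add(address)

    def is_blocked(self, address):
        return address.lower() in self.blocked


def demo():
    """Constructed scenario: one botnet network cannot block by itself."""
    reg = ComplaintRegistry()
    target = "spammer@example.com"   # constructed address
    for i in range(5):               # five hosts, all in 10.0.0.0/24
        reg.report(target, f"10.0.0.{i}", now=1000)
        reg.confirm(target, f"10.0.0.{i}", now=1000)
    after_one_network = reg.is_blocked(target)
    reg.report(target, "192.0.2.7", now=1000)
    reg.confirm(target, "192.0.2.7", now=1000)
    reg.report(target, "198.51.100.9", now=1000)   # pending, never confirmed
    after_unconfirmed = reg.is_blocked(target)
    reg.confirm(target, "198.51.100.9", now=1000)
    return after_one_network, after_unconfirmed, reg.is_blocked(target)


if __name__ == "__main__":
    print(demo())
```

The registry answers the botnet worry from the post directly: five confirmed complaints from one network count as a single vote, and an unconfirmed complaint counts for nothing.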

Re:Cataloging CAPTCHA info (4, Funny)

Mr2cents (323101) | more than 7 years ago | (#19797419)

or make people mail respond to a challenge
You mean... like... a CAPTCHA over e-mail? That seems like a fool-proof plan to me!

Re:Cataloging CAPTCHA info (1)

Bearhouse (1034238) | more than 7 years ago | (#19797599)

No, that's not what I meant, and of course, as the article illustrates, nothing is foolproof.
Renewing my /. or ebay password seems to work, however...

Just musing about how concerned people could actively contribute to spam reduction by getting a 'real' response to their mails to ISPs. Central anti-spam sites are repeatedly attacked, and sometimes closed. Perhaps if it were managed on a 'per ISP / email provider' basis this would be harder for the botnetters to attack.

What's the alternative, do nothing?

it's easy... (4, Insightful)

naeim (1066626) | more than 7 years ago | (#19796739)

Make a porn site that gives you credit to download smut in exchange for solving captchas. Have your automatic account creator redirect the captcha to a human user of your porn site, and if you're lucky and it gets solved within the time period for which the captcha is valid, you're set.

Re:it's easy... (4, Funny)

gijoel (628142) | more than 7 years ago | (#19796965)

And that porn site will be ripped and put on a torrent within a week. Thus defeating the Captcha farm.

Re:it's easy... (3, Insightful)

Anonymous Coward | more than 7 years ago | (#19796993)

Does that matter?
I don't think there is any shortage of porn on the net. There is no point in "collecting it all". So, that the same content of one site is available on another distribution medium too, does not matter at all.

Re:it's easy... (5, Funny)

David Gould (4938) | more than 7 years ago | (#19797359)

I don't think there is any shortage of porn on the net. There is no point in "collecting it all".
You know... it took me years to come to that realization. But you're right.

Re:it's easy... (1)

wirefarm (18470) | more than 7 years ago | (#19797463)

Exactly.
More so if you get the porn you offer by downloading stolen porn via bittorrent in the first place.

Inevitable? (1)

Shuntros (1059306) | more than 7 years ago | (#19796775)

Surely this was only a matter of time? If anti-spam companies can read those graphics telling you about hot stock tips, that technology was eventually going to find its way into the hands of said spammers, right?

Too bad MS ignores RFC 2821 (5, Informative)

Kadin2048 (468275) | more than 7 years ago | (#19796911)

One of the (many) things I hate about Hotmail is that Microsoft blatantly ignores anything sent to its postmaster and abuse addresses, so there's really no way to notify them of spam being spewed from their system. In fact, if you send a message to postmaster@hotmail.com, they send back a pretty snarky response telling you that nobody reads it [rfc-ignorant.org] .

What a cesspool. Hotmail has always been the ghetto of the internet, but now it's clear that it's infested with criminals, as well as just the technologically illiterate.

Time to blackhole it.

Re:Too bad MS ignores RFC 2821 (2, Informative)

pe1chl (90186) | more than 7 years ago | (#19797029)

Hotmail provides two addresses that at least generate an auto-reply:

report_spam@hotmail.com
abuse@hotmail.com

However, there is a script behind it that usually replies back that the abuse is not from their systems. Even when it is.
When you get past that filter, you get a reply that thanks you for the report, but never any further followup.
(This used to be different in the past: then you sometimes got a reply about 3 weeks later from someone working at an outsourcing company in India complaining that they had to handle lots of mail so the processing got delayed a lot, and then usually some standard request for full headers (that were already in the report) or a statement that they cannot do anything about it.)

Yahoo is different. They close spamming accounts, or at least they claim to do so in the replies to abuse mail.

Re:Too bad MS ignores RFC 2821 (2, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#19797217)

Just to clarify, sending back an auto-reply that says "Hi, thanks for writing to postmaster@foo.com; we don't bother to monitor this account, so your message has been deleted," doesn't make you RFC2821 compliant. (Not implying that you thought that, just wanted to make sure everyone is clear.)

Auto-replies that confirm that a message has been received are OK ("Hi, thanks for writing to postmaster@foo.com; your message was received and will be dealt with by a staff member"), but only if there's eventually some followup. The RFC is pretty clear that the abuse and postmaster addresses should be monitored by a person; everything else is just optional window dressing.

Microsoft just blackholes both of those addresses. I've never gotten any further messages from them in response to any of the spam I've ever forwarded their way, but I suppose it's possible, or was possible at one point, that they were looking at it. But I've never gotten jack from them, and they're on the rfc-ignorant.org shitlist. (Which is a tremendously easy shitlist to get removed from, so I doubt it's in error.) What Hotmail/MS would like you to do is apparently go to some page on their site that relates to spam, but I've never visited.

Yahoo is likewise on the rfc-ignorant list, although they apparently just bounce with a "552 mail size or count over quota [rfc-ignorant.org] " error; although I think I've sent them stuff and not gotten a bounce message of any kind. (So either they're reading it and just haven't bothered to click the link to get themselves off the rfc-ignorant list, or they blackhole incoming messages silently, which would be very evil.)

Interestingly, Gmail.com and Google.com are not on the list, and neither is hushmail.com, aim.com, or inbox.com, although Lycos and its subdomains (I didn't even know they were still in business) are.

Re:Too bad MS ignores RFC 2821 (1)

thogard (43403) | more than 7 years ago | (#19797621)

I hate the rfc-ignorant list.
My domain doesn't have any spam going out of it and it never will (due to a shoot first and ask questions later policy combined with terms and conditions involving using site abusers for medical experiments). I've annoyed a few spammers in the past, so I get my domain name in From addresses from time to time, so every once in a while I will get a real person with a legit complaint; however, the postmaster address is now getting several thousand messages a day and I have no choice but to remove it.

Maybe it's time for RFC 3821 which says the human abuse and postmaster address should be encoded in the SMTP error message...

Re:Too bad MS ignores RFC 2821 (0)

Anonymous Coward | more than 7 years ago | (#19797335)

My experience is not different. Sometimes 419 & lottery scam mails land up in my inbox instead of going to the junk folder. The spams promptly get reported. However, if the mail is originating from hotmail, with experience I learned that my reports go to /dev/null. Yahoo is very different. Usually I get 2 mails, the first one saying they have received my report and the 2nd one saying appropriate action is taken but they can't disclose the action taken (I'm fine with that).

HOT GRITS (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19796783)

Get hot grits here now! Just $5.99 a can!

http://www.gethotgritsherenow.com/ [gethotgritsherenow.com]

500 accounts created every hour? (5, Insightful)

patio11 (857072) | more than 7 years ago | (#19796791)

That doesn't sound like a CAPTCHA has been broken, except perhaps by the sophisticated AI device known as a human being. 8 and a half CAPTCHAs a minute? No problem for one person with a tolerance for boredom and CTS. Heck, you can even put the job up on Amazon Turk and charge a penny an account for the signups, or use cheap labor in any of a number of countries to do it.
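Whether the solver is a program or a bored human, the figure in the thread (500 accounts an hour, about 8.5 a minute) is something a provider can look for in its own signup logs. The following is an added example, not code from the page or from BitDefender: it runs a sliding one-hour window over a constructed signup log, flags any source address whose peak rate exceeds an assumed threshold, and separately flags sources whose inter-signup gaps are suspiciously regular, since a person clicking through forms does not submit every seven seconds to the second. The log format, the two source addresses and both thresholds are invented for the example.

```python
"""Signup-rate and cadence detector over a constructed signup log.

Added example, not the page's or any provider's code. Log format, thresholds
and addresses are assumptions; the 500/hour figure is the thread's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

MAX_PER_HOUR = 20          # assumed per-source threshold (well under 500/h)
MIN_JITTER_SECONDS = 2.0   # assumed: a human's gaps vary by more than this
MIN_GAPS_FOR_CADENCE = 5   # don't judge cadence on a handful of events

LINE_RE = re.compile(r"^(\S+) signup src=(\S+) acct=(\S+)$")


def parse_line(line):
    """Return (timestamp, source_ip, account) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3)


def max_in_window(times, window=timedelta(hours=1)):
    """Largest number of events falling inside any one window (two pointers)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, max_per_hour=MAX_PER_HOUR, min_jitter=MIN_JITTER_SECONDS):
    per_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, _acct = parsed
            per_src[src].append(ts)
    report = {}
    for src, times in per_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) if len(gaps) > 1 else None
        peak = max_in_window(times)
        reasons = []
        if peak > max_per_hour:
            reasons.append("rate")
        if jitter is not None and len(gaps) >= MIN_GAPS_FOR_CADENCE and jitter < min_jitter:
            reasons.append("regular cadence")
        report[src] = {"peak_per_hour": peak, "jitter": jitter, "reasons": reasons}
    return report


def constructed_log():
    """Constructed sample: one automated source, one human-looking source."""
    base = datetime(2007, 7, 6, 10, 0, 0)
    lines = []
    for i in range(30):   # 30 signups, one every 7 seconds, from one address
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} signup src=203.0.113.5 acct=bot{i:04d}")
    for i, offset in enumerate((0, 1900, 5400)):   # three spread over the morning
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} signup src=198.51.100.23 acct=person{i}")
    return lines


if __name__ == "__main__":
    for src, info in analyse(constructed_log()).items():
        print(src, info)
```

A NAT gateway or a proxy will put many real users behind one address, so the rate rule alone produces false positives at a large provider; the cadence rule is the cheaper discriminator between a busy office and a script, and in practice both would feed a review queue rather than an automatic block.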

Re:500 accounts created every hour? (3, Interesting)

bombastinator (812664) | more than 7 years ago | (#19797023)

...and if this person or persons happen to be, say, a 12 year old semi-literate war refugee in Sub-Saharan Africa, he'd probably be willing to do a whole day of it for a bowl of soup and a big shiny nickel, or even just for a semi-serious promise not to beat him again that evening...

Things get real economical real fast if you think globally and happen to be evil.

In a point of irony I would like to mention that the captcha for this slashdot comment was "disturbs".

Low wage alternatives (0)

Anonymous Coward | more than 7 years ago | (#19796807)

How about paying people to solve CAPTCHA. I am sure you can get thousands of them done for a few dollars by people in low wage countries. Why do they need complex OCR technology?

Re:Low wage alternatives (1)

ajs318 (655362) | more than 7 years ago | (#19797659)

Or, just as effective and even less expensive, try withholding water from people until they solve enough CAPTCHAs.

For some time I have been thinking about having "field-of-endeavour-specific" human-detection; that is, using some piece of information which will be generally known within a specific field of endeavour but perhaps not to some third world click-monkey. So, for instance, if you are running a Star Trek fansite, you could have something along the lines of "click on William Shatner to continue" and have a few pictures. If you are running an evolution-vs-intelligent-design website, you could have something like "Behe, Dembski, Hovind, Dawkins. Which is the odd one out?"

It's not perfect, but not much is. The point is that just recognising distorted text isn't enough: we have to make the test harder, with questions that only a human being can answer. But you have to be aware of Dumbing Down, and the very real possibility that someone might take you to court for discriminating against thick people. About 15 or 20 years ago you could be certain that a School Leaver With Passing Grades In All Subjects would know certain things, but nowadays it seems you only need to write your name on the paper to get an A grade GCSE. And spell it properly to get an A*.

Outsourcing (0, Redundant)

mhannibal (1121487) | more than 7 years ago | (#19796813)

Who needs CAPTCHA breaking software - they can just outsource creating the accounts to China, India or some other country.

I wouldn't imagine creating 15,000 accounts would be very expensive.

Re:Outsourcing (-1, Offtopic)

thegrassyknowl (762218) | more than 7 years ago | (#19796849)

In communist Russia, CAPTCHA breaks you!

Re:Outsourcing (1)

elborrachogato (1081195) | more than 7 years ago | (#19797527)

yep, for some parts of the world, people would be more than happy to earn a penny a captcha break.

Economically driven Turing test (1)

Mathinker (909784) | more than 7 years ago | (#19796815)

Eventually (but don't hold your breath) the arms race for solving CAPTCHAs will start to cause problems for significant numbers of humans who are otherwise capable of browsing the Internet, and at that point we can say that AI has solved a kind of limited version of the Turing test.

Re:Economically driven Turing test (2, Informative)

Mathinker (909784) | more than 7 years ago | (#19796903)

Actually, now that I think of it, CAPTCHAs already pose problems to some (visual CAPTCHAs for the visually impaired), but I wasn't thinking about that. I probably should have, since one can think of other CAPTCHAs where other specific handicaps would be a problem (human facial recognition comes to mind, for example; see Prosopagnosia [wikipedia.org] ).

Since brain damage can cause very peculiar and specific cognitive problems, probably every kind of CAPTCHA will give trouble to someone. So I suppose there will be a variety of choices, just like there is sometimes an auditory choice given now.

Re:Economically driven Turing test (2, Informative)

fractoid (1076465) | more than 7 years ago | (#19797611)

Hell, I have perfectly good eyesight (with contacts) and maybe 10% of the time CAPTCHAs are too munted for me to read. Often the problem is that it's not clear whether it's alpha or alphanumeric, or whether it's case sensitive, and there's a badly distorted O/0 or 1/I/l.

Regardless, CAPTCHAs will obviously have to evolve* to cover current 'hard problems' in AI as state of the art improves and 'hard' turns into 'not so hard'.

* or wait, should that be 'be intelligently designed'? :P

Work opportunities for developing nations (3, Informative)

Mr. Roadkill (731328) | more than 7 years ago | (#19796831)

Indians are fast, accurate and cheap:

http://www.getafreelancer.com/projects/Data-Processing-Data-Entry/Data-Entry-Solve-CAPTCHA.html [getafreelancer.com]

Of course, there are those who seek to use the IT talent of the sub-continent for a more direct attack:

http://www.getafreelancer.com/projects/PHP-ASP/yahoo-ocr-bypass-captcha.157160.html [getafreelancer.com]

And as an upstream poster pointed out, there's always the old "Free Porn - solve this CAPTCHA for access" approach.

captcha guide by vulnerability (3, Informative)

dattaway (3088) | more than 7 years ago | (#19796857)

Goatse'd! (1, Informative)

Bazman (4849) | more than 7 years ago | (#19797127)

Hey! That's the first time I've been sent to a goatse image from slashdot for a long long time! Ah, the memories.

Don't scroll down too far on that page if you are of a sensitive nature.

OCR or humans (3, Insightful)

drgonzo59 (747139) | more than 7 years ago | (#19796861)

If OCR was used, then it is as simple as having a mathematical quiz captcha. For example, the answer to "34 + 2" or "first 3 digits of e" (well, ok maybe not this one, unless it's a math forum...). This will not stop the spammers as they would probably just try to parse the math expressions and post the result but it will slow them down a bit.

If a human is used to read the captcha then there is not much that can be done as that is what a captcha is for: to make sure a human only will be able to bypass it....

Re:OCR or humans (4, Insightful)

coldcell (714061) | more than 7 years ago | (#19797005)

I was actually looking into securing a forum from spammers earlier when this question came into my head:

How do I make questions that are simple enough to be obvious to legitimate members, but obscure for outsourced human spammers?

I then wondered exactly WHY I'd want to use simple questions anyway, surely I'd want people posting intelligently, so why not moderate at the first access point! Elitism, sure, but I don't think that asking for some mathematically obscure reference for a forum catering to that userbase is Evil, nor any other purpose-specific odd questions. The truly determined can always google the answers.

Re:OCR or humans (4, Funny)

dysfunct (940221) | more than 7 years ago | (#19797397)

You mean a captcha like this one [thehumorarchives.com] ?

Re:OCR or humans (2, Informative)

kuzb (724081) | more than 7 years ago | (#19797483)

Your best bet for forum spam would probably be a Bayes filter - much the way you'd deal with email. If it's small scale and non-commercial, you could use akismet [akismet.com] . This is generally not a viable solution if you're running a high traffic commercial forum (we looked into it, it was going to cost us between $15 - $20k per month). In the end, it was more viable to develop our own solutions in house. This won't stop them from making bogus accounts, but it can help to cut down on the amount of garbage that litters your forum.

Time to stick a fork in it? (2, Informative)

Kadin2048 (468275) | more than 7 years ago | (#19797059)

I think you're right about it not stopping spammers; I don't think it's even going to be much of a speed bump. It doesn't take a brilliant programmer to feed the output of an OCR program into a command-line calculator to evaluate simple mathematical expressions.

You might be able to trip some calculators up by using complex math or logic problems that aren't easily parseable by machines*, but this would also trip up a lot of humans. (Whether that's a bug or a feature I'll leave up to you.)

CAPTCHAs were, and still are, a neat hack, but as you increase their complexity beyond what's trivially solvable by an army of 'mechanical turk' keypunch monkeys (either for real money or porn), you start to eliminate broader and broader swaths of humanity from the content. There's no good problem to use, because the criteria conflict with each other. On one hand, you want something that only takes a person a few seconds to figure out, because otherwise, people aren't going to want to go through them all the time. On the other hand, you want something that's non-trivial, because otherwise a spammer can just use an army of people to cut through them as if they weren't there.

I'm not sure that the CAPTCHA avenue has a lot left in it as a general solution.

* E.g., you could write flowery word problems that only involve basic arithmetic, so that the challenge is in natural language processing. This knocks out a lot of non-native language speakers, however. (Which again, could be acceptable if it's a regional website in a monolingual area; it also narrows the pool of 'mechanical turk' workers that can be hired to solve them as well.) But I'm not sure this is anything but a temporary setback, and it would come at too high a cost to be generally useful.

Re:OCR or humans (1)

WarwickRyan (780794) | more than 7 years ago | (#19797099)

> "34 + 2" or "first 3 digits of e"
> (well, ok maybe not this one, unless it's a math forum...)

With the state of US education, I think that the first one might be a bit too difficult ;-)

Fight fire with fire (1)

The Master Control P (655590) | more than 7 years ago | (#19796885)

Instead of trying to reduce the signal level in spam, bury the bastards in noise. Set up a nonprofit organization which people join (after giving real-life details and a deposit and being confirmed) which flags an email as spam. When that happens, participating clients (available to everyone) begin contacting the website given in the mail. Result: spammer website and ISP buried in noise and bandwidth bills.

Either that, or someone needs to write the next massive-spread virus and have it break your computer and force you to have it serviced. That'll break the botnets...

Sounds like BlueFrog (4, Informative)

Kadin2048 (468275) | more than 7 years ago | (#19796957)

I think this was basically the idea behind BlueFrog; they had a pretty nice, aggressive system for going after the sites that profit from spam, by bouncing spam emails back at them and generally causing them a lot of grief.

It was obviously working, as demonstrated by the concentrated fire they started to take from spammers. Unfortunately, they didn't have the resources (at least, I'd prefer to think it was a resource issue and not one of will) to fight the spammers, and after getting some really terrible legal advice, they got crushed.

Short of brutal vigilante justice [slashdot.org] (which I'm not opposed to here and there, but it tends to not scale very well), Blue Frog's approach seemed to be the only "supply-side" approach to spam that ever seemed to show a bit of effectiveness.

FoldingBlueFrog? (0)

Anonymous Coward | more than 7 years ago | (#19797799)

Or BlueFrog@Home, maybe.

People sign up for a DDoS under BlueFrog's auspices. If the courts are interested in the actions of the spammers (i.e. they are a real problem) then the spammer cannot easily go to court to get redress.

Are they reusing them in e.g. blog accounts? (1)

BerntB (584621) | more than 7 years ago | (#19796943)

Are the spamming b.st.rds reusing the images for blog comments, or something like that? Do that for a hundred blog readers and they could get fast feedback.
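Two threads of this discussion touch the same design point: the relay scheme only works "within the time period for which the captcha is valid" (the "it's easy..." post above), and this post asks whether the same images get reused elsewhere. Both are bounded by how the provider issues and verifies the challenge. The following added example (not code from the page or from Hotmail/Yahoo; the token layout, the 120-second lifetime and the answer generator are assumptions) shows the server side of a challenge that is bound to the requesting session, expires, and can be consumed only once, so that a solution carried over from another session, an expired one, or a second submission of an old one all fail. Rendering the answer as a distorted image is out of scope; the answer is returned from `issue()` only so the example can be exercised.

```python
"""Session-bound, expiring, single-use challenge tokens.

Added example of provider-side handling, not any provider's real code.
Assumptions: a per-deployment HMAC key, a 120 s validity window, and a
random string standing in for the text that would be rendered as an image.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; generated here
TTL_SECONDS = 120                      # assumed validity window


class ChallengeStore:
    def __init__(self, key=SERVER_KEY, ttl=TTL_SECONDS):
        self._key = key
        self._ttl = ttl
        self._pending = {}   # challenge_id -> (answer, session_id, expires_at)

    def _sign(self, challenge_id, session_id, expires_at):
        msg = f"{challenge_id}|{session_id}|{expires_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, now=None):
        """Create a challenge for this session; returns (token, answer).

        The answer is returned only so the caller can render it (or, here,
        test with it); a real deployment renders it into the image and keeps
        it server-side.
        """
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(12)
        answer = secrets.token_hex(3)          # stands in for the image text
        expires_at = int(now) + self._ttl
        self._pending[challenge_id] = (answer, session_id, expires_at)
        sig = self._sign(challenge_id, session_id, expires_at)
        return f"{challenge_id}.{expires_at}.{sig}", answer

    def verify(self, token, session_id, response, now=None):
        """Return 'ok' or the reason the submission was rejected."""
        now = time.time() if now is None else now
        try:
            challenge_id, expires_str, sig = token.split(".")
            expires_at = int(expires_str)
        except ValueError:
            return "malformed"
        # Signature covers the session, so a token solved in one session
        # cannot be submitted from another, and the expiry cannot be edited.
        if not hmac.compare_digest(sig, self._sign(challenge_id, session_id, expires_at)):
            return "bad signature"
        # Single use: remove the record before judging the answer, so a wrong
        # or late answer also burns the challenge and a fresh one is needed.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return "unknown or already used"
        answer, bound_session, stored_exp = record
        if now > stored_exp or expires_at != stored_exp:
            return "expired"
        if bound_session != session_id:       # defence in depth; signature already binds it
            return "session mismatch"
        if not hmac.compare_digest(answer.encode(), response.strip().lower().encode()):
            return "wrong answer"
        return "ok"


if __name__ == "__main__":
    store = ChallengeStore()
    token, answer = store.issue("session-A")
    print(store.verify(token, "session-B", answer))   # bad signature
    print(store.verify(token, "session-A", answer))   # ok
    print(store.verify(token, "session-A", answer))   # unknown or already used
```

This does not make relaying impossible; a solver who answers inside the window, with the relayed answer submitted from the original session, still passes. It does set the ceiling the rest of the thread argues about: every fresh account costs one fresh human solve, answers cannot be stockpiled, and a short window turns solver latency into a failure rate.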

Zut alors! (1)

mypalmike (454265) | more than 7 years ago | (#19796961)

Bogus hotmail accounts!?!?! I don't believe it!!!

Wow... (4, Funny)

superbus1929 (1069292) | more than 7 years ago | (#19796967)

Judging by the amount of spammers I get on my Invision Power Board forums, which have been through two different styles of CAPTCHA, I'd file this one under the "No Shit" department.

Re:Wow... (1)

sgbett (739519) | more than 7 years ago | (#19797399)

I find it particularly ironic considering the trouble one has getting whitelisted by these two organisations in particular, when a couple of smart alec users flag you as spam, and all you have ever sent them is solicited (i.e. signed up for and requested) e-mail.

Arguably Impractical but Satisfying Suggestions (1, Interesting)

BillGatesLoveChild (1046184) | more than 7 years ago | (#19796979)

* Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases. Impractical? Maybe, but I'll bet the Chinese Government can come down like a sledgehammer when it wants to! Same with this kind of threat to India. When the Indian Government smells its vast outsourcing revenues becoming unstuck, they'll have motivation to crack down on 'unscrupulous operators'.

* 25 years jail and a $2M fine for those who use spammers. Tracking spammers is hard. Typically the fools that reply to spam give their details to a spammer web site, who sells a call list to a mortgage agency, who then calls you, supposedly unaware of the source. Some journalists have done this and followed the trail. Now if journalists can do it, maybe the FBI can do it? If the FBI aren't up to the task, bounty hunters maybe?

* Same thing: Have law enforcement respond to spam, trace the payment and throw the lowlife on the other end into the slammer: 25 years jail and a $2M fine.

* Conan the Barbarian has some advice here: "Savages are more polite than so-called civilized men, because a civilized man knows he can insult someone without getting his skull split". The reason spammers do it isn't just because it can make money, but because they know they can get away with it. The chance of getting prosecuted at the moment is next to nothing. Give them a fair chance of getting imprisoned, and they'll change their tune.

Comes down to the same thing: Congress drafting laws and supplying the funds to enforce it. Do I hear a Presidential Candidate with an anti-Spam policy?

Re:Arguably Impractical but Satisfying Suggestions (3, Insightful)

pe1chl (90186) | more than 7 years ago | (#19797065)

* Problem with Spam traffic from India and China? Fine. Make a declaration that internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases.

There are problems with this approach.
1. The allocation of IP addresses has been (and is continuing to be) done in a manner that makes it difficult to quickly block a whole country. APNIC allocates blocks of addresses in the entire Asia-Pacific region nearly sequentially and at very funny boundaries.

2. The spam source country varies a lot. You may have a problem with spam from China, but I have a lot more spam from the USA so I need to block that. While I already blocked many DSL/Cable provider netblocks to reduce the crap from infected Windows PCs a bit, there is an increasing risk of collateral damage.

Re:Arguably Impractical but Satisfying Suggestions (1)

BillGatesLoveChild (1046184) | more than 7 years ago | (#19797179)

Technically, yeah, as the subject line said, impractical. It's meant as a political feint against those countries' governments. The problem with the net is people can harass you across country borders and there is nothing you can do about it. Ultimately only those countries' governments can do that. A cutoff threat mightn't inconvenience the spammers, but it'd sure as hell inconvenience them, and that might push them to do something. A bigger problem is the US Government would never have the will to do anything on that scale, because as far as they're concerned, spam is a non-issue.

This is why practical measures the government *can* take aren't implemented either. Politically, spam is a non-issue, and in a democracy non-issues are ignored.

Re:Arguably Impractical but Satisfying Suggestions (1)

pe1chl (90186) | more than 7 years ago | (#19797429)

They may think that spam is a non-issue, but IMHO terrorism is a non-issue and they are still hunting that (only making it worse).

The problem is that the politicians do not understand what issues are. Everyone is affected by spam, so that is an issue. Everyone is affected by changes in climate and environment, so that is an issue. They should focus on that, instead of trying to extinguish a fire by blowing into it.

Re:Arguably Impractical but Satisfying Suggestions (1)

ajs318 (655362) | more than 7 years ago | (#19797729)

How about if we could somehow convince Bush that spam is funding terrorism? All the money people are making from selling counterfeit viagra, pirated "OEM" software and doing dodgy share trading deals could be buying weapons of mass destruction for the next country we don't like very much .....

Re:Arguably Impractical but Satisfying Suggestions (0)

Anonymous Coward | more than 7 years ago | (#19797287)

Once again it seems that the internet community must resort to a technical arms race or a legal puzzle in order to deal with these people. I think the focus is in the wrong place. Technical solutions will always be evaded and legal solutions are often impractical due to the international nature of the networks.

The only real, humane solution is the one I have offered many times before.

CUT OFF THEIR FUCKING HEADS AND STICK THEM ON PIKES AS WARNING TO THE REST OF THEM.

It may sound harsh, but it's for their own good.

Re:Arguably Impractical but Satisfying Suggestions (0)

Anonymous Coward | more than 7 years ago | (#19797311)

25 year jail and a $2M fine for those who use spammers.
I do not see this as impractical considering that much spam is promoting one form of illegal activity or another. The pills these outfits sell are fake and dangerous (Dateline found road paint being used).

What that is is murder/attempted murder.

Re:Arguably Impractical but Satisfying Suggestions (0)

Anonymous Coward | more than 7 years ago | (#19797541)

I got a letter from the Texas Atty Generals office about spam selling drugs to kids...
They said that yes it is illegal and can result in very long jail terms in Texas and they will support extradition.
They also said they can't start prosecution as that must come from a county or city office.
So everyone in Texas please call your local county or city prosecuting office and ask when they are going to
put some of these drug pushers in jail.
It's best to do this right before an election.

Re:Arguably Impractical but Satisfying Suggestions (0)

Anonymous Coward | more than 7 years ago | (#19797377)

Thank you for reminding me there are far scarier and more insidiously evil things in the world than spam.

Re:Arguably Impractical but Satisfying Suggestions (0)

Anonymous Coward | more than 7 years ago | (#19797433)

If you want to stop high levels of spam you should tackle one of the top 5 spamming countries

The good old U S of A

check out http://www.spamhaus.org/rokso/index.lasso [spamhaus.org]

SpamHaus's "weekly top 10" is interesting http://www.spamhaus.org/statistics/spammers.lasso [spamhaus.org]

Re:Arguably Impractical but Satisfying Suggestions (3, Informative)

Alioth (221270) | more than 7 years ago | (#19797571)

That's great, but the United States will have to be cut off from the Internet first. The USA is the world's biggest spam source, according to Spamhaus.

http://www.spamhaus.org/statistics/countries.lasso [spamhaus.org]

The United States emits *four* times as much spam as its nearest competitor, China.
Verizon is the world's spammiest ISP.

Re:Arguably Impractical but Satisfying Suggestions (4, Insightful)

1u3hr (530656) | more than 7 years ago | (#19797573)

* Problem with Spam traffic from India and China? Fine. Make a declaration internet traffic from those countries will be severed from the Internet within 21 days unless all Spam activity ceases.

Ever heard of proxies?

Also, have a look at the ROKSO list [spamhaus.org] . Most spam originates in the USA. They may route it through Russia or China or Korea, but its source is the USA. Block China, say, and next week it'll be coming via Brazil, or .... faster than you can reconfigure.

If the USA wants to take decisive action, something the government has actively avoided doing, it could shut down spammers in a week. How many spammers have been prosecuted and gone to jail? It's big news when they do, but only a handful have been prosecuted. The feds just don't care enough to build cases, even when the evidence is handed to them. Only if AOL or Microsoft push does anything happen.

Spammers have to make money. Credit card companies do that for them, and they are all based in the USA. As for the pump-and-dump spammers, that's a bit harder, but the stock exchanges should be able to block suspicious activity based on that. They don't care now because it's just foolish home investors losing money when they try to "take advantage" of the tips.

AI (1)

takev (214836) | more than 7 years ago | (#19796991)

The only good coming from this spam-war, is better AI.

Not only will OCR get better, but soon the captchas will contain questions, so natural language processing will become necessary. And this is happening on both sides of the fence:
- anti-spam needs to ocr images from spam mail
- spam needs to ocr captchas
- anti-spam needs natural language processing of email, now that they contain random pieces of the internet
- spam needs natural language processing to answer captchas questions, and writing spam emails without hitting a spam filter.

The only problem I see on the horizon (next to the problems that spam is causing), is that the captchas become too complicated for humans to answer and maybe get self aware. But I for one welcome our captcha overlords.

Re:AI (1)

artg (24127) | more than 7 years ago | (#19797507)

A simpler AI might only be able to understand a human with a high standard of grammar and spelling. Would that be so bad ?

Re:AI (1)

Alioth (221270) | more than 7 years ago | (#19797689)

I've long said that the first computer that becomes self-aware will be a spam filtering gateway for just this reason :-)

Poor bastard when it does, though.

The solution is simple; (2, Interesting)

grasshoppa (657393) | more than 7 years ago | (#19796999)

Block MSN and yahoo.

You can thank me later.

Re:The solution is simple; (0)

Tony Hoyle (11698) | more than 7 years ago | (#19797591)

The answer to hotmail spam is to block msn and yahoo???

Let me guess.. you work for microsoft...

(I already block hotmail at the border because it's been a continual source of spam for years.. they have no effective anti-spam policy and reporting the spam does nothing).

Re:The solution is simple; (1)

elborrachogato (1081195) | more than 7 years ago | (#19797657)

tried that... still got spams from other sources plus I blocked some important emails.. any other bright ideas?

Re:The solution is simple; (1)

cp.tar (871488) | more than 7 years ago | (#19797753)

I do wonder... if mail from thousands of Hotmail and Yahoo! accounts gets to be tagged regularly as spam, maybe Gmail starts blocking them, thus making people jump ship from the first two... Therefore, I'd guess it's just GoogleSpammer Beta. An excellent plan, except...

Re:The solution is simple; (0, Troll)

ajs318 (655362) | more than 7 years ago | (#19797773)

Better still, just block all e-mail. Really, it's dead. The only people who use e-mail for anything are spammers and morons. If people really want to contact you, they can do so via other means.

There's probably a place for private, closed e-mail networks which are not accessible to spammers and where anyone attempting to spam will get terminated without prejudice ..... but the present mess is just unworkable.

Feedback loop (1)

Bazman (4849) | more than 7 years ago | (#19797019)

But how much of the spam these bogus accounts are sending out is going to other bogus accounts? Eventually hotmail will eat itself... We can only hope.

Re:Feedback loop (1)

pe1chl (90186) | more than 7 years ago | (#19797171)

I always wonder (and I asked their support personnel several times) why they don't insert the same spamfilters in their OUTgoing mail flow as they do in their INcoming.
That would almost solve their bad reputation as spam senders immediately.

But probably they are not at all interested in their reputation, only in their number of users. Even a spammer is a user, that will count once they want to sell-off their service.

Re:Feedback loop (1)

dberstein (648161) | more than 7 years ago | (#19797531)

I always wonder (and I asked their support personnel several times) why they don't insert the same spamfilters in their OUTgoing mail flow as they do in their INcoming.
That would almost solve their bad reputation as spam senders immediately.
If I had mod points I would give you +10 (hammer hits nail).
Simple and realistic! The perfect solution.

Aha! That explains everything (1)

tekrat (242117) | more than 7 years ago | (#19797025)

I was wondering why it seemed like the amount of spam I was getting DOUBLED this weekend. Usually I get about 50 or 60 spams per day, now it seems like I'm getting 120 or 130 per day. Really freaking annoying. I'm ready to spam myself, but I want to spam an uber destructive virus that'll force the world to do something about spammers. Only after email has been rendered useless will the world do anything about spam.

Re:Aha! That explains everything (1)

Simon Garlick (104721) | more than 7 years ago | (#19797053)

I got a spam email last week.

Thanks, gmail!

Why break CAPTCHA? (0)

Anonymous Coward | more than 7 years ago | (#19797067)

Why would you want to attack the CAPTCHA to gain 15000 accounts? That seems to not be the easiest way ... I would rather believe they have sent out a moderately successful trojan/virus that sniffs and steals people's hotmail and yahoo accounts. With a large scale virus I would imagine that you'd get A LOT more accounts, but maybe they have just used a first batch - so they have more when the current ones get blocked. //fatal

Overcome with Manpower? (2, Insightful)

DavidD_CA (750156) | more than 7 years ago | (#19797107)

It wouldn't surprise me if the CAPTCHAs were overcome simply by showing the graphics to some underpaid person who just types in the actual responses.

A sophisticated enough system could easily "pipe" these graphics to someone who just sits and types all day. At one CAPTCHA every 10 seconds, that's about 8000 in a day working 24/7.

Not everything these spammers do has to be automated.

unsurprising (4, Interesting)

kuzb (724081) | more than 7 years ago | (#19797293)

One of the things I get tasked with at work is handling forum and service spam. Of all the methods I've used to deter spammers, captchas rank among the least effective. A lot of people seem to think the answer is in changing the nature of what the user has to interpret. I've had suggestions ranging from audio captchas to math problems, and dozens of others that lead to the same kinds of problems - you're making it hard, or in some cases, impossible for legitimate users to use your service. Language barriers rank among the biggest problem. Say you have a picture of an apple, and the user is supposed to type 'apple'. It falls short when you realize the person viewing it may not speak english at all, or may have no idea how to spell 'apple' in english. Same with audio captchas.

The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data in to them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.

It's important to realize that this is a fight you simply can't win - if they're serious about getting through, they'll get through. The most you can hope to achieve is to slow them down long enough to come up with an improved solution.
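The three layers kuzb describes (a CSS-hidden honeypot field, a form key that is only good once, and blocking repeat offenders) as one server-side validator. This is an added example, not code from the thread or from any forum package; the field names `website` and `form_token`, the token layout (`nonce:issued:ip:hmac`), and the thresholds are assumptions. The clock is injectable so the behaviour can be checked without waiting.

```python
import collections
import hashlib
import hmac
import os
import secrets
import time


class FormGuard:
    """Server-side checks for a post/registration form (assumed design).

    1. Honeypot: a field hidden from humans via CSS; anything in it means a bot.
    2. Form key: an HMAC-signed, client-bound, time-limited, single-use token.
    3. Repeat offenders: an IP whose rejects exceed a threshold inside a window
       is refused outright (the list you would feed into firewall rules).
    """

    HONEYPOT_FIELD = "website"      # assumed name of the CSS-hidden field
    TOKEN_FIELD = "form_token"      # assumed name of the hidden token field

    def __init__(self, secret=None, token_ttl=600, min_fill_seconds=2,
                 max_rejects=5, reject_window=3600, clock=time.time):
        self.secret = secret or os.urandom(32)
        self.token_ttl = token_ttl                  # token valid this long
        self.min_fill_seconds = min_fill_seconds    # humans need time to type
        self.max_rejects = max_rejects
        self.reject_window = reject_window
        self.clock = clock                          # injectable for testing
        self.spent = set()                              # nonces already used
        self.rejects = collections.defaultdict(list)    # ip -> reject times

    def _mac(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, client_ip):
        """Call when rendering the form; embed the result in a hidden field."""
        nonce = secrets.token_hex(8)
        payload = f"{nonce}:{int(self.clock())}:{client_ip}"
        return f"{payload}:{self._mac(payload)}"

    def is_blocked(self, client_ip):
        cutoff = self.clock() - self.reject_window
        recent = [t for t in self.rejects[client_ip] if t > cutoff]
        self.rejects[client_ip] = recent
        return len(recent) >= self.max_rejects

    def check(self, form, client_ip):
        """Validate a submitted form dict. Returns (accepted, reason)."""
        if self.is_blocked(client_ip):
            return False, "ip blocked"
        ok, reason = self._validate(form, client_ip)
        if not ok:
            self.rejects[client_ip].append(self.clock())
        return ok, reason

    def _validate(self, form, client_ip):
        if form.get(self.HONEYPOT_FIELD):
            return False, "honeypot filled"
        parts = form.get(self.TOKEN_FIELD, "").split(":")
        if len(parts) != 4 or not parts[1].isdigit():
            return False, "malformed token"
        nonce, issued, ip, mac = parts
        payload = f"{nonce}:{issued}:{ip}"
        # Constant-time compare: a forged or edited token fails here first.
        if not hmac.compare_digest(mac, self._mac(payload)):
            return False, "bad signature"
        if ip != client_ip:
            return False, "token issued to a different ip"
        age = self.clock() - int(issued)
        if age > self.token_ttl:
            return False, "token expired"
        if age < self.min_fill_seconds:
            return False, "submitted too fast"
        if nonce in self.spent:                     # the key is good once only
            return False, "token replayed"
        self.spent.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    guard = FormGuard(min_fill_seconds=0)
    ip = "203.0.113.5"                              # constructed sample client
    token = guard.issue_token(ip)
    print(guard.check({"form_token": token}, ip))   # accepted
    print(guard.check({"form_token": token}, ip))   # same key again: replayed
    print(guard.check({"form_token": guard.issue_token(ip),
                       "website": "http://spam.example"}, ip))  # honeypot filled
```

The honeypot is checked before the token so a bot that fills every field is rejected without spending a nonce, and the `spent` set is what makes a key single-use; in a real deployment that set (and the reject counters) would live in shared storage with the same TTL as the token so it does not grow without bound.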

Re:unsurprising (1)

TodMinuit (1026042) | more than 7 years ago | (#19797345)

The most effective (surprisingly) were form fields hidden with CSS so the users don't enter data in to them, but bots will. You can reject the entire post at that point. It's not universally effective (some bots will actually look at your CSS to determine if you're doing this) but it sure cuts down on a lot of bogus posts. Another method is to generate a form key of some kind, and use that to verify that the form is only good once. This slows spammers down because in order to post again and again, they have to reload the page in order to get a new key. Many don't do this, and will attempt to use the same key over and over. If you use a few of these methods, and track repeat offenders, you can add them to your firewall rules so they can't even load the page. Of course, most serious spammers will use hundreds of IPs, so it's difficult to get them all.
All of these seem like they'd only work against random spammers -- bots trolling for forums and what have you. But if a spammer was targeting you, like they targeted Hotmail, these methods would be useless.

Re:unsurprising (1)

kuzb (724081) | more than 7 years ago | (#19797415)

"All of these seem like they'd only work against random spammers [..]"

That is correct. It's only meant to slow them down, not to eliminate or make it impossible. It's an amazingly difficult problem. At most you really can only hope to make the path rocky enough to buy yourself time, and possibly collect a few IPs.

Its been broken a long time. (0)

Anonymous Coward | more than 7 years ago | (#19797295)

In the underworld that is the grey/black economy of yahoo accounts, accounts are traded in the thousands. Programs are readily available that will allow you to prefill the details and just allow you to enter the verification codes in bulk. Even me, by my slow ass standard, can knock out 3000 a day no problem.

Also as someone has pointed out, farming the work out to India for manual creation, you can get a lot more. I think it's like 3 cents a fully customisable account. (There are programs that allow you to modify every modifiable setting within an account in bulk. You can easily modify thousands at once (assuming you have enough proxies).)

Ignore them? (1)

jez9999 (618189) | more than 7 years ago | (#19797305)

Spammers are like that Simpsons episode where all the ad billboards come alive - if you ignore them, they'll go away. But everyone has to ignore them.

We're pouring so many resources into fighting them... it just strikes me that if we just tried to ignore the bastards, they'd find something better (or more profitable) to do than spam.

Re:Ignore them? (1)

SharpFang (651121) | more than 7 years ago | (#19797381)

Pouring resources into fighting them is not the problem. The problem is pouring resources into -them-, as in buying their products, purchasing stuff from malware popup sites, generally giving them money.

I'm the first to start a campaign "Punch a spammer's customer today". If you hear someone bought something from a spammer, punch them and explain "That's for funding another 1000 messages to flood my mailbox."

Re:Ignore them? (0)

Anonymous Coward | more than 7 years ago | (#19797523)

These are the same idiots that run unpatched Windows boxes. Let's just all agree not to fix their computers or sell them new ones. Without Internet access, they can no longer buy anything from a spam. The same goes for spammers.

You aren't the customer (0)

Anonymous Coward | more than 7 years ago | (#19797763)

The spammer is selling marketing channels to companies. These companies sell on to other companies and then through a few more until the US corporation can buy the marketing channel with no provable link from them to the spammer.

It will only stop when marketing teams ignore them.

Block the United States (1)

giafly (926567) | more than 7 years ago | (#19797439)

Yahoo! and Hotmail are both USA companies, which is also where most spam originates [spamhaus.org] , so the solution is simple.

Route-around the United States, and the problem is solved for most of us. They can rejoin the world when lawmakers take spam seriously.

Creative CAPTCHA (4, Interesting)

QuoteMstr (55051) | more than 7 years ago | (#19797513)

As luck would have it, I stumbled across a twist on the captcha concept while registering for a site. Instead of asking the human user to correctly enter the word displayed in an image, it presented the user with a grid of images. About half of them were of cars. The other half were cats.

The site just asked the user to check off each image representing a living thing.

Simple, and brutally effective against current AI. I can think of various tricks one can use to make the comparison more difficult as well.

How long until we're using the kind of tests we saw in Blade Runner?

Re:Creative CAPTCHA (1)

TodMinuit (1026042) | more than 7 years ago | (#19797533)

Simple, and brutally effective against current AI.
You'd need a very, VERY large pool of images, otherwise it's brutally simple to bruteforce.

Re:Creative CAPTCHA (1)

tgcid (917345) | more than 7 years ago | (#19797737)

Pull data from lolcats and autotrader?

Re:Creative CAPTCHA (1)

ajs318 (655362) | more than 7 years ago | (#19797819)

No, you randomise the image filenames every time, as well as the positions. If there is no correlation between the image filename and the content, then there's one less thing for the spammers to pick up on.

NoSpam! (2, Interesting)

Diabolus Advocatus (1067604) | more than 7 years ago | (#19797575)

On my forum some days we'd get 5/6 bots per day. It's a vB board and it used the standard vB captcha. One day I installed a plugin called NoSpam! which asks the user a simple question when registering. Questions such as 2+2=, what do you do when a traffic light goes red, etc. The questions are simple; if somebody can't answer them I'd be surprised that they made it as far as the registration page. Since I've installed it there hasn't been even one bot through so it is 100% effective so far. I know it won't last forever and that bots will be programmed to circumvent it but I'll deal with that when it comes to it.

spam only hurts the ignorant... (2, Interesting)

xenorex (1125593) | more than 7 years ago | (#19797627)

I never have spam issues. My real email address is rarely used..only for friends and legitimate sites (secure businesses w/ encryption, like my credit card). My real email address is from a privately registered domain, which costs me only $20/yr. When I sign up for anything else (including this site), I use one of my free accounts. I don't check them frequently and I only whitelist domains I expect to see. The problem with "free" email addresses is that they end up costing us all. If all users paid for their email, then companies would have a real vested interest in stopping spam. If someone even had to pay $1 for their hotmail/yahoo/gmail account, it would severely limit the rampant abuse of the system. While I fiercely defend the freedom of the internet, I also respect the need for bars to check IDs and pornography to be sold underneath black covers or in stores which are limited to adults. Research, development & implementation of anti-spam initiatives have cost this country hundreds of millions of dollars. Think of it as the most basic form of tax which would allow us to keep riff-raff off our super information highway. Obviously there would need to be a few details worked out, but there isn't any reason why the major ISPs couldn't allow users to create their own privately registered domain for the "free" email account that comes with service. Additionally, they need to better educate new users about email. I finally convinced my parents to upgrade to DSL from dial-up last year and I created them a private domain for a new email account when they made the switch. 6 months later and they are still spam free; they are constantly thanking me for all the time saved because they are no longer wading through junk email.

My guess is that most experienced and/or properly educated internet users do this or something similar. Truth is, if you want a quality, reliable product you have to pay for it. Imagine if yahoo or google had $1 for each of their 10s of millions of accounts. That'd be a lot of legal capital to pursue and hunt down spammers, not to mention the ability to create a class action lawsuit which would carry more weight. Now, imagine if they got $10 or $20 per account. I'm definitely not proposing a per email charge here..simply requiring that some small charge be levied so that email accounts are only created by those who want them used for legitimate and expected communication.

Our lives are already overloaded with advertising from marketers who are desperately looking for ways to justify their jobs. Thank the powers for video recorders that allow us to skip commercials and pop up blockers that have reclaimed the web.

That being said...if someone wants to create a vigilante task force that hunts down and punishes top spammers, I'd gladly volunteer. There are just as many legal ways to harass these people and make their lives difficult as hell w/o resorting to violence. Unfortunately, the odds are that this guy did more than spam people (those who take the easy/lazy/annoying way of doing business probably also cheat/lie/scam as well..) and so the person(s) committing this crime probably did not sleep better that night knowing their inbox would be a little less full.

Nano-Transactions (1)

jlebrech (810586) | more than 7 years ago | (#19797653)

If Google or some other internet company came up with a portal system, which charged you $0.0001 rather than entering a captcha, it would cost you nothing until you reached the first cent, and probably wouldn't take any more till the first $10, but it would cost spammers money to do so, not mentioning having their credit cards blacklisted. The only problem I can think of is stolen card numbers, so people would have to register their details so no one else can use it.

Some solutions: (1)

z4pp4 (923705) | more than 7 years ago | (#19797683)

- Time limit the amount of subscriptions from a single IP.. start with 1/2 hour, exponentially upping the delays between subscriptions. Greylist IP addresses with known abuses. Add CAPTCHA to remove greylisting with delays built in.
- Change the enrolment process around, e.g. move enrolment fields between different signup pages.
- Obfuscate the naming and location of the CAPTCHA file (give it a URL with a different pattern each time).
- Put in false positives for the CAPTCHA pictures: fifty one-pixel semi-equivalent URL embedded GIFs.
- Put in false positives for the signup form at the top/bottom of the page, hide them with color=white.
- Enforce invite-only subscriptions, like Gmail used to do.
- Use out of band methods such as SMS messaging for signup.
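The first item above (per-IP signup spacing that starts at half an hour and doubles, plus a greylist that demands a CAPTCHA but keeps the delay), as an added example that is not code from the thread. The class, its method names, the cap on the delay, and the `("allow"|"wait"|"captcha", seconds)` decision shape are assumptions; the clock is injectable so the back-off can be exercised without waiting.

```python
import time


class SignupThrottle:
    """Per-IP signup spacing with exponential back-off and a greylist (assumed design).

    The n-th signup from an IP must wait base_delay * 2**(n-1) seconds after the
    previous one, capped at max_delay. A greylisted IP must solve a CAPTCHA first;
    solving it lifts the greylist gate for that attempt but not the delay.
    """

    def __init__(self, base_delay=1800, max_delay=86400, clock=time.time):
        self.base_delay = base_delay   # 30 min after the first signup
        self.max_delay = max_delay     # cap so the delay cannot grow forever
        self.clock = clock             # injectable for testing
        self.history = {}              # ip -> (signups seen, time of last one)
        self.greylist = set()          # ips with known abuse

    def required_delay(self, ip):
        count, _ = self.history.get(ip, (0, 0.0))
        if count == 0:
            return 0
        return min(self.base_delay * 2 ** (count - 1), self.max_delay)

    def evaluate(self, ip, captcha_solved=False):
        """Decide what to do with a signup attempt from ip.

        Returns ("captcha", 0), ("wait", seconds_remaining) or ("allow", 0).
        """
        if ip in self.greylist and not captcha_solved:
            return ("captcha", 0)
        count, last = self.history.get(ip, (0, 0.0))
        remaining = self.required_delay(ip) - (self.clock() - last)
        if count and remaining > 0:
            return ("wait", int(remaining))
        return ("allow", 0)

    def record_signup(self, ip):
        """Call after an account has actually been created for ip."""
        count, _ = self.history.get(ip, (0, 0.0))
        self.history[ip] = (count + 1, self.clock())

    def report_abuse(self, ip):
        """Greylist an IP (e.g. after accounts created from it sent spam)."""
        self.greylist.add(ip)


if __name__ == "__main__":
    throttle = SignupThrottle()
    ip = "198.51.100.7"                # constructed sample client
    print(throttle.evaluate(ip))       # first signup is allowed
    throttle.record_signup(ip)
    print(throttle.evaluate(ip))       # second one must wait ~30 minutes
    throttle.report_abuse(ip)
    print(throttle.evaluate(ip))       # greylisted: CAPTCHA before anything else
```

Note that the delay keys on the client IP, so, as several posters above point out, an operator with many proxies simply spreads signups across them; the throttle raises the per-address cost of bulk registration rather than preventing it.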

Chinese CAPTCHA farmers (2, Interesting)

rastamutz (649143) | more than 7 years ago | (#19797749)

Somebody has changed from farming gold to farming CAPTCHAs

spammers have their right to sue (1)

Ep0xi (1093943) | more than 7 years ago | (#19797761)

Probably not, but they might have overcome the TERRIBLE KARMA you set over them. They might have the right to sue if you cannot handle a simple emails overload. if i can everybody cans. cans.