Throttle account registration to prevent spam?

If spammers are using sweatshops to circumvent CAPTCHA, why not introduce a system that causes delays in setting up multiple webmail accounts e.g., from same IP address (space) effectively?

Another approach could be Google et al. to set up a limit against sending too many e-mails to too many recipients. A limit not even noticed by bona fide users could be detrimental for spammers sending large numbers of e-mails. Gmail could also throttle heavy outbound traffic that too many of the recipients report as spam. "Many mail recipients have reported your e-mails as spam, for the next X days you can only send Y e-mails per day, to max. Z recipients each..". A bit of cooperation between the mail providers would be helpful here, too.

Obviously, these measures would not stop spam entirely, but if the spamming process turns costly and complicated, it reduces the profitability = it works.

Gmail Spam Filtering

I'm always astonished at how well Google Mail filters spam - way better than my own mailserver's spamassassin config. I always assumed it was down to their feeding back the results of the mass ranks of gmail users marking mails as spam.

Presumably a similar method can be used to limit the abuse of spam _from_ gmail accounts. If Google see lots of spam arriving from user fool@gmail.com they could automatically disable that account.

@Mikko Kaarela

I've often thought this would be an easy way to stop spam. Simply have a limit on the number of emails an account can send in a day.

If you need to send hundreds of genuine emails then you need to get a premium account, which will cost money - even a few cents an email will make spam unprofitable.

As for CAPTCHAS, has anyone tried using faces?

But how ... show a picture of a "celebrity", and hope the human guesses it.

Maybe a better CAPTCHA would be to show a photo from a large stock library, with one of a number of possible questions : "how many trees are there ?", "Is there a church in the picture".

No!

>> show a picture of a "celebrity", and hope the human guesses it.

Some of us manage to maintain our cultural vacuum* with few, or selective leaks. I wouldn't have recognised the Paris icon if it wasn't for the posts.

*I've had mine so long now it came with a free international flight!

@anyone using faces

The point is that CAPTCHA is broken as they're using human slaves to interpret it. They're human, so it'll work.

Also, WTF is a celebrity? If it weren't for the image of Paris here, I'd have no idea who she is. In fact I've still no idea and care even less. What about cross-cultural problems; show me a picture of President Sarkozy's missus and I wouldn't recognise her (nor him for that matter unless he was wearing a string of onions and a beret).

This is why CAPTCHA uses mangled /Latin/ characters: everyone knows them, even Arabs and Chinese. Or, put it another way, I could even sign up on a Japanese website that had a CAPTCHA even though I don't speek the lingo. And of course that's the weakness; get a sweatshop full of barely literate slaves (or even British chavs) and they will sit there cracking CAPCHAs all day.

Of course the only answer is a universal ID card....

The answer is with Gmail et al

Unfortunately the answer lays firmly with Gmail, Hotmail, et al to validate email accounts.

They need to put newly created email accounts "on probation" where they're limited to sending very few emails a day until, say, a couple of months have passed. If someone needs to send many emails, they can upgrade to a paid account (which should make the web mail providers happy). Once the couple of months probation has passed, and if the email account has done nothing wrong (e.g. all outbound email should be scanned for spam) then the restrictions could be lifted.

Alternatively they should scan all their outbound email for spam.

Probably some stick will be required to do anything: the major spam validation engines need to blacklist the web email services for them to take action.

The odd thing is that it's in everyone's interests, except the spammers, to be more proactive in managing web email services. Gmail, Hotmail et al stand to loose a lot of credibility if this continues, ultimately leading to more people blacklisting their domains.

@IP ban won't work

The point is that the spammers are out to make money. Anything that eats away at their margins will cut down the type of spam they can profitably send and hence the overall volume of spam.

Has anyone made a study of the profitability of spam operations btw? What is a Gmail account valued at these days? I presume the people running these kinds of scams are reasonably canny are are making a good profit for the legal risks they run.

Spam really grates my cheese

Spam is never going to stop, because the "whole industry" never gets on board, SPF had potential, and my home mail server is setup with it, it doesn't stop it being banned because it's on a public IP, the SPF record is updated within 1-5 minutes of my IP changing.

No harm in thinking solutions though, and we have, from other posters:

- Limit to X emails a day

- Restrict the number of sign ups per day per IP

- Spamfilter the outgoing mails

My addition:

I'm assuming these sweatshops just create the account, and then automated software is used to send the spam. The simple fact they're using sweatshops shows CAPTHAS are working, so stick one on the "send mail" page, requiring the sweatshops to send each mail individually, dramatically increasing the running cost for spammers, while only adding a couple of seconds onto sending mail for legitimate users.

Say 1 person can send an email every 15 seconds, copy & paste the address, copy & paste the content, add attachments, fill in the CAPTCHA. Over an 8 hour shift, that one person could send 1,920 e-mails, that's a hell of a lot less than automated bots sending God knows how many thousands an hour.

The way the UK government is going, e-mail will be banned soon anyway.

lets think out of the box

..voice sampling

if they cant pronounce their "V's" properly or pronounce Guitar as "gee-taar" with a hilly billy redneck accent they that should know it all on the head.

Don't delete SPAM accounts

Don't actually delete the SPAM accounts, just silently bin everything they send. This way the spammer has no idea if they are still getting through, unless they SPAM themselves just to see if it's still working.

Google Abuse

There was someone spamming a newsgroup with abusive posts towards the people in that newsgroup, then he started sending total and usless junk messages into that newsgroup and it is still going on now 9 months later.

Sending an email to Google Abuse I got the reply back

"Thank you for your note. Google does not regularly monitor or censor

postings sent to Google Groups, but we do try to prevent wide-scale spam

and other forms of Usenet abuse. Please be assured that the information

you sent to us is being collected and taken into account. While we

understand how annoying off-topic posts can be, we aren't able to pursue

most complaints we receive about them. We are using the information you

provide to make large-scale improvements in preventing abuse. We

appreciate your help in our efforts to increase the quality of Google

Groups. "

Now because of their inability to stop a Google user that newsgroup is now dead, no posts anything in it apart from that rogue person.

Pay to open

I'm not expert in this area but surely if you had to paypal (or other method) a £1 (or similar) fee to open the email account (which is then free to use) then this would help put them off. You could then limit how many accounts could be setup with that paypal account within a set space of time.

You would also have the benefit of being able to prove who you are if your account is hijacked or you forget the password.

@Anonymous Coward

"by invitation only scheme google used when it rolled out gmail for testing purposes and limiting the number of invitations to maximum of one or two invites a day."

This is completely useless.

I'm a spammer. I get an invitation (I play nice on a forum and say please please, like people did for gmail accounts).

Next day, I have 2 accounts as I send myself (well, my bot does it) an invitation, being limited to 1 a day.

Next day, I have 4.

After 10 days and an hour (the hour it took to get the first invitation from a forum), I have 1000 accounts.

After 20 days, I have 1,000,000

After a 33 days, I have more accounts than human beings on the planet.

Not such a great idea. If *I* want to invite three friends, I can't.

But it does absolutely nothing else than annoy legitimate users and prevent the amount of spam worldwide from doing more than doubling each day.

ways to beat the sweatshops?

Could this work?

- Credit card authentication. Users are severely limited to say 10 outgoing emails per day unless they verify who they are via a credit card check - the infrastructure is already there thanks to google checkout.

- Phone numbers, the user must give a valid phone number - google calls them (could be an automated call) to verify that it is really their number. If later found to be spamming then they can be traced by finding who bought the number.

It's unfortunate but free accounts are both useful and necessary...

Free accounts are required for many reasons, mainly to do with anonymity:

* signing up to websites to avoid their spam

* signing up to a website to track their spam

* a temporary email address for an advert (e.g. newspaper/website)

* a one-off email address to bait phishers / scammers / marketingdroidtards

* testing applications

* etc.

And why on earth should I let everyone have my 'real' email address? This is the internet for goodness sake.

In exchange for giving us a "free" email account, they get access to our emails (Gmail) and display advertising. Therefore they, Gmail, Hotmail, etc. have a vested interest in sorting it out.

@ Hany Mustapha

Quote "Paris because... erm... he and she might appear to be well suited!"

They're not phishing spam emails in my Gmail. They're from Google. Therein lies the humour.

It's very simple. Just like Paris...

ElReg redux

"Obtaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google's services in general, spammers receive an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use."

Haven't I read that exact phase 3 times now in ElReg GMail stories?

Only Workable Solution

Appears to be to start blacklisting service providers until they clean their acts up.

When users start getting "Your mail was rejected because your service provider does not maintain their system against UCE properly" then they'll start voting with their feet.

smart captchas

instead of using letters and number. the server could generate a 'smart' picture.

Ik could generate s composite image on the fly.For example :afruitbasket with apples,pears,oranges, and then ask the question: how many oranges ?

someone else posted the idea of using stock photo : that could be automatically circumvented. it's a matter of cloning the databse.

if the images are 'generated' then this is not possible.

another thing could be cartoon like faces. show 10 faces , with a random male/female ratio. and ask questions like : how many have brown hair...

if you overlay them a bit then pixel mapping tools would have trouble 'counting' colored zones, but for a human the difference is still clear..

or you could still use numbers and letters in the catpcha. deform them and give them a color. overlay the letters partly. then ask question to spell only the letters in a particular color . again matching algorithms would fail. make sure there is overlap between letters of the same color.

for example: the text HELLOWORLD. H and E are partially overlapping and green.

E and L are partially overlapping. both L are yellow. and so on. then RLD are green again .

the answer would be HERLD if the question was green text only..

if you break the 'hello world ' in two lines wo that words overlap vertically it would become a real nightmare. you would have colored 'blurbs' but the human eye can still read this wehre as a computer this would fail. if you then warp the text a bit too the game is really on ...

Re: spam filter on the output?

That wouldn't work -- it could catch legitimate e-mail on the way out. If I start sending friends and family e-mails about great deals I found on eBay (that's germane to their interests) or craigslist or ..., then those mails will almost certainly be flagged as spam, even though they may *not* be spam to them.

And most non-SPF reliant spam filters rely upon word/phrase detection, so if you included a few "bad" phrases into your mails, legitimately, you'd be in the same spot as above.

Outbound filters...

Wait for a while, then if detected as "bad", bounce back and request confirmation. The confirmation may be as simple as "what is your city" which you answered when you setup the account. Then the mail goes out. Anything that causes interaction on the outbound side will help.

As a note:

Spam exists because it works. People are (somehow) making money doing it. If we, by any means, make it less profitable it WILL go away. Any bit helps in this task.

Making SMTP die and come back with safeguards might do the trick! (we wish!)

Is it a cat or a dog? You decide...

I'm amazed that nobody has mentioned Microsoft's Asirra Project http://research.microsoft.com/asirra/ where you are asked to select all the cats out of a set of ten cats and dogs. The important matter is that the pool of cats and dogs is in the millions, so almost no chance of duplications.

And to Vincent Himpe I have two words to say: colour blindness (and thus his idea could be challenged under the Disability Discrimination Act).

I always like kittenauth

I've setup kittenauth for an image CAPTCHA system. It is nice because it is easier for a human to get right (I always screw up the text ones ones or twice) and harder for a computer.

Nice thing is you use quite a variety of pictures and customize it for your users. Motorcycle site click all the Harleys, etc.