(New) dirt-cheap bots attack Hotmail Captchas

UK researchers have devised a novel and inexpensive way of cracking Microsoft's Windows Live Captchas with a success rate of more than 60 percent, a finding that further exposes weaknesses in a key measure designed to keep miscreants from infiltrating free online services. In a paper (PDF) published Monday, Jeff Yan and Ahmad …

COMMENTS

All Free Emails Should..

I think _all_ free email providers should put a CAPTCHA on **every** outgoing email. If they get complaints, tell the complainer to either live with it or pay to upgrade to a not free, premium email acct. I would rather type a few letters every email than be bombarded by myriads of spam.

Perhaps someday the laws will force the providers (not just email, BTW), to be more responsible, better netizens by having them implement systems to prevent abuse. But then I'm not holding my breath - what with lobbyists, politicians in the pockets of corps, etc.

Charge to send email

Every email should cost something to send, say $0.01 per recipient, then there would be no more SPAM.

@TranceMist

"Every email should cost something to send, say $0.01 per recipient, then there would be no more SPAM."

How do you charge? Credit card? Phail.

Re: Charge to send email

The accounting for a charge per email would cost more than it would be worth; email falls into the "too cheap to meter" category.

A better idea would be to force better user identification at the time of account opening. Then you would need to steal someone's identity before creating a spam email account, which is a slightly higher bar. No identification system is foolproof: even banks, who have heavy customer identification requirements when opening accounts (thank you USA Patriot Act), are sometimes gamed by fraudsters and identity thieves. However, if we held spammers to no more than that level of success the internet would be a different place.

What, you don't want to have to identify yourself? You want privacy? Anonymity? Bah, don't kid yourself.

It's only a matter of time...

I signed up for a service recently and had to try three times before I got the captcha right, which puts me on 33% against the machine's 60%, and they're not even trying to make it easy for the machine. Once the majority of the population can't outwit a spambot (and frankly, comparing the intellectual content of comments on youtube with my spam, that day may already have arrived) we might as well give up and go back to writing letters.

Les

The only surprise...

...is that anyone is surprised.

CAPTCHAs are, not to put too fine a point on it, rubbish. They are a damn silly idea enthusiastically embraced by people who are either very naive or who like to make a show of "doing something" about spam.

Any CAPTCHA will, sooner or later, be cracked by some kind of bot, or by hordes of actual humans. And if you make them really hard for bots, you find more real people can't read the damn things. I have good eyesight with glasses, I use a nice big, clear screen and I keep running into CAPTCHAs that are hard to impossible to read.

As most spam seems to come from compromised PCs running their own little SMTP servers, applying CAPTCHAs to Hotmail and other such services isn't really going to make much difference, is it?

And "TranceMist" - how do you propose collecting that fee from a bot-infested PC? And who gets the money?

Re: Charge to send email

Ahahahahahaha, that's a good one. After you get every single MTA out there to work out some method of charging each other, you'll probably still wonder to whom to give the profits. I'll volunteer for that part.

Plus it wouldn't stop spam at all, it'd just make spammers try to hack real accounts more, which would result in gigantic charges to helpless users. Also, if you didn't get the drift from my first paragraph, this is less feasible than faster-than-light travel. And probably less useful.

Computers are just machines

I've been told that computers can distinguish between patterns very well, but have trouble telling the difference between, say, a puppy and a kitten (they're anatomically very similar).

Instead of words, present the user with a picture of a puppy or a kitten and ask them to identify it. Or a smiling face and a sad face.

(did I choose the happy icon or the sad one?)

Anonymous Coward

Re: Les The only surprise...

"As most spam seems to come from compromised PCs running their own little SMTP servers, applying CAPTCHAs to Hotmail and other such services isn't really going to make much difference, is it?"

Not true. The vast majority of spam comes from compromised windoze machines. The bots on the machines use the mail settings to determine which SMTP server(s) that machine is allowed to use and send the mail via that server. Some/most/all ISPs have rate limits on their SMTP servers to attempt to limit the amount of spam a compromised machine can send, but the bot farms can be so large it makes little or no difference to the spammers.

A better solution

Why not have "word problems" and a picture. Like "multiply the left two digit number and right three digit number". Then the 'bot needs to understand a bunch of things. Then also require it on outgoing mail. A "reasonable" limit on the outgoing mail (n per day) could help as well. People with a yahoo! address don't need to send over 100 mails in the span of 5 minutes! The big reason for wanting the account is for the responses, not the outgoing stuff anyway.

Maybe they will have a one-time fee of $1.00 to open an account. Might help. Double it if more are opened in a 24 hour period.

Charging for email - preposterous!

There is no way you can implement charging for email. Where would you monitor it? At the ISP? Are you going to get the agreement of EVERY ISP globally?

@Acme Fixer

Adding CAPTCHAs to every outgoing email is not going to work, either. Are you seriously suggesting that ALL email software be re-written to include a graphical CAPTCHA? What about text-based clients? Not everyone uses Webmail....

@Joseph Zygnerski

Don't be daft, your idea will give a 50% correct return. Way better than a spammer actually needs.

SPAM is a problem that is here to stay. The only way it will stop is if EVERYONE stops buying products and services from spammers. If they don't see a return on their investment, they will find an alternative advertising channel.

If you don't like it, get a decent spam-filter or pay for an email service that filters the SPAM for you. Better still, be REALLY selective about who you give your email address to.

KittenAuth

THAT's what needs implementing!

Get what you pay for

There's no need to charge for each e-mail. That's even dumber than teaching a computer what a spammer looks like. Charging for the e-mail account is all you need. People will be more careful with their computers if they keep losing $20 e-mail accounts. I'm sure stolen credit cards will pay for many accounts. That should teach people to stop making online purchases from spammers. (spammers==criminals. Get it? The cheap Nikes you ordered from Chinese spammers will not be arriving. Duh!)

People using free e-mail services will have to accept the fact that some people will refuse delivery. I've been refusing GMail and MSN for a long time. Yahoo is kinda spammy too but they process complaints quickly.

It's the govmint's fault

The real problem here is the Wassenaar signatory governments' suppression of cryptographic technologies during the development of e-mail. Otherwise you'd simply regard as spam those e-mails which are beyond some distance in your web of trust.

Now it's too late to get that sort of sophisticated crypto user interface into e-mail clients.

Solutions

@Joseph Zygnerski - That's a pretty good idea actually. Bogwitch, I think that was an *example*, not a standard document. Identifying objects is going to be MUCH harder for computers to do. As soon as I read that, I envisioned a picture of a pile of forks.

@Herby - Another good idea, but you have to consider the intelligence of the users. It may very well defeat them too... hmmm... That could be a good idea in its own right :)

@"no way you can implement charging for email"

What about prepaid stamps?

When I say "pay", I'm sure nobody would really pay in practice, there's no end of ways people could give you free stamps - ISP promotions, watching adverts, etc.

Also, if the stamps are reusable then you can use the stamps from your incoming mail - no need to pay for those.

Lets see...

@kitten captcha.....

yes, with one picture it is 50-50....so give users a set of 15 pictures to identify, just the same as the current method doesn't use a single digit (perhaps 1in60 depending on symbol set and caps sensitivity) but a whole word. That gets you well below the 0.01% line. HOWEVER this is also just a stopgap. Read up on the idea of neural networks, I'm confident that it would be no hassle to train up a neural network model to recognise a kitten from a puppy.

@charge per e-mail

How about charge per e-mail with a minimum topup of £10 (or your currency of choice) then, if a spammer gets hold of a legit account all that happens is it runs out of credit rather than getting an £8,000 bill or whatever.

Another possibility is more aggressive screening of outgoing mail. e.g.

1) detect rate of outgoing mails, if it is high proceed to step 2 else send the mail

2) scan the mail contents, if the usual hitwords are mentioned (viagra, penis, porn pill etc etc etc) don't send the mail and block the IP from sending mail for 24 hours.

Of course, then you have arguments of what defines a high send rate and what you put in the word blacklist, but I don't imagine anyone has sent out 100 e-mails containing the word viagra legitimately.

And that doesn't address the idea of people setting up a linux box with its own mail server.....

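The two-step screen described in the post above (check the send rate first, scan content only for fast senders, then block the sending IP for 24 hours), plus a hard cap on sends per account per day, written out as an added Python example. This is not code from the thread or from any mail provider; the thresholds, the hit-word list and the replayed traffic are all constructed for the example.

```python
"""Outgoing-mail screening: rate check, then content check, then a 24-hour IP block."""
from collections import defaultdict, deque
import re

# Constructed policy values (assumptions for this example, not taken from the thread).
RATE_WINDOW_SECONDS = 300      # look at sends in the last 5 minutes
RATE_THRESHOLD = 20            # this many sends in the window counts as "high rate"
DAILY_CAP = 100                # hard cap on accepted sends per account per 24 hours
BLOCK_SECONDS = 24 * 3600
# Constructed hit-word list; a real deployment tunes this against legitimate traffic.
HITWORDS = re.compile(r"\b(viagra|cialis|porn|pills?)\b", re.IGNORECASE)

class OutboundScreener:
    def __init__(self):
        self.sends = defaultdict(deque)     # account -> timestamps of accepted sends
        self.blocked_until = {}             # ip -> epoch seconds when the block lifts

    def _prune(self, account, now):
        q = self.sends[account]
        while q and now - q[0] > 24 * 3600:
            q.popleft()

    def check(self, now, account, ip, body):
        """Return one of 'send', 'blocked-ip', 'cap-exceeded', 'rejected-content'."""
        if self.blocked_until.get(ip, 0) > now:
            return "blocked-ip"
        self._prune(account, now)
        recent = self.sends[account]
        if len(recent) >= DAILY_CAP:
            return "cap-exceeded"
        # Step 1: rate check. Only mail from a fast-sending account is content-scanned,
        # so ordinary low-volume users never have their mail inspected.
        in_window = sum(1 for t in recent if now - t <= RATE_WINDOW_SECONDS)
        if in_window >= RATE_THRESHOLD:
            # Step 2: content check; a hit blocks the sending IP for 24 hours.
            if HITWORDS.search(body):
                self.blocked_until[ip] = now + BLOCK_SECONDS
                return "rejected-content"
        recent.append(now)
        return "send"

def run_sample():
    """Replay constructed traffic: one normal user, one bot-like account."""
    s = OutboundScreener()
    results = []
    # Normal user: five mails spread over an hour; one mentions "pills" but is never scanned.
    for i in range(5):
        results.append(s.check(1000 + i * 600, "alice", "10.0.0.5",
                               "Remember to take your pills, Mum"))
    # Bot-like account: 25 mails in under a minute from one IP, spam body.
    for i in range(25):
        results.append(s.check(5000 + i * 2, "spambot", "10.0.0.9", "Cheap VIAGRA here"))
    # Same IP, a different account, a few minutes later: still blocked.
    results.append(s.check(5200, "spambot2", "10.0.0.9", "hello"))
    # A day later the block has lifted.
    results.append(s.check(5200 + 24 * 3600, "spambot2", "10.0.0.9", "hello"))
    return results

if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The ordering matters: the content scan is gated on the rate check, so the word list never touches mail from someone sending at a human pace, and the block is keyed on the IP rather than the account, so rotating accounts behind the same compromised machine does not help.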

Charging

Charging is not, I think, the answer. All it would do would be to further encourage the selling on of compromised credit card details and the like.

I quite like the idea of a cap on the number of emails an account can send over a 24 hr period. Couple that with more sophisticated CAPTCHA techniques to validate new email accounts (yes, I like kittenauth too) and you start to control the problem....

no free lunch

It's really time to get to grips with the whole philosophy of everything on the internet being "free". Somebody somewhere has to pay to provide the services. There's really no justification for not paying for email - a paid for account ok, but I couldn't support a pay-per-message plan, not at this time. Maybe pay-per-many-thousands: marketing depts should have a budget after all.

Anonymous Coward

The Answer

I think everyone is missing the obvious solution here...

http://hotcaptcha.com/

Better CAPTCHAs

How about identifying facial expressions? You could have (say) five pictures with a list of ten adjectives for each (angry, sexy, confused, bored etc). That's five clicks to complete, but five-nines odds to defeat.

Make them good looking/naked, and it could even be quite fun, even if you get it wrong a couple of times.

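A small model of the odds being traded in the "Lets see..." and "Better CAPTCHAs" posts above: blind guessing at n items with k choices each, versus a classifier that gets each item right with probability p. This is an added Python example, not code from the thread. The 0.9 per-picture accuracy in the sample comparison is an assumption; the 0.6 text-CAPTCHA figure is the solve rate the article reports.

```python
"""How hard a multi-item CAPTCHA is for a bot: blind guessing versus a per-item classifier."""

def guess_success(items, choices):
    """Chance a bot guessing uniformly gets all `items` right when each has `choices` answers."""
    return (1.0 / choices) ** items

def classifier_success(per_item_accuracy, items):
    """Chance a classifier that is right on one item with probability p gets all `items` right
    (items assumed independent of each other)."""
    return per_item_accuracy ** items

def expected_attempts(success_probability):
    """Mean number of tries a bot needs per solved CAPTCHA (geometric distribution)."""
    return 1.0 / success_probability

def items_needed(choices, one_in):
    """Smallest number of items at which blind-guess success is no better than 1 in `one_in`.
    Integer arithmetic so the answer does not depend on float rounding."""
    n, space = 0, 1
    while space < one_in:
        n += 1
        space *= choices
    return n

def compare_designs(classifier_accuracy=0.9, text_solver_rate=0.6):
    """Constructed comparison of the designs discussed in the thread.
    classifier_accuracy is an assumed per-picture accuracy for a trained image classifier;
    text_solver_rate is the solve rate the article reports for the text CAPTCHA."""
    acc = f"{classifier_accuracy:.0%}"
    designs = {
        "text captcha vs. the reported solver": text_solver_rate,
        "1 kitten-or-puppy picture, blind guess": guess_success(1, 2),
        "15 kitten-or-puppy pictures, blind guess": guess_success(15, 2),
        f"15 pictures, classifier right {acc} per picture": classifier_success(classifier_accuracy, 15),
        "5 faces x 10 adjectives, blind guess": guess_success(5, 10),
        f"5 faces x 10 adjectives, classifier right {acc} per face": classifier_success(classifier_accuracy, 5),
    }
    return {name: (p, expected_attempts(p)) for name, p in designs.items()}

if __name__ == "__main__":
    for name, (p, tries) in compare_designs().items():
        print(f"{name:60s} success {p:.6%}  ~{tries:,.0f} tries per account")
```

The two numbers to read side by side are the 15-picture rows: blind guessing is below 0.01% as the post says, but a classifier that is merely 90% accurate per picture still passes about one attempt in five, which is the gap a human farm or a trained model exploits.
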
mh.

Keeping them at bay

One way to make free email services less attractive might be to have a 24 hour delay between registering and being able to use the account. Maybe get to use it faster if you pay a small fee (which would at least allow some kind of audit trail even if the details were stolen).

"Charge to send email" emails aren't just for humans

We techies use automated emails to send out load notifications, system errors, server notifications, backup scripts output/confirmations, etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc.

As well as automated emails carrying backups as attachments, automatic data feeds from monitoring sensors from wind farms, steel works, ship yards etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc.

Charging for email will just not work. If you block the intercommunication between the servers which actually run the internet then the internet would grind to a halt. Servers would fail because the admins didn't get the vital email through telling them that disks in the RAID failed.

Don't even think of trying to suggest doing it another way - email works fine and it's how the internet works. Any other suggestion would just be laughable.

If you want to stop spam just install Postfix and set up spamassassin and other tools. This cuts out most of the spam for our clients.

AI

In some perhaps not too distant future we'll have to thank the spammers for the advances in OCR and AI.

Rob

Captchas

I hate these frickin' things. I have no problem with them if they are actually legible to a human being, but I recently went to post a comment on some site and tried, unsuccessfully, about 30 times to get their stupid stupid stupid captchas right in order to post my single comment, and eventually I gave up. It wasn't even that difficult to read, I don't see what other meaning could have possibly been hidden within there, but it certainly didn't want whatever my eyes and brain were reporting as being there. Why can't there just be a simple logical question that anyone could answer but a machine couldn't?

easier...

Er, wouldn't it be easier for the bots to use the audio version of the Captcha?

I've always thought this was the insecure part of the system :-s

And I forgot to mention mailing lists!

And how would mailing lists run if being charged for emails?

I receive about 1-2 thousand emails a day which are filtered into different folders via procmail. This is very common for the sysadmins who keep the servers running.

Mailing lists would have to stop because every time someone joined it would be more cost. And we've been using mailing lists since before the web.

Please - let's knock this idea of charging for emails on the head before some ignorant politicians backed by ignorant MS get it into their heads and try to implement it.

I'll put it as clearly as possible.

Charging for emails would destroy the internet in the same way that taking away the foundations from under the Empire State Building and replacing them with marshmallows would make the building collapse.

Paris because she'd be nothing without the internet.

Captchas...

I seem to remember when I signed up for a hotmail account (I wanted to sign up for a news letter but just knew it would lead to tons of junk) that the damned hotmail captcha was just about unreadable (it claimed to have 8 letters in it but it only had 7). I think it took me about 8 refreshes to get something that didn't look like a mad spider covered in ink had crawled all over it!

Use combo boxes to let user enter the captcha digits

Just an idea not sure how practical it will be:

-once the computer shows a Captcha image, the user is required to enter the random digits from the word using combo boxes. eg. if the image word says "google" the user is asked to enter the 2nd, 5th and 6th character. Each time the characters asked for are changed so as to make it more difficult for bots to identify the right characters.

-Also might be worth having a two-part captcha identification system. After the first captcha word is entered a second one is populated. Users only get one chance to enter the second captcha word correctly. If on the first attempt they type the second captcha word wrong, the first captcha word is changed and the user has to start again. Although this is more tedious for users who want to create an account it would hopefully reduce the probability of a bot guessing both captcha words correctly the first time round.

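The position-based, two-stage check from the post above written out as server-side state, as an added Python example (not the poster's code). The symbol set, the six-character word length, the three positions asked for and the "one try at stage two" rule are taken from the post or assumed for the example; rendering the word into an image is out of scope, the code handles only the hidden word, the prompt and the answer check.

```python
"""Server-side state for a two-stage, position-based CAPTCHA answer check."""
import hmac
import random
import string

ALPHABET = string.ascii_lowercase + string.digits   # assumed symbol set for the hidden word
WORD_LEN = 6                                        # "google" in the post has six characters
POSITIONS_ASKED = 3                                 # the post asks for the 2nd, 5th and 6th

def ordinal(n):
    suffix = "th" if n % 100 in (11, 12, 13) else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"

def new_challenge(rng):
    """Draw a hidden word (what would be rendered into the image) and the positions the
    user must pick from the combo boxes. Positions are 0-based internally."""
    word = "".join(rng.choice(ALPHABET) for _ in range(WORD_LEN))
    positions = sorted(rng.sample(range(WORD_LEN), POSITIONS_ASKED))
    return word, positions

def prompt(positions):
    """Human-readable instruction for the asked positions, e.g. '2nd, 5th and 6th'."""
    ords = [ordinal(i + 1) for i in positions]
    return "Enter the " + ", ".join(ords[:-1]) + " and " + ords[-1] + " characters of the word shown"

class CaptchaSession:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()   # CSPRNG by default; seedable for tests
        self.stage = 1
        self.word, self.positions = new_challenge(self.rng)
        self.passed = False

    def expected(self):
        """What a human reading the image correctly would select."""
        return [self.word[i] for i in self.positions]

    def _matches(self, chars):
        got = "".join(chars).encode("utf-8")
        want = "".join(self.expected()).encode("utf-8")
        return hmac.compare_digest(got, want)     # constant-time compare; False on length mismatch

    def _fresh(self, stage):
        self.stage = stage
        self.word, self.positions = new_challenge(self.rng)

    def answer(self, chars):
        """Feed one submission; returns the new state of the session."""
        if self.passed:
            return "already-passed"
        ok = self._matches(chars)
        if self.stage == 1:
            self._fresh(2 if ok else 1)           # a miss at stage 1 just rotates word 1
            return "stage2" if ok else "retry-stage1"
        if ok:
            self.passed = True
            return "passed"
        self._fresh(1)                            # one miss at stage 2 restarts from scratch
        return "restart"

def demo(seed=7):
    """Walk a session through a miss, a pass, a stage-2 miss, then a clean pass."""
    s = CaptchaSession(random.Random(seed))       # seeded only so the walk is reproducible
    return [s.answer(["?", "?", "?"]),             # wrong at stage 1
            s.answer(s.expected()),                # right at stage 1 -> stage 2
            s.answer(["?", "?", "?"]),             # wrong at stage 2 -> back to stage 1
            s.answer(s.expected()),                # stage 1 again
            s.answer(s.expected()),                # stage 2 -> passed
            s.answer(s.expected())]                # further submissions are ignored

if __name__ == "__main__":
    s = CaptchaSession()
    print(prompt(s.positions), "->", "".join(s.expected()))
    print(demo())
```

Note what the position trick does and does not change: the server still has to hold the full word and compare against it, so a solver that reads the whole word (the attack the article describes) is unaffected; the second stage only multiplies the cost of guessing, not of reading.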

Whitelisting

Legitimate emails tend to split between individuals (who can respond to some challenge from an email system) and from companies/websites people have given their email address to.

Would a connected system of whitelisting emails be useful?

eg when you give your email address to a website, the process causes your mailserver to be sent a message (via your email client, subject to your approval) to allow mails from the appropriate address[es].

Simple email-client-based management of server-based whitelists could be handy.

Image CAPTCHAs could work.

How about a series of images that have rabbits, a duck, a kitten, some items of clothing etc, each with the various items in different colours.

Then the user has to answer two or three questions about the image, such as:

What colour is the kitten? Which animal is wearing the pancake? What colour is this question?

Put the questions into the image as well, then any attacker has to first solve the OCR problem, followed by understanding the questions, and finally decoding the image content itself.

This concept does require that the user is able to understand and spell in [insert language of choice], but surely that's actually a GOOD thing!

Stuff

As stated above Captchas are not a solution for broken Captchas. A limit on how many e-mails you can send through a free webmail account would make these far less attractive for spammers but would not have a major impact on total spam volumes (as the majority come from compromised Windows PCs at the moment). As long as the spammers can turn a good profit with low risk of capture and prosecution they will find a way to circumvent any casually usable security system we can currently implement.

"Free" e-mail isn't free. The companies providing it aren't doing it out of the kindness of their own hearts. They have made a cold-hearted analysis and the benefits they gain from providing these services outweigh the costs. You might not see cash leaving your account but they are still getting their ounce of sweat one way or the other.

Scrap Captcha and Computerise Guess Who!

Everyone knows computers are rubbish at facial recognition. Whatever happened to the study where they used facial recognition instead of words? Maybe it's a good time to look at that again!

I.E. Look at the pictures below. Click on the guy with glasses and a tash.

Correct! It's Archie! Have an email account and a cookie.

Anonymous Coward

Free email...

Where does this notion that email should be free come from?

Seems to me free email was a marketing ploy (which worked), not a declaration of email as a public good.

As for CAPTCHAs, the best way I have found to defeat the spammers is to not use them at all.

Instead, use a relevant question to the site being registered on (working on the assumption that the only people I want registering are those who know what the sites are about). Overnight this stopped the cavalcade of porn images appearing on my forums.

Admittedly, this is not a solution for generic sites (such as webmail) because the question would have to be so generic/easy as to be useless against sheds full of people being paid to create accounts for spammers.

I'm with Kevin McMurtrie on this. While people click the links and hand over their money to spammers, they are here to stay.

Therefore, the only solution is to stop stupid people having access to money.

Anonymous Coward

tshh

the only people spam gets made is that it's profitable.

If people would stop clicking the links.

Wouldn't install the failware.

Would stop buying penus pillzz.

Would stop opening files from people they don't know.

If people were just taught not to be a sodding idiot most of these problems would go away.

But no... no. Instead We'll keep messing around with technology so people can get stupider.

*sigh*

Problem with facial expressions...

...is that there's a whole crowd of people with certain forms of autism that have a *really* hard time identifying emotions so "pick the angry face" just wouldn't work for them. (There's even people who have trouble recognizing faces *at all* and rely on other cues like movement or voice to identify even people that they know extremely well.)

As for all the other clever ideas with pictures, celebrities, etc., you'll run into the same problem that the clever chaps who invented CAPTCHAs initially overlooked: what do people with vision handicaps who rely on screen readers do? Anything that a screen reader can figure out, a bot can figure out too (by definition). So you'll always need a workaround for those people.

(Paris, because even a bot can recognize her)

Anonymous Coward

err - tsh

"the only people spam gets made is that it's profitable."

should have been

"the only reason spam gets made is that it's profitable."

@AC

The only part of this:

> Not true. The vast majority of spam comes from
> compromised windoze machines. The bots on the
> machines use the mail settings to determine which
> SMTP server(s) that machine is allowed to use and
> sends the mail via that server.

that is accurate is that most of the spam comes from Windows-based machines, which is to be expected since they are more prevalent, although most of the phishing mail that I have gotten lately comes from compromised Linux servers, not home machines.

My spam logs, however, show that the spam we receive is still coming in primarily from residential DSL circuits.

Your "windoze" comment shows your preference, or lack thereof, for the Windows operating system (one with which I happen to agree, but I digress…). Anyway, not liking it doesn't give you license to spread ill-informed misinformation. The "mail settings" in the Windows operating system do not have the provision to set which SMTP servers are allowed, and most home users are no longer using mail clients like Outlook Express, Eudora, and the like. The "modern home user" uses web-based mail and doesn't use ANY SMTP servers. They use web-based mail because their ISPs are blocking all port 25 traffic, which has in turn resulted in the successful push from the spammers to break the CAPTCHA systems of the web-based email providers.

email avalanche

Here's my idea.

When you open an email account you get a message in the account that tells you that to activate the account to allow sending of email you have to get seven of your friends to send you an email first, when those are received you're allowed to send seven emails which have to go to seven different valid addresses that aren't the seven that you got emails from, those seven then have to email each of the initial seven who forward the seven emails they receive to you, the headers should contain the email addresses of the seven you emailed that emailed the seven who originally emailed you.

Once that's done your account is fully activated.

Only road is the hard one

There is no easy fix to spam or scammers.

Charging for E-mail is NOT feasible by any reasonable method. User authentication and spoofing prevention would be easier to add to IPv4 IF (big IF) we were to re-write the internet code from the ground up, and would have a better effect. We could no more easily decide to start charging for web pages, or charging a penny per packet. These are just not reasonable routes, and for the most part are neither technically nor legally feasible.

We do have laws on the books in most countries and extradition ability to be able to prosecute these fools wherever they may try to hide. If countries are willing to hide spammers and scammers then the U.N. should set up the embargoes and chop the fibre cables coming out of said country. What we are missing is an informed legislature who will create a law enforcement arm, and encourage counterpart agencies to be created in neighbor countries, who are capable of performing packet sniffing and getting quick warrants to trace who is controlling bot nets. This idea of mysterious bot nets is hooey; if ISPs and government co-operate it would be easy to find the origination of a lot of internet problems.

Even if actual convictions are low, if we are actively closing and correcting compromised machines it would be an improvement, and if command machines and zombies keep falling we are making their job a lot harder at little cost to us honest folk.

Another necessary factor - a new law that would make it a misdemeanor crime to neglectfully operate a broadcast system (PC) on public airwaves (the net). There are already similar laws covering other areas of broadcast (RF, radio, sound, microwaves etc.). They are all legislated; if you buy a $1000 radio broadcast device and start blasting the airwaves negligently (before you learn the basics of how not to be an ass to the rest of us), well then you would get a fine, so why is a PC and the net any different? If you aren't willing to take some basic time to educate yourself and take some reasonable steps to protect your public broadcasting device, then you should pay the fine.

Yes, legislation of reasonable public safety laws, and then their enforcement, doesn't sound like such a sexy quick fix, but it might actually have some effect in the right direction.

re: email avalanche

darn, where am I going to find another 6 friends from?

@Free email...

Where have you been the past 10 years? Everything is supposed to be free now. That includes but is not limited to email, music, video, software, cocaine, and prostitutes. Jesus man, haven't you been keeping up with the times.

@Grundy

No, the prostitutes still cost, just ask Spitzer in NY.

btw, to post this I had to use the password reminder, and it ended up in my spam folder.

Jeff Yan and Ahmad Salah El Ahmad are on the wrong side of the battle

Shame on Jeff Yan and Ahmad Salah El Ahmad, of the School of Computing Science at Newcastle University for aiding those who send spam and abuse free services.

If they want to do something useful for society, they could come up with a better turing test.

Instead they did something simple, destroying the usefulness of someone else's work.

They did something simple and destructive.

This says something about the ethics of Newcastle University.

Capvkt not Captcha

Completely Automated Public Voigt-Kampf Testing. With the spammers being 'retired' if they fail.

the alternatives to captchas invade privacy and restrict freedom

@Bogwitch, not purchasing spamvertised products is not a perfect solution because of "joe jobs". Joe jobs are where a competitor sends shoddy spam while impersonating a competitor, in order to damage the competitor's business. And then there is the tiny percentage of people who actually want what is being spamvertised. How do you get them to cooperate?

The only workable solutions at this time are the ones that privacy enthusiasts and computer hobbyists currently abhor:

1. ISPs and email services scan outgoing email for spam, suspending service to computers found spamming.

2. Restrictions in the number of email destinations and number of emails that can be specified in a 24 hour period.

3. Temporarily suspending service to computers that attempt to bypass 1 or 2.

4. Sending those who provide analysis and programming services to spamming companies, and those who rent or sell spamming services, to jail for longer and longer periods of time.

And really, only 4 will be effective. There will always be ways to disguise spam to get it to pass Bayesian filters, and restrictions in how much spam each PC can send will simply lead spammers into infecting more and more PCs.

Operating system irrelevant

I think we can agree that most spam comes from computers running popular operating systems.

In other words, Windows.

Spammers write bots and trojans for money. There simply isn't money to be made infecting the small number of computers running less popular operating systems with spamming software.

If another general purpose operating system came along that was cheaper and easier for home users, and it became dominant, then spammers would go to work on it, and soon most spam would come from it. (And we know these have vulnerabilities, since blackhats looking to break into high-value targets are able to break into Linux, Unix and Apple systems.)

So developing a new operating system that would be both easier (than Linux) and cheaper (than Apple's OS) for home users isn't a workable solution.

Anonymous Coward

kittenauth

I tried to sign up for something last night but the captcha text was so hard to read (rotated, outline, noise, grouped close together, even overlapped I think) that I had to skip about 7 or 8 images to get one I could actually read. Even then I failed it a couple of times, so I'm probably at about 10% success for that particular case. It's starting to get silly.

@Joseph Zygnerski

The animal picture method does exist, in fact there was a story on here about one.

http://www.theregister.co.uk/2006/04/12/kittenauth/

Real world

Wow, I always love the endless "we should do THIS" scenarios....

Problem is that none of them really will work in the Real World (RW).

In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.

Paris because she hardly ever shows up in my spam any more....
