back to article Russian serfs paid $3 a day to break CAPTCHAs

Why should miscreants bother to develop cutting edge programming techniques when they can pay $3 to somebody to set up spam-ready webmail accounts on their behalf? Evidence has emerged that people as well as malware are being used to defeat CAPTCHAs, challenge-response systems that are often used to stop the automatic creation …

COMMENTS

This topic is closed for new posts.
  1. Edward Lilley
    Boffin

    Obligatoy zombie-related post

    At least Captchas* will still work against the impending zombie/robot invasion... unless they first capture huge numbers of slaves that they can farm out their captcha-breaking to.

    *The physical sort that you put on doors to defend against zombie break-ins.

  2. ratfox
    Thumb Down

    Boring job

    I liked better the idea of giving free access to web surfers to a porn site on

    condition they'd solve a captcha... The largest group of web users (i.e., those looking for porn) become your free captcha solvers!

  3. Anonymous Coward
    Coat

    Jobs!

    does it mean that they are creating jobs? /ducks.

  4. Sabahattin Gucukoglu
    Happy

    Wa wa wa ...

    <rant>

    Excellent. No more CAPTCHAs. No more freemail accounts, either. We all really, really miss those. Especially blind people, like me. Yeah, I really need them so I can trall painfully slow-loading, graphic and ad-filled pages. We never wanted email redefined using the Web 2.0 paradigm, and here's why: it doesn't bloody work. No-one needs webmail outside of the ISP, and no-one need have anything but an ISP account if they don't run their own domain and/or mailer. And since protocols exist to do mail without the bloody web, no-one has any excuse. Portblocking becomes less useful, as does filtering on SMTP client behaviour, though, which is less good. But SPF and co. suddenly gain usefulness and those of a selfish tone of mind may then quite effectively and correctly blast the offensive domains. ISPs suddenly need to take responsibility for their output relays as more and more freemails become blocked, assuming portblocking is employed at all (Comcast, are you listening, you self-satisfied reprobates?).

    </rant>

    Cheers,

    Sabahattin

  5. Brett Brennan
    Dead Vulture

    Charge 'em, Danno!

    The quickest solution to this problem is for the major mail ISPs to start charging a fee for a mail account. This does not have to be an on-going monthly charge (although it will probably end up that way) but a sign-up fee would go a long way to eliminate SPAM accounts. If the price is more than the potential profit from accounts, the SPAM generators will quickly abandon this practice and go back to hacking existing accounts. Not like they've stopped that anyway, but it would eliminate one more vector for their infections.

    I'd like to suggest charging per email message as well - but that gets into other economic areas, opening up a bigger land-fill of worms, so to speak. How to reimburse honest (but stupid) people that get compromised for excessive mail bills, saving "our children" from developing economically crippling "email addiction", the discrimination against the poor who will be priced out of receiving email, the discrimination against the stoopid for getting us into this in the first place, the -- AAACCCK! ARRRGHHH!....

    (Senators Obama and Clinton silence this commentator, each pulling one end of his neck tie in different directions - hard...)

  6. Aditya Krishnan

    True

    I can agree with this... Back in college, I used to assemble and sell systems for extra cash. I supplied about ten PCs, low-spec P4 systems, to some new office...they didn't even have a nameplate anywhere. A few days later, one of the hard drives gave up the ghost and I had to go pick it up to get it replaced. When I walked in, it was full of people (they had about 40 machines in there by then) manually putting spam on people's Orkut profiles and on community discussion forums, 24/7. They were paid something like 7000 bucks (£90) to do this, 8 hrs a day, 6 days a week. From that to what is described here isn't much of a leap.

  7. Herby

    Another idea/solution

    How about increasing the delay (log scale) for subsequent "attacks" (signups) fro the same IP address. While it won't reduce the number (directly), it WILL make it more difficult.

    The lowly $3 per day people won't get much done after a while!

    Yes, I know about shared IP addresses, but after week, reset the time.

  8. theotherone
    Paris Hilton

    wot

    whats the point of using gmail to spam? there is a 500 message per day limit. spammers need to send out millions of emails per day to have any luck...

    P.H cause she can spam me anyday.....

  9. charles uchu

    Yup, Humans Are Spammers Too

    I'll confirm that too. With experience running a smaller free webmail service for a couple of years, I noticed a decent amount of traffic related to humans subscribing to the service and spamming. I picked up on dialogs from subscribed accounts they had with their "employer" and they would also do things like use yahoo and gmail accounts as at which to receive a confirmation email.

    They'd subscribe an account, broadcast out spam until it was cut off by our automated systems and then move on to the next account to spam from.

    Traffic of this sort was not only limited to Russia or Asian areas, as we picked up dialogs happening in Portuguese and originating from Brasil.

  10. Andy Hards
    Happy

    3 per day or

    per account or per hour? Where do is sign up? Do I get health and dental?

  11. Morely Dotes
    Thumb Up

    @ Brett Brennan

    Half of your idea is good.

    Charging a setup fee for a "free" email account would practically eliminate their use by spammers, because any form of payment whatsoever that works over the Internet can be traced.

    Charging per email doesn't work for a rather large number of reasons (do you charge per addressee, per byte, per destination domain? How do you calculate the actual costs, so as to ensure you profit from the charges? How do you keep your customers when they can get a free "unlimited email" account from me after paying the nominal setup fee? and so on.)

    But $3/day serfs aren't going to plunk down $5 or $10 per account, even if their masters are willing to pay it. Assume they each open 100 accounts per day. After all, they can pocket the $500 or $1000 for one day's "work" and quit immediately; why work the rest of the year for that amount of money?

  12. Morely Dotes

    @ theotherone

    "whats the point of using gmail to spam? there is a 500 message per day limit"

    1. A valid "return address" will defeat some anti-spam measures ( I won't name and shame; suffice it to say there are some truly shite-quility, expensive commercial packages that are trivial to get around).

    2. That same valid "return address" may be needed for some scams.

    3. As I understand it, Gmail permits up to 50 BCCs. That's 50 * 500 == 25000 spam recipients. Multiply that by the hundreds or thousands of phony accounts that are being set up and, well, you can see how quickly it adds up.

  13. ImaGnuber
    Dead Vulture

    @Andy Hards

    I hear the Russian Mafia has a unique health and dental plan.

  14. Lou Gosselin

    Captchas are already being broken

    Captcha's are at best a temporary solution to a long term problem.

    I've followed this topic for a long time.

    Do a search and find hundreds of links about breaking captchas.

    Some engines are generic enough to work with many captcha generators.

    http://www.cs.sfu.ca/~mori/research/gimpy/

    http://www.botmaster.net/pictocod/

    To respond to this threat, sites make the captchas more and more difficult to recognize to the point where I personally make mistakes when I incorrectly guess what the correct answer is. I imagine an automated program may have a better chance at solving these than I do.

    In any case it was long speculated that it would always be possible to pay people to manually solve the captchas.

    I would like to see more effort to block spammers at the point of origination.

    For instance, apply spam heuristics on a sender's email and take action earlier.

    If thousands of accounts are sending the permutations of the same email, then there is a very high chance that it is spam.

  15. Anonymous Coward
    Boffin

    Next step

    The next step is now obvious... require a captcha to be solved after every x messages sent, where x decreases to 1 when the number of messages sent increases.

    If they continue to pay people to solve these captchas, fairly soon it becomes un economic to be a spammer, so hopefully they'll give up (ideally in a darwin award candidate manner)

    After all, they are only in it for the money!

  16. Joe Cooper
    Stop

    Charging is not the solution

    It's wrongheaded to think that charging would solve the problem.

    When we put CAPTCHAs up, it didn't actually stop the spam, it just created a market for humans to break the CAPTCHAs.

    If you put up frees, you're just going to create a new market for stolen credit card numbers and identity information.

    Then you'll see spam REALLY start to cost people.

    I don't think there's a technological solution. I mean, it's ~crime~. Anyone who can ~solve~ the problem crime needs to step away from the computer and put their magnificent brain to work on some bigger crimes than people sending annoying E-Mails.

    Like murder or corruption or something...?

  17. Anonymous Coward
    Paris Hilton

    Brain Games

    What about a solution like a brain game...

    Have a CAPTCHA with a random string of letters and then says "only enter the blue letters" or "add one to each of the numbers" or "enter in reverse order".

    and put the instruction somewhere on the page that changes slightly with respect to where the image is to make automated sending of image and instructions.

    or if the bogus people are working from russia, have instructions in russian that are wrong.

    or just plain ban people from creating accounts!!!

    (paris because she is defeated by the current difficulty level of CAPTCHAs)

  18. This post has been deleted by its author

  19. mh.

    Money

    During the 90s a very common "computer" crime was nicking the memory chips out of machines. RAM was very expensive (c. £30 - £40/MB) and easy to carry so it was tempting to crooks. The price fell drastically with the release of Windows 95 because the manufacturers overestimated the demand. Now RAM is more like £30-£40/GB and you can buy a whole new machine for about £3-400. Computers still get pinched from time to time but the economic reasons for stealing RAM just aren't there any more.

    The same applies to spam. It happens because it makes money. Before broadband and wireless were widespread there were a lot of problems with rogue diallers which disconnect the connection and redial using a premium rate number. Difficult to run one over ADSL though. At some point the spammer will receive money from some sap who decides to buy their product. One line of enquiry might be to follow the money trail and find out where it ends up. It would take a bit of work as it's probably laundered through a web of Paypal accounts, "financial manager" mules and other means, but I think it's the only real way to reduce spam being sent in the first place.

  20. David Cornes
    Stop

    Time for something new

    Email is fundamentally broken. We're slowly drowning in a ever rising torrent of shite flooding the world wide network.

    It's time (ok way past the time) for something new to come along to replace SMTP, designed for a simpler more trusting world, where identities can be verified and traced, and yes I think where if you want to send someone a electronic message you'll have to put your hand in your pocket in some way.

  21. Pierre

    @ ratfox - boring job

    Billiant idea. Actually you don't even have to market it as captcha-breaking. Just set up a free pr0n site, only requiring you to solve a captcha to access it. Only the captcha will be pulled from Gmail/Hotmail/Yahoo/whatever instead of being generated by you. A new spam account per visitor. YIIIIIIIIIIIIIHA!

    @ the spoilt braindead people who want to make people pay for messages: the third world thanks you for breaking their last hopes. And yes, let's trace all that. And analyse the content of each message, too. And check the credentials of the recipient, as they might be supposed terrorists. And this lady you send steamy messages to might not actually be your wife. Your missus desserves to know that. Only the guilty have anything to hide anyway.

  22. Pheet
    Boffin

    Social, not technological

    That CAPTCHAs are being broken, either automatically or by sweatshop (or more likely a combination - simulated neural net in software, use the sweatshops to train it & when it can't answer correctly) is no surprise.

    CAPTCHA and similar concepts are are an attempt of a purely technological solution to what is a social problem, which of course, fails sooner or later.

    Technological solutions only work for technological problems.

    The solution is social - educate people to stop buying from spammers (fat chance), stop organised crime (again fat chance), etc.

    Slightly OT, I feel there's a pervailling false mentality that technology is a "quick fix" for problems - witness how our government is trying to force through biometric ID cards, allegedly to fight against "crime" and "terrorism".

  23. Anonymous Coward
    Stop

    RE: ratfox - boring job

    It's an old idea, featured on elReg, you don't need a porn site just an animated model. and the spammers already use it.

  24. Anonymous Coward
    Anonymous Coward

    Well....

    I get a dozen spams per day through my forms, which have word verification numbers on them.

    All from the same guys judging by their content. Looks automated to me.

  25. Matt Caldwell

    What kills me...

    is that this actually generates money. I cannot fathom that there are still computer-using-people on this earth who do anything but delete these as fast as they come in. Come on ppl, WTF???

    (and we need a 'confused as hell' icon too, so tux instead because he keeps a lot of spyware off my machine)

  26. Anonymous Coward
    Thumb Up

    Are they available for hire?

    I need one on staff to work out any captchas I can't figure out. At $3 a day, that's pretty cheap.

    PS: Can I beat them?

  27. Sean O'Connor
    Stop

    CAPTCHAS on phpBB

    Just from my own experience I used to use CAPTCHAs on my phpBB forums and I'd get about 5 spammers registering a day. I changed to using a simple question system which asked a random question like "what is five plus two? or, what colour is the sky?" and I haven't had a single spam registration for nearly a year now.

  28. Torben Mogensen

    mh. is right

    The only way to get rid of spam is to make it uneconomic. And that is not done by technological means (spammers will always find ways to circumvent these) but by educating users never to spend money on offers sent to them by unsolicited email, regardless of how good the offer seems or how legit the sender seems.

  29. Anonymous Coward
    Anonymous Coward

    my 2 pence...

    We all know someone with a gmail account right? well why they don't ask for a valid gmail account, and have that person confirm that the person signing up is not a spammer, lest their account gets obliterated - kinda like a social networking solution. Ok it doesn't get round hacked accounts, but very little will. As for 500 mails a day, who the heck writes and sends 500 unique emails a day? 50 is probably sufficient for most, and anyone above that should contact google and request an upgrade with a reason.

  30. Simon

    your 2 pence

    You mean like they (sort of) did with the invites?

    Bring 'em back, I say!

    Alright, world+dog had an account anyway, but having an address through an invite only service added a little... something, I think.

  31. Tom Kelsall

    4.6%??? Then... SO WHAT?

    OK we all seem to have missed the important statistic here. Only 4.6% of SPAM is sent by web-based mail accounts. So - the other 95.4 is being sent by other means; for instance, by hijacking a poorly protected SMTP server. I think a far better way to make a real impact on SPAM (well, the 95.4% anyway) would be to bring out a newer version of SMTP (SSMTP??) which incorporates certificate-based authentication between mailer and mail server, and between sending server and recipient server. The certificates for the "Mailer" would be tied to an individual and would therefore make hijacking a mail server totally impractical - because of course it would only send email from senders whose certificates it knows. Yes, the costs to provide email would ramp up... but lets face it who actually uses the "free" web-based interface for their email anyway? I always use Outlook to gather and send my web-based email - I only ever log into the web interface to check my spam folder for any legitimate messages before emptying the bucket. I don't use my ISP's mail service much because it has no filtering and because it gets blacklisted a lot (some of Virgin Media's servers do, anyway). The upshot being that if SSMTP came in and free web-based email disappeared, I would simply bring my email activities back to my ISP's offerings and live with the shortcomings.

  32. mh.

    Web email

    A lot of email spam is sent via compromised machines on botnets with their own SMTP server. Check the headers of a couple and towards the bottom you'll probably see a received line with some kind of DSL host. There will probably be a couple of fake received lines as well. Personally I quite like the idea of ISPs keeping an eye out for botnet style behaviour or open relays and blocking traffic from potentially compromised hosts until the owner is made aware of what's happening and either agrees to do a virus check or explains why they need to send thousands of emails to random addresses. It would certainly be more useful than booting people off just for using Bit Torrent.

    As for web mail accounts, a forum I admin gets about 40 - 50 spam registration attempts a day. I have various blocks in place so none are successful but I do get to see which domains they use for registering. A lot of these are free webmail services such as GMX or Gmail. I think a lot of the addresses are never actually read (although the XRumer forum spamming software does include something that can "process" verification emails) and are used because they're not likely to be blocked. The purpose of forum spam is linkspamming. A forum member list is just a collection of links. Get enough links pointing to the same site and it scores highly on Google. Search for one of the main spammy products and you'll probably find a memberlist.php or a vbulletin /members/ quite high in the results. Breaking the Google CAPTCHA means the spammers can also use Blogspot/Blogger for linkspamming.

    As I mention above, I do think the only way to stop spam is through economic means, but I think this needs to take place at a higher level than just educating end users. Pump & dump spam might not be so popular if the shares on penny stocks were automatically suspended if certain "suspicious" activity was detected such as a sudden massive increase in the number of shares changing hands. OEM software spam would probably reduce if the software publishers found out who was selling it and took steps to stop it.

This topic is closed for new posts.

Other stories you might like