Spam swine break next-gen CAPTCHAs

Spammers have reportedly defeated revised CAPTCHAs from both Google and Microsoft. Worse, miscreants intent on establishing online webmail accounts to bombard us all with useless stock tips and penis pills have also broken other forms of verification system designed to tell humans and computers apart, such as kitten-based …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Timestamps?

    If the user was only given, say, 5 seconds to decipher a captcha, could the sweatshops keep up? They'd need a lot of staff, and even at $4/h that adds up.

    Failing that we could just find the people who own the sweatshops and kick them until their balls drip out their ears...

  2. Ros

    Image-based captchas must die

    They don't work effectively, they're not usable, and they inconvenience genuine users. So in some ways this could be a good thing, because the captcha should have been re-thought a long time ago.

  3. Ken Hagan Gold badge

    Is this really surprising

    Long-standing tradition has it that the easiest way to break into a company is to bribe the secretary. (He, she or it is probably paid far too little.) So the easy way to pass a Turing test is to bribe a human to take it for you.

    The solution is to block everything from "free" accounts. People tend not to abuse things they've paid for, and there's a paper trail back to their bank account if they do. About the only convincing reason I've ever heard for using these services is people who want a throwaway address to use for a limited period in some public forum, like a newsgroup. Now *that* problem would go away if spam went away and spam would go away if the free accounts went away. (Chicken, meet egg.)

  4. Anonymous Coward
    Paris Hilton

    Oh rats

    I was looking forward to having an excuse to look at pussies every time I need to tell a computer I am (mostly) human.

    Hmm. Now should I use the "joke" or "Paris + obligatory pussy implication" icon?

  5. Anonymous Coward
    Unhappy

    Despair.

    Why is spam still here? Is the human race really that stupid that any spam scheme ever actually sells anything? Or is it just the marketing turds ("Just kill yourself. No, really: kill yourselves. I'm not joking." - Bill Hicks) that are being scammed by the spammers into *thinking* that spam actually produces return on (marketing) investment?

  6. Charles

    @Ken Hagan

    Unfortunately, anonymity has legitimate legal and moral concerns. Consider whistleblowers. Laws or no laws, they may not wish to reveal their identities (at least at first) when trying to uncover reprehensible action on the part of their employers, since doing so would paint a big target on their backs.

  7. Tsu Dho Nimh
    Pirate

    Sweatshop Recruiting

    You see recruiting posts on "work at home" sites, often listed as "data Entry". They pay a tiny amount per 1,000 images typed in, but it's apparently worth it to the spammers to get accounts.

  8. Anonymous Coward
    Anonymous Coward

    @Ken Hagan

    I use a free one because... well, because I don't have a paid-for one apart from my works email address. And that'd just be a pain in the ass.

    Also, there are several million free email addresses in genuine use worldwide and you'd be inconveniencing every one of them - you'd have to copy every message, give full transfer instructions, etc etc or start having people pay for their previously free accounts (if they didn't they'd get the chance to download all of their previous email and then lose their account).

    And if everyone started charging for emails, someone would just come up with an ad-supported version again, leading to the customer being royally screwed.

    We'd need a geographically independent Internet Government to push something through like that.

  9. Bruno Girin
    Boffin

    @Ken Hagan

    The convincing reason I have for using a (free) gmail account is that it has a much nicer web interface, a much better spam filter and much more storage space than anything my ISP can offer (and that I have to pay for).

    Also note that email spam existed before free webmail accounts so your argument seems flawed to me. What free email accounts do is provide another way to distribute spam but it is far from the only way.

    I agree with your analogy about bribing the secretary though.

  10. Someone

    Re: Timestamps?

    There’s a problem with time limits. You can make the time allowed so short that a reasonably smart Indian can’t complete the task quickly enough. Then, even allowing for the extra time a genuine user would have because the image is not being relayed and queued up, someone like “asdfghjkl” would stand no chance.

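The time-limit idea from the first comment, and the objection just raised against it, as an added example that is not from this thread or from any product mentioned in it: a server-side challenge token carrying a signed issue time and a solve window, plus a helper for estimating how many genuine users a given window would reject. The function names, the 30-second window and the sample solve times are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Tunable window in seconds. Too short and slow humans fail (the objection above);
# too long and a puzzle can be relayed to a remote solver and the answer returned in time.
MIN_SOLVE_SECONDS = 1.0
MAX_SOLVE_SECONDS = 30.0


def issue_challenge(answer: str, now: float) -> str:
    """Return an opaque token binding the expected answer to its issue time.
    HMAC-signing the pair means the client cannot move the issue time or swap the answer."""
    issued = f"{now:.3f}"
    digest = hmac.new(SERVER_KEY, f"{issued}|{answer}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}|{digest}"


def verify_answer(token: str, submitted: str, now: float) -> str:
    """Check one submission; returns 'ok', 'wrong', 'too_fast', 'too_slow' or 'tampered'.
    Stateless by design: a production check would also record used tokens to stop replay."""
    try:
        issued_str, digest = token.split("|", 1)
        issued = float(issued_str)
    except ValueError:
        return "tampered"
    expected = hmac.new(SERVER_KEY, f"{issued_str}|{submitted}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return "wrong"          # wrong answer or altered token; both rejected the same way
    elapsed = now - issued
    if elapsed < MIN_SOLVE_SECONDS:
        return "too_fast"       # no human reads and types a distorted image this quickly
    if elapsed > MAX_SOLVE_SECONDS:
        return "too_slow"       # consistent with the puzzle having been farmed out and queued
    return "ok"


def false_reject_rate(human_solve_times, max_seconds=MAX_SOLVE_SECONDS) -> float:
    """Fraction of genuine solve times a window would reject; use it to tune MAX_SOLVE_SECONDS."""
    rejected = sum(1 for t in human_solve_times if t < MIN_SOLVE_SECONDS or t > max_seconds)
    return rejected / len(human_solve_times)


# Constructed sample: solve times (seconds) measured from a handful of real users.
SAMPLE_SOLVE_TIMES = [5.0, 12.0, 40.0, 3.0, 70.0]
```

Running `false_reject_rate(SAMPLE_SOLVE_TIMES)` on the constructed sample shows the 30-second window would turn away two of the five genuine users, which is the trade-off the comment above describes.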
  11. Anonymous Coward
    Unhappy

    RE: "a virtual stripper program"

    THAT is clever.

    Sort of a manual SETI@HOME.

    WANKIE@SPAM

  12. Anonymous Coward
    Happy

    Are the kittens still unbroken? *

    I didn't notice anything about the kittens (e.g. KittenAuth) or cats (e.g. http://research.microsoft.com/asirra/) in the references for broken CAPTCHA mechanisms...

    *reference to "Will the Circle Be Unbroken", by Joan Baez (and many others), for the benefit of those of us who still remember the 60s.

  13. Solomon Grundy

    Kitten Based

    Oh, fuck it. It's not really even worth commenting on.

  14. Anonymous Coward
    Anonymous Coward

    "Kitchen-based"?

    Nice typo in the subtitle. I thought for a moment that it was some sort of recipe captcha "which seasoning goes well with fish?"

    How about a test such as

    "Fill in the blanks correctly with these words - There, they're, their :

    __ waiting for __ lunch over __"

    Or maybe a captcha that involves choosing the funny punchline to a joke?

    (Yes, I know these would stop lots of legitimate users too.)

    Some sites offer arithmetic questions to text-only browsers like lynx/links.

  15. Anonymous Coward
    Coat

    If You Can Remember the Sixties...

    ...you weren't there.

  16. Tony Hoyle
    Flame

    I do hope they do break captchas

    ..then make a firefox plugin that does it automatically.

    Some, like the rapidshare one, are so ridiculous you only get the right answer by sheer luck. I'd pay money for an app that could do it.

  17. Simon Buttress
    Thumb Down

    @AC posting first in the thread

    Read the money in the article again pal, 4 dollars a DAY not an HOUR.

  18. Andus McCoatover

    @"Kitchen-based"?

    Excellent! "Their, They're and There"

    Hope we don't implement this on El Reg's comments section.

    It'd completely fuc*k most flamers. (Don't ya just luuuve chuckling at their illiteracy. Mucking Fuppets.).

    Also, might filter out amanfrommars. He'd rewrite the sentence so it meant utter bollocks. I do SOOOOOO enjoy his mystical meanings. Helps me pass out at the keyboard, without having to give the missus a good seeing-to first.

    (God, I HATE Friday nights. Waking up feeling all dirty-and-used in the morning...)

  19. Anonymous Coward
    Flame

    It's time to...

    It's time to start getting serious. Spamware programmers should be punished by removing .1mm of their fingertips, per mail, or forum posting done using their software. When shoulders are reached, start from the soles of their feet. Stop again when shoulders are reached. This should provide both a solution to the problem, and serve as a warning to others considering an unethical career.

  20. Anonymous Coward
    Pirate

    The reason spam works...

    Rule of large numbers. To wit:

    Say you send out a hundred million spam messages per day.

    Suppose that only one hundredth of one percent of recipients respond, giving you 10,000 suckers that day.

    Now, suppose that you take each of those suckers for $20 for a fake diploma or some herbal viagra pills, whatever. 20 * 10000 = $200000

    So, you've just made two hundred grand for basically no work.

    And, before you start telling me that people are too smart or well informed to fall for spam.... just remember that a third of America still think Iraq was involved with 9/11. And that's a hundred million people.

  21. Graham Marsden
    Flame

    @ a recognition task easy for humans but tricky for computers.

    Are you kidding? I can think of more than a few occasions when it's taken me multiple attempts to try to decipher distorted text or figure out which image is actually a bloody kitten. These things are a total PITA.

  22. John Benson
    Alert

    Amazon's Wetware Mechanical Turk

    Want a few pennies for doing something on the web? Amazon is flogging Artificial Artificial Intelligence at:

    https://www.mturk.com/mturk/welcome

    I don't know whether this Amazon is THE Amazon, but it certainly shows how CAPTCHA workarounds can be organized on a massive scale.

  23. Anonymous Coward
    Anonymous Coward

    @AC Re: Wages in India

    $4/hour? Not so much:

    "...the CAPTCHAs puzzles themselves are being solved in 21st century sweatshops, where workers in India are paid as little as $4 a day..."

    The scary thing is that in India, that wage makes you pretty well-off, vs. the average, anyway. If my figures are correct, somewhere around 70% of the population earns less than $1.25/day.

    Given the other jobs on offer at those rates, CAPTCHA-typing is probably a pretty sweet gig for a lot of people...

  24. Frank

    Chicken and Egg

    I only half agree with Ken Hagan and most of the other comments here. I have my own domain and corresponding e-mail addresses which I use for 'serious' purposes. There is no way I will give one of those addresses to any person or organisation that I do not trust because of my fear that they will pass it on to a spammer.

    I have Hotmail and Yahoo e-mail for 'casual' use and find the yahoo 'Address Guard' disposable e-mail addresses to be an ideal way to protect yourself. I've had to dispose of two of these addresses in the past year. As far as I can figure out, when you order something online and they ask for a contact e-mail, they then pass it on to spammers. I don't complain, I just delete the address and never deal with that organisation again.

    I think that anyone who needs to send out large numbers of e-mails or send bulk e-mail should have to operate a paid-for webmail account (or run their own domain and servers), which can be shut down if verified complaints are made to the ISP/operator. To change over to this method would probably be impractical for many legitimate clubs and societies and the ISPs would have to spend money organising it, so it's not going to happen.

    Some way is needed to make it 'non-profitable' for the spammers to operate. This would require thought, planning and co-operation between ISPs and web-mail operators (cynical chuckles).

    The comment about an 'independent Internet Government' made me laugh because such an organisation would need to be international and trans-national, like the UN (cue long belly laugh).

    Let's face it, you're on your own out there and only you can look after yourself. Use disposable e-mail addresses, or multiple webmail accounts and be ruthless about deleting them if they become spam targets.

  25. Quirkafleeg
    Thumb Up

    Try this one…

    http://www.userfriendly.org/cartoons/archives/08oct/uf012005.gif

  26. bruceld
    Thumb Down

    spamorama

    the solution is simple....set a limit to new free e-mail accounts registered to known subdomains and/or IP addresses of known sweat shop/spam countries.

    simple isn't it?

  27. Anonymous Coward
    Thumb Down

    @Ken Hagan

    I have a free email address for my personal correspondence - I don't want everything to go through work, and I don't want the email associated with my web addresses to attract spam. So all my personal shopping, surfing and correspondence uses a webmail account. The advantage is that when this gets so weighted down with spam that it's unusable I can start a new one and just inform those parties I want to continue with. This is a very common approach and I suspect any spam filter attempting to block webmails would find itself very unpopular very quickly.

  28. blackworx

    Er...

    "Originally it was thought that sophisticated automated tools alone were being used to defeat CAPTCHA controls"

    Surely it was pretty obvious from the outset that there were fleshies at the end of the line? If this is the quality of thinking on the white hat side then no bloody wonder they're fighting a losing battle.

  29. Simon Hobson Bronze badge

    RE: spamorama

    "... set a limit to new free e-mail accounts registered to known subdomains and/or IP addresses of known sweat shop/spam countries"

    Simple yes, correct no.

    Almost certainly, the signing up will be done by machines in a bot herd, spread all over the world and IP space. These bots will forward the puzzle on to their controller (which then farms it out to a human for solving), and wait for the answer back before completing the sign-up.
