Understanding How CAPTCHA Is Broken
An anonymous reader writes "Websense Security Labs explains the spammers' Anti-CAPTCHA operations and mass-mailing strategies. Apparently spammers are using a combination of different tactics — proper email accounts, visual social engineering, and fast-flux — representing a strategy, explains their resident CAPTCHA expert. It is evident that spammers are working towards defeating anti-spam filters with their tactics."
Really? (Score:5, Funny)
Sounds like news to me!
Re:Really? (Score:4, Insightful)
Would I give a bank my SS#? Sure.
Would I give my SS# to Yahoo? Not as long as there are other places where I can get free email and play fantasy sports.
A more practical approach - 3 grades of service (Score:5, Interesting)
* verified user, someone using a credit card or providing some other ID that, if faked, can be prosecuted criminally
* established regular user, a person with a reasonably long and regular history, say, at least 10 logins a month, at least 10 outbound messages a month, and at least 10 inbound messages a month, for 3 of the past 6 months, and a minimal history of complaints.
* other - anyone else
On outbound messages, include a tag that the recipient's mail provider can use as part of its trust-assessment.
The "minimal history of complaints" is a potential problem due to false allegations and joe-jobbing.
Lack of ID could be a problem for users from countries whose IDs are not deemed trustworthy. If I give Yahoo my Nigerian passport number....
Re: (Score:2)
. . . and if Yahoo and Google can match first/last names to SSNs then so can spammers.
Re:Really? (Score:4, Funny)
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Comment removed (Score:5, Funny)
Re: (Score:1, Funny)
You're not missing much anyway, that article was so poorly written, I found myself cheering for the spammers by the time it was through.
Re: (Score:2)
[Dis|En]able colors, images, animation, java, javascript, flash, popups, cookies, referrers, and a whole bunch more with a single click.
Re: (Score:1, Interesting)
What's to say that your phone company isn't paying people to send SMS to all their users?
Re: (Score:3, Funny)
Wooh! Mexico is a country with mature wireless industries! (We don't pay to receive SMS)
Re:I guess I've gotten used to it (Score:5, Informative)
Originally, everyone had to pay to make a phone call, but it was free to receive a call. Local calls were less expensive than long-distance calls, but both charged by the minute. Decades ago, phone companies started offering a monthly flat rate for unlimited local calls, and it was so popular that it's all they offer now. Long distance calls are still a per-minute charge for the caller (free to the recipient), except for some newer companies like Vonage that include unlimited long distance calls.
Enter cellular phones. Early adopters (mostly businessmen) wanted the convenience of being able to take a telephone with them in their car, without the rest of the world necessarily needing to know anything about what technology they were using, or having to pay any extra fees. The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers (requiring a 1 dialed in front of the number, and adding a per-minute charge to the caller's bill). People wouldn't have wanted to do that. Remember, the vast majority of calls to cell phones were from land lines, not from other cell phones (because the vast majority of people didn't have cell phones yet).
So, the owner of the cell phone pays for the privilege of having a mobile phone, paying for both sending and receiving calls. Over time, calling between cell phones becomes increasingly popular, but if one person with a cell phone calls another person with a cell phone, BOTH people pay per minute for the call.
And if you're going to pay for sending and receiving phone calls, you're gonna pay for sending and receiving text messages.
Of course, the per-minute fees are exorbitant, so to soften the blow, companies start offering "free" minutes included with the monthly plan, along with a certain number of "free" text messages. The more money you pay per month, the more "free" minutes and text messages are included.
Enter the marketing department. In an attempt to differentiate themselves from the competition, somebody starts offering unlimited calls during non-peak hours (nights and weekends), and all their competitors jump on board. Then, as mobile-to-mobile calling becomes increasingly popular, companies start offering "free" mobile-to-mobile calls within their own network, to entice people to recommend that everyone they know sign up with the same company. But since most people don't even know how to use text messages (my first cell phone didn't support them), there's no marketing reason to offer free text messaging. It's much more profitable to charge $0.10 per message (after the first few hundred per month that are included with the plan).
We now have a new generation who has grown up with cell phones and is perfectly comfortable typing entire conversations on a keypad, abbreviating anywhere they can save keystrokes just as we did when chatting on computer bulletin boards and IRC in the late 80s and early 90s. Some people here remember the days before 300baud modems; abbreviating was essential.
As demand for text messaging increases among this new generation and improving technology reduces actual per-call and per-message costs, marketing departments will decide that they stand more to gain from offering unlimited calls and text messages (because they can advertise it to attract customers) in their standard monthly rate than they do from charging $0.10/message. They're already moving in this direction, offering unlimited calls and texts to/from a certain number of "favorite" people. Eventually we'll all have one flat monthly rate for unlimited usage, and the whole question of paying to receive calls and text messages will be irrelevant.
I was about to say it will be forgotten, but it has never occurred to most Americans that things could work differently in the rest of the world, so there's no question to forget.
Re: (Score:2)
The owner of the cell phone pays per minute for both incoming and outgoing calls, because the only alternative would be to treat all cell phones as long-distance numbers
Thanks for the detailed explanation... I have cell phones in 3 different countries, and in each the number starts very clearly with a different prefix, so everybody knows that they are calling a different number with different tarification: you have local, long distance and cell phone (and 800, 900, etc). I don't see anything strange with that, but I find it strange that some want to treat cells as if they were local numbers and have the callee eat the difference.
Re: (Score:2)
Thanks for the detailed explanation... I have cell phones in 3 different countries, and in each the number starts very clearly with a different prefix, so everybody knows that they are calling a different number with different tarification: you have local, long distance and cell phone (and 800, 900, etc). I don't see anything strange with that, but I find it strange that some want to treat cells as if they were local numbers and have the callee eat the difference.
Yeah, I failed to highlight this point in my excessively detailed post, but that's exactly it - we don't have a different prefix for cell phones here, so there's no way for the caller to know whether a particular number they're calling is a land line or a cell phone. Remember, by this time in the US, everyone had a flat monthly rate for local calls (the vast majority of calls most people ever made), while in the rest of the world, most people had to pay per minute for every call they made (with long dista
Re: (Score:2)
Then campus IT shut down the network for a day, which caused problems with that peripheral. The *next* day I get about 300 messages, once the network came back online. That cost me about $30 to *receive* those messages.
This is in California, which, despite what some people may think, is definitely in the US. True, it was one of those fly-by-night wireless companies (called Cingular...)
Re: (Score:3, Informative)
a. No SMS has a subject line, it is a "Short Message Service" (max 160 chars)
b. How the hell does the network know whether you have opened the message or not -- either it has been sent to your phone, or it has not. Any other way, and people would be publishing "free-SMS" hacks for phones.
This is a job for...TinySMS ! (Score:2)
(2) People type in their message and are given a helpful TinySMS string like &Ee*3#9-! to text to their SO, cleverly avoiding the cost of receiving an SMS by just recording the preview string
(3) People smash their phones trying to text strings like "&Ee*3#9-!" until they realize it isn't possible
(4) TinySMS ends up selling the unread text messages to the highest bidder
(5) E! buys an unread TinySMS and learns of Britney's latest accident 12 minutes sooner
(6)
Wrong title (Score:5, Informative)
I'm surprised they're not using them to break the spam filters of Yahoo/Hotmail/Gmail though. I mean, if they all started sending each other spam and marking it as ham, wouldn't that pretty much break any feedback-based system that they're using to protect their users?
Re: (Score:2)
Wouldn't collaborative Bayesian [paulgraham.com] filtering mitigate that problem? The preferences of people who actually enjoy receiving spam would be combined with the preference of other similar-minded individuals. So then the people who like spam get their sp
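The feedback-poisoning attack described in the parent post, and this reply's point that a filter should not treat every user's vote alike, can both be seen in a small simulation. This is an added example, not code from the article or from any of the mail providers named above. The token corpus, the reporting accounts, and the weight of 0.05 given to throwaway accounts are all constructed for the example; the token scoring is a simplified form of the Graham-style combination the reply links to, not any provider's actual filter.

```python
import math
from collections import defaultdict

# Constructed corpus: tokenised message bodies (not real mail).
SPAM = [
    ["cheap", "meds", "online", "buy", "now"],
    ["buy", "viagra", "cheap", "online"],
    ["cheap", "pills", "buy", "online"],
]
HAM = [
    ["lunch", "tomorrow", "meeting", "notes"],
    ["meeting", "agenda", "attached"],
    ["notes", "from", "lunch", "tomorrow"],
]

# Feedback reports: (reporting account, message tokens, label the user chose).
# Established users each flag one spam as spam and one ham as ham ...
HONEST_REPORTS = [("user%d" % i, SPAM[i], "spam") for i in range(3)] + \
                 [("user%d" % i, HAM[i], "ham") for i in range(3)]
# ... while ten attacker-controlled throwaway accounts mark every spam as ham.
POISON_REPORTS = [("throwaway%d" % i, msg, "ham") for i in range(10) for msg in SPAM]


def train(reports, weight_of=lambda account: 1.0):
    """Build per-token ham/spam counts from feedback, weighting each report by
    the reporting account's trust (default: every report counts equally)."""
    counts = {"ham": defaultdict(float), "spam": defaultdict(float)}
    totals = {"ham": 0.0, "spam": 0.0}   # weighted number of messages per class
    for account, tokens, label in reports:
        w = weight_of(account)
        totals[label] += w
        for tok in set(tokens):
            counts[label][tok] += w
    return counts, totals


def token_prob(tok, counts, totals):
    """P(spam | token) from per-class message frequency, clamped to [0.01, 0.99]."""
    g, b = counts["ham"].get(tok, 0.0), counts["spam"].get(tok, 0.0)
    if g + b == 0:
        return 0.4                        # prior for a never-seen token
    gf = min(1.0, g / totals["ham"]) if totals["ham"] else 0.0
    bf = min(1.0, b / totals["spam"]) if totals["spam"] else 0.0
    return max(0.01, min(0.99, bf / (gf + bf)))


def score(tokens, counts, totals):
    """Combine the per-token probabilities into one spam probability."""
    ps = [token_prob(t, counts, totals) for t in set(tokens)]
    prod_p = math.prod(ps)
    prod_q = math.prod(1.0 - p for p in ps)
    return prod_p / (prod_p + prod_q)


def classify(tokens, counts, totals, threshold=0.9):
    return "spam" if score(tokens, counts, totals) >= threshold else "ham"


def reputation_weight(account):
    """Stand-in for an account-history weight (an assumption for this example):
    established users count fully, fresh throwaway accounts barely at all."""
    return 1.0 if account.startswith("user") else 0.05


def demo():
    clean = train(HONEST_REPORTS)
    poisoned = train(HONEST_REPORTS + POISON_REPORTS)
    weighted = train(HONEST_REPORTS + POISON_REPORTS, reputation_weight)
    return {
        "clean": classify(SPAM[0], *clean),
        "poisoned_equal_votes": classify(SPAM[0], *poisoned),
        "poisoned_weighted_votes": classify(SPAM[0], *weighted),
    }


if __name__ == "__main__":
    print(demo())
```

With every vote counted equally, thirty "not spam" clicks from throwaway accounts drag the spam tokens down to roughly even odds and the message slips under a 0.9 threshold; once a report is weighted by the reporting account's history, the same thirty clicks are worth less than two honest reports and the message stays classified as spam. The weights themselves are the hard part in practice, which is what the three-tier proposal earlier in the thread is really about.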
This is more about subverting CAPTCHA (Score:4, Informative)
This is the scam part, not the technology part of their operations, which would actually tell us about the possible weaknesses for the CAPTCHA tests and give hints how to fix them.
My spam rules-- (Score:1, Interesting)
If the message is not in English or Lojban, I don't want to see it.
If the message is in caps, I don't want to see it.
If the message was sent to more than ten people, I don't want to see it.
If more than 10% of the message text is not valid and correctly spelled English or Lojban, I don't want to see it.
If the message has anything to do with a lottery, I don't want to see it-- I don't gamble, period.
If the message has anything to do with sex, I don't want to see it.
(for various reasons)
If
Re:Animated CAPTCHAs? (Score:5, Informative)
But that captcha on e-gold would be trivial to break. Over the course of the animation all parts of all numbers are visible with no variation or noise around them. If they rotated, though, and were slightly larger than the image, it might just work. That would be such a pain in the ass for humans to read I don't think it would be used at all.
The most likely captcha technologies to win, I think, are the ones that require some amount of contextual knowledge about our world. Nobody's really created an anti-captcha bot that can distinguish a kitten from a tiger, for instance. Tests like these, even though they're also obnoxious to humans, are much more effective.
Re: (Score:2)
Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?
Re: (Score:2)
Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?
Which is the point.
Re: (Score:2)
The animations can also be machine generated from a dictionary of images, with a random number of frames and a random frame position for each image.
This is all pointless, however, since spammers probably pay people to register new accounts for them.
Re: (Score:1)
Yes, but what if you ask the person to type the word/identify the picture/whatever in a specific, random frame of said animation? Or even something like "please check the objects you see in the animation", followed by, say, 10 radio buttons?
Presenting multiple words might work, but for a machine this would just multiply the complexity of one CAPTCHA with the number of frames, while a human takes significantly more time to solve it compared to a flat one. And radio buttons are out of the question, they would produce too many false positives. Tick boxes might be slightly better, but still not as good as text input. Except maybe to distract some bots.
Re: (Score:1)
Every time I see an article about CAPTCHAs being broken, I always think, "Why not try animated CAPTCHAs?" Surely something this simple has been thought of before and tried; is there any reason it wouldn't work? Or would it just have the same effectiveness as a static-image CAPTCHA, and so there's just no reason to put forth the effort to make one?
Animated GIFs are simply multiple images (frames) saved in one file. It would be easier to break it since the bots can "see" the same text in multiple images and interpret it better when you have multiple images showing the same text.
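The point made in this reply, that extra frames give the bot extra evidence rather than extra difficulty, is easy to demonstrate. The following is an added example, not code from the article or from any CAPTCHA product: it constructs a tiny three-letter "font", renders an animation in which each frame shows only about half of the glyph's pixels plus random noise (a deliberately crude stand-in for the dancing-text schemes discussed above), and then recovers the glyph by a per-pixel majority vote across frames before matching it against the font. The glyph bitmaps, the frame count and the dropout/noise rates are all assumptions chosen for the example.

```python
import random

# Constructed 5x7 glyph bitmaps standing in for a CAPTCHA font (assumption: a real
# scheme renders real fonts; these only keep the example self-contained).
GLYPHS = {
    "T": ["#####", "..#..", "..#..", "..#..", "..#..", "..#..", "..#.."],
    "I": [".....", "..#..", "..#..", "..#..", "..#..", "..#..", "....."],
    "L": ["#....", "#....", "#....", "#....", "#....", "#....", "#####"],
}


def to_bitmap(rows):
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


def make_frames(glyph, n_frames, keep_prob=0.5, noise_prob=0.1, seed=1):
    """Simulate an animated CAPTCHA: every frame shows only a random subset of
    the glyph's pixels and adds random noise pixels, so no single frame is clean."""
    rng = random.Random(seed)
    frames = []
    for _ in range(n_frames):
        frame = []
        for row in glyph:
            frame.append([1 if rng.random() < (keep_prob if px else noise_prob) else 0
                          for px in row])
        frames.append(frame)
    return frames


def fuse_frames(frames, threshold=0.3):
    """Per-pixel vote across frames: keep a pixel if it is lit in at least
    `threshold` of the frames. Glyph pixels recur frame after frame; noise does not."""
    n = len(frames)
    return [[1 if sum(f[r][c] for f in frames) / n >= threshold else 0
             for c in range(len(frames[0][0]))]
            for r in range(len(frames[0]))]


def hamming(a, b):
    return sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def classify(bitmap, alphabet=GLYPHS):
    """Nearest-template match: returns (label, distance to that template)."""
    distances = {label: hamming(bitmap, to_bitmap(rows)) for label, rows in alphabet.items()}
    label = min(distances, key=distances.get)
    return label, distances[label]


def demo(label="T", n_frames=40):
    frames = make_frames(to_bitmap(GLYPHS[label]), n_frames)
    return {"single_frame": classify(frames[0]), "fused": classify(fuse_frames(frames))}


if __name__ == "__main__":
    for label in GLYPHS:
        print(label, demo(label))
```

A single frame with half its pixels missing sits roughly equidistant from "T" and "I" and is several pixels away from either; the fused image lands on the right letter within a pixel or two. The only way an animation adds real difficulty is if frames disagree with each other in a way the solver has to understand (rotation, a different word per frame, asking about a specific frame), which is exactly what the suggestions above are reaching for.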
CAPTCHA sucks (Score:3, Interesting)
I think rapidshare does that knowingly, to get people to sign up for the paid version.
This article is an advertisement (Score:5, Insightful)
This article links to what is basically an infomercial. What it links to is filled with pictures and seeming explanations, but it's written in scare-mongering language and not written with an eye towards the reader understanding it. It is an advertisement telling you that Websense is a fantastic company because they understand all this terribly scary stuff and already have the technology to defeat it for you.
Re:This article is an advertisement (Score:4, Insightful)
It would be really nice if people would tag articles like this with 'slashvertisement'. :-)
Fighting spam will either succeed or it will fail (Score:2, Insightful)
Mail services that don't provide good spam protection will fail.
If it becomes too hard to fight spam, mail as we know it will end and be replaced by something else, much like USENET was for most purposes replaced by other, less-spam-prone media.
This is getting silly. (Score:4, Funny)
That should keep the bots out, right?
Re: (Score:2)
> can send email to your mailbox via snail-mail and not go to jail.
I would instead apply the same analogy to snail mail.
It really is not difficult to differentiate between personal mail and spam. The former is written for a single recipient - you. Its intent is conversation. Spam is written generically, and its intent is to get you to buy something. Spam should be illegal in any form. Period. Be it email, phone calls, snail m
Re: (Score:2)
This is a different situation. Passive ads on web pages are just something that comes with the page; they are not sent to me personally. I just happen to come across them as I browse. This is fine, since I do not own the sites, and should not dictate the owners what they can not do with them. With email, I own my email box and I have the right to some control of what goes in there.
Re: (Score:2)
That is the only part of the process that you own.
Re: (Score:2)
Yes, but that's still not the same thing. TV ads are served by the TV station and are used to subsidize the shows you watch. Yes, you also pay for your cable subscription, but there you are paying for content delivery, not the content itself. I can put up with TV ads (even though I never actually watch them) because they are used to pay for the content. Same situation with ad-supported web pages. The ads help pay fo
Re: (Score:3, Insightful)
How on earth would you actually request each individual email you want to receive? Fax your dad and tell him he's authorized to send you an email detailing his vacation cruise? Have people call you up, where you give them an ID number that must be in the subject line?
Even if you went as far as white-listing email addresses (which you actually can do now) you'd miss out when your buddy gave your email to someone who was looking to offer you a job at twice your current salary, or that gir
Re: (Score:2)
By explicitly giving the sender your email address. You can also publish it for use of a specific audience. For example, I have my sourceforge address in the header of each source file I write. This is clearly intended for people to report problems with software. There is some gray area, of course, but any email sent with the intent of selling me something definitely violates the criteria.
> I don't see how you could pr
Re: (Score:1)
> (X) technical (X) legislative ( ) market-based ( ) vigilante
If my approach is tried, it obviously has a chance of success. If it is summarily dismissed as "not gonna work", then of course it won't.
> (X) Mailing lists and other legitimate email uses would be affected
Mailing lists are not a good use of email. Use discussion forum software or usenet, which are far more appropriate venues for this type of communication.
> (X) Users of email will not put up with it
Why won't th
Re: (Score:2)
Oh? So some people are allowed to decide how you use your email and others aren't? I can never understand statements like this. "Who the hell are you" is simply not a relevant question at any time.
> I happen to *like* mailing lists
Nobody's perfect.
> and there certainly are legitimate reasons to process large volumes of e-mail.
And what might those reasons be, except for mailing lists?
> What you describe is a tyrrany by majority, o
Re: (Score:2)
Bytes on an unlimited service have no obvious cash value.
Web page redirection may have to go (Score:5, Interesting)
We're seeing the need for some limits on web page redirection. Most of these attacks involve putting something on a trusted place which redirects to an untrusted place. Google, with incredible sloppiness, allows Blogspot accounts to do this, and as a result, they are heavily exploited by spammers. (Try, for example, "nikaluti21040.blogspot.com", which will redirect, via some iframes and other tricks, to "selissia.com", which is hosted on "secureserver.net").
Exploitation of legitimate sites to get through spam filters is a problem, but it can be dealt with if you're willing to take a hard line. Our first step in that direction was our list of major domains being exploited by active phishing scams. [sitetruth.com] Our position is that one phishing attack from within a domain blacklists the whole domain. But within three hours after the problem is fixed, they're off the list. Major sites make the list now and then; Google, Dell, MSN, and Yahoo have all been on the list at one time or another. But they now know to take steps to get themselves off within hours. The Anti-Phishing Working Group and PhishTank have been helpful with this effort. We're down to 47 such domains today. It was about 175 when we started last fall. Most of the remaining entries are free web hosting services or DSL providers.
We and others have observed that there's an inverse relationship between the number of redirects and the legitimacy of a web page. We've been looking at this at SiteTruth [sitetruth.com]. For things like AdWords ads, where some sites use redirection as part of a tracking system, it's typically the bottom-feeders who are using redirection. An advertiser promoting their own product or service doesn't need it; it's brokers, intermediaries, and made-for-Adwords sites that use redirection. Anything with more than one redirect is almost bad. We expect to use redirection as part of our legitimacy metric in the future.
It's thus time for browsers to limit their acceptance of redirection. One HTTP-level redirect, OK. Beyond that, put up a popup warning of suspicious redirection behavior. Redirects via META tags and Javascript should produce a popup. Sure, some site operators will look bad, but they will adapt.
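The policy proposed in this post (one HTTP-level redirect is fine, anything beyond that or any META/JavaScript redirect is suspicious) can be checked over a chain of fetched pages. This is an added example, not SiteTruth's code or any browser's: the `Hop` records are constructed stand-ins for HTTP responses, the hostnames are made up, and the META refresh, JavaScript `location` and iframe patterns are simple regular expressions that cover the common forms rather than a full HTML/JS parse. It works offline over the constructed chains so the counts can be checked.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One fetched page in a redirect chain (constructed stand-in for an HTTP response)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Client-side redirect mechanisms that an HTTP-only hop counter never sees.
META_REFRESH = re.compile(
    r'''<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)''',
    re.I)
JS_LOCATION = re.compile(
    r'''location(?:\.href)?\s*=\s*["']([^"']+)["']'''
    r'''|location\.(?:replace|assign)\(\s*["']([^"']+)["']''',
    re.I)
IFRAME_SRC = re.compile(r'''<iframe[^>]+src\s*=\s*["']([^"']+)''', re.I)


def redirect_mechanisms(hop):
    """List (mechanism, target) pairs present in one hop."""
    found = []
    if 300 <= hop.status < 400 and "Location" in hop.headers:
        found.append(("http", hop.headers["Location"]))
    m = META_REFRESH.search(hop.body)
    if m:
        found.append(("meta", m.group(1)))
    for m in JS_LOCATION.finditer(hop.body):
        found.append(("js", m.group(1) or m.group(2)))
    for m in IFRAME_SRC.finditer(hop.body):
        found.append(("iframe", m.group(1)))
    return found


def assess_chain(hops, max_http_redirects=1):
    """Apply the policy proposed above: one HTTP-level redirect is acceptable;
    more than that, or any META/JavaScript redirect, gets flagged."""
    tally = {"http": 0, "meta": 0, "js": 0, "iframe": 0}
    for hop in hops:
        for kind, _target in redirect_mechanisms(hop):
            tally[kind] += 1
    reasons = []
    if tally["http"] > max_http_redirects:
        reasons.append("%d HTTP redirects" % tally["http"])
    if tally["meta"] or tally["js"]:
        reasons.append("%d META/JavaScript redirects" % (tally["meta"] + tally["js"]))
    return {"counts": tally, "suspicious": bool(reasons), "reasons": reasons}


# Constructed chains with made-up hostnames. The first mimics the free-host
# pattern described above: a trusted host bounces through META and JS to a landing page.
SPAMMY_CHAIN = [
    Hop("http://freehost.example/spam-page", 302,
        {"Location": "http://freehost.example/spam-page/"}),
    Hop("http://freehost.example/spam-page/", 200,
        body='<html><head><meta http-equiv="refresh" content="0;url=http://hop2.example/go"></head></html>'),
    Hop("http://hop2.example/go", 200,
        body='<html><body><iframe src="http://landing.example/buy" width="1" height="1"></iframe>'
             '<script>window.location.href = "http://landing.example/buy";</script></body></html>'),
    Hop("http://landing.example/buy", 200, body="<html><body>buy pills</body></html>"),
]
# An ordinary http -> https upgrade: one HTTP redirect, nothing else.
BENIGN_CHAIN = [
    Hop("http://shop.example/", 301, {"Location": "https://shop.example/"}),
    Hop("https://shop.example/", 200, body="<html><body>Welcome</body></html>"),
]

if __name__ == "__main__":
    print("spammy:", assess_chain(SPAMMY_CHAIN))
    print("benign:", assess_chain(BENIGN_CHAIN))
```

Note that the spammy chain has only one HTTP-level redirect, the same as the benign one; a counter that only watches 3xx responses would pass it. The difference only shows up once META refresh, `location` assignments and hidden iframes are counted as hops too, which is the post's argument for having the browser, not just the mail filter, treat those as suspicious.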
Re: (Score:1)
Unfortunately, so will the spammers.
Re: (Score:2)
Unfortunately, so will the spammers.
Every time we close off another way to hide business identity, filtering gets better. We can't actually stop the spam, but we can fix it so few humans ever see it.
Spammers trick - REuseable captcha (Score:4, Interesting)
Present Captcha image to 2 users (agreement = correct)
So the monkeys pull the right lever and get the reward of viewing the next adult video, and the spammer gets a near-realtime solution to even the best of captchas.
incoherent TFA (Score:2)
This is the most incoherent TFA I've ever seen linked by slashdot. We just went through CAPTCHA breaking a few days ago and here we go again with the dancing images and worse suggestions.
Sheesh, there's this underlying assumption that the CAPTCHA image is automatically being broken by spambots using OCR, but all it takes is CAPTCHA images where the letters are not cleanly separated to keep all but some as yet uninvented world class OCR from identifying the characte
Phone-based verification (Score:2)
It is possible to trick such a system, but very difficult on a scale of hundreds of thousands, which is what spammers need. Phone calls are better tracked than HTTP messages because of the costing infrastructure that underlies p
Re: (Score:3, Insightful)
It would be so easy to bankrupt a site that tried this (phone number generator, script) that no sane site owner would try it.
Stupid question about stupid people (Score:2)
Does anyone fall for a Nigerian scam anymore? Or buy pills? Or want a bigger schlong?
Don't people get it already?! How do these spammers make money?
Re: (Score:2)
Nobody needs to reply.. there's no comeback for the companies paying the spammers so they keep doing it on the offchance someone might buy their crap. That's w
Captcha proxies (Score:2)
A Captcha for a p0rn site?! How much do you bet that the Captcha was actually proxied from another site, like a webmail?
privacy (Score:2)
If people could successfully get legislatures to support privacy rights then any spammer would be considered a criminal. But businesses consider the ability to send cold call email a vital necessity to many of their business models and as such, promote spamming as a right of the free market, thereby eroding personal privacy
Even Easy Countermeasures Are Unavailable (Score:2)
How come big email servers like at ISPs don't flag as spam messages that have identical bodies but different senders and recipients?
How come ISPs don't pretend to be spammers in the market for spamming SW, then reverse engineer what the spam engineers sell them into filters, like virus honeypots have proven works?
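The first question in this post, flagging messages whose bodies match across many unrelated senders and recipients, is the idea behind bulk-mail checksum services, and a minimal version is short enough to show. This is an added example, not any ISP's filter: the five messages are constructed, the normalisation (drop the recipient's name, URLs, digit runs, case and whitespace before hashing) is a simple stand-in for the fuzzy checksums real systems use against per-recipient "hash busters", and the threshold of three distinct senders is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample traffic: (sender, recipient, body). Not real messages.
MESSAGES = [
    ("a1@throwaway.example", "alice@isp.example",
     "Hi alice,\nCheap meds at http://x1.example/9831\nref 48219"),
    ("b7@throwaway.example", "bob@isp.example",
     "Hi bob,\nCheap meds at http://x2.example/1120\nref 77014"),
    ("c3@throwaway.example", "carol@isp.example",
     "Hi carol,\n CHEAP MEDS at http://x3.example/5\nref 1"),
    # One real person mailing the same note to two friends: same body, one sender.
    ("dave@isp.example", "erin@isp.example",
     "Hi erin,\nare we still on for lunch tomorrow?"),
    ("dave@isp.example", "frank@isp.example",
     "Hi frank,\nare we still on for lunch tomorrow?"),
]

URL = re.compile(r"https?://\S+", re.I)
DIGITS = re.compile(r"\d+")
WS = re.compile(r"\s+")


def normalize(body, recipient_localpart):
    """Canonicalise a body so that per-recipient hash busters (the recipient's
    name, tracking URLs, serial numbers, case, whitespace) do not change the hash."""
    text = body.lower().replace(recipient_localpart.lower(), "<rcpt>")
    text = URL.sub("<url>", text)
    text = DIGITS.sub("<n>", text)
    return WS.sub(" ", text).strip()


def body_fingerprint(body, recipient):
    localpart = recipient.split("@", 1)[0]
    return hashlib.sha256(normalize(body, localpart).encode("utf-8")).hexdigest()[:16]


def find_bulk(messages, min_senders=3):
    """Group messages by fingerprint and flag fingerprints seen from at least
    min_senders distinct senders. One sender mailing several recipients is not
    flagged (personal note, mailing list); many senders pushing one body is."""
    senders = defaultdict(set)
    recipients = defaultdict(set)
    for sender, rcpt, body in messages:
        fp = body_fingerprint(body, rcpt)
        senders[fp].add(sender)
        recipients[fp].add(rcpt)
    return {fp: {"senders": len(s), "recipients": len(recipients[fp])}
            for fp, s in senders.items() if len(s) >= min_senders}


if __name__ == "__main__":
    for fp, stats in find_bulk(MESSAGES).items():
        print("bulk body %s: %d senders, %d recipients" % (fp, stats["senders"], stats["recipients"]))
```

The three pill messages differ in greeting, URL and reference number yet hash identically after normalisation, so they are flagged; the two lunch notes also share a fingerprint but come from a single sender and are left alone. The weak spot is the normalisation itself: anything the spammer varies that this function does not strip (a random word, reordered sentences) splits the group, which is why production systems use fuzzy rather than exact checksums.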
Re: (Score:2)
Bots don't even need to post a URL to get people to visit, they'll just stick in a stock ticker symbol for pump and dump scams, so methods involving blocking new users from posting URLs will still fail.
Re: (Score:3, Insightful)
It's a classic case of Security through Obscurity, and this time it works.
However, SWF files have accessibility issues, and there are always people who love to block them.