The arms race escalates between spammers and CAPTCHA

Picture 21.jpg

Ars Technica is reporting that spamboys have now officially cracked the CAPTCHA systems of Windows Live Hotmail and Gmail. Worse, they're able to tear through the average CAPTCHA protection system in less than a minute:

Windows Live Hotmail's Anti-CAPTCHA automatic bot, which hooks itself into Internet Explorer on a victim's machine, has a success rate of about 10-15 percent. That means that it takes up to one minute for a single bot to create a new account.

In one day, the bot can amass at least 1,440 accounts. And that's just one bot. This same bot can then send spam to multiple e-mail addresses (using both CC and BCC lists) continuously, switching between accounts (both in the from: and to: fields) in order to lower the chance of being spotted.

Meanwhile, it takes me, an actual human being, upwards of ten minutes to analyze and cypto-decipher the average CAPTCHA, all the while screaming "What kind of moon-man frickin' Cylon do you have to be to read this thing?"

But, really, what's the alternative here? On my other blog, we weed out spam with a simple text question system (ex: "What is the color of the yellow snow?") but I don't doubt that this utterly simple scheme would quickly fall apart if spammers were actually trying to dissect it. How do you suss out a human with 100% infallibility?

Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA [Ars Technica]

Join the Conversation


  1. Show small images of six furry animals. Click on the three that are cats. Done and done, and kinda fun.

  2. And good for crowdsourcing the world’s largest index of cat images. If only we knew what to do with cat pictures on the internet!

  3. #1 – that’s no good. 6 choose 3 means that random picking gives a 1 in 20 chance (5%) of getting it right. Throw a botnet at that, and it’s not so bad. And if you have *any* cat-recognition technology, you can do better than pure chance.

    10 choose 5 might work, as that cuts it down random picking to 1/252.

    Of course, going down this path of human distinguishing challenges means that spammers will be the first to develop Turing-test passing AIs.

  4. Rather than “click on the cats”, a better approach would be “What’s this a picture of?” Then the spammers can write automatic image-recognition software for us.

  5. Seems like this spam arms race could inadvertently lead to the creation of the first self-aware AI. A self-aware AI that would peddle viagra and knock-off Rolex watches.

  6. Kurt said:
    “Of course, going down this path of human distinguishing challenges means that spammers will be the first to develop Turing-test passing AIs.”

    Essentially, an infallible CAPTCHA is, by definition, a reverse Turing Test: instead of trying to prove that a particular AI is indistinguishable from a human, you want to distinguish humans from AIs.

    If we were able to develop this infallible CAPTCHA, any AI able to beat it could then be said to have passed the Turing Test.

  7. Whatever happened to GMail requiring use of a cell phone? Yeah, there are throwaway prepaid SIMs, but you at least have to shell out money for one, and all the accounts that were created based on cell phone can easily be terminated at a moment’s notice. Completely open signup is just irresponsible on the part of mail providers.

  8. Serious question:

    If hackers have invented a system that can read deliberately messy, wavy CAPTCHA letters and numbers, have they not also invented a truly kick ass OCR solution?? Heck, they should just go legit with that!

  9. Admittedly I haven’t read the article yet, but based on the info in this post:

    If one bot can make 1440 hotmail accounts a day per machine, couldn’t the hotmail (and others) people make a huge difference by simply not allowing more than, say 3 new accounts to be created per day from a given IP?

  10. Murray, presumably these bots control a number of hijacked machines on different IPs? That’s what I got from the article, at any rate.

  11. John, yes, for sure. But for each single bot, you could cut down its output from 1440 a day to just a few accounts per service per day. Or even less, if you make the rules tighter.

  12. How about you watch a brief video and describe the general tone of the video (sad, happy, scary, etc…) and you’re allowed a variety of answers for each mood. Admittedly this can still be hacked by a bot entering random mood words, but it could slow them down..

  13. @#9, Mikey: For ordinary purposes, OCR needs to get it right almost all of the time, whereas spammers only need it be right a fraction of the time to be worthwhile.

    In any case, this is a much easier problem to solve: Hotmail’s CAPTCHA, for example, is always 8 characters, which are always upper case or numbers (I presume that actually means 35 possibilities if they leave out zero and O), and always in the same font. If you can strip out just some of the junk and determine where one character ends and the next one starts, then any half-way decent OCR library should be able to give you acceptable results.

  14. Jesus, is there really that much money to be made cracking this stuff?

    Why not think of it the other way around: set up a catchpa that involves fermats last theorem and quantum mechanics or something, and have the worlds penis enlargement industry solve it for us.

  15. I have something to say about this but I can’t figure out what color yellow snow is…. 🙁

  16. There’s no sense in developing a perfect Turing test passing machine for this purpose, because spammers will start (and have started) using actual humans to solve whatever machine-uncrackable test you come up with. Embed the captcha (or whatever) on their free porn sites and let the horny masses do the work. Or pay people to sit in Chinese cybercafes all day, but solving captchas instead of gold-farming WoW.

  17. If you’ve got fifteen minutes you’d like to kill, I’ve written a paper recently that discusses the issues raised in comments thus far.

  18. “You’re in a desert, walking along in the sand when all of a sudden you look down and see a tortoise, The tortoise lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over. But it can’t. Not without your help. But you’re not helping. Why is that?”

  19. Today, I saw the following CAPTCHA on the Perforce Knowledge Base web site:


  20. How about: “Drag the horse into the barn.”

    You see a bunch of random animal and building images; one image has to be dragged onto another. The question could also change, of course. “Drag the dalmatian into firehouse.” “Drag air bud onto the basketball court.”

    Bots seem to be really good at entering ASCII characters, but how good are they at dragging and dropping randomly positioned shapes onto randomly positioned targets. Can bots even manage complicated mouse controls?

    This seems like it would actually be easier than CAPTCHA for humans, too.

Leave a comment

Your email address will not be published. Required fields are marked *