May 6, 2004 11:23 AM PDT

Porn gets spammers past Hotmail, Yahoo barriers

By offering free porn, spammers are using Internet surfers to bypass a security protection designed to stop bot software from automatically opening Web mail accounts.

Free Web mail services such as Hotmail and Yahoo are often used by spammers to send unsolicited e-mails. But because of the sheer quantity of e-mail sent, spammers require thousands of accounts and employ Web bots to automatically open them.

To combat this automation, Web mail companies started using the Captcha test (Completely Automated Public Test to tell Humans and Computers Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots.

To open an e-mail account, the applicant is asked to read the word in the Captcha graphic and type it into an application form. Because the disguised word is virtually impossible for a computer to read, spammers need a human to intervene, which ruins their automation process.

However, as first noted in the Boing Boing blog earlier this year, some spammers have found an ingenious way to bypass the Captcha protection.

First, the spammers open and advertise a Web site containing pornography. Visitors to the porn site are asked to enter the word contained in a Captcha graphic before they are granted access.

In the background, spammers have already used scripts to automate the Web mail account-opening process up to the point where they need a human to "read" the Captcha graphics. The Captcha graphics from the Web mail site are transferred to the porn site, where the porn consumers interpret the Captcha words. As soon as they enter the correct word, the script can complete its application process and the visitors are rewarded with free porn.

Simon Perry, vice president of security at Computer Associates International, said security is always a "moving target," and as soon as a company like MSN uses a new technology to secure a product or service, it is only a matter of time before it will be bypassed.

"Each little improvement makes it a little bit more difficult for the spammers. This is an exercise in continually moving up the bar," he said.

According to Perry, the only way to make a real difference is to combine technology with legislation and enforce that legislation. However, he said that even though spammers may have found a way past the Captcha, it is still slowing them down.

"Before the Captcha, those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot but still an order of magnitude less," Perry said.

Neither Microsoft's Hotmail nor Yahoo would comment on the issue.

Munir Kotadia of ZDNet UK reported from London.

How about a timer for fix?
by May 6, 2004 12:24 PM PDT
If a timer is associated with the Captcha picture which changes periodically (say 10 seconds) will that alleviate this problem so porn sites can not get timely typing to create a new account?
Just require Captcha graphics to send email!
by May 6, 2004 1:13 PM PDT
It seems so simple. Just require the sender of any email message to interpret a Captcha graphics image before each email message is sent, kind of like a stamp. And only allow the sending of bulk email messages for paying accounts. That should put a crimp in the spammers' hose!
Even better, require Captcha image for delivery of email
by May 7, 2004 10:36 AM PDT
When a sender of an email message is not listed in the recipient's list of valid email senders, the email system would automatically send a challenge email message reply containing a URL the sender would then have to click on to complete the challenge. The email would have the recipient's email address and name exactly as it was in the sender's email. The sender would have to have placed the recipient's email address in their own list of valid email senders to receive the challenge message. This challenge would be sent regardless of whether the email was sent to a valid email address to avoid successful probing. Bulk email to addresses that do not list the sender as valid would be discarded without generating a challenge. Only when the challenge was successfully met would the message be delivered to the recipient. Unless the recipient adds the sender's email address to their valid email address list, the sender would have to meet the challenge each and every time a message was sent. How's that for eliminating spam but still letting your long lost buddy's email get through!
Watermark is the solution....
by sebastiannielsen November 19, 2006 5:17 AM PST
If you own a site named "www.myforum.org"...
Render a red text repeatedly in the background of the captcha: "www.myforum.org". Then you render the black CAPTCHA code above the red text.
Make sure the watermark text shines through the black text a little, so it becomes VERY hard to remove the watermark text without damaging the captcha text so severely that it's impossible to read the captcha text....

Another idea is to make up the captcha text with the watermark text... Maybe it gets too hard to read the captcha text, but experiment with the spacing, to get it readable.

(captcha text = the code the user is supposed to enter)
(watermark text = your site's name)
---------------------------------------
The offending porn sites will get very bad reputation for stealing captchas.
Reply to this comment
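
The timer asked about in the first comment above, sketched from the server side as an added example (not part of the article or of any commenter's post, and not Hotmail's or Yahoo's code). It binds each challenge to the session that requested it, expires it after 10 seconds and accepts one attempt, which bounds how long a relayed answer has to arrive. The function names, token layout and in-memory replay set are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for the demo)
TTL_SECONDS = 10                      # the "say 10 seconds" from the comment
_used_nonces = set()                  # in-memory replay cache, demo only


def _mac(session_id, nonce, issued_at, answer):
    # The answer is inside the MAC, so the token never reveals it to the client.
    msg = f"{session_id}|{nonce}|{issued_at}|{answer.lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, answer, now=None):
    """Return the token sent alongside the Captcha image for this session."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued_at}.{_mac(session_id, nonce, issued_at, answer)}"


def verify_challenge(session_id, token, typed, now=None):
    """Return (accepted, reason); checks format, age, reuse, then answer and session."""
    now = time.time() if now is None else now
    try:
        nonce, issued_s, tag = token.split(".")
        issued_at = int(issued_s)
    except ValueError:
        return False, "malformed"
    if now - issued_at > TTL_SECONDS:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)  # one attempt per challenge, right or wrong
    expected = _mac(session_id, nonce, issued_at, typed)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "wrong answer or wrong session"
    return True, "ok"
```
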