The Register® — Biting the hand that feeds IT

Comments on: Spammers crack Gmail Captcha

Hats off to them... 

Posted Monday 25th February 2008 17:26 GMT

I had to fill in a GMail CAPTCHA today - it took me two goes and a lot of squinting to read it myself. And I think I'm human...

Impossible! 

Posted Monday 25th February 2008 17:48 GMT

Thumb Down

We all know that Google GMail can't be used for spamming. That's what Google says every time they ignore your complaints about spam coming from their mail servers.

Other techniques 

Posted Monday 25th February 2008 17:56 GMT

Black Helicopters

I'd wager their sophisticated OCR tech actually only matches one in a hundred captchas. You know, the poorly generated ones that an amoeba could read. The article mentions only 500,000 accounts generated by the HotLan trojan; if it were more sophisticated at reading I'd imagine this figure would be in the millions.

In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if it's deemed to be trying too often.

...Or does it match good enough to work on the first, second or third try of a captcha in most cases? That would work.

Unless the spammers could go into legit business with incredibly sophisticated OCR technology, I doubt they're THAT clever - just that GMail and MSN aren't that reactive to such threats.

But I don't really know...

'Turing test'? 

Posted Monday 25th February 2008 18:12 GMT

Flame

No, no, no. CAPTCHA is the opposite of a Turing test - A Turing test is a human trying to tell a human and a program apart, a CAPTCHA is a program trying to tell a human and a program apart.

Holiday in Cambodia 

Posted Monday 25th February 2008 18:19 GMT

Happy

Where the people dress in Black...

With that tag-line, I've now got several Dead Kennedys tracks going round in my mind, and this will have to be dealt with by playing said tracks at maximum volume which will annoy the wife.

I can't quite see the connection between the tag and the article, but maybe I'm just too semantically blinkered!

Where can I buy this software? 

Posted Monday 25th February 2008 18:31 GMT

As someone who has problems trying to read the letters in captcha images, I could do with some help.

Can I get a copy? 

Posted Monday 25th February 2008 18:38 GMT

I had to reset my brother in law's Hotmail password for him (yeah, I know, he's a tyre fitter, what can you expect) and I couldn't read the bloody captcha so respect to anyone who's written software that can.

Trivially defeated 

Posted Monday 25th February 2008 19:23 GMT

Making the zombies work harder is the solution.

Current captcha cracks against Google are only successful 1 time in 5 (20% successful). By chaining three captchas together, Google could reduce the success rate to a mere 0.8%, or one in 125 attempts.

While I don't think captchas are especially good security, this simple step would be an interim measure while something truly effective is developed.

"Stealing People's Mail"... 

Posted Monday 25th February 2008 19:51 GMT

Pirate

... is presumably the correct DK track the semantically challenged amongst us should be listening to right now.

StareClips.com 

Posted Monday 25th February 2008 19:57 GMT

Jobs Horns

Actually, it's the work of people who write captcha-reading software that makes captchas harder and harder to read by humans. So, if you have a hard time reading captchas, you should be AGAINST those who write software to read them.

Bot army now with human servants? 

Posted Monday 25th February 2008 20:06 GMT

Black Helicopters

So apparently Russians are paying people to correctly identify captcha strings for their bots?

There's Money to be made... 

Posted Monday 25th February 2008 20:28 GMT

For the person who is ready with a new, secure, backwards compatible, and spam proof e-mail replacement when the existing system finally collapses in a year or so. Someone needs to rethink this from the ground up as the current e-mail technologies just aren't adequate, and there are far too many circumstances where whitelisting isn't practical.

Back to Invite-Only 

Posted Monday 25th February 2008 21:28 GMT

It was kind of neat when Gmail was invite-only. Felt like you were in some special club or something.

@Morely Dotes 

Posted Monday 25th February 2008 21:52 GMT

It'd also utterly defeat most Human users...

Taken by force 

Posted Monday 25th February 2008 21:59 GMT

Alert

Considering the name of the author, perhaps that would be more appropriate.

moving captchas 

Posted Monday 25th February 2008 22:06 GMT

Pirate

Imagine an animated GIF captcha swirling in an infused cloud of incandescent murkiness. That would stump everyone. Top marks.

Will

even better 

Posted Monday 25th February 2008 22:07 GMT

Happy

How about having to crack the first 3 levels of bricker or pac man before your sign up is accepted. Now we are talking!

Grr... 

Posted Monday 25th February 2008 22:16 GMT

@Jacob Reid - that had always bothered me too...

Also, what's with the Dead Kennedys ref? Or is it the DKs referring to something else?

@Stu 

Posted Monday 25th February 2008 22:23 GMT

Gates Horns

"In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if it's deemed to be trying too often."

Which would have blocked me the other day as it took me multiple failed attempts to work out that the Hotmail CAPTCHAs don't work in Firefox!

You can put the right characters in as many times as you like, it always fails until you try IE (didn't check with Opera)

Re: Bot army now with human servants? 

Posted Monday 25th February 2008 22:39 GMT

Unhappy

> So apparently Russians are paying people to correctly identify captcha strings for their bots?

That's how I read the Websense article; and the second host appears to be (doing a bad job of) trying to crack the Captcha programmatically, so Man is still ahead of Machine.

But why don't the bad guys just pay people to create accounts for them? Surely none of their "workers" think that getting paid just for reading Captchas can be legit? Or does GMail disallow 2 signups from the same "source"?

Ineffective CAPTCHAs 

Posted Monday 25th February 2008 22:47 GMT

A web site I frequent must not have too much of a problem with CAPTCHA crackers - their CAPTCHA image consists of four or five GIFs strung together, a la 1.GIF 7.GIF 3.GIF 2.GIF 9.GIF.

Brilliant!

More Dead Kennedys 

Posted Monday 25th February 2008 22:51 GMT

Given the amount of spam pushing penis enlargement, surely the correct Dead Kennedys track is Pull My Strings - "is my cock big enough, is my brain small enough ..."

mal-formed 

Posted Monday 25th February 2008 22:57 GMT

Thumb Down

my favourite types of 'captcha' are the ones which dinnae tell you in advance whether or not the code is case sensitive... or tell you it is and then present you with a letter which looks the same in both upper and lower case... or make no distinction between capital I [eye], lower case l [el] and the number 1 [one] .... or between the letter O and zero...

and dinnae even get me started on sign up forms which ask you to pick a username or password and then *only* after you've submitted the form, throw an error in your face, telling you that 'your username needs to be at least six characters' or 'your password must contain at least one number'..... so you change your username/pass from the ones you wanted to use to ones that conform to the whims of the form designer and then have to write the feckers down, so you willnae forget them - which kinda defeats the whole purpose of having a login/pass in the first place!

Shame 

Posted Monday 25th February 2008 23:01 GMT

Thumb Up

That's a shame, but Google Mail is still light years ahead of every other mail service on many fronts so I'm still voting for them

And so it continues 

Posted Tuesday 26th February 2008 00:10 GMT

Boffin

One of the biggest problems is a particularly nasty piece of scumware called XRumer. It cracked the phpBB2 CAPTCHA some time ago and it looks like it'll add "support" for Gmail, Windows Live and Yahoo in due course. If you've ever had to do admin for a forum and delete hundreds of spam registrations with generic details such as random countries for location or bland descriptions for occupation you'll have come across its after effects.

I don't think coming up with increasingly obscure and technical ways is really the best way to deal with spam and malware. This isn't some bored teenage cracker trying to show off his l33t h4x0r skills but a bunch of crooks with plenty of time and (often stolen) money. The problem of botnets is a bit like someone who doesn't realize they own a toxic waste dump that's polluting a river. Sure someone downstream might come up with a way of removing some of the pollutants and stop it affecting them, but the source is still there.

Bots generally have a pretty distinctive "signature" for the type of traffic they produce. You can usually guess a pwned machine from the headers of a spam email or a failed semi-automated attempt at registering on a forum. It's likely that the owner of the machine (as opposed to the bot herder) is unaware that they don't have full control of what happens on it and they would probably be shocked to know a criminal gang is using it for nefarious purposes. One problem is that people don't always understand the importance of keeping a machine patched ("I don't use that feature so why should I care?") and even if they do it isn't physically possible to do so because MS have decreed that it's reached the end of its life. The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!) along with a mandatory requirement for MS to continue to update its operating systems until the usage is so small that any impact will be minimal. Changes to the OS kernel mean that a lot of old DOS viruses don't work under Windows, open mail relays are somewhat a thing of the past and rogue diallers were pretty much killed off by broadband. However it's difficult to lock down an old Windows box with gaping holes when MS refuses to patch them.

Kittenauth FTW 

Posted Tuesday 26th February 2008 00:19 GMT

Go

I'd like to see software reliably tell bunnies & kittens apart.

AND

I'd like to see bunnies & kittens!

passwords and logins 

Posted Tuesday 26th February 2008 00:27 GMT

Happy

@madra

kevin mitnick, the famed ex-hacker now security adviser, recommends that people select very complex passwords and that they write them down, and keep them somewhere safe - like in their wallet with the other valuable paper.

too many people choose lame passwords and if we try to force people to adopt more secure passwords, there is a huge resistance. personally i try to use passphrases of a sort. the downside is i am a slow typist - but that is the price i pay for being security conscious.

Police Truck 

Posted Tuesday 26th February 2008 00:32 GMT

Well tonight's the night that we've got the truck

Gonna go downtown gonna beat up drunks

We'll ride oh how we'll ride

No, heads off the spammers 

Posted Tuesday 26th February 2008 00:59 GMT

Boffin

Diabolical ingenuity should *NOT* be rewarded.

Spam email is an economic problem, and no technical or legal or medical or non-economic solution is going to fix it.

One solution would be to fine anyone who helps spammers. That would eliminate the free email accounts and free website hosts, but at this point I think it would be worth it. In Japan, I'd hope the ISP Dion would go bankrupt on their spam-support fines.

The irony of it all ... 

Posted Tuesday 26th February 2008 01:40 GMT

Paris Hilton

Are these the same spammers who invented image spam? When spam filters started using OCR, they started to distort the image to bypass this.

So, if I understand correctly, captcha is a technique used to disguise spam, and make it harder for humans to register. it is machine readable by spambots but not spam filters.

If I understand correctly.

buh 

Posted Tuesday 26th February 2008 02:16 GMT

Thumb Down

Now they will have to come up with something even more annoying to authenticate humans.

@ Morely Dotes 

Posted Tuesday 26th February 2008 02:31 GMT

Thumb Up

Good thinking. Instead of identifying numbers and/or letters, the random question might ask what colour the letter i is or which character is uppercase, which character is Chinese, etc. And, as mentioned above, blocking the IP from creating an account after creating an original account would help too.

So, they have finally found the... 

Posted Tuesday 26th February 2008 04:07 GMT

Coat

G spot?

No, I'm not wearing anything thanks!

@And so it continues 

Posted Tuesday 26th February 2008 08:43 GMT

Thumb Up

I'm a phpBB2 forum admin, and when the bogus accounts started to appear (they would register but couldn't activate - I use confirmation emails, obviously not an option when signing up for an email account:) So I just added a nonstandard mandatory field in the registration form. Problem solved, haven't seen hair or hide of bots since then.

CAPTCHA 

Posted Tuesday 26th February 2008 09:02 GMT

Boffin

CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; As a previous poster said, it's the reverse of a turing test.

There's something wrong with the elreg glossary, because this comes up EVERY time there's a story about CAPTCHA's.

The correct wording is:

Completely Automated Program to Tell Computers and Humans Apart.

That's not that difficult, is it?

They're also known as REVERSE Turing tests, for the above reasons.

Grrrrrr

SAAS - Google stylie. 

Posted Tuesday 26th February 2008 09:05 GMT

Spam-as-a-service, anyone?

@Ryan 

Posted Tuesday 26th February 2008 09:10 GMT

Joke

"I'd like to see software reliably tell bunnies & kittens apart.

AND

I'd like to see bunnies & kittens!"

What for, if you can't tell them apart w/o help?

Bunnies and Kittens 

Posted Tuesday 26th February 2008 10:30 GMT

Paris Hilton

Bunnies and kittens, eh?

That could be more fun than you think! Look up the alternative meanings for "la chatte" (French) and "el conejo" (Spanish) sometime .....

Websense is toooo late 

Posted Tuesday 26th February 2008 10:35 GMT

Just wondering how late security firms can be when they are so commercialized.

The story of Gmail Captcha crack was published 10 days ago in Russian IT news. You can find it in English (read my lips: no need for a tutor)

http://webplanet.ru/english/2008/02/15/google_captcha_en.html

And yes, the spammers use humans (biobots) to break captchas for money.

There are many sites for this business around the world -

Look2Earn.com, RabotaOnline.com, grand-sale-5.com, x999.info etc

And while sleeping GMail is open for spambots, some Russian web-mail services already started to use more serious captchas where you have to choose the recognized signs one by one from a virtual keyboard, and the captcha alphabet could be changed in a moment (not just digits or letters but any pictograms like road signs can be used).

Here are the details, but now it's in Russian only (just for fun):

http://webplanet.ru/knowhow/security/designer/2008/02/21/mail_captcha.html

PayPal Micropayment 

Posted Tuesday 26th February 2008 10:37 GMT

Boffin

How about a new service from PayPal? Want to send an email that I'll read? Make a small payment into my PayPal account and attach a message.

Re: AC - And So It Continues 

Posted Tuesday 26th February 2008 10:53 GMT

[I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!)]

The now defunct Metronet ISP had this in their Ts and Cs - if you were getting bot traffic or had an open smtp relay you got your connection cut. They had some very funky network monitoring stuff and account self-management tools before they got Borged by Plusnet.

@ Barry Rueger 

Posted Tuesday 26th February 2008 11:02 GMT

Stop

All the problems with email arise due to its ancient design.

Trying to have a system backward compatible would just render the new system useless

The sooner we ditch the current system the better!

@Gabor Laszlo 

Posted Tuesday 26th February 2008 11:03 GMT

I run a phpBB2 board, is this method documented somewhere?

Web 2.0 CrowdSpamming in action! 

Posted Tuesday 26th February 2008 11:10 GMT

Re: Bot army now with human servants?

> So apparently Russians are paying people to correctly identify captcha strings for their bots?

That's also how I read the Websense article. When I first had a play with Amazon's Mechanical Turk I thought it would be perfect to farm out CAPTCHAs for real people to type in for a cent a pop, and that's what they're doing here.

Now that's Web 2.0!

http://creatr.cc/creatr/logo/CrowdSpamr.png?1204024057

(And whilst you're at it, why not, as these spammers appear to, have your own bot have a go and compare it with the correct human to help learn do it automatically and save those few cents and speed it up considerably.)

captcha ideas 

Posted Tuesday 26th February 2008 11:18 GMT

Bunnies and Kittens? Bah, you're all missing a trick. What we want is a 'Pointless Blonde Celeb Line Up' where you have to pick out Paris Hilton and type the code that appears on the black placard she's holding in profile :)

Let google use their images game ... 

Posted Tuesday 26th February 2008 11:21 GMT

you know the one where they pair you up with some other saddo and show a series of images and you both type in words to describe the image. If you match you get a new image and some points.

So at least for gmail, show an image(s) and ask for a word to describe, if you match more than n% then accept.

Downside is that it becomes language and spelling specific and there are too many images that just have tags like "man", "girl" etc. Also very variable and more time consuming.

A further downside with all of these is that it's hard for people with visual impairments who may rely on text to speech systems or if you are using a text only browser (lynx).

1 in 5 

Posted Tuesday 26th February 2008 11:25 GMT

1 in 5 = 20%, 20% is not a low percentage when it's performed regularly, quickly by computers.

If it can test 5 accounts per minute, that's 1 new account per minute, that's not a minor issue...

Small percentage would of course have to be relative to the number of accounts the system can break in a given time frame otherwise it's meaningless.

phpBB2 

Posted Tuesday 26th February 2008 11:43 GMT

Posted anon because my forum gets enough attention from spammers as it is (I made the first post above about phpBB2), but I find the text confirmation mod for phpBB2 works quite well. The trick is to ask the right type of questions (the sweatshops that handle spam registrations can answer "what is 2 + 2" with little effort) and I've gone from 10 - 20 a day to none. I still have to delete the "registration attempt failed" emails but a couple of mail server rules do that for me. The humanizer mod (which asks "are you a human?") worked for a while but that's now been cracked.

Something I'd really like to see is use of XRumer made illegal (what legit uses does it have?) and the entertainment industry lawyers do something a bit more useful such as tracking down the spammers.

Bunnies and kittens 

Posted Tuesday 26th February 2008 12:35 GMT

kinda reminds me of that thing that did the rounds a while ago where you had to decide whether a pic was of an upper or lower cleavage

Humans 

Posted Tuesday 26th February 2008 13:14 GMT

Stop

can read the Captchas for the bots... Set up bots to open accounts and route the captchas to a human who can learn and improve his speed. Pretty soon you will have humans able to type captchas at 60 per minute. A network of such humans could open hundreds of thousands of accounts daily. So, Google will have to go to plan B, which is... I have no clue.

LOL! 

Posted Tuesday 26th February 2008 13:38 GMT

Alert

>The humanizer mod (which asks "are you a human?" worked for a while) but that's now been cracked.

Answer - "Negative, I am a meat popsicle."

...name the movie.

.

@Doc Dish - Funny that, every Google Captcha I've tried I've only failed it once or twice at most. I've done quite a few in my time too. True though that Captchas on some sites are so bad it's taken me maybe 3 or 4 attempts, no more.

.

@Will -

>Imagine an animated GIF captcha swirling in an infused cloud of incandescent murkiness.

Actually that's not a bad idea, people are better at seeing patterns in motion, kind of like picking out soldiers in forests, can be seen better if they move around. Might make some people sick tho!!!

Turing Porn Farms 

Posted Tuesday 26th February 2008 13:51 GMT

Paris Hilton

I was reading on wikipedia the other day about "Turing Porn Farms" (er, I searched on the term "turing", honest), which are apparently a clever way around these CAPTCHAs. You just set up a free porn site, and require folk to fill in a CAPTCHA to access it; because you can rely on a fairly constant stream of people signing up to your porn site, you can just scrape the CAPTCHAs from gmail or livemail or whatever in real time, and use the results to sign up for dummy accounts. Nifty, eh?

@stu 

Posted Tuesday 26th February 2008 14:17 GMT

Thumb Up

"Anybody else want to negotiate?"

random questions 

Posted Tuesday 26th February 2008 16:18 GMT

Still use an image or audio file, but have it ask a question

"Which number is smallest?", "Which number is largest?", "Which shape is a circle?", "Which of these images is a cartoon cat?", "Which of these pictures is a real cow?", "Which of these images is a photograph?"

For the vision impaired, an audio question and audio options could be used.

It means the user must actually make sense of the question. Of course, you'd need enough options for answers that chance wouldn't be 1 in 5 to make a difference. Use maybe 8 or 10 possible answers, and only allow one miss.

Odds are... 

Posted Tuesday 26th February 2008 18:29 GMT

@Anonymous Coward above,

8 or 10 possible answers and allow one miss. Because 2/10 is harder than 1/5? Or 2/8?

@Stu. My son is called Korben.
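As an added worked example (not from any poster in this thread), here is the arithmetic behind three points raised above: the "chain three CAPTCHAs together" proposal (20% per CAPTCHA becoming 0.8%, one in 125), the "1 in 5" throughput point (5 attempts a minute becoming one account a minute), and the "Odds are..." objection that a multiple-choice question with 10 options and one miss allowed lets a guessing bot through at 2/10, no better than 1/5. The figures are the thread's own; the function names and the Monte Carlo check are assumptions of mine. The guess-probability function is general (any number of options, any number of misses allowed), which goes beyond the two cases the posts mention.

```python
"""Guess-through and throughput arithmetic for the CAPTCHA designs discussed above.

Added example; function names are assumptions, the numbers come from the thread.
"""
from fractions import Fraction
import random


def chained_success(p_single, chain_length):
    """Probability a solver with per-CAPTCHA success rate p_single passes
    chain_length independent CAPTCHAs in a row (the "chain three" proposal).
    Independence is assumed: each CAPTCHA is a fresh, unrelated challenge."""
    return p_single ** chain_length


def expected_attempts_per_account(p_pass):
    """Mean number of signup attempts a bot burns per account it actually gets
    (geometric distribution: 1 / p)."""
    return 1 / p_pass


def accounts_per_minute(attempts_per_minute, p_pass):
    """Throughput view from the "1 in 5" post: successes per minute at a given
    attempt rate. Shows why 20% is not "low" for an automated client."""
    return attempts_per_minute * p_pass


def multiple_choice_guess_pass(options, misses_allowed):
    """Exact probability that a bot which does not understand the question
    passes a multiple-choice challenge by guessing distinct options, when it is
    allowed misses_allowed wrong answers before lock-out.

    The correct option is equally likely to sit in any position of the bot's
    guess order, so it passes iff the correct one is among its first
    (misses_allowed + 1) guesses: (misses_allowed + 1) / options.
    """
    if misses_allowed + 1 >= options:
        return Fraction(1)
    return Fraction(misses_allowed + 1, options)


def simulate_guess_pass(options, misses_allowed, trials=20000, seed=1):
    """Monte Carlo check of multiple_choice_guess_pass with a constructed
    random bot that guesses options without repeating itself."""
    rng = random.Random(seed)
    passes = 0
    for _ in range(trials):
        order = list(range(options))
        rng.shuffle(order)                      # the bot's guess order
        correct = rng.randrange(options)        # where the right answer sits
        if correct in order[: misses_allowed + 1]:
            passes += 1
    return passes / trials


def compare_designs():
    """Summarise the thread's proposals side by side."""
    p = Fraction(1, 5)                          # the 20% figure from the thread
    return {
        "single_captcha": p,
        "chain_of_three": chained_success(p, 3),            # 1/125 = 0.8%
        "attempts_per_account_chain3": expected_attempts_per_account(chained_success(p, 3)),
        "accounts_per_minute_at_5_attempts": accounts_per_minute(5, p),
        "ten_options_one_miss": multiple_choice_guess_pass(10, 1),   # 2/10 == 1/5
        "eight_options_one_miss": multiple_choice_guess_pass(8, 1),  # 2/8 = 25%
        "ten_options_no_miss": multiple_choice_guess_pass(10, 0),    # 1/10
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name:38s} {value!s:>8s}  ({float(value):.4f})")
    print("simulated 10 options / 1 miss:", simulate_guess_pass(10, 1))
```

The point the numbers make for a defender: chaining challenges compounds the solver's failure rate multiplicatively, whereas allowing a second guess on a k-option question simply doubles the guess-through rate, so "8 or 10 options with one miss" is no stronger than the 1-in-5 figure being complained about. None of this helps against a human solver farm, whose per-CAPTCHA success rate is close to 1.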

@Stu 

Posted Tuesday 26th February 2008 21:18 GMT

Happy

I was getting the CAPTCHA characters correct, it's just that the Hotmail (owned by Microsoft) CAPTCHA can only be passed via Internet Explorer (made by Microsoft)

Go figure

spamservices.google.com 

Posted Tuesday 26th February 2008 21:27 GMT

Black Helicopters

Now in beta!

Age is sometimes the answer 

Posted Tuesday 26th February 2008 21:40 GMT

>The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

Actually I wish that were the case. Someone who has such a machine and uses it sporadically isn't a threat. It's the people who've got their PC directly attached to their cable or DSL modem who leave the thing up 24/7 that are the problem. There are a lot of people like that out there and many are completely clueless about how computers work. We don't normally move in such circles so when we do have to deal with these users -- as I was recently (an elderly friend) -- it's the very devil to get them to understand that when a web page says "you've got malware, click here to remove it" that the last thing you should do is follow those instructions! (Fortunately I've got her system rebuild down to a fine art -- I've been thinking of mirroring her disk so I just have to press the button.......)

As for the CAPTCHA code, I'm almost tempted to have a crack at it myself. This is the kind of puzzle that's fun. But just as cracking encryption is the price you pay for getting better quality encryption all this is going to do is improve the quality of the CAPTCHA algorithms. It's an arms race, and a fun one at that.

Stop free email accounts! 

Posted Wednesday 27th February 2008 14:33 GMT

Happy

A great way to check if an account is genuine is to require payment with a credit card!

Re: CAPTCHA 

Posted Wednesday 27th February 2008 16:23 GMT

>> CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; As a previous poster said, it's the reverse of a turing test. The correct wording is: "Completely Automated Program to Tell Computers and Humans Apart."

Um: http://www.captcha.net/ (© 2000-2007 Carnegie Mellon University)

"The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University."

The fact that the name is misleading doesn't mean it's not the name.

What is the purpose of a Turing test? 

Posted Friday 29th February 2008 11:12 GMT

Paris Hilton

What is the primary purpose of a Turing Test?

Is it to test if a human can tell a computer and a human apart?

Or is it to test if a computer is able to convince a human that it itself is human?

If it is the latter, it really is secondary whether the ‘judge’ is human or – as is the case with Captcha, the judge is another computer.

So, nothing ‘reverse’ here, eh?

Paris, because I'm sure Captchas are keeping HER from passing.

Respect, cos I can't read them there blots 

Posted Friday 29th February 2008 15:28 GMT

Coat

I can't read these ink blots on some forum boards; so respect to them thar 'youfs'

Actually Google is easy but Yahoo is a bum pain - which is why I never use it.

It's not that I'm that old - but I did learn MS-DOS 3.1, so I suppose I am an ancient

Surely the fix is... 

Posted Friday 29th February 2008 16:35 GMT

for Google etc to disallow the setup of more than say 3 accounts from any given IP address in any given 24 hour period? What real person wants to set up 500,000 accounts, or even 50 accounts?
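As an added example (not code from any poster or from Google), here is what the two rate-limiting proposals in this thread look like when written down: the "limit retries and block the IP for several hours" idea from the "Other techniques" post, and the "no more than 3 accounts per IP in any 24 hours" idea above. The thresholds (5 failed CAPTCHAs in an hour, a 4-hour block, 3 signups per 24 hours) and the event stream are constructed for illustration; the class and function names are mine.

```python
"""Per-IP signup throttling as proposed in the thread: a sliding-window
limit on CAPTCHA failures (with a temporary block) and a sliding-window
cap on successful signups. Added example; thresholds are constructed."""
from collections import defaultdict, deque


class SignupRateLimiter:
    def __init__(self, max_captcha_failures=5, failure_window=3600,
                 block_seconds=4 * 3600, max_signups=3, signup_window=24 * 3600):
        self.max_captcha_failures = max_captcha_failures
        self.failure_window = failure_window
        self.block_seconds = block_seconds
        self.max_signups = max_signups
        self.signup_window = signup_window
        self._failures = defaultdict(deque)   # ip -> timestamps of failed CAPTCHAs
        self._signups = defaultdict(deque)    # ip -> timestamps of accepted signups
        self._blocked_until = {}              # ip -> epoch seconds the block expires

    @staticmethod
    def _prune(timestamps, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while timestamps and timestamps[0] <= now - window:
            timestamps.popleft()

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        return until is not None and now < until

    def record_captcha_result(self, ip, now, passed):
        """Register a CAPTCHA outcome. Returns True if the client may carry on,
        False if it is (or has just become) temporarily blocked."""
        if self.is_blocked(ip, now):
            return False
        failures = self._failures[ip]
        if passed:
            failures.clear()                  # a real user finally got it right
            return True
        self._prune(failures, now, self.failure_window)
        failures.append(now)
        if len(failures) >= self.max_captcha_failures:
            self._blocked_until[ip] = now + self.block_seconds
            failures.clear()
            return False
        return True

    def allow_signup(self, ip, now):
        """Decide whether a CAPTCHA-passing signup from ip may create an account."""
        if self.is_blocked(ip, now):
            return False
        signups = self._signups[ip]
        self._prune(signups, now, self.signup_window)
        if len(signups) >= self.max_signups:
            return False
        signups.append(now)
        return True


# Constructed event stream: (ip, seconds since start, event). Each IP's events
# are in time order; a real log would be globally ordered.
SAMPLE_EVENTS = [
    ("10.0.0.1", 0, "signup"),
    ("10.0.0.1", 60, "signup"),
    ("10.0.0.1", 120, "signup"),
    ("10.0.0.1", 180, "signup"),            # 4th within 24 h -> refused
    ("10.0.0.1", 24 * 3600 + 1, "signup"),  # first signup aged out -> allowed
    ("10.0.0.2", 0, "captcha_fail"),
    ("10.0.0.2", 10, "captcha_fail"),
    ("10.0.0.2", 20, "captcha_fail"),
    ("10.0.0.2", 30, "captcha_fail"),
    ("10.0.0.2", 40, "captcha_fail"),       # 5th failure in the hour -> blocked
    ("10.0.0.2", 50, "signup"),             # still blocked
    ("10.0.0.2", 40 + 4 * 3600, "signup"),  # block expired -> allowed
]


def replay(events, limiter=None):
    """Run the events through a limiter and return the decision for each."""
    limiter = limiter or SignupRateLimiter()
    decisions = []
    for ip, t, event in events:
        if event == "signup":
            decisions.append(limiter.allow_signup(ip, t))
        else:
            decisions.append(limiter.record_captcha_result(ip, t, passed=(event == "captcha_pass")))
    return decisions


if __name__ == "__main__":
    for (ip, t, event), ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{ip:10s} t={t:6d} {event:13s} -> {'allow' if ok else 'refuse'}")
```

Two caveats already visible in the thread apply to this design: failure thresholds must leave room for genuine users who get it wrong several times (the Hotmail-in-Firefox anecdote above), and a per-IP cap treats everyone behind one NAT or proxy as a single client, so it is a blunt instrument rather than a fix for bots that spread work across a botnet.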

Planned Action 

Posted Monday 3rd March 2008 03:41 GMT

It seems to be a little surprise. However, it was planned at the moment when software for handwriting input was created. Inference: think of security before implementation of something new