The Tech Herald

CAPTCHA – almost broken

by Steve Ragan - Mar 18 2008, 14:00

Yahoo, MSN Live (Hotmail), and GMail all have two things in common. The first is that they are free online email services and the second involves CAPTCHA usage. The CAPTCHA systems used by these companies are now being called into question as it has been proven that bots are cracking their codes, and that humans are earning lunch money by helping them along.

MessageLabs said earlier this month that its analysis of spam shows that 4.6 percent of all spam originates from webmail services. Adding to that, the proportion of spam from GMail doubled, from 1.3 percent in January to 2.6 percent in February, mainly promoting adult-oriented websites. Yahoo Mail was the most abused webmail service, responsible for sending 88.7 percent of all webmail-based spam.

The reason for the large bump in the numbers is that bots are breaking the CAPTCHA puzzles on each of those sites. A Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA for short, is a mechanism designed to defeat the automated sign-up tools used by spammers by requiring the user to perform a task that only a human can perform. This worked well for a while, but now researchers are reporting that, slowly but surely, it is failing.

Early reports on the CAPTCHA cracking say that one in five, or twenty percent, of the automated cracking attempts is succeeding. According to the NY Times and Websense, Russian workers are being employed to open GMail accounts and to help crack CAPTCHA codes. They help by submitting the codes to various tools, so the cracking software can learn from the samples.

The workers are apparently (based on a translation of the page, which is written in Russian) paid a maximum of $3 per day. The program apparently works on a per-CAPTCHA basis, and once there are $3 in credits in the worker's account, they can ICQ someone for a payout. Sadly, $3 is not very much. The average Russian worker will make about $100 per month if you go by the government-mandated minimum wage, which was set in 2007.

The recent debate over the news that the CAPTCHA system might be on its last legs has sparked some interesting thoughts. One line of thought would impose limits on free email accounts.

For example, “limit users to 10 outgoing emails the first day and 100 outgoing emails a week for the first two weeks. After that, allow customers to manually request a higher limit, but only if the account has actually been used, not left idle. If they request a limit higher than 1000 a week, make them prove they are a human the old-fashioned way, by telephone or postal mail,” reads one comment on the NYT Blog.
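
The quoted tiering can be written down as a send-quota check that a webmail provider would run before accepting each outgoing message. This is an added example, not code from the article or from any of the providers named; the Account record, the two-week window used to decide whether an account "has actually been used", the verified_human flag standing in for the telephone or postal check, and the constructed timestamps are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY, WEEK = timedelta(days=1), timedelta(weeks=1)

@dataclass
class Account:                                  # assumed account record
    created: datetime
    sent: list = field(default_factory=list)    # timestamps of accepted outgoing mails
    weekly_limit: int = 100                     # raised only through request_limit()
    verified_human: bool = False                # assumed flag for the phone/postal check

def sent_within(acct, now, window):
    """Mails accepted in the trailing window ending at now."""
    return sum(1 for t in acct.sent if now - window < t <= now)

def can_send(acct, now):
    """Tiers from the quoted comment: 10 on the first day, 100 a week for the
    first two weeks, then whatever weekly limit the account has been granted."""
    age = now - acct.created
    if age < DAY:
        return sent_within(acct, now, DAY) < 10
    cap = 100 if age < 2 * WEEK else acct.weekly_limit
    return sent_within(acct, now, WEEK) < cap

def record_send(acct, now):
    """Accept and log an outgoing mail, or refuse it once the quota is used up."""
    if not can_send(acct, now):
        return False
    acct.sent.append(now)
    return True

def request_limit(acct, now, requested):
    """Manual raise: only after two weeks, only for accounts actually used
    (assumed: a send in the last two weeks), verification needed above 1000/week."""
    if now - acct.created < 2 * WEEK:
        return "too_new"
    if sent_within(acct, now, 2 * WEEK) == 0:
        return "idle"
    if requested > 1000 and not acct.verified_human:
        return "needs_verification"
    acct.weekly_limit = requested
    return "granted"

T0 = datetime(2008, 3, 18, 14, 0)               # constructed account creation time
def at(**delta):
    """Timestamp offset from T0, for walking one constructed account through the tiers."""
    return T0 + timedelta(**delta)
```

The eleventh message on the first day is refused, a raise request in week one is refused as too new, and a request above 1000 a week is held until the out-of-band check has been recorded.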

The other general thought being shared is that this situation is just one part of technological evolution. As spammers grow smarter and crack CAPTCHAs, the security applications grow stronger to match them. This idea is decent, except for the fact that it offers no solution for the interim.

Meanwhile, the advice of the past is still true. Filter any domain as needed. Often Google is exempt from email filtering because it’s, well, Google. This is not the correct way to deal with spam, and Google should not be exempt from email policy.

Finally, here is a question: while it's serious business that CAPTCHA is failing, whatever happened to ISPs filtering email, and to the use of DomainKeys?
