Porn Rewards Users To Get Past Anti-Spam Captchas

Stalke writes "Spammers are now usings a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decripting the 'captchas' which is then replayed back into the spammers program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."

Re:One thing leads to another

[cyb97]

That method is already in use by several sites that get paid by the number of ad-clicks. To make *dead sure* that the patrons click the banners you have to fill in a missing word in a sentence collected from the banner-site or the 3rd word etc to get into the site.

It's pretty lame, and I guess most ad-agencies frown upon it as the clickers aren't really producing any business..

Technology Review

[Anonymous Coward]

This was suggested in an old issue of Technology Review [technologyreview.com]

Re:Easily countered

[Violet Null]

Wouldn't matter.

Automated spam script goes to sign up new email address, gets presented captcha. Downloads captcha -- as the server would expect any normal web browser to do.

Captcha is copied to some location. Filename probably contains information that can identify the specific script that's running, since there'll undoubtedly be many going simultaneously.

From that point, there's about 20 minutes, give or take, for the porn site to display the copy of the captcha and ask for the user's input. On a site seeing any amount of traffic at all, that should be more than enough.

Once a user has given input, the spam script is notified, and sends the input back to the captcha server. The captcha server never sees the IP address of the human -- it only deals with the spam script -- so it'll never know anything's up.

Re:Sounds like rubbish

[Z-MaxX]

Two reasons this sounds like rubbish: The catchups are generated on a per session basis for the person trying to sign up for the email address . Surely if they then try and get a third party to do the decoding the session will be expired.

Not neccesarily. From the writeup:

by displaying the 'captchas' on free porn sites in

real time.

If you have thousands of visitors every hour, then you only have to wait a few seconds on average to have your image shown to a user and a few more seconds for the user to respond.

Re:Sounds like rubbish

[Anonymous Coward]

'Bot logs into the mail server and attempts to sign up for a new email address. 'Bot recieves page showing the imaged text. 'Bot grabs the image and redisplays it on the entry page for the next person accessing the free porn. That person enters the text, which is sent back to the 'bot. This only takes a few seconds if a person signs in to the porn page in the right time frame. If the porn site gets reasonably heavy traffic, one certainly will. If not and the page times out, the 'bot just tirelessly tries it again. Or the 'bot waits until someone tries to access the free porn, gives them an intro page to distract them while it contacts the email server and gets the imaged text. For every person who accesses the porn site, the 'bot gets a new email address.

OCR may or may not be good enough. However, the whole purpose of the graphics is that the text is obfuscated in such a way that it makes it difficult for OCR but still easy for humans. The article says that which a computer can generate, a computer can often solve. Sometimes perhaps, but certainly not always. For a trivial example, take a photograph and change every pixel in it to black. A computer can do it but another computer can obviously not undo it, as all of the original information is lost. When you blur or otherwise obfuscate text, you're destroying information. The remaining information may be sufficient for a human to understand it, but insufficient for an OCR algorithm. I haven't seen anything reliable which evaluates OCR on captchas, but I know how well OCR does on regular scanned text. It's much better than it used to be but still far from exact.

John Dvorak suggestion

[Anonymous Coward]

I first heard about this meme from an article by John Dvorak. He suggested that one way around these capkchas would be for porn sites to serve them to surfers, asking them to solve them before allowing them access to a page or site. I have not personally seen this suggestion implemented, but I have used it as an example many times while explaining why this form of computer security doesn't work.

Re:Sounds like rubbish

[mark-t]

Wrong. Here's how it works.

Porn site gets a visitor.
The cgi or other executable on the web server's site then starts to sign up for an email account, and caches the graphic that must be decoded.
The exact same graphic is presented to the porn site visitor.
The porn visitor decodes the graphic and clicks "Submit"
The program at the porn site then finishes signing up for an email account by entering the text that the porn visitor entered.
If the email address is successfully created, the program then permits the user into the restricted area, otherwise entrance is denied and the whole process repeated.

Yes, these images are generated on a per session basis, but the whole point is that each visitor to a porn site gives the porn sites a new potential email address with which to spam.

It's actually quite ingenious if you ask me.

Re:Computer Program

[wedg]

No. It's quite simple. You get the HTML (open a session), and instead of retrieving the image for the Captcha right away, you wait until someone's signing up for free porn (a few nanoseconds), then show *them* the inline image, which only needs to be loaded once in this case, they enter the code, which your script sends back as the form reply.

I wish I'd thought of it first, I could've patented it. Or maybe someone should, so the spammers can't use it.

Old news and incorrect data

[shaftek]

This is ancient news, it has been mentioned by me [ietf.org] on the ASRG list in November and on my blog [blogspot.com]. The original new article was published by the Post Gazette [post-gazette.com], and found by Matt McCay in his blog [bestkungfu.com]. Liudvikas Bukys mentioned it in his blog [rochester.edu] also. You might also want to take a look at the W3C draft [w3.org] on why these visual tests do not work for disabled people. And to end this off, the basic premise of C/R is that the return address is valid. Even if spammers break these visual tests, in order to do that, they must have a valid return address - ergo, making them traceable.

Re:I am not looking at porn

[Grotus]

Here's a little hint, it isn't Slashdot that collapses your two spaces into one, it is your browser, which is following the HTML specification concerning white space [w3.org].

Now, the case of <code> elements is different. Although it doesn't say so in the HTML spec, most browsers handle them with white space being preserved.