
Porn Rewards Users To Get Past Anti-Spam Captchas

Posted by timothy
from the pull-this-lever-a-few-times dept.
Stalke writes "Spammers are now using a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decrypting the 'captchas' which is then replayed back into the spammers' program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."
  • Easily countered (Score:4, Interesting)

    by Yggdrasil42 (662251) on Wednesday January 28, 2004 @10:36AM (#8112276) Homepage
    This can be easily countered if the free e-mail sites configure their servers, so that the 'captchas' can only be loaded into pages that they've served themselves.

    I'm not sure how that works, but I've seen it in action on some sites.

    Maybe someone else knows how it's done?
  • Countermeasure... (Score:4, Interesting)

    by LinuxParanoid (64467) * on Wednesday January 28, 2004 @10:41AM (#8112326) Homepage Journal
    If the image ...has been inlined from Yahoo or Hotmail... as the article says, couldn't Yahoo/etc have their image generation scripts set up dynamically to check the referrer (or should I say referer? ;-)).

    I seem to recall this approach being used by online comic strips trying to prevent inline linking from elsewhere...

    --LP
  • by superwiz (655733) on Wednesday January 28, 2004 @10:46AM (#8112384) Journal
    Captchas are constantly designed to be undecodable by OCR. But the porn solution doesn't sound like rubbish at all. It actually sounds quite clever. Here's how it might work:

    1. An automated script tries to sign up for public emails (yahoo, hotmail, etc.).
    2. At some stage during sign up a page with a captcha is "presented" to the script.
    3. The script gets the captcha out of the page and adds it to a pool of captchas to be associated with their respective words.
    4. At some point, shortly after, a visitor to a porn site is presented with a captcha and enters the correct word. THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the captcha is supposed to be and is only using you, enter a wrong one.
    5. The word entered by the user on the porn site is used to submit a reply to the public email system.
  • by Peridriga (308995) on Wednesday January 28, 2004 @10:48AM (#8112397)
    Well.... yes the facts are missing but, I could think of the program logic.

    Load page to harvest captchas
    Save the captchas image to DB
    Maintain open page where captchas was harvested
    Serve captchas to real user on porn site
    Capture real user's response to captchas
    Re-input user's response to the text field on the harvest page
    Voila.

    Still the same session on the harvest page, just multi-tasked the captchas out. A script can maintain a session just like a user can.

    Now... The band-aid (not the fix) comes by accepting all user information first (name, address, etc) then on the next page request the captchas input. Have that page have a cookie timeout of 30 seconds. If the user can't read 7 characters in 30 seconds then redisplay another one. After x number of failures ban for 10 minutes etc...

    Now this fails if the spam harvester has access to enough concurrent hits on his false verifier to maintain the 30 second window but, I'd hope at that point his profit margin has shrunk a great deal more due to the traffic requirements.
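
The band-aid described in the comment above, sketched as server-side state; this is an added example, not part of the original thread or any site's code. The class name `CaptchaGate`, the `client` key, the injectable `clock` and the value 3 for "x" are assumptions.

```python
import hmac
import secrets

CHALLENGE_TTL = 30   # seconds to answer, from the comment
BAN_SECONDS = 600    # 10-minute ban, from the comment
MAX_FAILURES = 3     # the comment's "x"; 3 is an assumed value


class CaptchaGate:
    """Hypothetical server-side captcha state for a signup flow."""

    def __init__(self, clock):
        self.clock = clock       # time source in seconds, e.g. time.monotonic
        self.pending = {}        # session id -> (answer, issued_at)
        self.failures = {}       # client key -> failures since last success
        self.banned_until = {}   # client key -> time the ban ends

    def issue(self, session_id, client):
        """Return the text to render as an image, or None while banned."""
        if self.clock() < self.banned_until.get(client, 0):
            return None
        answer = secrets.token_hex(4)[:7]   # 7 random characters
        self.pending[session_id] = (answer, self.clock())
        return answer

    def verify(self, session_id, client, response):
        """Return 'ok', 'wrong', 'expired' or 'banned'."""
        now = self.clock()
        if now < self.banned_until.get(client, 0):
            return "banned"
        # pop() makes every challenge single use, whatever the outcome
        answer, issued_at = self.pending.pop(session_id, (None, now))
        if answer is None or now - issued_at > CHALLENGE_TTL:
            return self._fail(client, now, "expired")
        if not hmac.compare_digest(answer.encode(), response.encode()):
            return self._fail(client, now, "wrong")
        self.failures.pop(client, None)
        return "ok"

    def _fail(self, client, now, reason):
        """Count a failure; ban the client once MAX_FAILURES is reached."""
        self.failures[client] = self.failures.get(client, 0) + 1
        if self.failures[client] < MAX_FAILURES:
            return reason
        self.failures[client] = 0
        self.banned_until[client] = now + BAN_SECONDS
        return "banned"
```

As the comment itself notes, a relay that gets a human answer back inside the 30-second window still passes; the expiry and ban only raise what that relay costs to run.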
  • Computer Program (Score:5, Interesting)

    by UPAAntilles (693635) on Wednesday January 28, 2004 @10:48AM (#8112408)
    The computer science department at Berkeley has already broken the Yahoo-like Captcha [berkeley.edu]. They use an algorithm to break it. They recommend "Gimpy" as a replacement, which their software has yet to crack. The blog is full of crap, the captcha is generated every session, so you can't make a link to the image like they would like because the session would end.
  • Re:Nifty (Score:5, Interesting)

    by acidtripp101 (627475) on Wednesday January 28, 2004 @10:50AM (#8112418)
    I thought this exact same thing. Every time I see a simple 'solution' to a 'problem' like this, I always have to give the creator credit due to them... I don't care whether it's for the linux kernel or to send me pills for a larger penis, it's still ingenious.
  • From an insider... (Score:2, Interesting)

    by Mazzie (672533) on Wednesday January 28, 2004 @10:52AM (#8112446)
    I can tell you that 99% of the illegal or 'gray area' activities like SPAM that go on in the online porn community are likely performed by less than 1% of the companies.

    A vast majority of operators I speak with are firmly against SPAM because it simply doesn't result in profit. For one, customers who join up as a result of SPAM result in a much higher chargeback rate on credit card purchases, and in general being on the receiving end of traffic from SPAM is more than a nightmare dealing with 1000s of pissed off system admins.

    Also, porn site operators want to maintain legitimate mailing lists to keep their customers informed, but that is now a pipe dream, as even customer support is difficult over e-mail because much of it gets caught up in SPAM filters.

    Personally I won't do contract work for any porn company that uses SPAM because those are the ones that usually try to beat me out of a check. Also, they are the least likely to be around in 6 months, because most of them go under very quickly. In addition, I get sick of moving apps from host to host to host as they routinely get booted for sending, or being associated with SPAM.
  • Re:good or evil (Score:3, Interesting)

    by mlush (620447) on Wednesday January 28, 2004 @10:55AM (#8112484)
    Now if we could only get spammers to use their ingenuity for good rather than evil, we could solve all of the world's problems.

    I could see this working for some image recognition problems. To get the next page you have to perform some small task. Salt the tasks with 10% control images for which you know the answer and a finders fee where you get a week's free access if you find X or do Y work units. Could be used to check surveillance video images ...

  • by Zeinfeld (263942) on Wednesday January 28, 2004 @10:59AM (#8112527) Homepage
    What are we going to do?

    I think half of us are going to flame on slashdot and the other half will go off to find the web site where you can get the free porn.

    I hate these C/R schemes, they are OK when they are used for mailing lists or for checking signups to Yahoo! mail or some other forum where the intent is to protect ME. I do not accept that they are at all legitimate when the only purpose is to protect some dweeb who thinks he is really important.

    Worst of all are the systems that send out C/R challenges in response to email that was a reply to something that the challenger sent. I get students asking me some question about a Web spec or something else I did. I spend time writing an answer and then get a C/R challenge. Like some student's time is much more important than mine...

    Worst of all are the C/R systems that don't whitelist after the first challenge. Dan Bernstein is the worst offender here, I answered three of his challenges and still get his robot if I make the mistake of replying to one of his mails to me. So I have his robot blacklisted in my email.

    So on balance I am not at all sad that the nuisance of C/R tests looks like it will be soon ended.

    What is worrying though is that the fact such schemes have worked may well mean that hashcash and other CPU payment schemes are not viable either. The senders could run a java component on the porn viewer's machine to generate message authentication ids.

  • by G4from128k (686170) on Wednesday January 28, 2004 @11:04AM (#8112582)
    If the captcha contained a background of additional instructions such as "To get your free account, please type in www.free-email.com/username/captchawords", then it would prevent the porn site/ spammer from seeing the results.
  • by akadruid (606405) * <slashdotNO@SPAMthedruid.co.uk> on Wednesday January 28, 2004 @11:25AM (#8112761) Homepage
    Nice post...
    You're right, the concept is interesting, I was just playing Devil's Advocate with the concept of 'news' - the idea that the moon landings were faked is an interesting concept, but not 'news' as such.
    'Sides, it was an attempt at the ever elusive concept of irony. On a day when the BBC is buying ads to its coverage of the Dr Kelly case, the traditional media is on a back foot against a prominent blogger - 'news' is a concept worth a little exploration today.
  • Wow (Score:4, Interesting)

    by Illserve (56215) on Wednesday January 28, 2004 @11:28AM (#8112816)
    That's genius. Much as I hate spammers, I have to admire this very clever solution.
  • just added captcha (Score:5, Interesting)

    by jqh1 (212455) on Wednesday January 28, 2004 @11:35AM (#8112901) Homepage
    We *just* added captcha functionality at spamgourmet [spamgourmet.com] but we're using a random number at the end of each quizword, and we use a random filename for each image. The code just went up on sourceforge [sourceforge.net] if you want to take a look.

  • by marcello_dl (667940) on Wednesday January 28, 2004 @11:38AM (#8112935) Homepage Journal
    That's what I had in mind, too.

    It would suffice to trademark a logo which would be added to the other generated random letters of the captcha. That would render ocr recognition harder, too.
  • by Tim Macinta (1052) <twm@alum.mit.edu> on Wednesday January 28, 2004 @11:42AM (#8112970) Homepage
    I have been letting people set up free email accounts at kmfms.com [kmfms.com] for awhile, and there has been an abnormally large surge in new accounts recently (and the sign-up process does use the distorted letters). These have been junk accounts too. I had a huge number of sign-ups just last night and only 1 person actually came through my site first (the email service is provided by everyone.net [everyone.net], so somebody was evidently going straight there without hitting my site first). Once these junk accounts are created, spammers then send email from their own servers, but with the return address of the junk account. I don't know why they are doing this - I seriously doubt they are checking the accounts, and they aren't actually sending anything from the accounts, but they are doing it nonetheless and I have been getting a lot of complaints recently about spam even though all of the headers indicate that my network and everyone.net's network weren't involved.

    I have given up at this point and as of today I am switching the email system so that all new users must be paid users. These spammers are like a swarm of locusts consuming everything in their path, and now they have destroyed the free service I had been offering for years. I wish they were in the US so I could pursue legal action.

  • Re:It really is true (Score:3, Interesting)

    by whterbt (211035) <m6d07iv02@sneakemail.com> on Wednesday January 28, 2004 @11:54AM (#8113118)

    Parent was modded funny, but there's an odd truth to this. Consider Burt Rutan [scaled.com]'s comment [popsci.com] that porn will be the driving force behind eliminating business travel. Read it and you'll understand :).

  • Re:Why not... (Score:2, Interesting)

    by eklipz19 (525553) on Wednesday January 28, 2004 @12:27PM (#8113446)
    Having worked for an entreporneur, I can tell you what the point would be. It's all well and good to get access to free email accounts, but, as has been said, that's more or less pointless.

    What is useful, however, is signing up for free webspace. That's the holy grail of porn sites, an unlimited supply of websites all pointing back to your main page. Good for search engine rank, dontcha know?

    When I did some programming for a gentleman who served up porn sites, it was my task to give him a script that would go to Geocities, create an account, and then FTP up a small site with tons of links back to his main site. It would track the account name and password (randomly generated) and parse the URL of the site into a list, which he then used for...something.

    Shortly thereafter (read: Next Day) Geocities put up a captcha for the signup. Related? Perhaps, perhaps not, but I do know that over multiple T1 connections, he created over 5,000 sites overnight on the 8 hours of running the script.

    Something to think about.

  • by IthnkImParanoid (410494) on Wednesday January 28, 2004 @12:57PM (#8113760)
    I believe what the grandparent was saying is that when you sign up for porn, the bot starts the email account sign up process. There's a short delay (for you) while the bot grabs the glyph and sends it to be displayed on your page. You enter it, then the bot immediately attempts to complete the email account sign up process. If the word is correct, you're given a success page, and if not the bot gives you another glyph to decipher.

    This process won't add much at all to the time it takes to sign up for an email account, so reducing the expiration time won't solve the problem. It only helps if the bot has already started the email account sign up (a long time) before you start the porn sign up process.

    It's quite clever.
  • by po8 (187055) on Wednesday January 28, 2004 @01:59PM (#8114420)

    And to end this off, the basic premise of C/R is that the return address is valid. Even if spammers break these visual tests, in order to do that, they must have a valid return address - ergo, making them traceable.

    But why do "captcha"-style visual puzzles, then? If your big concern is traceability, it seems that any old challenge/response, including a 3 digit ASCII number, would do.

    IMHO the news here is that the visual puzzles don't add anything for a clever and determined adversary. It's apparently old news to you, but I hadn't heard of this technique until now; I find it fascinating and am glad the /. editors passed it on.

  • by Anonymous Coward on Wednesday January 28, 2004 @02:05PM (#8114491)
    Imagine a beowulf cluster of porn viewers.

    The Verisign Chief Scientist just proposed a solution on the ASRG list [ietf.org].

    "Basically Microsoft should add a copyright notice to their turing test image and offer a free X-Box for the first person to report each site using a man in the middle attack to defeat it."

    Later on

    "Set up a bounty system for reporting such attacks, a free X-Box is probably more attractive than free porn. Or you could give a free X-Box and a subscription to your choice of Penthouse, Cosmopolitan or a non-porn title."

    Cosmopolitan? A porn title? Err yes I guess it is.

    Kinda sneaky, using one social network hack to defeat another.

  • Re:It really is true (Score:3, Interesting)

    by glesga_kiss (596639) on Wednesday January 28, 2004 @02:15PM (#8114590)
    There is more to what you point at. Porn is the driving force behind technology. Or, at the very least it is one of the early adopters.

    Another reply mentioned the printing press; when it was invented we started dirty books. Coincidentally, there was a link [tijuanabibles.org] to some olde style smut on BoingBoing [boingboing.net] (Cory's blog) the other day.

    It goes back further. Since we started drawing on cave walls, we've been drawing titties and dicks. Ditto sculpture and art. Sex lines, late night porn on TV, erotism has always been the centre. Even the first movies that most folk saw ("What the butler saw") were smut. At least it's better than then running away from a celluloid train, however with this demo they might want to rush the stage instead!!

    I can't remember where I read this; think it was a sig in the last week or so:

    "If you took all the porn off the internet, there would only be one page left; BringBackThePorn.com"

  • Re:Nifty (Score:5, Interesting)

    by kramer2718 (598033) on Wednesday January 28, 2004 @03:32PM (#8115381) Homepage
    Sure, give credit, but not to spammers. Manuel Blum, who invented CAPTCHA, came to speak at my school. First, he explained CAPTCHA. Then he explained how to beat it. The idea is called 'stealing cycles'. In his version, the CAPTCHA tests would be part of games rather than porn sites, but the concept is the same.
