Porn Rewards Users To Get Past Anti-Spam Captchas

Stalke writes "Spammers are now usings a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decripting the 'captchas' which is then replayed back into the spammers program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."

Foundation

[millahtime]

Porn, the foundation of the internet. It will never go away or die. It has more uses then we can even imagine.

Spam spam spam spam SPAAM!

[seidleroniman]

What is everyone in the Slashdot crowd gonna do? On one hand you dont want to get spammed, but on the other hand you NEED your pr0n. However, i think this will take care of itself because eventually people will be too busy deleting spam to look at pr0n online, reducing the amount of spam....Ok, i'm half kidding, but i really do think this is an ingenius way of spammers getting around certain barriers. Say what you will, but spammers have shown/proven that they can overcome many obstacles to continue their spamming.

Sounds like rubbish

[Snipet]

Two reasons this sounds like rubbish: The catchups are generated on a per session basis for the person trying to sign up for the email address . Surely if they then try and get a third party to do the decoding the session will be expired. Also The article points out that Optical Character recognition is more than adequate to break this so I can not see a situation that spammers would do this elaborate probably unworkable method over OCR. No facts and a friend of a friend source makes this sound like total BS.

Valid News Sources

[akadruid]

Is it just me or are people becoming less critical about what a valid news sources is?
'Someone told me...' on a 'blog'?

That doesn't carry quite the weight of the BBC and Reuters to me, but I suppose there's a good chance no-one was threatened by a 'democratic' government during the production of the article, so maybe it's less biased than some.

Re:Easily countered

[perlionex]

I'm sure it's only loaded into pages they've served themselves. The p0rn sites just grab the image, then display from their own sites to the users directly. When the users send the correct text back to the p0rn site, the site then sends it back to the website. It's actually quite trivial, but ingenious.

Make it copyrighted

[sabri]

This is a challenge for the HABEAS [habeas.com] idea (HABEAS uses a copyrighted poem to sue spammers who send spam). The pornspammers are quite obviously circumventing a security-measure. Based on the sending-IP address, aol/hotmail etc should be able to do some sueing.

Re:Spam spam spam spam SPAAM!

[thedillybar]

What are we going to do?

How about type something other than what's in the box? I seriously doubt you have to sit there waiting while it verifies that what you entered is actually correct. They're probably just assuming most people will type it correctly.

Re:Countermeasure...

[Glog]

Referer can be spoofed so that won't work. But it's very easy for a large company like Yahoo (or any company for that matter) to setup its images server as an internal server - i.e. accessible to their *own* web servers alone. However, what's to stop spammers from grabbing the image off the browser cache and literally serving it from there on other pages. I can see how the article has a point unless the images appear on a SSL page which can't be cached. But then again I think you can cache even those.

Where?

[Bazman]

Can someone show me a real example of this being used? Please. Pretty please....

Valid News sources... on a blog.

[LinuxParanoid]

You're right. But. A) you're repeating what the editor already said, and B) you are overstating your case a bit for the following reasons:

In fairness, the poster on the blog was Cory Doctorow, who is a long time, well-known net-citizen and isn't exactly some random guy, although you may not know him. For a sample of his work, see this piece in Salon [salon.com] which mentions that he won the John W. Campbell Award for best new science fiction writer at the 2000 Hugo Awards. He's not a journalist, he's a blogger, but it's an interesting tidbit nonetheless...

And even if he was a random blogger, his credentials are much less important than the core concept he's disclosing: that someone seeking to generate email accounts (or open bank accounts or whatever) could have porn-seeking humans workaround the turing-ish test security measures. The story is less that someone is doing it, than that someone could be doing it. At least to me.

Plus this is a hacker-type story... I wouldn't expect Reuters, etc. to carry it first.

I actually was glad to see the Slashdot editor point out the "someone told me" caveat... it's a sign to me that the editors here are getting better. They're warning us about the weaknesses in the story, not just slapping stuff up here without a care.

--LP

Re:Valid News Sources

[dabadab]

Well, this posting is not about "news" but more about an interesting idea - an idea's "interesting" factor does not depend on its source.
It is intriguing and worth think about, a lot more than, say, eweek's zero-content article about the wishlist for linux 2.7.

Re:Countermeasure...

[leoboiko]

The referrer field is easily forged.

Ok new "captcha" test...

[tekiegreg]

Rather than guess a single image, how about a feature on the page at random? For example Yahoo Mail can ask "What is the menu to the immediate right of Addresses. (which according to my Yahoo Mail screen would be "Calendar"), Or even "What company is the banner ad up top advertising" which serves 2 purposes 1) Captcha Test and 2) Ensuring the advertising is looked at :-)

Unless a Spammer plans on building a porno site exactly like Yahoo (and incur the wrath of a zillion lawyers consequently), this would be a difficult one to counter attack (unless someone here could prove otherwise). Thoughts?

Re:Sounds like rubbish

[JDevers]

Think about the same thing, but in reverse. Have the script run ONLY when someone signs up for the free porn, it automatically connects to the free e-mail provider and the glyph is just tranfered to the viewer in truly real time...

Copyrights are a good thing here!

[earthforce_1]

All they have to do is copyright the capta image, and sue the pants off anybody who uses it without permission.

Any lawyers want to comment on this?

Re:Spam spam spam spam SPAAM!

[Anonymous Coward]

Why sign up for porn? Damn, isn't there enough available without signing up? It's bad enough that they can match your IP address; why give them registration info too? It's hysterical that a bunch of geeks who won't sign up to read the New York Times will gladly give name, rank, and serial number for porn.

Re:Sounds like rubbish

[druske]

The porn site wouldn't know what the catchup was supposed to be, but the email signup page would, and if the wrong response was provided, it'd return a page saying so. The porn site could parse that page and reject the user's answer. No valid response, no naughty bits.

Without any facts to back the story up, I don't know if this is really happening, but it sounds plausible. I wonder if anyone's filed a patent on the method? ;)

Re:Countermeasure: URL in Image

[Anonymous Coward]

That's probably the way to go.. the legitimate site generating the captcha should embed some text into the image, for example "To complete your Hotmail account signup, enter the text below. NOT VALID if seen on any other website". However, if you put the text in the same place on the image each time, a sneaky spammer (is there any other sort?) could just crop the image before presenting it.
Better, I would suggest, to place the text in a random location in the image each time, or even overlay it in watermark-fashion. Hey, don't anyone go trying to patent this idea now.. did I think of it first? :-)

Re:Sounds like rubbish

[Imperator]

THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the catchup is supposed to be and is only using you, enter a wrong one.

Uh, if the spammers are smart, they'll actually use the word you give them to submit the form, and if it doesn't work they'll make you enter another one. some of them are hiring smart people. Maybe if there weren't so many out-of-work programmers in the world...

Re:Nifty

[fermion]

We have always said every security system has a crack. We may not be able to think of it. We may not think the crack is cost effective, but the crack exists and will become feasable.

This is fuckin' briliant. A pure barter system. A product that has value but many are not willing to pay for. A small service that takes very little time but will create value.

Include the Original Web-site in 'Captchas'

[Anonymous Coward]

The free email-website should just add some text inside their image including their URL like this:
"registration for: free-mail.com"
"only for registation at: free-mail.com"
"don't help spammers, answer this only
if you are at free-mail.com"

At least the people registering on the porn site would realize they are helping a spammer and would *hopefully* not do the decoding.
CJones

I'm afraid I disagree

[fejikso]

I thought that'w why there's something called ethics, which tells you when an ingenious thing may be good or bad.

IMHO, you can't applaud unethical uses of ingenuity.

challenge/response system is good idea

[Matt Ownby]

A well designed challenge/response system won't challenge those people to whom the user has already sent email out to. I think nuisances like you have mentioned are temporary and will be refined in the future as spam becomes a greater problem (and it will).

I use a challenge/response system myself for my email and it certainly has nothing to do with me thinking I am really important or that my time is worth more than yours. It is all about me being totally sick of spam and being willing to take extreme measures to stop it.

All of my friends are already on my whitelist (or get on it quickly enough) and have forgotten that I ever had a challenge/response system in place. It really is not a nuisance at all to anyone who communicates with me on a regular basis.

Captchas can only prove human-ness

[AnotherBlackHat]

It's a clever idea (even if nobody has actually done it yet) but I think Captchas will always be ahead in the arms race.

Cut and paste my Captchas? Ok, I'll embed it in a java program.
Screen capture? I'll make it dependant on the web-site you're visiting.
(which of these objects starts with the same letter as the third letter of my website?)

In the end though, the best a captchas can do is prove there's a human somewhere in the loop.
A spammer (or anyone else for that matter) could hire real people to answer them.
Automate the non-captcha part of the signup, and you could generate several hundred accounts per hour.

-- this is not a .sig

put your trademark in your captchas

[marvinglenn]

It's not a complete fix, but making your 'captchas' larger and putting your trademark and website identity inside the 'captchas' would make it pretty obvious if anyone is doing this to you. The text to echo back should be at a random location in the image, so the spammer cannot crop it in an automated fashion. Also, a URL in the image to report to if it's seen on a site where it's not expected would be good.