There have been a couple of stories lately suggesting that spammers may have created bots capable of cracking Gmail’s registration CAPTCHAs, but that isn’t exactly the case.
A CAPTCHA, which is short for Completely Automated Public Turing test to tell Computers and Humans Apart, is an image file that displays warped or visually obscured characters that supposedly only a human can decipher.
Obviously if spammers could create bots capable of solving CAPTCHAs it would be bad news, but the latest attack seems to still rely on humans.
The Register, Ars Technica and Slashdot all point to an article on the Websense Threat Blog, with the headline: “Google’s CAPTCHA busted in recent spammer tactics.”
However, if you read through to the end of the article, Websense points out that the bot system uses a webpage (in Russian) offering money to anyone who will solve the CAPTCHAs presented.
In other words, the bots are harvesting Gmail’s CAPTCHAs and relaying them to humans, who solve them for a fee, and the bots then submit the answers. Websense estimates that 1 in 5 bot-based registrations is successful.
That is not good news, but at this point the CAPTCHA itself isn’t being broken by software; the problem is the humans solving the CAPTCHAs on the bots’ behalf.
Still, while Websense’s headline may be misleading, it would be overly optimistic to suggest that bots won’t get into Gmail. They’ve already broken through Yahoo, Live Mail and plenty of bulletin-board forum CAPTCHAs. Spam is, regrettably, only going to get worse.
Given that CAPTCHAs suffer from a number of usability drawbacks and really aren’t that effective anymore, perhaps it’s time for something a bit more sophisticated, like the system proposed by xkcd.
[via Slashdot]


Has anyone ever thought about how easy it would be for them to redirect CAPTCHAs to real humans, who don’t even know they are part of a spam operation? Every forum and web platform has CAPTCHAs; it would be too easy for them to show CAPTCHAs from Google to real people on other sites, so that those people think they are answering a CAPTCHA from the local system, while instead they do the dirty work for spammers.
It’s the same concept Google uses in Google Image Labeler: too much work, so make it a game for users, and somebody will be happy to do it without receiving payment.
Thanks for reading
Andreas
http://thoughtsnessays.blogspot.com/
It has already been done, Andreas.
Why not make a Flash-based CAPTCHA that constantly warps and changes colour?
Chris, it would be JUST AS EASY for a human worker to see and read it.
Has anyone tried blocking based on TOO MANY answers from the same IP in too short a time?
Humans might post an answer to one CAPTCHA once every few minutes; bots would flood the system every minute with a multitude of requests for new CAPTCHAs and possibly send a flood of replies back.
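The relay the post describes (bots fetch the challenge, humans somewhere else read it, the bot submits the answer) and the per-IP rate limit suggested in the comment above, as an added Python example that is not code from Webmonkey, Websense, Google or any commenter. It models a CAPTCHA issuer that commits to the answer in an HMAC tag so every challenge is time-limited and single-use, and that counts challenge fetches per IP in a sliding window. The key, the 60-second lifetime, the limit of five fetches per minute, the IP addresses and the deterministic clock are all constructed for the example. Note what the model shows: a relay whose human answers inside the lifetime still passes, so expiry alone shortens the attacker’s window rather than closing it, which is why a fetch rate limit is worth having alongside it.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed parameters for this example; tune them for a real site.
SERVER_KEY = b"example-only-key-do-not-deploy"  # a real deployment loads this from a secret store
CHALLENGE_TTL = 60   # seconds a challenge stays solvable
RATE_LIMIT = 5       # challenges one IP may fetch per RATE_WINDOW
RATE_WINDOW = 60     # seconds


class RateLimited(Exception):
    """Raised when one IP fetches challenges faster than RATE_LIMIT allows."""


class FakeClock:
    """Deterministic clock so the scenarios below are reproducible."""
    def __init__(self, start=1_204_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class CaptchaServer:
    """Issues time-limited, single-use challenges. The answer is committed to in an
    HMAC tag, so the server keeps no per-challenge state except consumed ids."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.used = set()                    # challenge ids already answered
        self.fetch_log = defaultdict(deque)  # ip -> timestamps of issued challenges

    def _tag(self, challenge_id, expires, answer):
        msg = f"{challenge_id}|{expires}|{answer}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def _enforce_rate(self, ip, now):
        # Sliding window: drop fetches older than RATE_WINDOW, then count the rest.
        log = self.fetch_log[ip]
        while log and now - log[0] > RATE_WINDOW:
            log.popleft()
        if len(log) >= RATE_LIMIT:
            raise RateLimited(ip)
        log.append(now)

    def issue(self, ip):
        """Return (token, rendered). `rendered` stands in for the distorted image:
        in this model a human can read it and a bot cannot."""
        now = self.clock()
        self._enforce_rate(ip, now)
        challenge_id = secrets.token_hex(8)
        answer = secrets.token_hex(3)  # six lowercase hex characters
        expires = int(now) + CHALLENGE_TTL
        token = f"{challenge_id}.{expires}.{self._tag(challenge_id, expires, answer)}"
        return token, answer

    def verify(self, token, submitted):
        parts = token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return "malformed"
        challenge_id, expires, tag = parts
        if self.clock() > int(expires):
            return "expired"
        if challenge_id in self.used:
            return "replayed"
        # Consume the challenge before checking the answer, so a wrong guess
        # cannot be retried against the same token.
        self.used.add(challenge_id)
        expected = self._tag(challenge_id, expires, submitted.strip().lower())
        return "ok" if hmac.compare_digest(tag, expected) else "wrong"


def solve_after(delay, ip="203.0.113.7"):
    """One client fetches a challenge and submits the right answer `delay` seconds
    later. A user at the keyboard is fast; a bot relaying the image to a human
    solver elsewhere answers only after the relay round trip."""
    clock = FakeClock()
    server = CaptchaServer(clock)
    token, rendered = server.issue(ip)
    clock.advance(delay)
    return server.verify(token, rendered)


def replay_once(ip="203.0.113.7"):
    """Solve correctly, then submit the same token and answer a second time."""
    clock = FakeClock()
    server = CaptchaServer(clock)
    token, rendered = server.issue(ip)
    return server.verify(token, rendered), server.verify(token, rendered)


def harvest_burst(requests, ip="203.0.113.7"):
    """A bot fetching `requests` challenges within a second from one IP; returns
    how many it obtained before the rate limit cut it off."""
    clock = FakeClock()
    server = CaptchaServer(clock)
    issued = 0
    for _ in range(requests):
        try:
            server.issue(ip)
        except RateLimited:
            break
        issued += 1
        clock.advance(0.05)
    return issued


def run_scenarios():
    return {
        "user_8s": solve_after(8),         # ok
        "relay_20s": solve_after(20),      # ok: a fast solver farm still gets through
        "relay_90s": solve_after(90),      # expired: a slow relay loses the race
        "replay": replay_once(),           # ("ok", "replayed")
        "burst_of_20": harvest_burst(20),  # 5
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The tag binds the challenge id, its expiry and the answer together under the server key, so a bot cannot extend the expiry or forge a token for an answer of its choosing, and the only state the verifier keeps is the set of ids already consumed. The rate limit is deliberately on fetches rather than on answers, since a harvester needs to pull many images to keep a solver farm busy.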
It’s possible that someone has solved this ‘problem’. The following quote is from a CBC news article describing how hackers were grabbing concert tickets ahead of real fans.
“Allan Caine, a University of Waterloo computer sciences student, showed CBC a similar program he designed to read the captcha, which makes sure a human is entering a site, on a ticket company’s website.”
Full article at
http://www.cbc.ca/canada/british-columbia/story/2008/02/27/bc-ticketprobe.html
Bill