Automated crack for Windows Live captcha goes wild

Spammers are using a sophisticated piece of software that can create thousands of Windows Live email addresses by cracking the protections designed to prevent the large-scale creation of fraudulent accounts. According to security firm Websense, the bot is surreptitiously installed on the PCs of end users. It then establishes a …


  1. Anonymous Coward


    There is a whole SDK on the (Russian part of the) internet that I have seen: open source OCR software coupled with random geometric deformation. It is beyond my level of programming, but from what I can tell there are not so many implementations, and most of the implementations are distributed with source code – and since it is known how the code will generate different characters and develop a pattern of deformation, it was therefore reasonably easy to develop ways to guess the characters with a reasonably good degree of accuracy.

  2. Elisha

    Limit number of accounts from each IP??

    Why don't they limit the number of accounts for each IP within a certain timeframe? Although this would block proxies occasionally, I'm sure there isn't generally a legitimate reason that thousands of addresses are created within a few minutes from the same IP.

    Another method would be to block the spam before it's sent, i.e. having a spam blocker on the send rather than just the receive.

  3. tony trolle

    not just AOL

    ..... we have to look out for now then.

  4. Mother Hubbard
    Black Helicopters

    Use the Internet Luke ..

    "The answer is correct as much as 35 per cent of the time. [...] It's also possible the spammers have found a new type of Captcha-cracking software."

    How familiar does that sound?

    "A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows"

    The author called it ("Its discovery comes a few weeks after the release of proof-of-concept code that defeats a similar Captcha used by Yahoo! Mail."), as did the first poster, so why didn't Websense?

  5. Adam

    Sure it is 'automated'?

    One attack vector that has been used is to redirect the image to a user of their own servers.

    The spammers host a website usually containing warez or pornographic images, and ask their users to type in a captcha text to get the content. The captcha image however is one they have just grabbed from whatever service's new account page. When the user types in the captcha, the web server simply passes that on to the spamming bot so it can create the account.

  6. Simpson

    Limiting IPs will not help

    "Why don't they limit the number of accounts for each IP?"

    Because the spammers are much more sophisticated than that. They "own" so many machines, it is sick. I run a mail server at my job/life. I have seen dictionary attacks that randomly attempt to send to thousands of users, where no IP is used twice. Every single email comes from a unique IP, for that attack.

    With their massive network, they can create crippling ddos attacks on those who dare to oppose them. See

    The spammers go up against reverse dns entries, residential IP blacklists, known spammer blacklists (spamhaus, etc), dynamic blacklists (spamcop), known sender "volume spikes" blacklists, rate limiting on the sender's isp side, rate limiting on the recipient side, port 25 blocking on the sender's isp side, greylisting, etc. and they can still get the spam through.

    They might send one or two spams per hour from each machine. But if they send from 100,000 machines, that is 1,200,000 to 2,400,000 spams per day. If they can use those 100,000 machines to open 10,000 accounts per day, they might be able to send 100 spams per account, per day. Adding another 1,000,000 spams per day to their tally, multiplied by how many days the account stays open.

    I have seen spammer programs that check the rbl lists to see if the IP is listed in the rbls, before sending mail from that "owned" ip. Their side has some very ingenious programs, and some very ingenious programmers. It seems to be modeled after the internet itself, with a distributed control system (like how dns works) and hundreds of thousands of nodes, to distribute the work over.

    Come to think of it, I wish that some of the regular software developers would adopt some of their tactics. Wouldn't it be nice, to have a database that has its content and meta data redundantly spread over thousands or hundreds of thousands of systems? With no single point of failure.

    Wait a minute... strike that last paragraph. Replace with: I have an idea for a database that has its content and meta data redundantly spread over thousands or hundreds of thousands of systems (patent pending, copyright 2008, pending trademark 2008, pending service mark 2008). And data encrypted too (another patent pending, another copyright 2008, another pending trademark 2008, another pending service mark 2008)

  7. Anonymous Coward


    Spam only exists because it's profitable.

    It's only profitable because people are stupid enough to open it. Some people are even stupider and believe it.

    It's a lot like what Renton in Trainspotting says about the English:

    "Some people hate the English, but I don't. They're just wankers. We, on the other hand, are colonized by wankers. We can't even pick a decent culture to be colonized by. We are ruled by effete arseholes. It's a shite state of affairs and all the fresh air in the world will not make any fucking difference."

    Some people hate spammers, I don't. Spammers are just opportunists. We (the internet-using masses), on the other hand, are exploited by wankers.

    I mean we all bitch and moan about it but at the end of the day the problem's only there because it's profitable.

    I don't see why businesses would be letting in hotmail, yahoo and google anyway, if a business partner is using those things you should think about getting a new partner.

  8. Anonymous Coward


    "Their side has some very ingenious programs, and some very ingenious programmers."

    And as mentioned in the article they farm the coding out. I once visited one of the freelance sites where a piece of work is offered out to potential bidders. You might have seen them; their forums are full of Americans complaining that they can't make a living because they are underbid by Asians who offer to do the job for sixpence, and suggesting that low bids should be disallowed as said Asians couldn't possibly do as good a job as them anyway.

    In my perusal of these sites there were a large number of requests for people to code this sort of captcha cracking software. Seems like the low cost Asians have done a pretty good job and proves that they are indeed very ingenious. With such a large potential programmer base it won't be long before other captchas are cracked as well.

  9. Anonymous Coward

    Gibson was right in a way

    Except instead of the Russian Military creating fancy code it is the spammers! :)

    Mine is the one with the Ono Sendai in the pouch built into the back.

  10. stizzleswick
    Thumb Up


    "Wouldn't it be nice, to have a database that has its content and meta data redundantly spread over thousands or hundreds of thousands of systems?"

    That already exists. It's called the "Internet."

  11. Stefan Spelter

    Better way

    Every Captcha in use can be cracked by some software. But a captcha isn't just a random alphanumeric code with fancy colors and everything. You can use captchas in different ways/arts/etc. For example: the captcha I programmed gets a question from the database and "asks" the user this question, i.e. "What color is the sky?" The answer would be "blue". The string is converted to lower case and if a space is at the end or start, I cut it off.

    The only thing is, there is a limit to the questions you can ask, and if they are recorded by the spammers, they can make a simple question/answer function in the bot.

    We have the idea to use pictures or create pictures with GD or ImageMagick and ask for the main color. To crack this, you have to teach your bot the color and what hexcode it could be. On the other hand, you have to program it into your software first.

    The idea with a picture could be extremely heavy. If the picture shows an elephant, you can ask "What animal is on the picture?" and to prevent the bot recognizing the picture by its hash, you can throw random pixel errors onto the picture; that would be the best thing. Humans can see what the picture shows without getting eye cancer from ugly warped text you have to decrypt. In that case, you only need a handful of pictures, questions and answers, easy for everyone, except the one who programs it ;) But if it's programmed, it could be the best captcha on earth.

    And no, I don't like the book captcha, it's stupid and could be cracked.

    Any ideas of other captchas, feel free to mail me @ spelter<dot>hof[@]freenet<dot>de (what for the @ in brackets)

  12. Anonymous Coward

    @ Elisha

    Further to the earlier comments, it's also (relatively) easy to spoof an IP address, a tactic used for many years by spammers.

  13. Eddie


    It's fascinating that in 2008 there are sufficient imbeciles still opening email from folk they don't know with stupid email addresses and subject headers, reading the usually idiotic message, then following any links to dodgy websites, then getting their credit cards out to buy penis enlargement pills, viagra or other drugs or stocks/shares in unheard of companies.

  14. Not That Andrew

    Hotmail and Yahoo! considered legitimate?

    On the boards I normally frequent, Hotmail and Yahoo! accounts are banned by default precisely because they are sources of spam, and have been for at least 3 years. I got grandfathered in, but good luck trying to create an account on them these days with a free account (even GMail).

  15. John F***ing Stepp

    Eh? (using that word lately, it is underused.)

    Image recognition based on Fourier transforms was developed about 15 years back.

    The process was analog (if I remember right) and used some kind of resonant fiber optic cable.

    Fast forward 15 years and that analog thing can be emulated digitally.

    (or for that matter, just aim the old analog version at your display and run the output back to the computer; why, exactly, did this take so long to figure out?)

  16. Trygve Henriksen

    The way to stop this...

    Is behavior matching and trick questioning.

    The first can be achieved by using session IDs and logging the time when certain pages are accessed.

    Whenever a registration page is accessed, the browser must have been on a page with a link to the registration page, right?

    And certain pages, like the terms of service, how long should it take to pass it, even if a user just skims it looking for the link to the correct page?

    Trick questioning...

    Here the user may be asked to 'select your favorite computer', and be given a list of 'Intel Pentium, Commodore PET, Zilog Z80, Atari ST, Sun ultraSparc 5, Asus eee, Lamborghini Diablo'.

    Anyone picking 'Intel Pentium', 'Zilog Z80' or 'Lamborghini Diablo' has of course failed the test...

    (The list of test subjects must contain related items to make an encyclopedic attack more difficult)

    Making the first item a 'fail' is a good idea to stop 'dumb' robots which scour the net searching for forums, filling out a certain set of well-known fields and ignoring all the rest.
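
The session-trace checks described in this comment (a registration page reached only from a page that links to it, and a minimum dwell time on the terms page), written as an added example rather than the commenter's own code; the page paths, the five-second threshold and the two constructed traces are assumptions.

```python
from dataclasses import dataclass

# Assumed site structure: pages that carry a link to the registration form.
# Coming back from the terms page is also a legitimate way to reach it.
REGISTRATION_REFERRERS = {"/", "/login", "/about", "/terms"}
# Assumed threshold: seconds a human needs to at least skim the terms page.
MIN_TOS_SECONDS = 5.0


@dataclass(frozen=True)
class PageView:
    t: float     # seconds since the session began, taken from the session log
    path: str


def check_session(views):
    """Return the reasons a session trace looks automated; an empty list means it passed.

    The two checks from the comment: the registration page must have been requested
    right after a page that links to it, and the terms page must have stayed on screen
    for at least MIN_TOS_SECONDS before the next request in the same session arrived.
    """
    ordered = sorted(views, key=lambda v: v.t)
    reasons = []
    for i, view in enumerate(ordered):
        if view.path == "/register":
            if i == 0 or ordered[i - 1].path not in REGISTRATION_REFERRERS:
                reasons.append("registration page requested without a linking page before it")
        elif view.path == "/terms" and i + 1 < len(ordered):
            dwell = ordered[i + 1].t - view.t
            if dwell < MIN_TOS_SECONDS:
                reasons.append(f"terms page passed in {dwell:.1f}s")
    if not any(view.path == "/terms" for view in ordered):
        reasons.append("terms page never viewed")
    return reasons


# Constructed traces, as a per-session log of (time, page) would record them.
HUMAN_TRACE = [PageView(0.0, "/"), PageView(12.4, "/register"), PageView(40.0, "/terms"),
               PageView(71.3, "/register"), PageView(95.8, "/register/submit")]
BOT_TRACE = [PageView(0.0, "/register"), PageView(0.3, "/terms"),
             PageView(0.5, "/register/submit")]

if __name__ == "__main__":
    print("human:", check_session(HUMAN_TRACE) or "passed")
    print("bot:  ", check_session(BOT_TRACE) or "passed")
```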

  17. Ken Hagan Gold badge

    Easy fix

    "Free email services from Microsoft, Yahoo! and Google are rarely blocked by anti-spam products,"

    Well there's your problem then.

    It's all about cost. If I mis-use an email account provided by my ISP, I'll probably get rapped on the knuckles and since I've paid good money to my ISP to get the account I might be a bit miffed if they boot me off. If I mis-use a MicroYahoogle account, I may or may not get thrown off but it won't have cost me anything and I can get another one easily enough.

    There's effectively no penalty for mis-use of a free facility, so free facilities tend to get mis-used. Ergo, free email providers should be at the top of anyone's spam filter.

  18. Dave
    Black Helicopters


    sounds like you're in need of 'git' for your source control needs. secure, distributed, and you can treat branches like redundant copies.

    take a look at the source code, it's just as good at database work as it is source control.

    ... the black chopper cause if everyone knew how good it is, Oracle would send round some thugs to shut me up.

  19. Giles Jones Gold badge

    Nintendo Wii

    The Nintendo Wii has a good email system implementation.

    When you add an email address to its address book it emails the address with a confirmation message. You can then approve or deny receiving email from the Wii.

    Obviously this implementation is all in the client and to work for computers it would need to be part of the server implementation.

  20. Anonymous Coward


    Ironically MS are a victim of their own poor security models. With a bit of luck they'll realise that instead of wasting effort constantly trying to defeat a multi-headed, shifting set of attackers they could focus more on locking down their bloody OS.

  21. Pascal Monett Silver badge

    I have a new idea

    Forget images. Just send a flash-based animation that requires the user to click in a specific area at a specific moment in time. The area to click in will be a color box moving on a white background, and the box goes a different color for the half-second you have to click in it.

    The click has to be made with the mouse, and the color should change at every reload.

    Click at the wrong time, you're out. Click in the wrong place, you're out.

  22. Anonymous Coward
    Paris Hilton

    Neural Nets and AI

    It would be very easy to train a Neural Network to recognise fonts in heavy noise situations, i.e. Captchas. I imagine the unsupervised training set is thousands of captcha images from all the sources they can find, then supervised training can be a mixture of clear fonts and further captchas.

    It would also explain why it's not always correct, as a human would prob get it right nearer 95% of the time. So my bet is that the 0day folks have gotten a hold of some AI student's research into Neural nets and captchas, and are giving it the needed field testing. Or it could be the students themselves making a quick buck off of Viagra :-)

    RFP : Reason for Paris : Neural nets are reaching Paris speeds

  23. Geoff Mackenzie

    No problem

    I block all mail from AOL and MS anyway. Anyone using either of those has nothing to say that I want to hear.

  24. Anonymous Coward

    Uh... surprised the success rate is that low, actually

    Since most scanner software comes with a method of making text in a document that you've just scanned in editable - or at least the HP stuff does. Simple shape recognition surely...

  25. Anonymous Coward


    Wasn't the IC a Chinese military program?

  26. Mark
    Thumb Up

    Surely a better Captcha system would be.....

    Use the munged text to ask a question requiring data to be extracted from some other munged text.

    So the first would be "Type the first/last number of green/red/blue/black capitals/non-capitals in forward/reverse order ignoring/using only the letters in the word as follows ......"

    Or "type the number of bold capital M's in the text followed by the number of letter y's in the text" (this is clearly weaker than the one above)

    Then you give a larger captcha image with a load of randomly generated letters in order in caps/small and with colours (although colours could be excluded to aid those who are colour blind)

    This requires the computer to identify the text in the first captcha, parse it, understand the question, then decode the second captcha and extract the relevant data from it.

    This double captcha method would also work for audio systems for the blind. The first question could be something like - "what is the largest animal in the following list?" and the second audio would be a list like "house, airplane, cow, dog, road, balloon" - the computer would then have to identify both the question, the list of answers and then understand which is the correct answer. This task is possible for a computer but is computationally intensive so would make it expensive to break. On the other hand building the audio is fairly easy as you could merely distort stored audio in a way that makes it hard for a computer to recognise!

    I don't know if anyone has thought of using systems like this but I don't see them being much harder to create than a normal captcha and they eliminate the need for images or similar.

    Anyone got any better ideas than this?
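
A generator and checker for the second question style in this comment (the count of bold capital M's, then of y's), written as an added example, not the commenter's design: the token attributes, the "lower-case y only" wording chosen to keep the question unambiguous, the space-separated answer format and the seeded RNG are assumptions.

```python
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    char: str
    bold: bool


# Rendered in the first captcha image. Stated precisely so only one answer is correct.
QUESTION = ("Type the number of bold capital M's in the text, then a space, "
            "then the number of lower-case y's.")


def make_challenge(rng, length=24):
    """Return (question, tokens, answer) for one double-captcha round.

    `tokens` is the letter sequence the second image renders, with a bold flag per
    letter; `answer` is the reply the server expects. Colour is deliberately not
    used, as the comment suggests, so colour-blind users are not excluded.
    """
    tokens = []
    for _ in range(length):
        ch = rng.choice("abcdefghijklmnopqrstuvwxyz")
        if rng.random() < 0.5:
            ch = ch.upper()
        tokens.append(Token(ch, bold=rng.random() < 0.3))
    # Guarantee at least one of each target so the answer is never "0 0".
    i, j = rng.sample(range(length), 2)
    tokens[i] = Token("M", True)
    tokens[j] = Token("y", rng.random() < 0.3)
    bold_ms = sum(1 for t in tokens if t.char == "M" and t.bold)
    ys = sum(1 for t in tokens if t.char == "y")
    return QUESTION, tokens, f"{bold_ms} {ys}"


def render_markup(tokens):
    """Plain-text form of the second image (bold shown as *x*), e.g. for logging a round."""
    return "".join(f"*{t.char}*" if t.bold else t.char for t in tokens)


def check_answer(expected, submitted):
    """Accept any separator between the two counts: '3 2', '3,2' and ' 3  2 ' all match '3 2'."""
    return re.findall(r"\d+", submitted) == expected.split()


def demo_round(seed=7):
    """One reproducible round; a seeded RNG is only for demonstration and tests."""
    return make_challenge(random.Random(seed))


if __name__ == "__main__":
    question, tokens, answer = demo_round()
    print(question)
    print(render_markup(tokens))
    print("expected answer:", answer)
```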

  27. Anonymous Coward

    Flash and color for captcha...

    Well... May sound nice but being colorblind I'd hate to have to get someone to tell me the color of an area of the picture to be able to access your forums.

    As for flash...

    Image captchas are already a problem for accessibility standards, leaving out many visually deficient users. I don't even dare speculate on how many users the flash solution will leave out...

  28. Gabor Laszlo

    Stopping spam

    As someone said, it keeps coming because it is profitable. Captchas are a kludge, not a solution. The only way to really stop it is to change the economics. BlueFrog had the right idea, and they were promptly DDoSed to death by the spammers, proof that they were actually making a difference. There are some FOSS projects trying to recreate their system on a p2p distributed model so this can't happen again, but it's slow going.

  29. Anonymous Coward


    They probably use software from the same company that supplies CSI/Miami/New York. You know, the stuff that can take the address off the back of a note held in the hand of the criminal who is a 6 pixel by 6 pixel reflection in the sunglasses of the man on the speeding motorbike.

  30. Spleen

    Re: Stefan Spelter

    A friend of mine developed a captcha that presents 9 pictures of animals in a 3x3 grid, and asks the user to pick the three kittens. Difficult for a computer to crack, and aw, kittens.

    Captchas do have to be easy for the human to solve as well as difficult for computers to crack. They're supposed to be a brief annoyance for the user, not some sort of intelligence test.

  31. Anonymous Coward

    My Captcha cracker

    uses locr (free Linux OCR util) with a number of ImageMagick commands fronting it to scrub the noise and improve the contrast of the original image. Mind you, the Captchas I'm breaking are quite low tech and don't feature text with significant wobbliness.

    Success rate for me is about 80%.

    Getting my coat from the locr.

  32. Robert

    Re: I have a new idea (flash captcha)

    You're not understanding the whole concept of captchas. Though they make the human jump through hoops to proceed, that's not their purpose. Their purpose is to present a problem that, using present levels of technology, can (hopefully) only be solved by a human -- but not so hard a problem that any humans would be "left out" or so arduous that the human is dissuaded from proceeding. And, in order for them to remain effective, they must be able to be dynamically generated; if a human must generate them (such as creating a question / answer pair) then the attackers / spammers can just cache the proper answers in a database. (My definition.)

    A flash animation that required a human to click would annoy humans, leave out a significant subset of human users, and (here's the real problem) probably be solvable using current computer technology. All you need is an open source flash engine that you can hack to your purposes. No mouse click is really needed; your pwned flash engine can register a simulated click whenever it wants. The trickiest part is figuring out when and at what coordinates to send the clicks. But since the code that drives this flash captcha would be human generated, it could be human reverse-engineered, and the knowledge coded into the bots with the pwned flash engines. The good guys in this "war" might then turn to code auto-generation / obfuscation, but if I had to bet money on who would win, it wouldn't be on the good guys.

  33. jai

    more complex = less users

    the trouble with making the captchas more complex to defeat automated systems is that they'll then get more difficult for regular users. what about colourblind people? or those with bad eyesight?

    and to be honest, if i have to spend 5 minutes trying to decipher a set of barely visible characters just to sign up to a web forum, or get free email, i probably can't be bothered.

    the idea of using double captchas where one is a question and the other an answer is a good one, but honestly it sounds like far too much effort for most users to be bothered with.

    so who would want to implement a system that is going to turn people away from your site before they've even managed to log in?

  34. Shakje

    Here's the problem...

    Users who are likely to not look at e-mail from random providers, surely won't treat hotmail with great regard, and surely won't fall for the usual 419ers?

    On the other hand, users who fall for scams are going to fall for them regardless of the email provider.

  35. Shakje

    Re: Hubris

    How about I hand out my router IP and you can break into my Vista box since it's so insecure.

  36. John Sims
    Dead Vulture

    Simple stop spam idea

    Along with the usual To, CC, BCC and Subject fields why don't they add an extra AntiSpam field. When you sign up with various websites and give away your email address you also give them an AntiSpam word or password. Within a setting with your mail provider you then provide a list of valid entries for the AntiSpam field. Any email without a valid entry goes straight into your spam box. If you start getting spam using one of the words or passwords you have a good idea who passed on or had your details stolen from and can then disallow that entry within your mail box. A spammer can find a valid email address easily but how are they ever going to know whether they used a valid entry in the AntiSpam field? Maybe I'm being short sighted but it sounds simple enough.

  37. Eddie Johnson

    I'm shocked I tell you...

    Shocked to hear that free email services are rarely blocked. Back around, oh, 1999 I guess, I didn't fully block but applied serious score penalties to hotmail, yahoo, msn, and of course aohell. I mean, back then they were often forgeries, but still. A man ahead of my time I guess.

    Well, there'll be no line at the coatroom at least. The one with the big "(A)" on the back please.

  38. Anonymous Coward

    @John Sims

    It's a goodish idea, but people don't care - an extra word is extra thought and effort. And users don't like extra effort. None of us do.

    Anyone who can already be bothered putting effort into things already has different accounts for different things

    1 email for rubbish you sign up to - to be honest for that kind of c--p most people will use fake email addresses from mailinator type companies.

    1 email for probably insecure junk like forums

    1 email for social networking junk

    1 email for kind of friends

    1 email for kind of important things - ecommerce type stuff, online games you pay for, pizza company, etc.

    1 email for important things like bills

    1 email for people who are really friends and family

    1 email you don't give anyone often used to obtain email accounts for bills and family/friends

    You can get away with 3 I suppose, a master account you give no one, a major account for important things, and a throwaway account.

    However normal everyday people are as likely to do that as they are to want to remember yet more bits and pieces. I personally hate the fact that I need 4 separate numbers for my banking - telephone pin, machine pin, web pin and a web account number. Email though unlike my bank isn't very important and should never be trusted.

    Why do we all care so much anyway, it's just junk, delete it and move on. One day people may stop falling for it, but then one day we may engineer flying pigs.

  39. Neil Docherty

    @John Sims

    Facebook actually do something similar to this already by adding a +somecode to the sender's address so you can validate it. For example,

  40. Avi
    Paris Hilton

    Hot or not...

    Didn't hot or not have a captcha API?

    I'm not sure there's any software out there that can be leveraged to pick the hottest out of four photos?

    You'd have the added advantage of effectively banning perverts, too.

    Ms Hilton, since she's not.

  41. Ros

    @ Stefan Spelter

    I've been using a text-based captcha that I developed myself for some time now, with good results. It uses a variety of types of question, which rotates on a daily basis.

    The only thing is, I've found that writing good captcha questions is an art. You have to be very careful to make them entirely unambiguous, and neither too hard nor too common. I see a lot of simple maths questions used as captchas, so it's only a matter of time before they are routinely broken. Ideally every website should have a unique set of trivia questions that don't follow a set pattern.

    Unfortunately this approach scales really badly for large websites, and I can't see it working for any of the major free email providers. They would need tens of thousands of questions and answers to make it work.

  42. Mark

    @Simple Stop Spam Idea

    That's all well and good but when the spammer gets hold of the antispam word you gave your bank/first born/local pub you would stop getting email from your bank/first born/local pub too. Ooops that's not a very good idea now is it? It wouldn't be too hard to get hold of said words given they would have to be unencrypted in the header to be of any use, and anyway what stops the spammer getting the words in the same way as they got the email address or just using a dictionary attack?

    Any sort of system like this requires pre-authentication which kinda removes a rather large part of the point of email. It would be like only accepting letters from people you actually know. You could I suppose have a secure anti-spam word based on an encrypted hash of the message, but that still falls foul of the spammer using a social engineering hack to get the keys to the code.

    My solution is to have 7+ different email addresses, 3 on free providers, 1 paid for web-mail, 2 domains with multiple aliases set up and that ignore anything not sent to one of said listed aliases, and finally my work address.

    One of the free providers is for sign ups to sites I never want to hear from again and that I think are likely to sell the address on, one is for slightly less dodgy sites and Live Messenger, one for Google Talk and as a destination for a number of the aliases. The paid for web-mail is for personal use with friends and as the destination for the remainder of the aliases. The aliases allow me to have email addresses that won't change so are useful for things I want to sign-up to for the long term or where the address might need to be reachable by someone in a couple of years time (I often use them in code I write for people). The work address is surprise-surprise for work related stuff, nothing important goes there since I'd lose it if I left the company - It gets no spam since it is never published or used for signups.

  43. bluesxman

    RE: Simple stop spam idea

    Something like that is already theoretically possible (though unworkable in reality) with the likes of Gmail -- IIRC they call it "plus addressing". Imagine your email address is yourname@somesite.blah ... you would sign up at (say) The Register with yourname+elreg@somesite.blah* ... the resulting email will still be delivered to your "yourname" account, but you can then filter based on the "plus" part**

    * Caveat #1: I did try to get something like this going on, but I quickly found that the VAST majority of websites (that I attempted this on) insist that "+" is NOT a valid character to include in the email address. If all those eejits would get wi' the program it'd've made my life a helluvalot easier!

    ** Caveat #2: in order for this to defeat most effectively those dirty spammers, you'd have to sign up with a "plus" suffix every time, and filter your email such that emails without such a suffix are always considered to be spam. Which would also mean your friends would have to remember to include the tag too.
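
A filter that implements the scheme from comment 36 (a per-correspondent AntiSpam word that can be disallowed once it leaks) using the "plus" suffix from comment 43, written as an added example that is neither commenter's code nor Gmail's; the mailbox, the `X-AntiSpam` header name, the tag list and the constructed messages are assumptions, and the "no suffix means spam" rule is caveat #2 made switchable.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed mailbox: yourname@somesite.blah, as in comment 43.
LOCAL_PART = "yourname"
DOMAIN = "somesite.blah"

# Tags handed out per sign-up. A tag that starts receiving spam is marked revoked
# rather than deleted, so the record of who it was given to survives.
TAGS = {
    "elreg": {"given_to": "The Register", "revoked": False},
    "bank":  {"given_to": "the bank", "revoked": False},
    "pub":   {"given_to": "local pub", "revoked": True},   # leaked, so disallowed
}


def extract_tag(address):
    """Return the '+' suffix of an address for this mailbox, '' if it has none,
    or None if the address is not this mailbox at all."""
    local, sep, domain = address.lower().rpartition("@")
    if not sep or domain != DOMAIN:
        return None
    base, _, tag = local.partition("+")
    return tag if base == LOCAL_PART else None


def classify(raw_message, require_tag=True):
    """Return (verdict, tag): verdict is 'inbox' or 'spam'.

    The AntiSpam word may arrive either as the plus-suffix of a To/Cc address or in
    an X-AntiSpam header (assumed name). The first valid, unrevoked word wins; an
    unknown or revoked word is spam; a message with no word at all is spam when
    require_tag is set (caveat #2) and inbox otherwise.
    """
    msg = message_from_string(raw_message)
    candidates = []
    header_word = msg.get("X-AntiSpam")
    if header_word:
        candidates.append(header_word.strip().lower())
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        tag = extract_tag(addr)
        if tag is not None:
            candidates.append(tag)
    if not candidates:
        return ("spam", None)          # not addressed to this mailbox at all
    for tag in candidates:
        if tag and tag in TAGS and not TAGS[tag]["revoked"]:
            return ("inbox", tag)
    if "" in candidates and not require_tag:
        return ("inbox", "")
    return ("spam", candidates[0])


def revoke(tag):
    """Disallow a word once spam arrives on it; TAGS[tag]['given_to'] says who leaked it."""
    TAGS[tag]["revoked"] = True
    return TAGS[tag]["given_to"]


# Constructed sample messages (headers only matter here).
MSG_FROM_REGISTER = ("From: news@example.com\nTo: yourname+elreg@somesite.blah\n"
                     "Subject: Weekly\n\nhello\n")
MSG_LEAKED_TAG = ("From: pills@example.net\nTo: Your Name <yourname+pub@somesite.blah>\n"
                  "Subject: enhance\n\nbuy\n")
MSG_NO_TAG = "From: old-friend@example.org\nTo: yourname@somesite.blah\nSubject: hi\n\nhi\n"
MSG_HEADER_WORD = ("From: statements@example.bank\nTo: yourname@somesite.blah\n"
                   "X-AntiSpam: bank\nSubject: statement\n\n...\n")
MSG_NOT_OURS = "From: a@example.org\nTo: someone-else@somesite.blah\nSubject: x\n\nx\n"

if __name__ == "__main__":
    for name, raw in [("register", MSG_FROM_REGISTER), ("leaked", MSG_LEAKED_TAG),
                      ("no tag", MSG_NO_TAG), ("header", MSG_HEADER_WORD)]:
        print(f"{name:9} -> {classify(raw)}")
```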

  44. Anonymous Coward

    @John F***ing Stepp

    "Image recognition based on Fourier transforms was developed about 15 years back.

    The process was analog (if I remember right) and used some kind of resonant fiber optic cable."

    You don't remember rightly. That was a process for image sharpening and removing transmission noise. It didn't do any kind of recognition whatsoever.

  45. Anonymous Coward
    Thumb Up


    I hope this means an end to those annoying things.

  46. Josh
    Thumb Up

    @ Ken Hagan


    Gonna have to use that one...

  47. Hayden Clark Silver badge

    Disposable addresses don't always work

    This relies on all your friends, relations and whatnot also being good at security. If *they've* got a Trojan, their address book gets hoovered up and sent to The Bad Guys. Result - "enhance your manhood" adverts to your family mail account.

  48. Joe

    The best idea on here... the Wii one.

    It would be so easy for the free email providers to forbid users from sending email to an address until it has been entered into the address book, and accepted by the recipient as someone they know (via automated email).

    This wouldn't require more complex captchas - most of the ones suggested here are either too weak or too complex for the user. Certainly, most of those suggested here would block out all non English-speakers, colourblind people, etc.

    Yes, address book authentication is the way forward!

  49. John F***ing Stepp


    Oh, right.

    What I get for trying to *RWD.

    It was using holographic film; say a picture of the letter A that when held over the letter A would cause recognition. Even if the A in question was in a different font.

    (*of course I could be wrong again, now I am trying to remember while hung over.)

  50. theotherone

    nothing new...

    Captcha cracking is nothing new; in fact, one of the more successful pieces of forum spamming software, xrumer, does it very quickly and accurately, and as a matter of course. It's a small step from there to take the cracking algorithms and develop them further for other purposes.

    Me thinks it's high time this system was replaced by something that only a human intelligence can work out. It's easy to do, and only the laziness of web developers is to blame, for example can you tell me how in hell a bot could ever figure out an answer to this:

    Q- If Billy has 3 apples, and gave John 2 of them, then who won the world cup in 1996?

  51. Anonymous Coward


  52. Jared Earle


    "Q- If Billy has 3 apples, and gave John 2 of them, then who won the world cup in 1996?"

    Now that's one I can't answer. I don't know what sport you're talking about. There was no football or rugby world cup played in 1996, for instance. Does Tiddlywinks use a cup?

    # mv ${coat} > ~/

  53. Mark


    In fact it was Sri Lanka by 7 wickets. But I'm sure a computer can work that out.

  54. Shakje


    If that became common practice as a captcha, I'd do it by finding the question mark in the statement, then taking all the words back to the first punctuation mark it finds (in this case the comma, so "then who won the world cup in 1996" being the string I've got), then stick that string into a few search engines and look at what the most recurring words are that aren't included in the string you're passing in. This would work better if you specified the actual sport.

  55. Scott Butterworth

    Automated webpage security

    These spammers typically use software that either:

    a) Uses javascript or Windows API interactions to navigate the DOM of the "Create New Web Account" to select-from/fill-in the controls on the form before simulating the relevant control interactions (eg. button clicks) to cause the postbacks.

    b) Generates a proxy page that transmits the correct values to the receiver page. They'll often spoof the page path/name and domain to make it look legitimate enough to bypass any basic security checks.

    c) Uses any unsecured web services that are designed to automate server interactions (such as account creation) for legitimate customers/partners. Due to the rise of AJAX people are creating web services more and more often these days and a lot of people forget to secure them adequately (merely using the SOAP protocol does not guarantee an adequate level of security).

    In Microsoft's case I doubt they are stupid enough to be caught out by either (b) or (c) which leaves (a) as the most likely scenario.

    In this case, in addition to using a Captcha image, the server-side page that renders the "Create New Mail" form could also start randomizing client control names/ids per request by a validated IP session (tracking the randomized names on the server so that when they are posted back it knows how to correctly translate them). This would make it very difficult to write code to target those controls and they'd have to resort to using index values (eg. the first textbox control = firstname), which you could foul up by generating a random number of fake masked controls on the page to mess up the index ordering.

    Also judicious use of secured Flash or Silverlight controls for data capture with no exposure of internal object names or programmatic control methods (basically make human interaction the ONLY means to interact with the flash object) can make life difficult for spammers too.

  56. Anonymous Coward
    Anonymous Coward

    @Hayden Clark

    so? Nothing important goes to that mail address - change it. Also as you only have X number of known people delivering mail to the address just bounce anything not from those people.

    It's pretty simple if you're bothered.

    Me I'm not all that bothered - the spam in my c--p mail box amuses me.

    Apparently there is an office in America that has a cheque for £5 for me!

    Also a rogue millionaire who wants to share his secret! Apparently people are after him, I just need to click the link to find the answer da da daaaa

    There are also some sexy adults looking for a good time in my local area apparently!!

    And a rolex watch that I should look at!

    Seriously spam mail amuses me no end on a slow day through a text only client.

    Anyway I realised what the closest comparison to the modern internet is.

    Free local papers and that junk mail you get through the door. The whole thing is trash sponsored by rubbish adverts and unwanted junk. Oh well.

  57. Stephen Tordoff

    Re: Plus Address

    An email in this form surely will not fool spammers; they just discard the information after the +

  58. Anonymous Coward

    @Jared Earle

    "# mv ${coat} > ~/"

    Fail. Can't redirect stdout to a directory.

  59. theotherone
    Paris Hilton

    @worldcup 1996

    well, there you go, that's proof of concept innit? If humans are having a bloody hard time answering it, I'm sure computers will be buggered by it, and spammers will probably move on...

    Hilton...cause she knows her "score" in 1996...

  60. Anonymous Coward
    Paris Hilton

    Best Solution!

    Use get out of the basement and meet people face to face!

    Paris thinks the "basement" is an erogenous zone.

  61. Joel
    IT Angle

    Instant Messages

    No idea if this is related but I received a spam instant message from a random address, sending me a link to a website to download a MS Dos file of some kind.

    The ol' "I've found some pictures of you!" scam... I think the url they sent me to was or something along those lines.

  62. gman
    Thumb Up

    not even new

    good spam outfits have ocr software to read the captcha and send back a valid response approaching 99.5% of the time. The system described in the article is just a newbie typer system when the captcha is fetched using curl and appears on another web site for a "typer" to read and send back. Same technique is used for autoranking bots for several online games that use captchas.

  63. auser


    are simply using the algorithms developed for mmo games. In most games, the only way to interact with the system is through image recognition and simulated input events, because the game contains code against traditional hacking. The solution used there is to OCR the whole screen, extract the required data (like location of a mob) and generate the input events (like attack). Using the same technology for captcha decoding is possible. The human vision system is well understood and there are good neural models that can give almost the same precision. There are cases when the captcha is so distorted that a computer has a better chance to understand it than humans.

    The problem is that if you require some intelligence to solve the problem, then some users won't be able to use the service. If you make it a hard but dumb task, a neural algorithm can be used to defeat it. And computers are getting better than some people.

    For mass mail detection, a distributed database would work, where every email is recorded, fingerprinted and checked. If a mail matches one of the known spam mails, the spam can be revoked from all participating servers on the internet. The problem with this solution is that it lends itself to political censorship. Actually the Chinese government tries to do exactly this with every email and blog within China that contains any political meaning. A working, but usually nonpolitical version is used by some Israeli email providers to flag and filter spam emails. If a mail hits more than one of their user accounts, they flag it as spam, and if a user indicates that it's truly spam (by clicking), they remove it from all other accounts. The result is that at most only one user sees every spam they get, no matter how many users get it in the inbox. Connecting multiple servers (and providers) decreases the redundancy of the checks and the amount of displayed spam.
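    The shared spam index auser describes (fingerprint every mail, flag it once it hits a second account, and let one user's spam click purge it from every other inbox), as an added Python sketch that is not code from any poster here; the normalisation rule, class names and sample messages are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict


def fingerprint(body: str) -> str:
    """Normalise a message body and hash it, so copies of one spam run that
    differ only in case, spacing, digits or the tracking URL collide."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)   # per-recipient links vary
    text = re.sub(r"[^a-z<>\s]", "", text)          # drop digits/punctuation
    text = " ".join(text.split())                   # collapse whitespace
    return hashlib.sha256(text.encode()).hexdigest()


class SharedSpamIndex:
    """Cooperative index shared by all participating accounts (constructed):
    a fingerprint seen in more than one inbox is flagged, and one user's
    spam report confirms it and purges it from every other inbox."""

    def __init__(self) -> None:
        self.recipients = defaultdict(set)   # fingerprint -> accounts hit
        self.confirmed = set()               # fingerprints reported as spam
        self.inbox = defaultdict(list)       # account -> [(fingerprint, body)]

    def deliver(self, account: str, body: str) -> str:
        fp = fingerprint(body)
        if fp in self.confirmed:
            return "dropped"             # known spam never reaches an inbox
        self.recipients[fp].add(account)
        self.inbox[account].append((fp, body))
        # the same body landing in a second account is the mass-mail signal
        return "flagged" if len(self.recipients[fp]) > 1 else "delivered"

    def report_spam(self, account: str, body: str) -> int:
        """User click: confirm the fingerprint and remove the message from all
        other accounts. Returns how many other inboxes were cleaned."""
        fp = fingerprint(body)
        self.confirmed.add(fp)
        removed = 0
        for other in list(self.inbox):
            if other == account:
                continue
            kept = [m for m in self.inbox[other] if m[0] != fp]
            removed += len(self.inbox[other]) - len(kept)
            self.inbox[other] = kept
        return removed

    def bodies(self, account: str) -> list:
        return [body for _, body in self.inbox[account]]
```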

  64. Alastair

    All rubbish

    This is why places like Facebook get so popular. I've not e-mailed any of my friends in ages; I just send them a message on FB. That way I know it actually gets through and gets noticed...

    Really, the best CAPTCHA is one that you make yourself. Well, to a limit; if you make a crap one you'll get everything you deserve. One of the more effective solutions I made at my work was to create a form field labelled "Do not fill this field in", gave it the name "email" and hid it with CSS. A bot doing a DOM scan will pick it up and shove some text in there, and they'll fail validation.

    Obviously, that could be (and eventually probably will be) circumvented within 10 minutes if one of these talented spammy programmers took the time- but they don't. We're just one (minor) web site, so they never notice.

  65. Dave
    Thumb Up


    Nice idea. How about storing a large database of images, each of which is tagged with a number of keywords. Thus the user can be presented with a random selection of images and asked to "Select all animals", "Select all buildings" or "Select all cats".

  66. marc
    Gates Halo


    Take £1 from their account and then put it back in a day later. That would stop automated registration :)

  67. gman

    about flash captchas..

    flash captchas are even easier to crack than standard image captchas because flash stores the info from them on the hard drive, making it even easier to write a pseudo OCR using the stored info to determine the correct response. several online games have tried this already and went back to image captchas.

  68. Adam


    Your method of sending a flash animation is just as easy to break as any existing solution. Mouse clicks don't get sent over the internet, they are simply messages in a queue on your local machine. When the flash application gets around to polling the message queue, it notes the message and can react to that. At the end of the day, your security model involves you trusting the communications from the flash running on the client when it says the click occurred at the right moment.

    The best method I have seen is a combination of some form of captcha and some obscurity techniques. You can create form elements, but use CSS to make sure certain elements are never visible to the user. Most bots will randomly fill in different fields (particularly if they have a common name like Password), but because you know that a user could not have seen that field, anything that filled that field must be a bot. It is not foolproof, someone studying your CSS would discover this trick and could code around it, but it might be sufficiently annoying. You can not outrun a lion, but you can usually outrun the bloke behind you.
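    The per-session randomisation of control names and order that Scott Butterworth proposes (comment 55) and the CSS-hidden decoy field that Alastair and Adam describe (comments 64 and 68), combined in one added Python sketch of the server side; this is not code from any poster, and the field list, decoy name, class names and HTML layout are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

REAL_FIELDS = ["firstname", "email", "password"]
HONEYPOT = "_trap"   # logical name of the hidden decoy control (constructed)


@dataclass
class SignupSession:
    """Per-request server state for one rendering of the signup form."""
    token: str = field(default_factory=lambda: secrets.token_hex(8))
    alias: dict = field(default_factory=dict)   # logical name -> random id

    def __post_init__(self) -> None:
        # Randomise both the control names and their order, so neither a fixed
        # name nor a fixed index locates a control; the decoy is mixed in too.
        names = REAL_FIELDS + [HONEYPOT]
        secrets.SystemRandom().shuffle(names)
        self.alias = {n: "f_" + secrets.token_hex(6) for n in names}

    def render(self) -> str:
        """HTML for this session only (visible labels omitted for brevity).
        The decoy is hidden with CSS, so only a DOM-scanning bot sees it."""
        rows = []
        for logical, html_id in self.alias.items():
            if logical == HONEYPOT:
                rows.append(f'<div style="display:none"><label>Do not fill this '
                            f'field in</label><input name="{html_id}"></div>')
            else:
                rows.append(f'<input type="text" name="{html_id}">')
        return "\n".join(rows)

    def validate(self, posted: dict) -> Optional[dict]:
        """Map posted random ids back to logical names. Reject the submission if
        the decoy holds a value, a name was not issued to this session, or a
        real field is missing; return the clean field dict otherwise."""
        if posted.get(self.alias[HONEYPOT], "").strip():
            return None                      # no human could have seen it
        if set(posted) - set(self.alias.values()):
            return None                      # replayed/guessed control names
        result = {}
        for logical in REAL_FIELDS:
            value = posted.get(self.alias[logical], "").strip()
            if not value:
                return None
            result[logical] = value
        return result
```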

  69. Anonymous Coward
    Paris Hilton

    only for the English speakers

    all of the question based captcha schemes suggested here would only let English speakers in

    I've heard this is something Paris also does

  70. amanfromMars Silver badge

    Mars Believe Captcha .......... Base Space Stations Docking?

    "The Nintendo Wii has a good email system implementation.

    When you add an email address to it's address book it emails the address with a confirmation message. You can then approve or deny receiving email from the Wii.

    Obviously this implementation is all in the client and to work for computers it would need to be part of the server implementation.".... By Giles Jones Posted Friday 8th February 2008 10:14 GMT ..... A Very Honourable Validation Service, Mr Jones. Sublimely and Supremely/SuperMemely HyperRadioProActive. And something to be QuITe XXXXPected of Pensive Eastern Wisdoms/Personal Universal Protocols.

    ....... AI Space Confederation Alliance with all Base Players Totally Aware of Information and ITs Appeals/Drivers.

    "Their purpose is to present a problem that, using present levels of technology, can (hopefully) only be solved by a human -- but not so hard a problem that any humans would be "left out" or so arduous that the human is dissuaded from proceeding. And, in order for them to remain effective, they must be able to be dynamically generated; if a human must generate them (such as creating a question / answer pair) then the attackers / spammers can just cache the proper answers in a database. (My definition.)" .... By Robert Posted Friday 8th February 2008 12:55 GMT ........ A Definition of Virgin Viable Source 42 Build with ...... Boldly Go .........Jump, Robert.

    IT would certainly be One that I would Recognise as Available.

    "Use get out of the basement and meet people face to face!

    Paris thinks the "basement" is an erogenous zone." .....AC, Paris in the basement would be an erogenous Zone. And Beautifully Dangerous in UltiMate Pleasures. :--------) ;-)

    If e-mail does not Provide Guarantee in Service of Delivery then Important Delivery messages will be BroadbandCast to the Web in a Personal Blog/Forensic Record of CyberActivity....... Thus removing the Offered and Confered Advantage to E-Mailed "Clients". That is far too much like shooting oneself for no good reason to be wise and practised. However .......... the world is a strange place with all sorts at their Work, Rest and Play.

    Which you Gotta Admit, is One Helluva Turing Test in Magical Mysteries for Creative Controls..... Generative Power of Parallelling Intellectual Property. AIMining of Minds in XXXXChange for the Battle of Wills.

  71. Jeremy

    All missing the bloody point.

    Using Captchas to stop spammers is like trying to stop the horse as it legs it out the stable door.

    Rather than spending all that creative geekness on devising new and more irritating ways to annoy people signing up for your service, we need to be looking at making spamming an unattractive business to be in.

    How? Don't ask me cos I don't know (I wouldn't be so poor if I did) but it's probably not something that can be done with technology alone. Are we really intending to play this cat and mouse game with the spammers forever? Eventually either Tom or Jerry has to grow up and end the game.

  72. Donald
    Thumb Down

    I told you so!

    Sorry, but I worked this out months ago. It's not even hard to build apps with OCR these days; even a 6 year old could. I love the comments about how people think spammers are stupid and can't code, hahaha, would you like a degree with that MCSE? Hey, when some people say that's a stupid method, keep thinking what you like and get yourself another rentacoder. You want it safe and stopped? Do it at ISP level. There is no reason an ISP cannot block you going to illegal sites or stop spam being sent out or coming in. But do give us a choice if we can select this option ON or OFF. Why do people always try to fix the problem at the bottom of the chain? If it's blocked, spammers would stop for good; why would they even bother? Then again they might already be tracking everyone's activity and can fit another software layer on top, lol

  73. ChessGeek

    Yes, but...

    They can register all the email addresses they want, but someone is going to have to do a LOT better than the idiotic drivel I get for spam before they get me to open it, let alone click on anything.

    Even my mom, who isn't very computer savvy, doesn't open spam - so it doesn't take computer smarts.

    That's the only way we'll ever end the spam epidemic, for people to wise up.

    Sadly, that's also why we'll never end the spam epidemic. Even the relatively small percentage of hopeless morons in the world is profitable for spammers.

  74. Bruce Leyden
    Paris Hilton

    Apologies if this has been mentioned already...

    Instead of trying to deduce the captcha string heuristically or by serving the images in return for free porn, if I was a spammer I'd be serving them one after the other to some poor hired hand on a piece rate per correct answer.

    Paris 'cos that job could be right up her street - apparently she needs the money these days.

  75. J

    No, no...

    All wrong. You guys have got no clue.

    The way to really stop spam is... Voodoo CAPTCHAs!

    Here's how it works: do whatever, preferably nothing. Then ask a witch doctor to put a spell on your registration mechanism, or whatever bloody thing it is you're doing. For the spell... something sweet and simple will do, say: registering for spam purposes? OK, the author of the bot instantly gets an incurable testicular cancer -- or other body part of your choosing, of course. Ask your local witch doctor what would be preferable. What about random organs? Organ of the day?

    But that's not all, the most important comes now! The CLIENT of the spammer gets an incredibly painful brain tumor -- fatal, of course. OK, the brain itself does not really hurt, you will say, but any respectable witch doctor should be able to take care of that...

    If you implement my strategy, I assure you that spam traffic will be reduced to 1.3% of current levels in a few days. You're welcome.

  76. Tezfair

    simple idea?

    If you're faced with CAPTCHA you're likely to enter your throw-away email anyway, so why not have the CAPTCHA emailed to you and then you enter it as a double verification. Nothing is seen by bots and I'm sure they don't want the task of spamming themselves before spamming others
