back to article Spammers crack Gmail Captcha

Spammers, fresh from the success of cracking the Windows Live captcha used by Hotmail, have broken the equivalent system at Gmail. Internet security firm Websense reports that miscreants have created bots which are capable of signing up and creating random Gmail accounts for spamming purposes, defeating Captcha-based defences …


This topic is closed for new posts.
  1. Chris

    Hats off to them...

    I had to fill in a GMail CAPTCHA today - it took me two goes and a lot of squinting to read it myself. And I think I'm human...

  2. Jacob Reid

    'Turing test'?

    No, no, no. CAPTCHA is the opposite of a Turing test - A Turing test is a human trying to tell a human and a program apart, a CAPTCHA is a program trying to tell a human and a program apart.

  3. Anonymous Coward

    Holiday in Cambodia

    Where the people dress in Black...

    With that tag-line, I've now got several Dead Kennedys tracks going round in my mind, and this will have to be dealt with by playing said tracks at maximum volume which will annoy the wife.

    I can't quite see the connection between the tag and the article, but maybe I'm just too semantically blinkered!

  4. Cameron Colley

    Where can I buy this software?

    As someone who has problems trying to read the letters in captcha images, I could do with some help.

  5. Anonymous Coward
    Anonymous Coward

    Can I get a copy?

    I had to reset my brother in law's Hotmail password for him (yeah, I know, he's a tyre fitter, what can you expect) and I couldn't read the bloody captcha so respect to anyone who's written software that can.

  6. Morely Dotes

    Trivially defeated

    Making the zombies work harder is the solution.

    Current captcha cracks against Google are only successful 1 time in 5 (20% successful). By chaining three captchas together, Google could reduce the success rate to a mere 0.8%, or one in 125 attempts.

    While I don't think captchas are especially good security, this simple step would be an interim measure while something truly effective is developed.

  7. Anonymous Coward

    "Stealing People's Mail"...

    ... is the presumably the correct DK track the semantically challenged amongst us should be listening to right now.

  8. Anonymous Coward
    Jobs Horns

    Actually, it's the work of people who write captcha-reading software that makes captcha's harder and harder to read by humans. So, if you have a hard time reading captcha's, you should be AGAINST those who write software to read them.

  9. Wyrmhole
    Black Helicopters

    Bot army now with human servants?

    So apparently Russians are paying people to correctly identify captcha strings for their bots?

  10. Kevin McMurtrie Silver badge
    Thumb Down


    We all know that Google GMail can't be used for spamming. That's what Google says every time they ignore your complaints about spam coming from their mail servers.

  11. Stu
    Black Helicopters

    Other techniques

    I'd wager their sophisticated OCR tech actually only matches one in a hundred captchas. You know, the poorly generated ones that an amoeba could read. The article mentions only 500,000 accounts generated by the HotLan trojan, if it were more sophisticated at reading I'd imagine this figure would be in the millions.

    In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if its deemed to be trying too often.

    ...Or does it match good enough to work on the first, second or third try of a captcha in most cases? That would work.

    Unless the spammers could go into legit business with incredibly sophisticated OCR technology, I doubt they're THAT clever - just that GMail and MSN aren't that reactive to such threats.

    But I dont really know...

  12. Barry Rueger

    There's Money to be made...

    For the person who is ready with a new, secure, backwards compatible, and spam proof e-mail replacement when the existing system finally collapses in a year or so. Someone needs to rethink this from the ground up as the current e-mail technologies just aren't adequate, and there are far too many circumstances where whitelisting isn't practical.

  13. tfewster Silver badge

    Re: Bot army now with human servants?

    > So apparently Russians are paying people to correctly identify captcha strings for their bots?

    That's how I read the Websense article; And the second host appears to be (doing a bad job of) trying to crack the Captcha programatically, so Man is still ahead of Machine.

    But why don't the bad guys just pay people to create accounts for them? Surely none of their "workers" think that getting paid just for reading Captchas can be legit? Or does GMail disallow 2 signups from the same "source"?

  14. Anonymous Coward
    Anonymous Coward

    Ineffective CAPTCHAs

    A web site I frequent must not have too much of a problem with CAPTCHA crackers - their CAPTCHA image consists of four or five GIFs string together, a la 1.GIF 7.GIF 3.GIF 2.GIF 9.GIF.


  15. Anonymous Coward
    Anonymous Coward

    More Dead Kennedys

    Given the amount of spam pushing penis enlargement, surely the correct Dead Kennedys track is Pull My Strings - "is my cock big enough, is my brain small enough ..."

  16. Anonymous Coward
    Thumb Down


    my favourite types of 'captcha' are the ones which dinnae tell you in advance whether or not the code is case sensitive... or tell you it is and then present you with a letter which looks the same in both upper and lower case... or make no distinction between capital I [eye], lower case l [el] and the number 1 [one] .... or between the letter O and zero...

    and dinnae even get me started on sign up forms which ask you to pick a username or password and then *only* after you've submitted the form, throw an error in your face, telling you that 'your username needs to be at least six characters' or 'your password must contain at least one number'..... so you change your username/pass from the ones you wanted to use to ones that conform to the whims of the form designer and then have to write the feckers down, so you willnae forget them - which kinda defeats the whole purpose of having a login/pass in the first place!

  17. Jach

    Back to Invite-Only

    It was kind of neat when Gmail was invite-only. Felt like you were in some special club or something.

  18. This post has been deleted by its author

  19. Will

    even better

    How about having to crack the first 3 levels of bricker or pac man before your sign up is accepted. Now we are talking!

  20. Will

    moving captchas

    Imaging a animated GIF captcha swirling in an infused cloud of incandescent murkeyness. That would stump everyone. Top marks.


  21. Anonymous Coward
    Anonymous Coward


    @Jacob Reid - that had always bothered me too...

    Also, what's with the Dead Kennedys ref? Or is it the DKs refering to somethig else?

  22. Anonymous Coward
    Gates Horns


    "In which case, Google and MSN should just limit multiple captcha page retries and block access from specific IP addresses for several hours if its deemed to be trying too often."

    Which would have blocked me the other day as it took me multiple failed attempts to work out that the Hotmail CAPTCHAs don't work in Firefox!

    You can put the right characters in as many times as you like, it always fails until you try IE (didn't check with Opera)

  23. Goo
    Thumb Up


    thats a shame, but Google Mail is still light years ahead of every other mail service on many fronts so i'm still voting for them

  24. Anonymous Coward

    And so it continues

    One of the biggest problems is a particularly nasty piece of scumware called XRumer. It cracked the phpBB2 CAPTCHA some time ago and it looks like it'll add "support" for Gmail, Windows Live and Yahoo in due course. If you've ever had to do admin for a forum and delete hundreds of spam registrations with generic details such as random countries for location or bland descriptions for occupation you'll have come across its after effects.

    I don't think coming up with increasingly obscure and technical ways is really the best way to deal with spam and malware. This isn't some bored teenage cracker trying to show off his l33t h4x0r skills but a bunch of crooks with plenty of time and (often stolen) money. The problem of botnets is a bit like someone who doesn't realize they own a toxic waste dump that's polluting a river. Sure someone downstream might come up with a way of removing some of the pollutants and stop it affecting them, but the source is still there.

    Bots generally have a pretty distinctive "signature" for the type of traffic they produce. You can usually guess a pwned machine from the headers of a spam email or a failed semi-automated attempt at registering on a forum. It's likely that the owner of the machine (as opposed to the bot herder) is unaware that they don't have full control of what happens on it and they would probably be shocked to know a criminal gang is using it for nefarious purposes. One problem is that people don't always understand the importance of keeping a machine patched ("I don't use that feature so why should I care?") and even if they do it isn't physically possible to do so because MS have decreed that it's reached the end of its life. The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

    I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!) along with a mandatory requirement for MS to continue to update its operating systems until the usage is so small that any impact will be minimal. Changes to the OS kernel mean that a lot of old DOS viruses don't work under Windows, open mail relays are somewhat a thing of the past and rogue diallers were pretty much killed off by broadband. However it's difficult to lock down an old Windows box with gaping holes when MS refuses to patch them.

  25. Ryan

    Kittenauth FTW

    I'd like to see software reliably tell bunnies & kittens apart.


    I'd like to see bunnies & kittens!

  26. Grant Alexander

    passwords and logins


    kevin mitnick, the famed ex-hacker now security adviser, recommends that people select very complex passwords and that they write them down, and keep them somewhere safe - like in their wallet with the other valuable paper.

    too many people choose lame passwords and if we try to force people to adopt more secure passwords, there is a huge resistance. personally i try to use passphrases of a sort. the downside is i am a slow typist - but that is the price i pay for being security conscious.

  27. Adam White

    Police Truck

    Well tonight's the nice that we've got the truck

    Gonna go downtown gonna beat up drunks

    We'll ride oh how we'll ride

  28. Shannon Jacobs

    No, heads off the spammers

    Diabolical ingenuity should *NOT* be rewarded.

    Spam email is an economic problem, and no technical or legal or medical or non-economic solution is going to fix it.

    One solution would be to fine anyone who helps spammers. That would eliminate the free email accounts and free website hosts, but at this point I think it would be worth it. In Japan, I'd hope the ISP Dion would go bankrupt on their spam-support fines.

  29. Mark Simon
    Paris Hilton

    The irony of it all ...

    Are these the same spammers who invented image spam? When spam filters started using OCR, they started to distort the image to bypass this.

    So, if I understand correctly, captcha is a technique used to disguise spam, and make it harder for humans to register. it is machine readable by spambots but not spam filters.

    If I understand correctly.

  30. Anonymous Coward
    Thumb Down


    Now they will have to come up with something even more annoying to authenticate humans.

  31. Anonymous Coward
    Thumb Up

    @ Morely Dotes

    Good thinking. Instead of identifying numbers and/or letters, the random question might ask what colour the letter i is or which character is uppercase, which character is Chinese, etc. And, as mentioned above, blocking the IP from creating an account after creating an original account would help too.

  32. Bogwitch

    Taken by force

    Considering the name of the author, perhaps that would be more appropriate.

  33. Anonymous Coward

    So, they have finally found the...

    G spot?

    No, I'm not wearing anything thanks!

  34. Gabor Laszlo
    Thumb Up

    @And so it continues

    I'm a phpBB2 forum admin, and when the bogus accounts started to appear (they would register but couldn't activate - I use confirmation emails, obviously not an option when signing up for an email account:) So I just added a nonstandard mandatory field in the registration form. Problem solved, haven't seen hair or hide of bots since then.

  35. Anonymous Coward


    CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; As a previous poster said, it's the reverse of a turing test.

    There's something wrong with the elreg glossary, because this comes up EVERY time there's a story about CAPTCHA's.

    The correct wording is:

    Completely Automated Program to Tell Computers and Humans Apart.

    That's not that difficult, is it?

    They're also known as REVERSE Turing tests, for the above reasons.


  36. TeeCee Gold badge

    SAAS - Google stylie.

    Spam-as-a-service, anyone?

  37. Anonymous Coward


    "'d like to see software reliably tell bunnies & kittens apart.


    I'd like to see bunnies & kittens!"

    What for, if you can't tell them apart w/o help?

  38. A J Stiles
    Paris Hilton

    Bunnies and Kittens

    Bunnies and kittens, eh?

    That could be more fun than you think! Look up the alternative meanings for "la chatte" (French) and "el conejo" (Spanish) sometime .....

  39. Anonymous Coward
    Anonymous Coward

    Websense is toooo late

    Just wonder how late could be security firms when they are so commercialized.

    The story of Gmail Captcha crack was published 10 days ago in Russian IT news. You can find it in English (read my lips: no need for a tutor)

    And yes, the spammers use humans (biobots) to break captchas for money.

    These are many sites for this business around the world -,,, etc

    And while sleeping GMail is open for spambots, some Russian web-mail services already started to use more serious captchas where you have to choose the recognized signs one by one from a virtual keyboard, and the captcha alphabet could be changed in a moment (not just digits or letters but any pictograms like road signs can be used).

    Here are the details, but now it's in Russian only (just for fun):

  40. Count Ludwig

    PayPal Micropayment

    How about a new service from PayPal? Want to send an email that I'll read? Make a small payment into my PayPal account and attach a message.

  41. zedee

    Re: AC - And So It Continues

    [I think one way to address this would be a "your machine is infected. Do this to fix it or you will be disconnected" letter sent to the owner of that IP address (make sure it's sent to the right place!)]

    The now defunct Metronet ISP had this in their Ts and Cs - if you were getting bot traffic or had an open smtp relay you got your connection cut. They had some very funky network monitoring stuff and account self-management tools before they got Borged by Plusnet.

  42. Sam

    @Gabor Laszlo

    I run a phpBB2 board, is this method documented somewhere?

  43. Chris Ellis

    @ Barry Rueger

    All the problems with email arise due to its acient design.

    Trying to have a system backward compatable would just render the new system useless

    The sooner we ditch the current system the better!

  44. Hugo

    Web 2.0 CrowdSpamming in action!

    Re: Bot army now with human servants?

    > So apparently Russians are paying people to correctly identify captcha strings for their bots?

    That's also how I read the Websense article. When I first had a play with Amazon's Mechanical Turk I thought it would be perfect to farm out CAPTCHAs for real people to type in for a cent a pop, and that's what they're doing here.

    Now that's Web 2.0!

    (And whilst you're at it, why not, as these spammers appear to, have your own bot have a go and compare it with the correct human to help learn do it automatically and save those few cents and speed it up considerably.)

  45. dreadful scathe

    captcha ideas

    Bunnies and Kittens? Bah, you're all missing a trick. What we want is a 'Pointless Blonde Celeb Line Up' where you have to pick out Paris Hilton and type the code that appears on the black plackard she's holding in profile :)

  46. Anonymous Coward
    Anonymous Coward

    Let google use their images game ...

    you know the one where they pair you up with some other saddo and show a series of images and you both type in words to describe the image. If you match you get a new image and some points.

    So at least for gmail, show an image(s) and ask for a word to describe, if you match more than n% then accept.

    Downside is that it becomes language and spelling specific and there are too many images that just have tags like "man", "girl" etc. Also very variable and more time consuming.

    Further down with all of these is it's hard for people with visual impairments who may rely on text to speech systems or if you are using a text only browser (lynx).

  47. Karl Lattimer

    1 in 5

    1 in 5 = 20%, 20% is not a low percentage when its performed regularly, quickly by computers.

    If it can test 5 accounts per minute, that's 1 new account per minute, that's not a minor issue...

    Small percentage would of course have to be relative to the number of accounts the system can break in a given time frame otherwise its meaningless.

  48. Anonymous Coward
    Anonymous Coward


    Posted anon because my forum gets enough attention from spammers as it is (I made the first post above about phpBB2), but I find the text confirmation mod for phpBB2 works quite well. The trick is to ask the right type of questions (the sweatshops that handle spam registrations can answer "what is 2 + 2" with little effort) and I've gone from 10 - 20 a day to none. I still have to delete the "registration attempt failed" emails but a couple of mail server rules do that for me. The humanizer mod (which asks "are you a human?" worked for a while) but that's now been cracked.

    Something I'd really like to see is use of XRumer made illegal (what legit uses does it have?) and the entertainment industry lawyers do something a bit more useful such as tracking down the spammers.

  49. tim

    Bunnies and kittens

    kinda reminds me of that thing that did the rounds a while ago where you had decide whether a pic was of an upper or lower cleavage

  50. Robert Pogson


    can read the Captchas for the bots... Set up bots to open accounts and route the captchas to a human who can learn and improve his speed. Pretty soon you will have humans able to type captchas at 60 per minute. A network of such humans could open hundreds of thousands of accounts daily. So, Google will have to go to plan B, which is... I have no clue.

  51. Stu


    >The humanizer mod (which asks "are you a human?" worked for a while) but that's now been cracked.

    Answer - "Negative, I am a meat popsicle." the movie.


    @Doc Dish - Funny that, every Google Captcha I've tried I've only failed it once or twice at most. I've done quite a few in my time too. True though that Captchas on some sites r so bad its taken me maybe 3 or 4 attempts, no more.


    @Will -

    >Imaging a animated GIF captcha swirling in an infused cloud of incandescent murkeyness.

    Actually thats not a bad idea, people are better at seeing patterns in motion, kind of like picking out soldiers in forests, can be seen better if they move around. Might make some people sick tho!!!

  52. Anonymous Coward
    Thumb Up


    "Anybody else want to negotiate?"

  53. Anonymous Coward
    Anonymous Coward

    random questions

    Still use an image or audio file, but have it ask a question

    "Which number is smallest?", "Which number is largest?", "Which shape is a circle?", "Which of these images is a cartoon cat?", "Which of these pictures is a real cow?", "Which of these images is a photograph?"

    For the vision impaired, an audio question and audio options could be used.

    It means the user must actually make sense of the question. Of course, you'd need enough options for answers that chance wouldn't be 1 in 5 to make a difference. Use maybe 8 or 10 possible answers, and only allow one miss.

  54. Bogwitch

    Odds are...

    @Anonymous Coward above,

    8 or 10 possible answers and allow one miss. Because 2/10 is harder that 1/5 ? Or 2/8?

    @Stu. My son is called Korben.

  55. Anonymous Coward


    I was getting the CAPTCHA characters correct, it's just that the Hotmail (owned by Microsoft) CAPTCHA can only be passed via Internet Explorer (made by Microsoft)

    Go figure

  56. Christos Georgiou
    Black Helicopters

    Now in beta!

  57. Martin Usher

    Age is sometimes the answer

    >The audience on El Reg will understand this, but someone who just uses an old Win98 computer for a bit of email and word processing probably wouldn't.

    Actually I wish that were the case. Someone who has such a machine and uses it sporadically isn't a threat. Its the people who've got their PC directly attached to their cable or DSL modem who leave the thing up 24/7 that are the problem. There are a lot of people like that out there and many are completely clueless about how computers work. We don't normally move in such circles so when we do have to deal with these users -- as I was recently (an elderly friend) -- its the very devil to get them to understand that when a web page says "you've got malware, click here to remove it" that the last thing you should do is follow those instructions! (Fortunately I've got her system rebuild down to a fine art -- I've been thinking of mirroring her disk so I just have to press the button.......)

    As for the CAPTCHA code, I'm almost tempted to have a crack at it myself. This is the kind of puzzle that's fun. But just as cracking encryption is the price you pay for getting better quality encryption all this is going to do is improve the quality of the CAPTCHA algorithms. Its an arms race, and a fun one at that.

  58. Anonymous Coward

    Stop free email accounts!

    A great way to check if an account is genuine is to require payment with a credit card!

  59. Anonymous Coward
    Anonymous Coward


    >> CAPTCHA does not stand for "Completely Automated Public Turing test to tell Computers and Humans Apart"; As a previous poster said, it's the reverse of a turing test. The correct wording is: "Completely Automated Program to Tell Computers and Humans Apart."

    Um: (© 2000-2007 Carnegie Mellon University)

    "The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University."

    That fact that the name is misleading doesn't mean it's not the name.

  60. conan
    Paris Hilton

    Turing Porn Farms

    I was reading on wikipedia the other day about "Turing Porn Farms" (er, I searched on the term "turing", honest), which are apparently a clever way around these CAPTCHAs. You just set up a free porn site, and require folk to fill in a CAPTCHA to access it; because you can rely on a fairly constant stream of people signing up to your porn site, you can just scrape the CAPTCHAs from gmail or livemail or whatever in real time, and use the results to sign up for dummy accounts. Nifty, eh?

  61. Anonymous Coward
    Paris Hilton

    What is the purpose of a Turing test?

    What is the primary purpose of a Turing Test?

    Is it to test if a human can tell a computer and a human apart?

    Or is it to test if a computer is able to convince a human that it itself is human?

    If it is the latter, it really is secondary whether the ‘judge’ is human or – as is the case with Captcha, the judge is another computer.

    So, nothing ‘reverse’ here, eh?

    Paris, because I'm sure Captchas are keeping HER from passing.

  62. archie lukas

    Respect, cos I can't read them there blots

    I can't read these ink blots on some forum boards; so respect to them thar 'youfs'

    Actually Google is easy but Yahoo is a bum pain - which is why I never use it.

    Its not that I'm that old -but I did learn MS-DOS 3.1, so I suppose I am an ancient

  63. MarkMac

    Surely the fix is...

    for Google etc to disallow the setup of more than say 3 accounts from any given IP address in any given 24 hour period? What real person wants to set up 500,000 accounts, or even 50 accounts?

  64. Anonymous Coward
    Anonymous Coward

    Planned Action

    It seems to be a little surprise. However, it was planned at the moment when software for handriting input was created. Inference: think of security before implementation of something new

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021