Captcha vs. Idiot

 By Shamus Feb 8, 2007 19 comments

I mentioned before that I always follow links to people who link to me. Last week I visited one such site, and a lone captcha appeared in the middle of the page, with nothing else. “This is strange”, I thought, “This idiot has their entire site behind a captcha? That can’t be good for traffic.”

Now I was really curious as to what sort of freak would do such a thing. I entered the captcha, but somehow messed it up. Another one appeared. This is why I hate these things, dangit! I tried again. I managed to mess it up again. I tried a third time, and when it failed I suddenly realized I’d been had.

Every captcha used a different scheme. This should have clued me in that something was wrong. The page didn’t have any other text, which also should have clued me in.

I’m sure I was entering them properly. What I believe I was seeing was part of a spamming mechanism. First, the comment spam program runs into captchas. It then lifts the image and presents it to a human like me, and waits for me to tell it what the captcha says. I’m sure every time I entered a valid captcha I was causing a spam to appear somewhere, for someone. Once it finds a willing dupe like me, it will keep showing them captchas until they get bored or give up.

(It might not have been a weblog comment spam program. It might have been making lots of user accounts on a forum, which would then be used for spamming.)

Evil, but I give them full points for creativity. They can’t hope for much traffic like that, but they weren’t really trying that hard. If they really wanted to defeat captcha in volume, they could harvest some boobie pics from around the net, make users enter captchas to move from one image to the next, and then post the results to FARK. That would give them all the captchas they could ever need.

I hope the people that design captchas learn from this: The current generation of captcha-creation is overkill. Purple text on a red background with blue dots over it with the characters “1lIjt”, all rotated at different angles and overlapping one another, and then run through a wobbling distortion filter? Are you serious? Sure, nobody would ever dream of writing software to defeat that, but half the human beings in the world can’t be expected to get it right on the first try, either.

I doubt the spammers are even trying to keep up with them. Honestly, I’m sure just rotating the letters 45° is more than enough protection to defeat OCR attempts. There would be no reason for spammers to struggle with the OCR, when they could just use the trick I outlined above.
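The relay trick described above works because a solved captcha stays valid long enough for a bot to ferry it to a human and back. One design lever a site operator has is to make each challenge short-lived, single-use and bound to the session that requested it. This is an added example, not code from the original post; the secret, the 60-second window and the session ids are assumptions, and this only raises the cost of relaying rather than eliminating it.

```python
import hmac
import hashlib
import secrets

SECRET = b"constructed-demo-key"  # assumption: a server-side secret, not from the post
TTL_SECONDS = 60                  # assumption: a human solves a captcha well inside a minute

# Tokens that have already been accepted; makes each solved challenge single-use.
used_tokens = set()


def _mac(session_id, nonce, expires, answer):
    # Bind session, nonce, expiry and the expected answer under one HMAC so the
    # server does not need to store the answer per challenge.
    msg = f"{session_id}|{nonce}|{expires}|{answer.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, answer, now):
    """Return a token the server hands out alongside the captcha image."""
    nonce = secrets.token_hex(8)
    expires = int(now) + TTL_SECONDS
    return f"{nonce}.{expires}.{_mac(session_id, nonce, expires, answer)}"


def verify(session_id, token, answer, now):
    """Check a submitted answer; returns 'ok' or the reason it was rejected."""
    try:
        nonce, expires_str, tag = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return "malformed"
    if now > expires:
        return "expired"      # relay latency ran out the clock
    if token in used_tokens:
        return "replayed"     # one solve cannot be spent twice
    if not hmac.compare_digest(tag, _mac(session_id, nonce, expires, answer)):
        return "wrong"        # wrong answer, or a different session than the one issued to
    used_tokens.add(token)
    return "ok"


if __name__ == "__main__":
    t0 = 1_000_000.0
    tok = issue_challenge("sess-A", "k7pq3", t0)
    print(verify("sess-A", tok, "K7PQ3", t0 + 5))   # ok
    print(verify("sess-A", tok, "k7pq3", t0 + 6))   # replayed
    print(verify("sess-A", tok, "k7pq3", t0 + 90))  # expired
```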

19 comments.


  1. Sem says:

    I especially hate it if the captcha has capital o’s and zeroes. Incredibly easy to mix up.

  2. kat says:

    I ended up going with textual captcha for my site, because, dude. It’s a wee blog in the middle of nowhere. Just because the spammers could find me was no reason to make my handful of readers suffer through those evil pictures.

    It’s working pretty well, so far, in that no one’s complained, a few people have even found the questions funny, and the spam has gone from 10-20 messages a day to 1 or 2 a month. So if anyone else is in my boat, try it. You are not Yahoo or Blogspot. You don’t *need* ugly pictures.

  3. Teague says:

    Now if we could just get the incredibly clever and creative people that currently work on both sides of the “internet security race” to apply themselves to more worthwhile and important issues, like curing cancer, eliminating poverty, or getting the Bengals back to the Super Bowl, the world would be a much better place.

  4. Shamus says:

    ” or getting the Bengals back to the Super Bowl, the world would be a much better place.”

    Cancer and poverty first. Start with the easy stuff, you know?

  5. Nick says:

    I dunno, I kind of like that effort being put forth into stuff like KittenAuth… Too bad they don’t have a working demo anymore.

  6. Sem says:

    What I don’t get is that spam still works. By now, most people should have an automagic reaction to banish spam to electronic heaven.

    And even if you read it (I do it sometimes out of curiosity) it’s usually something that doesn’t make sense or contains no link to a website or an email address, so what’s the point?

  7. Shamus says:

    Sem: I’ve noticed the same thing. I’ve also seen spam that links to domains which do not exist.

    What the heck is the point of that? It’s a waste of my time, network resources, and even a waste of the spammer’s time. It doesn’t benefit anyone.

  8. Will says:

    Spam still works because people like my grandmother, who just aren’t web savvy, still click through stuff that would send off warning bells for any one of us here. With no concept of what computers really can and cannot do or how the web really works, she trusts those stupid “send this to five people to see ___ appear” emails and all the other garbage that floats around out there. She gets in trouble because she can’t tell the difference between a pop-up and a legitimate Windows warning box.

    It’s going to take a turnover in generations before spamming as we currently understand it becomes useless. Then they’ll just have to keep coming up with new ways to throw a world full of web savvy people off their guard.

  9. Steve says:

    Actually, I just read an article from someone claiming that he used a “heuristic neural net” to crack captchas on a series of blogs. OCR is no longer state of the spammer art, it would seem.

    I’ve never heard of cracking them using the method you think you were caught by. That’s very clever.

    As for getting the “clever” and “inventive” people working security to deal with some real-world problems as Teague suggests, well, if they could do anything other than computers they’d be doing it. No flying car will ever come from these guys. Most of ‘em can’t even spell or properly choose which spelling of “your/you’re/yore” they really mean.

    I should know. I work with some of the buggers.

    Steve.

  10. Phiend says:

    I personally hope that spammers learn an easy way to digitally read the captchas. Not because I like spam, but because of a program like that’s usefulness in AI. That would be a big step towards allowing computers to recognize generalized objects.

  11. RodeoClown says:

    Spam that links to nowhere is sent to reduce the effectiveness of spam catchers, to increase your adaptive filter’s database entries to try and get more valid stuff trapped as spam. When you start getting valid stuff stopped, you are more likely to turn off your filter.

    Either that or to try and confuse the filter so that some stuff gets slipped past later on. Remember it costs nothing (pretty much) to send a billion spam emails, and if you can confuse or crash a spam filter, one piece of spam might get through – and that’s all they are after.

  12. I’ve heard of that crack technique, including the “boobies” idea. The interesting thing about it is that with a sufficient pool of sufficiently motivated humans, there are no anti-computer mechanisms that will work. (You have to “fall back” to normal anti-spam techniques based on the message, not the author.)

    I’ve also seen people claim that nobody is actually doing that, so you encountering that in the wild is actually pretty interesting.

    I’d ask for the link, just out of curiosity, but it’s good odds it’s already not there anymore.

  13. Shamus says:

    I looked through my history when I wrote this post, but I couldn’t find the link. (The problem is, I don’t remember what the domain was.) I’m curious if it’s still there as well.

  14. Since I started using Peter’s Custom Anti-Spam Image Plugin for WordPress, my comment spam has dropped to a big fat zero, from dozens a day. Works like a charm on WordPress 2 blog, and lets you create a custom word list, so my regular readers can enjoy the little in jokes when they enter the captcha.

  15. hank says:

    “If they really wanted to defeat captcha in volume, they could harvest some boobie pics from around the net”

    This is done already in large volumes by bulletin-board/blog spammers. The page shows you a captcha, your software copies the captcha to another page (the ‘boobie’ page), then when the boobiehunter enters the captcha your software enters it into the original page. Aside from the boobiehunter, there is no human involvement. And the extraordinarily high number of boobiehunters guarantees that there probably isn’t a millisecond in a day when you couldn’t get someone to solve the captcha for you.

  16. Phlux says:

    A co-worker was just telling me a story about a guy who runs a few websites. He was getting a lot of persistent spam from some cruiseline company or something. He wanted it to stop, but he knew clicking the “unsubscribe” button would only make matters worse.

    So he tracked down the company and the spammers, asked them to take him off the lists, and they kept spamming him. So then he posted information on the internet about how their ads were misleading, they were spamming him, wouldn’t stop and were generally being bad people.

    They sued him for infringing on their freedom of speech. For 3 million dollars. And they won. A judge ruled that the ad was not misleading, provided minimal contact information and that the guy was guilty of libel for damaging the company’s reputation.

    He’s appealing the decision, obviously…but it just goes to show you how in bed our government is with business that they will uphold even the rights of spammers over ordinary citizens.

  17. Ishmael says:

    “…but it just goes to show you how in bed our government is with business that they will uphold even the rights of spammers over ordinary citizens.”

    Actually, I think it just goes to show how retarded some of the people involved in our legal system are.

    Thanks for the article, Shamus… I had always wondered why those damn things used such impossible to read fonts, and now I know. ^^

  18. JOEY345 says:

    To the people still saying captcha is broken, like Jeff says, prove it instead of saying it. Of course someone spending lots of time on it can “break” most captchas, but that’s not what we are talking about; we are talking about building a good enough OCR engine into a spambot that can effectively spam people using captchas.

    If it takes them five minutes per blog to find the text, post the spam, check if it’s posted, read the next image or test the next match, it’s not worth it; that would effectively stop their spamming.

    One thing that people seem to miss is that there is no obvious way to automatically determine what image is the captcha image, you would need to test every image on the page.

  19. Adam says:

    First of all, a 5 minute delay would not stop spamming, it’d just slow it down slightly. This could be counteracted by using more than one bot. Also, the captcha image would most likely be the only image on the page which kept changing, so finding it would just be a matter of refreshing the page a few times, then testing the images that changed. In addition, as well as being annoying for people who can see, captchas can make it impossible for blind people (me included) to use certain sites without help. Some captchas provide audio feedback, however the majority do not, so I find myself facing an impossible task; to type in a code which I can’t see, and which has been deliberately designed to be unreadable to computers! This being said, I can see the need for some way of spam protection, but one which doesn’t annoy legitimate users would be nice.
