Slashdot

One of the best 'exploit' related articles I've seen on /. for awhile. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.

KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.

What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.

http://www.johnmwillis.com/other/top-10-worst-captchas/ [johnmwillis.com]

Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHA's have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.

While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?

They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.

No one has cracked ReCAPTCHA [recaptcha.net] yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.

Why are they allowing the same computer multiple accounts in the same day?
Why are they allowing the same account creation attempt to fail over three times?

Still... I guess as computers get smarter, this is unstoppable.

All my accounts are white-listed. If I don't know you, I don't see your email.

From TFA:

You've got to be kidding! hotmail.com (and all it's other TLDs) has been banned from my game four, maybe 5 years ago. I've been giving every mail from a hotmail account an automatic 2 points in SpamAssassin for at least three years.

For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.

When a product is released you can usually assume it WILL be cracked. Why not use this for the good of all?

I certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes, if they have been cracked this code can be easily applied to text readers. Lets move on to something else.

If it holds you win, if it gets cracked you win and switch projects.

Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...

Problem is that none of them really will work in the Real World (RW).

In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

No, what's needed is a real ground-up redesign of how e-mail works. we need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

Adding more hoops or captchas or whitlelists to the existing mail sysytems just isn't going to solve the problem.

I'm actually surpried no one uses this. Google was close with their SMS registration but this could work just as well.

when you register, it gives you 2 easy to read captcha's (a verification number and password if you will), a simple picture and a 1-900 number thats $1.00 a call. When you dial it, it asks you to enter your verification number. then it asks for the password, which you would have to decode from the phone. (IE the password is vndka and you would have to enter 86352) finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat, the 1-900 number then says "did you say cat?" in which you say yes or no. if it's a cat you're registered if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture and hangs up.

The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to ram up your phone bill, But it's not anything new in the spyware business since dialers have been around for years and if their already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.

Unbreakable CAPTCHA Replacement: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweety, or C: a large properly formatted data file?

I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.

Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.

What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.

We never had to worry about things like CAPTCHA. The Internet was such a free place back then. We never had to worry about losing our ISP or trying to come up some unique algorithim to overcome barriers. Of course this was in 1993 when there were only about eight people surfing the web and Mr. T eating balls was as high tech as it got. Back then everyone loved spam, it was about the only email we got. In fact we didn't even call it spam back then, we called it spurkey. The only problem we had was trying to figure out how to use the key to get the lid off.