Cheap Labour : Websurfers - GoFuckYourself.com

AnalProbe · 05-07-2004, 06:13 AM

By offering free porn, spammers are using Internet surfers to bypass a security protection designed to stop bot software from automatically opening Web mail accounts.

Free Web mail services such as Hotmail and Yahoo are often used by spammers to send unsolicited e-mails. But because of the sheer quantity of e-mail sent, spammers require thousands of accounts and employ Web bots to automatically open them.

To combat this automation, Web mail companies started using the Captcha test (Completely Automated Public Test to tell Humans and Computers Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots.

To open an e-mail account, the applicant is asked to read the word in the Captcha graphic and type it into an application form. Because the disguised word is virtually impossible for a computer to read, spammers need a human to intervene, which ruins their automation process.

However, as first noted in the Boing Boing blog earlier this year, some spammers have found an ingenious way to bypass the Captcha protection.

First, the spammers open and advertise a Web site containing pornography. Visitors to the porn site are asked to enter the word contained in a Captcha graphic before they are granted access.

In the background, spammers have already used scripts to automate the Web mail accounts opening process to the point where they need a human to "read" the Captcha graphics. The Captcha graphics from the Web mail site are transferred to the porn site, where the porn consumers interpret the Captcha words. As soon as they enter the correct word, the script can complete its application process and the visitors are rewarded with free porn.

Simon Perry, vice president of security at Computer Associates International, said security is always a "moving target," and as soon as a company like MSN uses a new technology to secure a product or service, it is only a matter of time before it will be bypassed.

"Each little improvement makes it a little bit more difficult for the spammers. This is an exercise in continually moving up the bar," he said.

According to Perry, the only way to make a real difference is to combine technology with legislation and enforce that legislation. However, he said that even though spammers may have found a way past the Captcha, it is still slowing them down.

"Before the Captcha, those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot but still an order of magnitude less," Perry said.

Neither Microsoft's Hotmail nor Yahoo would comment on the issue.

johnbosh · 05-07-2004, 06:17 AM

wow millions accounts a day that amazngly much

jackson · 05-07-2004, 06:17 AM

yeah hotmail has been exploitable for a while now...

Microsoft said yesterday it had introduced a white list scheme to allow well-behaved email marketing firms to reach its customers without falling foul of its spam filters. Marketing firms who post a cash bond of up to $20,000 through IronPort's "Bonded Sender Programme" will get guarantees that their message will be delivered to the estimated 170 million regular users of Microsoft's Hotmail and MSN e-mail services, providing they follow a strict set of guidelines. Firms who flout the guidelines - standards that exceed those defined in the CAN-SPAM Act - risk losing their money. The approach rewards marketeers who agree to be held accountable for the messages they send. Microsoft has been working on the programme with IronPort for five months but the arrangement was only made public yesterday. With the support of Microsoft, more firms are likely to adopt the scheme. Good news for Ironport's sales team. Microsoft is behind the idea because it wants to reclaim email marketing from criminal spammers. For end users the scheme makes it less likely that messages they have requested from companies they do business with will be blocked (i.e. fewer false positives).

securityfocus

TheMob · 05-07-2004, 06:19 AM

spammers are cool

05-07-2004, 06:13 AM	#1
AnalProbe pain in the Ass Industry Role: Join Date: Jan 2004 Posts: 3,727	Cheap Labour : Websurfers By offering free porn, spammers are using Internet surfers to bypass a security protection designed to stop bot software from automatically opening Web mail accounts. Free Web mail services such as Hotmail and Yahoo are often used by spammers to send unsolicited e-mails. But because of the sheer quantity of e-mail sent, spammers require thousands of accounts and employ Web bots to automatically open them. To combat this automation, Web mail companies started using the Captcha test (Completely Automated Public Test to tell Humans and Computers Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots. To open an e-mail account, the applicant is asked to read the word in the Captcha graphic and type it into an application form. Because the disguised word is virtually impossible for a computer to read, spammers need a human to intervene, which ruins their automation process. However, as first noted in the Boing Boing blog earlier this year, some spammers have found an ingenious way to bypass the Captcha protection. First, the spammers open and advertise a Web site containing pornography. Visitors to the porn site are asked to enter the word contained in a Captcha graphic before they are granted access. In the background, spammers have already used scripts to automate the Web mail accounts opening process to the point where they need a human to "read" the Captcha graphics. The Captcha graphics from the Web mail site are transferred to the porn site, where the porn consumers interpret the Captcha words. As soon as they enter the correct word, the script can complete its application process and the visitors are rewarded with free porn. Simon Perry, vice president of security at Computer Associates International, said security is always a "moving target," and as soon as a company like MSN uses a new technology to secure a product or service, it is only a matter of time before it will be bypassed. "Each little improvement makes it a little bit more difficult for the spammers. This is an exercise in continually moving up the bar," he said. According to Perry, the only way to make a real difference is to combine technology with legislation and enforce that legislation. However, he said that even though spammers may have found a way past the Captcha, it is still slowing them down. "Before the Captcha, those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot but still an order of magnitude less," Perry said. Neither Microsoft's Hotmail nor Yahoo would comment on the issue.

05-07-2004, 06:17 AM	#3
jackson Confirmed User Join Date: Feb 2004 Location: New Jersey Posts: 1,094	yeah hotmail has been exploitable for a while now... Microsoft said yesterday it had introduced a white list scheme to allow well-behaved email marketing firms to reach its customers without falling foul of its spam filters. Marketing firms who post a cash bond of up to $20,000 through IronPort's "Bonded Sender Programme" will get guarantees that their message will be delivered to the estimated 170 million regular users of Microsoft's Hotmail and MSN e-mail services, providing they follow a strict set of guidelines. Firms who flout the guidelines - standards that exceed those defined in the CAN-SPAM Act - risk losing their money. The approach rewards marketeers who agree to be held accountable for the messages they send. Microsoft has been working on the programme with IronPort for five months but the arrangement was only made public yesterday. With the support of Microsoft, more firms are likely to adopt the scheme. Good news for Ironport's sales team. Microsoft is behind the idea because it wants to reclaim email marketing from criminal spammers. For end users the scheme makes it less likely that messages they have requested from companies they do business with will be blocked (i.e. fewer false positives). securityfocus __________________ PromO ArS 4 ReAL TeenPicCentral.com icq#303419172 Last edited by jackson; 05-07-2004 at 06:19 AM..

05-07-2004, 06:17 AM	#2
johnbosh Confirmed User Join Date: Aug 2002 Location: The Netherlands, Rotterdam Posts: 8,965	wow millions accounts a day that amazngly much

05-07-2004, 06:19 AM	#4
TheMob Confirmed User Join Date: Jan 2003 Location: 2006 Posts: 8,584	spammers are cool