Or posts within your forums and blogs where the content is just a single image?
It is an ingenious way of circumventing even the better Bayesian method based spam filters. There is nothing to review - it is binary data, and all but the most sophisticated anti-spam tools can do OCR (optical character recognition) on the fly in a speedy fashion, prior to reviewing content.
The images are text converted to a simple GIF or JPG file, with slightly fuzzy and colored backgrounds.
What do these images remind you of? CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) images. Distorted text, required to be entered by humans at various verifications.
The presumption is that automated processes, often created for spamming, will not be able to read it (convert it from image back to text) in a timely fashion.
The identical problem is presented to anti-spam software.
I predict that anti-spam developers will come up with new methods to convert those pesky image-based spams for classification.
I also predict that spammers will beta test it, by implementing it in their captcha-defeating online spam tools.
So long, CAPTCHA. Your long (6 years?) Internet life was indeed a pleasure, while it lasted.
Are you making the illogical leap from "spammers can make captcha-like images" to "therefore spammers can defeat captcha"?
If not, apologies. But if you are, you are missing the point.
Spammers can already defeat captcha-type systems, it is just not a practical solution for them. And so long as captcha evolves too (which it seems to be doing), it may be premature to predict its demise.
Additionally, savvy webmasters do not just use captcha - they use a selection of methods to slow down spammers, and so defeat the mechanical systems.
Nothing ever defeated the idiots who are prepared to join a forum, via captcha, email confirmation and much else, just to drop a link which is nofollow and will last a few minutes - they need medication, or growing up - not technology!
Hearing from a lot of new friends lately? You know, the ones that write “It’s me, Esmeralda,” and tip you off to an obscure stock that is “poised to explode” or a great deal on prescription drugs... Much of that flood is made up of a nettlesome new breed of junk e-mail called image spam, in which the words of the advertisement are part of a picture, often fooling traditional spam detectors that look for telltale phrases. Image spam increased fourfold from last year and now represents 25 to 45 percent of all junk e-mail, depending on the day, Ironport says.
Spam Doubles, Finding New Ways to Deliver Itself [nytimes.com]
I thought this was a well written explanation in the NY Times.
I am simply stating that
1. e-mail spammers are using the graphic obfuscation to hide their spam
2. anti-spam vendors will find a faster and more efficient way to "decode" and recognize such graphic spam
3. forum/blog/discussion spammers who now have to use other methods to post spam on CAPTCHA or MAPTCHA protected sites, will take that technology, and defeat (kill) at least the CAPTCHA protective solution.
The #2 step is what will resolve the problem you stated - making it practical.
I.e., e-mail spammers trigger a solution to be developed by e-mail anti-spam vendors - which in turn provides a tool for discussion spammers to defeat CAPTCHAs.
Are you making the illogical leap from "spammers can make captcha-like images" to "therefore spammers can defeat captcha"? If not, apologies. But if you are, you are missing the point.
Spammers can already defeat captcha-type systems, it is just not a practical solution for them. And so long as captcha evolves too (which it seems to be doing), it may be premature to predict its demise.
Personally I have been using a simple question on my forms to validate them, like, "What is 5 + 4". Someone in here told me about it and I know it all sounds too simple but it has worked for me so far.
That works well - but once the graphics are converted to text, there is nothing preventing the discussion spammer from feeding that information "automagically" to ... Google?
[google.com...]
I'm guessing the only thing holding something like this back is all the companies at the top of the ISP food chain who want to control the definition of a standard. So some open source genius needs to come along, write up the business processes and develop the prototype. Then the buzz of a working prototype would really get the attention of ISPs, who would line up to get such a system developed.
And it really doesn't have to be a single protocol. It could be on a per-country basis, just like standard postal mail. Each country could control its methods, but in order to get their email delivered internationally an interoperability layer would be required.
Just some thoughts. If I didn't have a full plate of greedy capitalist development projects I'd give it a go myself.
Sean
The only practical solution is to charge for email.
Already being done...
Email Optimization Consultant
[webmasterworld.com...]
e-mail spammers trigger a solution to be developed by e-mail anti-spam vendors - which in turn provides a tool for discussion spammers to defeat CAPTCHAs.
Wishful thinking ;)
Gmail already spots 90%+ of the image spams; it doesn't have to READ them, just recognise them.
CAPTCHAS have to be read to be defeated.
We're safe for a while yet!
1. e-mail spammers are using the graphic obfuscation to hide their spam
Do your mailservers still accept messages where there is only graphical content? I don't.
The only practical solution is to charge for email.
Nonsense. The most practical solution is to keep increasing the penalties for spamming.
I'm with SpamHaus as far as the definition [spamhaus.org] is concerned:
Spam is an issue about consent, not content.
How about: if you can't prove you have consent, you end up in jail? This might focus the mind as far as spammers are concerned....
Gmail already spots 90%+ of the image spams;
1% of a million is too much. :)
We're safe for a while yet!
The key words are "a while"...
Do your mailservers still accept messages where there is only graphical content? I don't.
There are some systems and users that e-mail nothing but images. I know of some poor-man's-medical-imaging solution which uses image-only e-mail. Some security systems use image-only e-mail. And of course grandma sending pictures from her vacation trip... ;)
if you can't prove you have consent, you end up in jail
I see lots of progress being made in the Bonded Sender program which is now the Sender Score Certified program certified by TRUSTe...
Within the EOC topic, there are a host of other providers in this area. They are growing and they will continue to grow while the current protocol remains in place. It's the logical next step working with existing tools.
Email Optimization Consultant
[webmasterworld.com...]
If you don't have at least an SPF record, there is a good chance that up to 50% or more of your mail is not being received. And since your system is flagging and deleting those failed mail responses, you may not know the magnitude of what is happening.
Now, back to CAPTCHAs. They fail in the Accessibility area.
Nonsense. The most practical solution is to keep increasing the penalties for spamming.
That's part of it - but the key to successful law enforcement is not tougher sentencing - it's increasing the likelihood of being caught.
Currently, only a tiny percentage of spammers get caught, let alone charged and convicted. That has to change. Plus I need a licence to hang them from lamp posts! :)
certified by TRUSTe...
Do **you** trust TRUSTe? I don't trust them at all:
TRUSTe’s Fact Sheet (2006) reports only two certifications revoked in TRUSTe’s ten-year history...
ouch...
According to TRUSTe’s posted data, users continue to submit hundreds of complaints each month. But of the 3,416 complaints received since January 2003, TRUSTe concluded that not a single one required any change to any member’s operations, privacy statement, or privacy practices, nor did any complaint require any revocation or on-site audit.
Just what do TRUSTe actually do? ... apart from earning $$$?
Ha, it's so unlikely to happen it's laughable. Because it's big business. Who's going to jump in the way of that revenue stream? The monster CC providers and the government apparently don't care and move so slowly anyway that nothing will get done for years... tick tock, time runneth out.
Spam is already eroding email's usefulness to a large degree. The problem is the protocol that email relies on was developed in a different time, an innocent time. Now it just looks naive, it's so vulnerable.
As for SPF - let's see we need SPF, but then a different version of SPF for Hotmail, Domain Keys for Yahoo, an SPF record with whitelisting "begging" instructions for AOL... and on and on. The processes are completely opaque so you never really know what email is actually being delivered or not. There's just no transparency and all email publishers are guilty until proven innocent.
Hey I'm not complaining - this is the reality for email publishers. Time to look for alternatives.
Is it that bad for you?
I get 30-50 spams a day, 90%+ filtered out, the ones that get through (none on a good day) being really obvious - just new to gmail.
I've spent longer typing this than it takes to deal with a week's spam.
There's excellent spam filters at zero cost to users; looking takes awhile, setting up can do, too. But it's a once-a-year job, tops.
This means that you have to periodically check your spam box for legit emails. Which is worse: spending an hour looking over a spam box once a month, or spending a split second deleting them immediately every day?
Why would the banks not want to stop spam? Nobody is immune. And single individuals don't want to spend their morning looking at spam any more than I do. I don't care if the "bank" makes money off it somehow in some indirect way down the road. And I would be perfectly willing to dispense with it even if it took a bite out of profits.
The real solution is simple and really quite elegant. Many of us have pushed for this type of solution for over 15 years.
1) Require all ISPs to block port 25 to keep their users from sending directly from their dynamic IP computers. Don't allow anyone to send domain email through a server if that domain is not hosted with that service. This also kills off 98% of viri that transport via built-in SMTP servers. Your business domain host should be set up for authenticated SMTP, which not only requires a password, it uses a different port number.
Static IP accounts hosting their own mail servers would be required to follow through with step 2. This would also require them to run a quick test on their server config to ensure they have correct filters & security in place and proper rDNS (reverse DNS) records set up correctly.
2) Either push a global "sender verification" standard or require legit mail servers to be registered just as nameservers are currently created with the registrars. Then have all mail server software updated to check the "registered mailserver" lists just as they currently query the various RBLs (real-time blacklists). Technically a root-server query should be part of this if the servers are registered similar to nameservers.
3) Support the privatization of ICANN and have their SWIP policy enforced with severe penalties for any company not identifying who is using the IP subnet ranges assigned. (ok, I slipped this one in there so we security freaks can better identify the morons attempting exploits).
That takes care of over 80% of the flood of spam, phishing and exploit/viri mail on the Internet. The rest will die off because their servers will be identified quicker when they try to register & spam from them. If you have access to monitor IP and mail traffic on your networks/servers, you would be astounded at how much bandwidth would be reduced by blocking unauthorized mail servers. The spammers will find another venue, but we'll worry about that when it pops up.
I am a big fan of "sender verification" but I think we should be harder on misconfigured mail servers and service providers. Company administrators need to learn how to properly manage their mail servers or the servers should be blacklisted.
The entire Internet community has to band together for any solution. Without total unity, you end up with JoeBob using his home DSL connection with dynamic DNS for his mail server and non-U.S. servers doing whatever they want so they can continue to spew garbage across the Internet.
Did I mention that HTML email should die a horrible death?
And email attachments?
Sigh, people using email for 20MB file transfers, that still chaps me.
Ok, time to end my rant and get more coffee.
The only practical solution is to charge for email
That's entirely untrue, as the solution(s) are available that could virtually eliminate spam, but it would require everyone to upgrade their email gateways to eliminate most of this stuff, and the problem is convincing everyone WHICH new email protocol to adopt, because lack of compliance with a single solution is what perpetuates the problem.
Now, back to CAPTCHAs. They fail in the Accessibility area.
They fail stopping spam too... or at least will in time. I saw some examples posted on a University website where they were getting about 33% success rate with images that were hard for me to even read and my vision is 20/20. Just a matter of time before such technology reaches the spammers.
I'm a firm believer in the question for forum registrations as the other person posted above. I have a smaller forum that was getting about 2 spam registrations a day and since instituting the question have had 0 in about 5 months. The forum mod I'm using can have multiple random questions either text or images or a combination of both. I've simply used a single question about content on the page. Impossible for a bot to understand under any circumstances and completely accessible to anyone. I've even removed the captcha as I don't need it anymore.
I am a big fan of "sender verification" but I think we should be harder on misconfigured mail servers and service providers. Company administrators need to learn how to properly manage their mail servers or the servers should be blacklisted.
True, couldn't agree more, but we need an open standard for sender verification that can ensure misconfigured servers are identified as such. Right now SPF is only a good idea; it's not truly practical because it's not widely enough adopted. And as the technology evolves, newer, better protocols are created (like Domain Keys, imo).
If we could move towards a standard that blacklists those moronic company mail server admins that have no clue how to control spam... so then they put the burden on the end user and legit publisher ... if there was a way to shift the burden of responsibility to them (where it belongs) then we'd be living the good life. As it is, they're clueless and we're banging our heads against the wall in frustration most of the time. At least I am :-)
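The question-based registration check that two posters above describe (a site-specific question such as "What is 5 + 4", or a question about the page's content, chosen at random from a bank) can be done without server-side form state. This is an added example, not the forum mod's own code: the question bank, the per-deployment HMAC key and the 15-minute form lifetime are assumptions, and the token format is a constructed one.

```python
"""Stateless question challenge for a registration form (added example)."""
import hashlib
import hmac
import json
import random
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumed per-deployment key, generated at start-up
TTL = 15 * 60                      # seconds a rendered form stays valid

# Constructed question bank: prompt plus accepted answers (already normalised).
QUESTIONS = {
    "q1": ("What is 5 + 4?", ["9", "nine"]),
    "q2": ("What colour is the logo at the top of this page?", ["blue"]),
    "q3": ("Which board is this forum about? (one word)", ["webmasterworld"]),
}


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(qid=None, now=None) -> dict:
    """Pick a question (random unless given) and return it with a signed token."""
    qid = qid or random.choice(list(QUESTIONS))
    payload = json.dumps({"q": qid, "exp": int((now or time.time()) + TTL)})
    return {"question": QUESTIONS[qid][0], "token": payload + "." + _sign(payload)}


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive comparison so humans are not penalised."""
    return " ".join(answer.lower().split())


def verify(token: str, answer: str, now=None) -> bool:
    """True only for a genuine, unexpired token and an accepted answer."""
    payload, _, mac = token.rpartition(".")
    if not payload or not hmac.compare_digest(mac, _sign(payload)):
        return False                      # forged or edited token
    data = json.loads(payload)
    if (now or time.time()) > data["exp"]:
        return False                      # stale form: the client must re-fetch
    return normalise(answer) in QUESTIONS[data["q"]][1]
```

Because the token carries the question id and expiry under an HMAC, a submitter cannot pick the easiest question or reuse an old form, and the server never stores which question it handed out.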
e-mail spammers trigger a solution to be developed by e-mail anti-spam vendors - which in turn provides a tool for discussion spammers to defeat CAPTCHAs.
Not necessarily - on the antispam side it would be enough to know that a given graphic is offending (e.g. lots of text on a fuzzy background) - without being able to read this text.
Btw: why don't those sophisticated programs throw out mail with nothing but a pic and some garbage text?
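Several posters make the same point from different angles: a filter does not have to read the picture, it only has to notice that the message is one image plus little or no real text, and a consent list handles the image-only senders a user actually wants (the "grandma's vacation photos" objection). The following is an added example, not code from any poster or product; the word threshold, the allowlist and the sample messages are constructed assumptions.

```python
"""Structural image-spam heuristic with a consent override (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

WORD_RE = re.compile(r"[A-Za-z]{2,}")
MIN_WORDS = 10   # assumed: fewer real words than this beside an image is suspicious


def classify(raw: bytes, allowed_senders=()) -> dict:
    """Return structural features and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    images = words = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)   # crude tag strip
            words += len(WORD_RE.findall(body))
    # Consent overrides content: a sender the user opted in to is never
    # flagged on structure alone, no OCR needed either way.
    consented = any(a in sender for a in allowed_senders)
    suspicious = images >= 1 and words < MIN_WORDS and not consented
    return {"images": images, "words": words, "suspicious": suspicious}


def sample_message(sender: str, text: str) -> bytes:
    """Build a constructed multipart message: one text part plus one GIF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(text)
    # Minimal GIF header followed by padding; no real picture is needed here.
    msg.add_attachment(b"GIF89a" + b"\x00" * 256, maintype="image",
                       subtype="gif", filename="pic.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    spam = sample_message("esmeralda@example.invalid", "fjord wicket zebra")
    gran = sample_message("grandma@example.invalid", "Photos from the lake!")
    print(classify(spam))
    print(classify(gran, allowed_senders=["grandma@example.invalid"]))
```

The same message from grandma is flagged without the allowlist and passed with it, which is exactly why a structural rule needs the consent layer rather than a lower threshold that spammers would pad past with garbage words.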