CAPTCHA Ready For Retirement?

Spammers are hitting Google’s Blogger service hard, using botnets to create hundreds of fake pages. The pages are full of spam ads, obviously, but some also redirect the viewer to a porn or other spam site. In essence, they are using Blogger as a way to avoid being caught by security software and spam filters, knowing that the service is unlikely to ever be blacklisted. The fact that the service has such a huge number of pages overall also helps the spam sites stay undetected longer.

According to Websense, the specially coded instructions the spammers send to their bots tell a compromised PC how to register accounts on the service and also helps it get past the CAPTCHA system. The PC sends a request to an external host that tries to solve the CAPTCHA and sends the answer back to the PC. So far it is estimated to have a success rate of about 13%.

While no one has yet figured out exactly how the CAPTCHA gets solved, some experts believe spammers are paying actual humans in third world countries to solve them. The pay is estimated to be roughly $3 for every successful solution. However, since security researchers have managed to develop methods that help computers increase their success rate, it wouldn’t be surprising if hackers and spammers have also figured out those methods.

A rapid rise in spam accounts on MSN, Yahoo, and Google is a strong indicator that CAPTCHA technology is no longer an effective means of preventing spam. So what’s next? IMAGINATION. Developers at Penn State have developed this new generation of CAPTCHA that is based on ALIPR (Automatic Linguistic Indexing of Pictures). Here is how Computerworld describes it:

This is an image-based system. In it, you’re first required to pick out the geometric center of a distorted image from a page that’s filled with similar overlapping pictures. Then, if you get that right, you’re presented with another carefully distorted image and asked to pick a word to describe what you’re seeing.

Intrigued? You can try it out for yourself here. Will it be more effective than CAPTCHA? That remains to be seen but so far it is getting rave reviews. Will it annoy your customers who already find CAPTCHA irritating? Probably, but better for them to be momentarily annoyed by an anti-spam measure than repeatedly annoyed-or worse-by spammers.