Spammers are again attacking Microsoft’s CAPTCHA system, and so far they have a 10-15% success rate. They are using automated bots to defeat the system, which was revised and revamped after it was successfully attacked earlier this year. Experts have found that the process involves three stages. First, instructions are sent from a controlling host to an infected machine on its botnet. That machine then attempts to crack the CAPTCHA, and finally the bot uses the Live Hotmail accounts it has successfully created to send large amounts of spam.
Services like Live Hotmail and Gmail have become favored targets for spammers and phishers because of the DomainKeys and DomainKeys Identified Mail (DKIM) email authentication they use, which lets a sender’s reputation determine email delivery. The more reputable the sender, the less likely mail from them will end up in a spam filter or on a blacklist. The sending domain signs each message with its private key, and the server receiving the message verifies that signature with the public key obtained through the DNS of the sender’s domain (hence the name DomainKeys) to determine whether it matches the email message. Once the message and sender are determined to be authentic, the sender’s reputation is used to decide the delivery status. Senders with bad reputations, or messages with missing or fake signatures, stand a very strong chance of being rejected, while those from reputable senders with good signatures are usually delivered. While most ISPs haven’t adopted this technology yet, many web-based email providers and services have, including Yahoo, Gmail, eBay, and PayPal.
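The verification flow sketched above, as an added example in Go that is not from the article: the sending domain signs the message with its private key, the receiver fetches the public key from a constructed in-memory stand-in for the DNS TXT record at selector._domainkey.domain, checks the signature, and only then lets the domain’s reputation decide delivery. The header canonicalization and the reputation table are simplified assumptions; a real verifier follows the DKIM specification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for DNS: a real verifier fetches the public key from the
// TXT record at <selector>._domainkey.<domain>; here that lookup is a map.
var dnsTXT = map[string]*rsa.PublicKey{}
// Constructed reputation table; real receivers score domains from history.
var reputation = map[string]string{}

// Publish is the sending domain placing its public key "in DNS".
func Publish(domain, selector string, pub *rsa.PublicKey) {
	dnsTXT[selector+"._domainkey."+domain] = pub
}

// digest binds the signed headers and a body hash into one value, as the
// DKIM h= and bh= fields do (simple canonicalization, no whitespace folding).
func digest(headers map[string]string, body string) []byte {
	bh := sha256.Sum256([]byte(body))
	d := sha256.Sum256([]byte(fmt.Sprintf("from:%s\nsubject:%s\nbh=%x",
		headers["From"], headers["Subject"], bh)))
	return d[:]
}

// Sign is what the sender's mail server does with the domain's private key.
func Sign(priv *rsa.PrivateKey, headers map[string]string, body string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(headers, body))
}

// Verdict is the receiver's decision the article describes: fetch the key for
// d=domain/s=selector, check the signature, then let reputation decide delivery.
func Verdict(domain, selector string, headers map[string]string, body string, sig []byte) string {
	pub, ok := dnsTXT[selector+"._domainkey."+domain]
	if !ok || len(sig) == 0 {
		return "reject: missing signature or no key published for domain"
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(headers, body), sig) != nil {
		return "reject: signature does not match message"
	}
	if reputation[domain] != "good" {
		return "hold: valid signature but poor or unknown sender reputation"
	}
	return "deliver"
}
```

A valid signature only proves the message left the signing domain’s servers unaltered; spam sent from a freshly created account is signed just as validly, which is why the reputation step, not the signature check, is what the bot-created accounts exploit.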
Understandably, spammers and phishers are eager to abuse this because they know it’ll help their junk and malware-laden emails get into more inboxes. Their attack on Microsoft’s CAPTCHA isn’t really surprising, but their automated method is. India has a booming underground economy of human CAPTCHA crackers who are paid $2 for every 1,000 CAPTCHAs they solve, and since an actual human is doing it, the success rate is quite high. However, this time around they seem to prefer the automated approach and its smaller success rate. Perhaps the human method simply looked too obvious and they figure the low success rate will help them avoid detection? Researchers and security experts aren’t sure, but one thing is quite clear: CAPTCHA technology simply isn’t working anymore, at least not in its current form. New image-based versions are in the works but have yet to be widely tested or adopted.