<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; CAPTCHA</title>
	<atom:link href="http://www.allspammedup.com/tag/captcha/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>5 Ways To Make a Spammer Hate You</title>
		<link>http://www.allspammedup.com/2011/12/5-ways-to-make-a-spammer-hate-you/</link>
		<comments>http://www.allspammedup.com/2011/12/5-ways-to-make-a-spammer-hate-you/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 15:22:16 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6426</guid>
		<description><![CDATA[A spammer’s worst enemy is an educated user. Here are five easy ways to make sure you’ll never be a spammer’s best friend: 1.  Don’t display your email address as plain text on your website. A contact form is best, since &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2011/12/5-ways-to-make-a-spammer-hate-you/">5 Ways To Make a Spammer Hate You</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-311" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2009/01/classroom11.jpg" alt="" width="309" height="217" /></p>
<p>A spammer’s worst enemy is an educated user. Here are five easy ways to make sure you’ll never be a spammer’s best friend:</p>
<p><strong>1.  Don’t display your email address as plain text on your website</strong>. A contact form is best, since it protects your email address from harvesting bots, but if you must display your actual email address, display it as an image. The bots can’t “see” text in images so they won’t be able to grab your address.</p>
<p><strong>2. Don’t sell your mailing list.</strong> It may seem tempting as a way to bring in some extra income, but think twice. Even though your customers may have opted in and consented to having their email addresses given to third parties, you can’t control what those third parties might do with it.</p>
<p><strong>3. Don’t respond to spam.</strong> Resist the urge to tell them off and ignore any unsubscribe links. If your email doesn’t bounce, it will simply tell the spammers that your address is active and responsive to spam.</p>
<p><strong>4. Invest in a throwaway email address.</strong> Sign up for a free account on Yahoo, Hotmail, Gmail or another free provider. Use it instead of your main account for registering on websites, shopping online, and so on; then ignore it. This keeps your main inbox free of spam.</p>
<p><strong>5. Watch your ports and relays.</strong> If your company isn’t using it, block port 25 and make sure your network isn’t hosting any open relays. This will eliminate two popular spam tools and keep your domain from ending up on a blacklist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/12/5-ways-to-make-a-spammer-hate-you/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Blocking Port 25 Really Does Thwart Spammers</title>
		<link>http://www.allspammedup.com/2011/11/blocking-port-25-really-does-thwart-spammers/</link>
		<comments>http://www.allspammedup.com/2011/11/blocking-port-25-really-does-thwart-spammers/#comments</comments>
		<pubDate>Mon, 28 Nov 2011 15:00:12 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6338</guid>
		<description><![CDATA[South Korea recently announced plans to fight the country&#8217;s growing spam problem by asking all ISPs to block all port 25 traffic - something that&#8217;s already done in Canada, many European countries, and by some ISPs here in the U.S. The reason blocking &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-160" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2008/10/spam-400x300.jpg" alt="" width="280" height="210" /></p>
<p>South Korea recently announced plans to fight the country&#8217;s growing spam problem by asking all ISPs to <a target="_blank" href="http://securitywatch.pcmag.com/spam/290525-radical-korean-spam-block-can-it-work">block all port 25 traffic</a> - something that&#8217;s already done in Canada, many European countries, and by some ISPs here in the U.S. Blocking port 25 helps cut down on spam because using alternate ports like 587 or 465 requires authentication, something botnets simply can&#8217;t provide. Although it seems simple enough, there are a few catches. For example, companies often use port 25 for authenticated access, and requiring ISPs to block it completely would cause serious problems for workers who telecommute or must log into their company&#8217;s intranet from a remote location. It&#8217;s also likely that, like most other anti-spam solutions, it would wind up being only a temporary fix, as spammers are sure to either find some way around it or find new ways to exploit webmail instead. Also, some critics say it punishes too many legit users.</p>
<p>I suppose the same could be said about CAPTCHA, which many users despise. Some visually impaired users find it impossible to get past, and even those with perfect vision often find them frustrating - I know I have. Sometimes they are so distorted or close together that it&#8217;s nearly impossible to decipher!</p>
<p>My ISP &#8211; Road Runner &#8211; doesn&#8217;t block port 25, and at last count I had 150 spam messages in my junk folder. Coincidence? Maybe. How do you feel about blocking port 25? Do you think it&#8217;s a good idea? Would it interfere with your business in any way? Please leave a comment and share your thoughts!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/11/blocking-port-25-really-does-thwart-spammers/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>CAPTCHA Cracked Again</title>
		<link>http://www.allspammedup.com/2011/11/captcha-cracked-again/</link>
		<comments>http://www.allspammedup.com/2011/11/captcha-cracked-again/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 15:00:37 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[CNN]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Decaptcha]]></category>
		<category><![CDATA[eBay]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[reCAPTCHA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>
		<category><![CDATA[Stanford University]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6204</guid>
		<description><![CDATA[We&#8217;ve all seen them before, those annoying combinations of letters and numbers that you have to type before sending a form or registering for a website. That’s right, we are talking about CAPTCHA. CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/11/Captcha.png"><img class="alignright size-medium wp-image-6205" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2011/11/Captcha-400x293.png" alt="" width="280" height="205" /></a>We&#8217;ve all seen them before, those annoying combinations of letters and numbers that you have to type before sending a form or registering for a website.</p>
<p>That’s right, we are talking about CAPTCHA.</p>
<p>CAPTCHA, or <strong>C</strong>ompletely <strong>A</strong>utomated <strong>P</strong>ublic <strong>T</strong>uring test to tell <strong>C</strong>omputers and <strong>H</strong>umans <strong>A</strong>part, is a simple challenge-response test given to make sure that whoever is filling out an online form is actually a human being, not a bot trolling the Internet for victims. Those bots are usually looking for email or contact forms that they can spam, or trying to register for services that they can use to send spam.</p>
<p>So despite the fact that many humans had trouble reading CAPTCHA phrases and entering them correctly, we put up with these little tests because it helped fight spam.</p>
<p>Little did we know that CAPTCHAs can easily be thwarted.<span id="more-6204"></span></p>
<h2>Past Problems with CAPTCHA</h2>
<p>Most people have encountered that one site with a CAPTCHA code so illegible that they try time and time again to enter it only to be met with: “Incorrect code, please try again.”</p>
<p>After too many unsuccessful attempts, people grow frustrated to the point that many web designers nowadays don’t recommend using CAPTCHA as a method for preventing spam. One designer used the analogy:</p>
<blockquote><p>“Using a CAPTCHA code on most sites is like using a Humvee to crack an egg”</p></blockquote>
<p>to show how overly aggressive this technique can be.</p>
<p>In addition to user frustrations, these codes haven’t always been the solution to problems with spam.</p>
<p>In 2008 Google found that bots were being used to create thousands of fake Gmail accounts despite its practice of using CAPTCHA to block fake, computer-generated registrations. Microsoft also found that its Live Mail service was being targeted by bots which were also creating fake accounts.</p>
<p>Both of these instances proved that CAPTCHA had been broken. And like any responsible security service, the folks who developed CAPTCHA went to work on fixing the holes that were used to bypass their security measures.</p>
<p>But that only lasted so long as well. In addition to fighting scammers who use technology to exploit the vulnerabilities in CAPTCHA, there is also the problem of outsourcing.</p>
<p>Spammers who don’t want to fight the system via superior technology have simply taken to paying people in China, India, Bangladesh and other developing countries to register by hand. These people sift through the jumbled text, diligently typing each character into the box and hitting submit, all for a whopping 80 cents per 1000 boxes deciphered. Some pay as high as $1.20 per 1000, and jobs like this are plentiful on the many freelancer sites out there.</p>
<h2>New Vulnerabilities Found</h2>
<p>Luckily, a good number of vulnerabilities are found by researchers whose intentions are to make security products better. People with phenomenal programming skills and the ability to think outside the box spend hours researching ways they can defeat computer systems in order to make them more secure.</p>
<p>So when a research team out of Stanford University claimed that they had found a way to defeat a number of CAPTCHA systems with a program called Decaptcha, people had to take notice.</p>
<p>The team, consisting of Elie Bursztein, Matthieu Martin, and John Mitchell, created a five-step process that removes all of the distortion and noise from the images so that the computer can more easily read the challenge and provide the correct response. And the results are pretty interesting. Visa’s Authorize.net was beaten 66% of the time, Blizzard Entertainment’s CAPTCHA system was bypassed 70% of the time, and other sites like CNN, eBay and Wikipedia also saw high success rates.</p>
<p>The only ones that were not beaten by Decaptcha were those used by Google and reCaptcha.</p>
<p>The Stanford team said they have no plans to release Decaptcha to the public; however, their findings mean that it is only a matter of time before criminal organizations find new ways to circumvent CAPTCHA yet again without having to exploit armies of third-world employees to do their dirty work for them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/11/captcha-cracked-again/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Spam News Roundup</title>
		<link>http://www.allspammedup.com/2011/07/spam-news-roundup/</link>
		<comments>http://www.allspammedup.com/2011/07/spam-news-roundup/#comments</comments>
		<pubDate>Fri, 01 Jul 2011 13:30:57 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4723</guid>
		<description><![CDATA[Spam is always in the news. Despite some reports that say overall levels are going down, spammers and their botnets are still hard at work filling inboxes and clogging social networks. Here’s a look at the latest spam news: New &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/06/shutterstock_72604891.jpg"><img class="alignright size-thumbnail wp-image-4732" style="margin: 10px; border: black 0px solid;" title="shutterstock_72604891" src="http://www.allspammedup.com/wp-content/uploads/2011/06/shutterstock_72604891-150x150.jpg" alt="" width="150" height="150" /></a>Spam is always in the news. Despite some reports that say overall levels are going down, spammers and their botnets are still hard at work filling inboxes and clogging social networks. Here’s a look at the latest spam news:</p>
<p><strong>New Zealand’s Anti-Spam Law Being Surveyed</strong></p>
<p><a target="_blank" href="http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&amp;objectid=10734862">http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&amp;objectid=10734862</a></p>
<p><strong>Travelodge Apologizes for Data Theft Related Spam</strong></p>
<p><a target="_blank" href="http://www.infosecurity-magazine.com/view/18938/travelodge-uk-confirms-no-financial-data-has-been-breached/">http://www.infosecurity-magazine.com/view/18938/travelodge-uk-confirms-no-financial-data-has-been-breached/</a></p>
<p><strong>Japan Bans Spam</strong></p>
<p><a target="_blank" href="http://www.dailymail.co.uk/news/article-2005891/Japan-passes-law-viruses-spam-emails-carrying-years-jail-time.html">http://www.dailymail.co.uk/news/article-2005891/Japan-passes-law-viruses-spam-emails-carrying-years-jail-time.html</a></p>
<p><strong>Researchers Crack Audio CAPTCHA</strong></p>
<p><a target="_blank" href="http://www.geekosystem.com/audio-captchas-defeated/">http://www.geekosystem.com/audio-captchas-defeated/</a></p>
<p><strong>FBI Shuts Down Coreflood Botnet</strong></p>
<p><a target="_blank" href="http://www.computerworld.com/s/article/9217883/Feds_claim_victory_over_Coreflood_botnet?taxonomyId=17">http://www.computerworld.com/s/article/9217883/Feds_claim_victory_over_Coreflood_botnet?taxonomyId=17</a></p>
<p>Have a story you’d like to share or have something to say about one of the ones we’ve listed? Leave a comment &#8211; we’d love to hear it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/07/spam-news-roundup/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>5 Criticisms of the Challenge-Response Solution</title>
		<link>http://www.allspammedup.com/2011/05/5-criticisms-of-the-challenge-response-solution/</link>
		<comments>http://www.allspammedup.com/2011/05/5-criticisms-of-the-challenge-response-solution/#comments</comments>
		<pubDate>Tue, 31 May 2011 17:22:16 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Challenge-response authentication]]></category>
		<category><![CDATA[Denial-of-service attack]]></category>
		<category><![CDATA[Electronic mailing list]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[John C. Dvorak]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=4364</guid>
		<description><![CDATA[I usually enjoy reading John C. Dvorak’s rants on popular technology so when he took on challenge-response anti-spam solutions I knew that it would be another great read. Like Dvorak, I find the growing popularity of using a challenge-response solution &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2011/05/identity-confirmation.jpg"><img class="size-full wp-image-4365 alignright" style="margin: 10px; border: 0px solid black;" src="http://www.allspammedup.com/wp-content/uploads/2011/05/identity-confirmation.jpg" alt="" width="280" height="280" /></a></p>
<p>I usually enjoy reading John C. Dvorak’s rants on popular technology so when he took on <a target="_blank" href="http://www.pcmag.com/article2/0,2817,2386036,00.asp?kc=PCRSS03079TX1K0000585">challenge-response anti-spam solutions</a> I knew that it would be another great read.</p>
<p>Like Dvorak, I find the growing popularity of using a challenge-response solution to spam annoying. For those of you who have never seen this in action, here is a quick overview of how it works:</p>
<ol>
<li>You send an email to someone: a client, business colleague, friend, co-worker, etc.</li>
<li>Their email system, using a challenge-response, holds your email.</li>
<li>You are sent a response email asking you to perform a simple task to prove that you are not a spammer.</li>
<li>You take time and complete the task.</li>
<li>Your original email is delivered successfully to the recipient and your email is added to the whitelist.</li>
</ol>
<p>Sounds like a silver bullet solution, right? After all, if we all used this, spam would eventually be eliminated. Yet while that sounds good on paper, Dvorak brings up a rather obvious point. If I am using a challenge-response system and you are using one, then what happens when I send you an email? Your email system will respond with a challenge to my email, which will in turn respond with a challenge to your email. The process will continue and neither of us will ever communicate with the other. Now imagine if that original email was a legitimate job offer that doubled your salary!<sup>1</sup></p>
<p><sup><span id="more-4364"></span></sup>While this scenario pointed out in Dvorak’s article may seem a bit extreme, the challenge-response method of fighting spam does have some more realistic issues associated with it.</p>
<h2>Other criticisms</h2>
<ul>
<li>Forged email addresses</li>
</ul>
<p>We all know that spammers not only rely on fake email addresses, but they also make use of forged email addresses to help sneak past DNS block lists. Challenge-response in this situation would now create email backscatter for the person that owns the forged email address.</p>
<ul>
<li>Missing out on automailings</li>
</ul>
<p>Most challenge-response systems don’t play well with automated mailers so when you change a password, you may never receive the appropriate link or information to do so. Expecting a receipt or delivery confirmation for something you bought online? It may never make it to your inbox. Still waiting for that online newsletter you subscribed to? Consider that blocked by your challenge-response.</p>
<ul>
<li>Social shortcomings</li>
</ul>
<p>The quickest way to alienate someone is to ask them to do extra work when they are trying to give you something. Email is still the number one method of business communication and asking someone to add a couple of numbers or enter a CAPTCHA code just so the email they sent you can be delivered is saying, <em>my time is much more important than yours.</em></p>
<ul>
<li>Reverse engineering</li>
</ul>
<p>As challenge-response systems are used more often, spammers have taken notice. However, they haven’t quite given up on their efforts; in fact, they have used this technology to their benefit. Challenge-response messages are forged by spammers and sent to their email lists. Anyone who responds to the challenge not only confirms that the email address is valid, but also tells the spammer that this person reads their email and has a high probability of taking action without knowing who the sender of the message is.</p>
<p>In theory, this can also be applied to a denial of service attack against a forged email address/server. By sending a flood of challenges to a specific user or organization, an attacker could easily render a mailbox or mail server useless and shift blame to the company that employs the challenge-response system.</p>
<p>The way I see it, challenge-response is a lazy way to fight spam. There are so many viable solutions for dealing with unwanted email that do not shift the burden onto the backs of legitimate senders. The more people use systems like this, the more attractive other forms of communication become. Having users rely solely on SMS messaging, social media communication or even good old phone conversations can be a nightmare for archiving and compliance.</p>
<p><sup>1</sup>Most high-end challenge-response systems employ an explicit ringing detector to make sure that scenarios like the one mentioned do not happen. However, not all challenge-response systems are implemented with this type of technology, or they are not configured properly in all cases, resulting in a constant ping of messages between systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/05/5-criticisms-of-the-challenge-response-solution/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Four Simple Anti-Spam Projects to make a Difference</title>
		<link>http://www.allspammedup.com/2011/02/four-simple-anti-spam-projects-to-make-a-difference/</link>
		<comments>http://www.allspammedup.com/2011/02/four-simple-anti-spam-projects-to-make-a-difference/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 16:09:49 +0000</pubDate>
		<dc:creator>Paul Mah</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3733</guid>
		<description><![CDATA[Fed up with spam?  Or perhaps your CEO is, and has been pressing you to come up with some concrete plans in 2011 to reduce the amount of digital trash he has to wade through every morning.  Now, regular readers &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-3734" src="http://www.allspammedup.com/wp-content/uploads/2011/02/Projects.jpg" alt="" width="250" height="250" />Fed up with spam?  Or perhaps your CEO is, and has been pressing you to come up with some concrete plans in 2011 to reduce the amount of digital trash he has to wade through every morning.  Now, regular readers will know that the fight against spam is a long and arduous one, as spammers are constantly modifying and adapting their tactics to circumvent antispam measures.</p>
<p>In case you are hard-pressed to put together concrete plans to combat spam, I&#8217;ve outlined a number of antispam projects that you can easily put into action &#8211; and make a difference in your organization.</p>
<h2><strong>1. Implement CAPTCHA and Feedback Forms</strong></h2>
<p>What better way to kick-start a brand new year than to set up a first line of defense against spam right at your company&#8217;s website?  In spite of the avalanche of spam that we are experiencing today, a surprisingly high number of websites and blogs still do not implement any defense against comment spam and the automated harvesting of email addresses.  While certainly not foolproof, CAPTCHAs should eliminate the majority of comment spam, and are relatively easy to implement.</p>
<p>And all it takes to thwart a spammer from harvesting email addresses from a website is to create a feedback form to hide the email addresses from spammers.  Moreover, brute-force attempts can be easily negated by coding in the appropriate logic to bar repeated submissions from the same IP address. Care must be taken to periodically check that the form is still functioning correctly, of course, and that personnel changes are updated appropriately.</p>
<h2><span id="more-3733"></span><strong>2. Ditch client-based filtering for a centralized solution</strong></h2>
<p>If you&#8217;ve not implemented a centralized spam filtering solution yet, be sure to put it in your plans for the year.  While many anti-malware products and even email clients incorporate some form of anti-spam capabilities these days, they are often ineffectual or end up generating a high percentage of false positives.</p>
<p>On the other hand, a centralized solution allows businesses to incorporate advanced functionalities that will better equip businesses to defend against the evolving techniques of spammers.  This could range from outright blacklisting of known spammers using DNSBL, to Bayesian filtering algorithms implemented on a powerful central server.  An alternative centralized option would be to go for <a href="http://www.allspammedup.com/2010/08/some-reasons-to-consider-hosted-spam-filtering/" target="_blank">hosted spam filtering</a>.</p>
<h2><strong>3. Adopt an aggressive stance towards patching </strong></h2>
<p>While not directly related to stopping the appearance of spam in your mailbox, it is a well-established fact that the majority of spam proliferates via remotely commandeered client endpoints.  The same applies to servers, which are sometimes targeted by spammers for use as a <a href="http://www.allspammedup.com/2009/08/understanding-how-botnets-work/">control node for a botnet</a> or simply as a more powerful spamming machine.  In addition, local nodes used to distribute spam can consume precious bandwidth too, or cause your company&#8217;s IP address to be blacklisted.</p>
<p>The best way to defend against such malware would be to adopt an aggressive patching strategy.  This entails some initial work collating an exhaustive list of software used by your company.  Once done, have someone assigned to check regularly for the availability of security patches for this software, and to also ensure that operating system updates are installed.</p>
<h2><strong>4. Protect your email account from hacking</strong></h2>
<p>In a bid to spread spam, some spammers have been known to break into email inboxes to get their hands on new email addresses.  This works for cloud-based inboxes or Exchange hosted emails where emails are stored on the servers, which allows the spammers to harvest &#8220;fresh&#8221; email addresses for their nefarious objective.</p>
<p>To avoid being a victim, companies that have a &#8220;Recover forgotten password&#8221; feature need to make sure it doesn&#8217;t rely on easily guessable information such as the name of a pet or special dates &#8211; information easily recovered via social networking sites these days.  Best of all, implement a system that sends the reset information to a mobile phone, not a user-supplied email address.</p>
<p>I hope the above pointers prove useful to you.  Do feel free to pick any one of them (or all of them) as the basis of your next project implementation.  If you have additional ideas for anti-spam projects not mentioned above, do <strong>share them in the comment field below</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/02/four-simple-anti-spam-projects-to-make-a-difference/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Google reCAPTCHA cracked</title>
		<link>http://www.allspammedup.com/2011/01/google-recaptcha-cracked/</link>
		<comments>http://www.allspammedup.com/2011/01/google-recaptcha-cracked/#comments</comments>
		<pubDate>Wed, 05 Jan 2011 09:20:58 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2016</guid>
		<description><![CDATA[Despite denials from Google, a security researcher continues to assert that the Search King&#8217;s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers. Researcher Jonathan Wilkins published a paper recently that included &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2019" src="http://www.allspammedup.com/wp-content/uploads/2009/12/recaptcha_1483594c-Custom.jpg" alt="recaptcha_1483594c (Custom)" width="250" height="157" />Despite denials from Google, a security researcher <a target="_blank" href="http://www.h-online.com/security/news/item/New-Google-CAPTCHAs-now-cracked-892621.html">continues to assert</a> that the Search King&#8217;s <a target="_blank" href="http://recaptcha.net/">reCAPTCHA</a> system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.</p>
<p>Researcher <a target="_blank" href="http://www.jwilkins.com/">Jonathan Wilkins</a> published a paper recently that included an analysis of reCAPTCHA&#8217;s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.</p>
<p>CAPTCHA&#8211;which stands for Completely Automated Public Turing test to tell Computers and Humans Apart&#8211;is a method for foiling automated attacks by spammers on Web sites. Before a Net surfer can perform a task at a site, such as setting up an email account or adding comments to a blog posting, he or she is presented with the image of a word or phrase that has been distressed in some way. The warped image is intended to thwart scanners and optical recognition software programs used to automate the compromising of web sites by spammers. The idea is that humans can read the characters in the image and type them into a form while machines can&#8217;t.</p>
<p>Some simple math reveals just how alarming Wilkins&#8217; findings are. The operator of even a modest botnet of 10,000 machines would be perfectly happy with a success rate of 0.01 percent. That would mean 10 new Gmail accounts could be created every second or 864,000 new accounts a day from which spam could be launched.</p>
<p>Google counters that Wilkins&#8217; test targeted an old form of reCAPTCHA from 2008 that&#8217;s been changed. &#8220;[T]his study does not reflect the effectiveness of reCAPTCHA&#8217;s current technology against machine solvers,&#8221; a Google spokesperson <a target="_blank" href="http://www.theregister.co.uk/2009/12/14/google_recaptcha_busted/">told The Register</a>. &#8220;We&#8217;ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we&#8217;ve received very positive feedback from customers.&#8221;<span id="more-2016"></span></p>
<p>Wilkins acknowledged that his initial tests were on an older version of reCAPTCHA, but since that time, he has conducted tests on the new images produced by the system and found them to be even weaker than the older ones. In one of his original tests on the system, his success rate was five in 200. When that test was run on the new reCAPTCHA, the rate was 23 in 100.</p>
<p>The major difference between the old and new versions of reCAPTCHA, according to Wilkins, is the use of horizontal lines to obscure the characters in the image. While the use of the lines makes it harder for machines to recognize a reCAPTCHA phrase&#8211;although Wilkins asserts the lines can be subverted easily by spammers&#8211;it also makes the phrase harder for humans to read. New reCAPTCHA images drop the lines but add distortion to the image. They&#8217;re easier to read for humans, but, alas, they&#8217;re also easier for machines to crack.</p>
<p>Unlike most CAPTCHA systems, Google&#8217;s uses images with two words. That&#8217;s because Google uses reCAPTCHA for two purposes. Like other CAPTCHA systems, it&#8217;s designed to frustrate spammers, but it&#8217;s also incorporated into Google&#8217;s efforts to digitize books. When a word in a book scan can&#8217;t be recognized by Google&#8217;s OCR software, it&#8217;s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn&#8217;t, without having to hire human editors to review scanning results.</p>
<p>One weakness of CAPTCHA schemes, though, is that they use words that can be found in a dictionary. This makes it easier for machines to crack the phrases because they have something to compare them to for errors.</p>
<p>In addition, reCAPTCHA uses a &#8220;one-off&#8221; system. That means a letter in a word can be incorrect, and it will still be accepted by the system.<br />
So if the reCAPTCHA phrase contains the word &#8220;meat&#8221; and a Webster enters &#8220;peat,&#8221; his or her response will still be interpreted as a valid one.</p>
<p>Some alternatives to CAPTCHA avoid words entirely. Microsoft, for instance, has developed a scheme called Asirra that is totally based on images of cats and dogs. To perform a task protected by <a target="_blank" href="http://research.microsoft.com/en-us/um/redmond/projects/asirra/">Asirra</a>, a netizen is presented with an array of 12 pictures and asked to identify each as either a canine or feline. This method is called Human Interactive Proof, or HIP.</p>
<p>To be effective, HIP systems need to be supported by large databases that tax the computational power of an attacking spammer. Microsoft does that by using the picture database at Petfinder.com, which contains some three million photos.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2011/01/google-recaptcha-cracked/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>Videos used to foil spammers</title>
		<link>http://www.allspammedup.com/2010/11/videos-used-to-foil-spammers/</link>
		<comments>http://www.allspammedup.com/2010/11/videos-used-to-foil-spammers/#comments</comments>
		<pubDate>Thu, 11 Nov 2010 16:19:50 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3292</guid>
		<description><![CDATA[As every spamfighter knows, junko artists are resilient. Almost as fast as new obstacles are thrown in their path, they cook up a way to counter them. CAPTCHA, for example, initially created an effective barrier to spambots, an automated means &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2010/11/NuCaptcha.jpg"><img class="alignright size-full wp-image-3293" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/11/NuCaptcha.jpg" alt="" width="363" height="311" /></a>As every spamfighter knows, junko artists are resilient. Almost as fast as new obstacles are thrown in their path, they cook up a way to counter them.</p>
<p>CAPTCHA, for example, initially created an effective barrier to spambots, an automated means for spreading electronic effluent throughout the Internet. The technology&#8211;Completely Automated Public Turing test to tell Computers and Humans Apart&#8211;requires human intervention to open an account or comment on web content. No problemo, declared spammers, who <a href="http://www.allspammedup.com/2010/10/mr-e-breaks-captchas-for-a-living/">hired thousands of wage slaves</a> to crack the codes.</p>
<p>Now spamfighters are turning to video to block their nemesis. A company called NuCaptcha has developed a platform that does just that. The videos display a line of distressed text that pans across the screen. Within the line is a word in red that a viewer is asked to type into a form field. It&#8217;s important to note that the text is only slightly distressed and very readable. That&#8217;s important because as spambots have become more proficient at cracking CAPTCHAs, CAPTCHA makers have made the CAPTCHAs harder to read by severely distressing the text in them and adding &#8220;noise&#8221; to confuse OCR-based bots. The result is annoyed users who just toss their hands in the air in frustration and move on never to return to a site again. One of the most commonly used CAPTCHA systems, Google reCAPTCHA, for example, has a <a href="http://www.allspammedup.com/2010/01/google-recaptcha-cracked/">failure rate of 23 percent</a>.</p>
<p><span id="more-3292"></span>Video CAPTCHAs can baffle spambots and &#8220;cracktations&#8221; better than static CAPTCHAs, according to NuCaptcha. CAPTCHA is designed to foil spambots in a couple of ways. First, it uses the image of a word instead of characters. Second, it degrades the letters in a word and, in some cases, adds noise to the image. Those things make it difficult for optical recognition technologies to interpret the letters and words in the image. NuCaptcha adds a third element to the mix: motion.</p>
<blockquote><p>          &#8220;We innately decode motion all the time,&#8221; <a target="_blank" href="http://www.nucaptcha.com/resources/view/mori_report">explained Greg Mori</a>, an associate professor at the School of Computer Science at Simon Fraser University in Burnaby, British Columbia, Canada. &#8220;If you see cars driving on a busy highway there is no confusion. Each car is distinct and separate from the others. Points that move together are automatically grouped together in our minds.&#8221;</p>
<p>&#8220;By animating the positions of letters in a NuCaptcha it is simultaneously easier for humans and more difficult for software,&#8221; he continued. &#8220;It becomes easier for humans because our minds automatically group the points representing individual letters together as they move. We no longer see a static group of pixels representing five letters jumbled together. Instead we see five individual letters that are moving.&#8221;</p>
<p>&#8220;It becomes more difficult for software to segment because NuCaptcha can pack the letters closer together with significant overlap,&#8221; he added. &#8220;This commingling of letters is very difficult for software to segment. More tightly packed letters that are moving are perceived as easier to read than less tightly packed letters that are static.&#8221;</p></blockquote>
<p>Moreover, NuCaptcha is designed to be highly variable. That means that each NuCaptcha that appears at a site looks different to an attacking spambot. It&#8217;s as if each NuCaptcha was created by a different CAPTCHA system.</p>
<p>That&#8217;s all well and good, but what happens when a spammer deploys humans to break the NuCaptchas? The answer is the NuCaptchas will be solved. But the makers of NuCaptcha have figured out how to make that work to their advantage, too.</p>
<p>Marshalling a horde of low-wage laborers to crack CAPTCHAs is an expensive proposition. To make economic sense, the CAPTCHAs have to be solved quickly. Typically, an ordinary web surfer takes about 10 seconds to solve a CAPTCHA. Cracktation workers break CAPTCHAs much faster than that&#8211;less than four seconds. While no CAPTCHA system can keep humans from solving their output, it really isn&#8217;t necessary. All that has to be done is to increase the time it takes to solve CAPTCHAs. The economics of the business will take care of the rest.</p>
<blockquote><p>          &#8220;NuCaptcha thwarts groups of human solvers by increasing their costs to prohibitive levels,&#8221; Mori observes. &#8220;The duration of a NuCaptcha animation can be varied, for instance [an] eight or 12 seconds pass before the code string appears. This alone will double or triple the cost of using human solvers. No other image-based Captcha can provide this type of defense against human solvers.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/11/videos-used-to-foil-spammers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;Mr. E&#8221; breaks CAPTCHAs for a living</title>
		<link>http://www.allspammedup.com/2010/10/mr-e-breaks-captchas-for-a-living/</link>
		<comments>http://www.allspammedup.com/2010/10/mr-e-breaks-captchas-for-a-living/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 14:27:43 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3192</guid>
		<description><![CDATA[To curb the exploitation by spammers of webmail and the comment sections at websites, White Hats created an ingenious system called CAPTCHA&#8211;&#8221;Completely Automated Public Turing test to tell Computers and Humans Apart.&#8221; The system is simple but effective. It displays &#8230;
]]></description>
			<content:encoded><![CDATA[<div id="attachment_3216" class="wp-caption alignright" style="width: 385px"><a href="http://www.allspammedup.com/wp-content/uploads/2010/10/Captcha.jpg"><img class="size-full wp-image-3216" src="http://www.allspammedup.com/wp-content/uploads/2010/10/Captcha.jpg" alt="" width="375" height="184" /></a><p class="wp-caption-text">An interface used by wage slaves to break CAPTCHAs.</p></div>
<p>To curb the exploitation by spammers of webmail and the comment sections at websites, White Hats created an ingenious system called CAPTCHA&#8211;&#8221;Completely Automated Public Turing test to tell Computers and Humans Apart.&#8221;</p>
<p>The system is simple but effective. It displays some distressed text on a computer screen and asks whoever wants to register at a website, set up a webmail account, comment at a blog or such to type the letters into a form. The theory is that a machine won&#8217;t be able to pass the &#8220;test,&#8221; while humans won&#8217;t have a problem with it.</p>
<p>That assumption, in large part, has proven to be correct. Although spammers have developed automated techniques for cracking CAPTCHAs, those techniques have proven to be too expensive for run-of-the-mill spammers to use. What the spam fighters didn&#8217;t count on, though, was for human wave attacks to be mounted against their CAPTCHA systems. Those attacks are created by services that employ hundreds of workers paid slave wages to crack CAPTCHAs hour after hour.</p>
<p>An operator of one of those CAPTCHA plantations was recently interviewed by researchers at the University of California, San Diego&#8211;Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker and Stefan Savage&#8211;for their paper &#8220;Understanding CAPTCHA-Solving Services in an Economic Context.&#8221; The operator, who agreed to talk with the boffins on condition of anonymity, is referred to throughout the paper as &#8220;Mr. E.&#8221; Here are some of the insights he gave the researchers about his business.</p>
<p><span id="more-3192"></span>As might be expected, Mr. E discounted the value of automated CAPTCHA systems. To his mind, websites reacted too quickly to automated attacks to make them cost effective. &#8220;It is a big waste of time,&#8221; he told the researchers.</p>
<p>The academics explained the economics governing the situation like this. Suppose it costs $10,000 for an automated solution that&#8217;s only 30 percent accurate in breaking CAPTCHAs&#8211;not an untypical accuracy rate for such software. Some 65 million attacks would have to be mounted before the approach bested hiring a service using human labor at a common rate of 50 cents per 1000 CAPTCHAs cracked.</p>
<p>However, research indicates that &#8220;CAPTCHA providers are well able to respond before such amortization is successful.&#8221;</p>
<p>&#8220;For these reasons, software solvers appear to have been relegated to a niche status in the solving ecosystem&#8211;focusing on those CAPTCHAs that are static or change slowly in response to pressure,&#8221; the researchers wrote. &#8220;While a technological breakthrough could reverse this state of affairs, for now it appears that human-based solving has come to dominate the commercial market for service.&#8221;</p>
<p>A problem with using cheap labor for any economic activity is that there&#8217;s always another place in the world willing to undercut your business. A survey by the researchers of advertising for CAPTCHA breakers from 2007-2009 shows how wages have declined as the popularity of the services has grown. In 2007, a common rate for cracking CAPTCHAs was $10 per 1000. By the middle of 2008, it had dropped to $1 per 1000. A year later, it was 75 cents per 1000. Today, it&#8217;s common to find crackers working for 50 cents a thousand.</p>
<p>&#8220;This downward price pressure reflects the commodity nature of CAPTCHA solving,&#8221; the researchers explained. &#8220;Since solving is an unskilled activity, it can easily be sourced, via the Internet, from the most advantageous labor market&#8211;namely the one with the lowest labor cost.&#8221;</p>
<p>&#8220;We see anecdotal evidence of precisely this pattern as advertisers switched from pursuing laborers in Eastern Europe to those in Bangladesh, China, India and Vietnam,&#8221; they added.</p>
<p>To offset the pressure to shrink wages and squeeze profits, operators like Mr. E have forged partnerships with spamware makers. Indeed, he confessed to the researchers that such deals have become a primary profit center for his business, and he has designed a variety of revenue-sharing offerings to attract those kinds of partners to employ his services.</p>
<p>In a typical arrangement, a maker of software for bulk creation of accounts on places like Gmail, Yahoo or Craigslist or for spamming blogs and website forums will hook up with a CAPTCHA busting service to present spammers with a total package. The sell is, &#8220;We&#8217;ll break the CAPTCHAs and deliver your spam for you.&#8221;</p>
<p>That kind of turnkey solution allows Mr. E and his ilk to boost their retail rates. The typical retail market rate for a naked CAPTCHA cracking service is $2 per 1000, but it can be as low as $1 a thousand, the researchers revealed. Couple that service with a spamware partner, though, and the rates rise to $7 per 1000 and in some cases, they&#8217;re as high as $20 per 1000.</p>
<p>In the case of Mr. E, whose pricing is in the middle of the pack, that can mean big bucks. He told the researchers that 50 percent of his revenue is profit, 10 percent is used to pay for servers and bandwidth and the remaining 40 percent goes into wages for workers and incentives for his spamware partners.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/10/mr-e-breaks-captchas-for-a-living/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New CAPTCHA Alternative Uses Ads Instead of Random Words</title>
		<link>http://www.allspammedup.com/2010/09/new-captcha-alternative-uses-ads-instead-of-random-words/</link>
		<comments>http://www.allspammedup.com/2010/09/new-captcha-alternative-uses-ads-instead-of-random-words/#comments</comments>
		<pubDate>Mon, 27 Sep 2010 13:00:10 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=3079</guid>
		<description><![CDATA[A new company has unveiled its CAPTCHA replacement and says it believes it is a viable option. The platform, called TYPE-IN, uses ads instead of the random words and phrases that traditional CAPTCHA platforms use. In those platforms the words &#8230;
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.allspammedup.com/wp-content/uploads/2009/02/modern-captcha.jpg"><img class="alignright size-full wp-image-480" src="http://www.allspammedup.com/wp-content/uploads/2009/02/modern-captcha.jpg" alt="" width="300" height="57" /></a>A new company has unveiled its CAPTCHA replacement and says it believes it is a viable option. The platform, called TYPE-IN, uses ads instead of the random words and phrases that traditional CAPTCHA platforms use. In those platforms the words are distorted in various ways to make solving them difficult for computerized programs, but instead they became annoying to humans who found them difficult as well. Worse still, spammers and other cybercriminals managed to crack most of them, either by using automated programs or by paying actual humans to solve them. This has become big business in places like India where companies have sprung up offering the service with package deals such as $1.20 per 1,000 solved CAPTCHAs. This type of job seems to be very attractive in countries where $2 an hour is considered a high wage. The work is boring however and the turnover level is high.</p>
<p>TYPE-IN uses ads instead of the random words and phrases, or in reCAPTCHA’s case, words from scanned-in books. The ads include a slogan in quotes and the user is asked to type that slogan in. Solve Media, the company behind this new platform, says TYPE-IN saves users time and brings added revenue to publishers. To foil spammers, the pixels in each ad are manipulated slightly, which keeps automated programs from reading them.</p>
<p>There’s nothing in this new platform that will keep those spammers from hiring people to type in the slogans for them, though, so the problem isn&#8217;t entirely solved.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/09/new-captcha-alternative-uses-ads-instead-of-random-words/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>4 Ways to Protect Email Addresses on Websites, That Don&#8217;t Really Work</title>
		<link>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/</link>
		<comments>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 06:17:34 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2280</guid>
		<description><![CDATA[The Techbusy.org blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page. The reason behind it is simple – spammers use spiders (much the same as search engines do) &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2285" src="http://www.allspammedup.com/wp-content/uploads/2010/03/hiding.jpg" alt="hiding" width="250" height="202" />The <a target="_blank" href="http://www.techbusy.org/blog/hide-your-email-address-from-spam-and-hackers/727/">Techbusy.org</a> blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page.</p>
<p>The reason behind it is simple – spammers use spiders (much the same as search engines do) to crawl web pages looking for email addresses in the familiar something@something.com format.  When they find one they will add it to their address database and start sending it spam.</p>
<p>It’s true, and if you were to list your email address on your website it would quickly be discovered and you’ll start receiving spam.  Of course it’s also true that most email addresses will receive spam shortly after they are created thanks to the many ways in which <a href="http://www.allspammedup.com/2009/04/this-is-why-you-get-spam-emails/">spammers find your email address</a>.</p>
<p>The 4 techniques proposed by Techbusy.org fall into either the “security by obscurity” category (also known as “things that make you feel more secure but really don’t help”), or the “makes it harder for real people to email you” category.</p>
<p>The former is wasted effort, and the latter is not good for businesses who want to hear from potential customers via email.  So let’s take a closer look at the 4 tips.<span id="more-2280"></span></p>
<p><strong>Write it differently</strong> – This means writing the address in a non-standard way, such as paul[@]exchangeserverpro[dot]com.  The idea is that by avoiding the @ symbol a web crawler won’t detect that it is an email address.</p>
<p>This technique is poor in two ways – firstly, spammers aren’t silly and will look for other text patterns that indicate it is an email address.  Changing @ to [at] is pointless if the crawler also looks for [at].  Secondly, it means a customer has to interpret your obscured email address into its real form and manually type it out, rather than just being able to click a link to send you an email.</p>
<p><strong>Display it as an image</strong> – This means making an image such as a JPG that contains the email address and embedding that in your web page.</p>
<p>This technique is also poor in two ways – firstly spammers now use character recognition software in their harvesting arsenal and so can read text in images as well (just as anti-spam products can).  Secondly, you are once again making it harder for customers to email you.</p>
<p><strong>Obscure it with Javascript</strong> – This means using a special script in the HTML web page that will display the email address to web browsers but hide (or obscure) it in the underlying HTML code.</p>
<p>This technique is at least friendly to your customers who want to email you.  Unfortunately it is ineffective against any moderately sophisticated web crawler.  Often the script will fall back to a plain text version of the email address for visitors without Javascript enabled, in order to maintain accessibility.  This also tends to include the spammer’s crawlers.  Sometimes the fallback version is obscured with [at] but as mentioned earlier this is also quite ineffective.</p>
<p><strong>Use a CAPTCHA</strong> – This means hiding some or all of the email address until the visitor solves a CAPTCHA challenge.</p>
<p>CAPTCHA is a popular spam prevention method on most web forms such as the signup form for a free webmail service.  The idea is to present a challenge that an automated process cannot defeat, but is intended to be easy for a real human to defeat.</p>
<p>Unfortunately CAPTCHAs are often broken by spammers either by cracking a flaw in the underlying code, by reading the CAPTCHA text with character recognition, or simply by tricking other humans into answering them.  On the other side of that are some CAPTCHA systems that are so sophisticated that spammers cannot defeat them, but this also makes them more difficult for humans which once again can impact your customers.</p>
<p>So for all 4 of these tips there seem to be either serious downsides or they are simply ineffective in stopping spammers.  You might be wondering then how you can go about protecting email addresses while still making it possible for customers to reach you.</p>
<p>In a <a href="http://www.allspammedup.com/2009/05/reducing-spam-for-publicly-disclosed-email-accounts/">previous post</a> I suggested the use of contact forms.  These forms can have strong anti-spam features built into them, such as blocking form submissions from the same sorts of IP addresses that you find on email block lists such as Spamhaus.</p>
<p>If you must publish email addresses on a web page where spammers can discover them, you should certainly invest in effective anti-spam filtering for your network.  A good anti-spam product will block spam no matter how the spammer discovered your address in the first place.  Implementing such a system will be of far more benefit to your email users than simply trying to obscure email addresses on web pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bredolab Pushing New Spam Engine</title>
		<link>http://www.allspammedup.com/2010/01/bredolab-pushing-new-spam-engine/</link>
		<comments>http://www.allspammedup.com/2010/01/bredolab-pushing-new-spam-engine/#comments</comments>
		<pubDate>Tue, 26 Jan 2010 15:19:24 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[spam engine]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2090</guid>
		<description><![CDATA[Experts say the Bredolab botnet is now linked to a spam engine called Webwail that has led to a huge spike in its activity. The spam it’s pumping out is nothing new: fake notifications from UPS claiming a package could not &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Experts say the Bredolab botnet is now linked to a spam engine called Webwail that has led to a huge spike in its activity. <img class="alignright size-full wp-image-1931" src="http://www.allspammedup.com/wp-content/uploads/2009/12/6455-746628.jpg" alt="6455-746628" width="191" height="157" />The spam it’s pumping out is nothing new: fake notifications from UPS claiming a package could not be delivered and directing the recipient to open the attached file to print out an invoice needed to pick it up. The attachment contains a hidden exe file that downloads the Cutwail Trojan and Webwail.</p>
<p>Webwail is a sophisticated engine that has library updates, a scripting engine and the ability to crack CAPTCHAs in 30 seconds or less. The engine also reports errors back to its command server so changes can be made quickly. Currently it’s being directed to create Hotmail accounts.</p>
<p>Captcha cracking is a hot business thanks to engines like Webwail. Botnet herders and spammers advertise for people willing to crack them for .60 to .80 per 1000 CAPTCHAs solved. Spammers want the free webmail accounts they can get by solving them so they can spam from an address not likely to be blocked by a spam filter.</p>
<p>Bredolab spent the holidays delivering the Zbot banking Trojan. Considered simplistic in the botnet world, Bredolab is little more than a “loader” that connects to a remote server, collects files, and executes them. Some experts think such loaders could be our next big threat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/01/bredolab-pushing-new-spam-engine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Researchers Find Flaws in Google&#8217;s reCAPTCHA</title>
		<link>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/</link>
		<comments>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/#comments</comments>
		<pubDate>Fri, 18 Dec 2009 14:10:45 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Koobface]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1949</guid>
		<description><![CDATA[A new report by security researchers claims that Google’s reCAPTCHA system is flawed &#8211; so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour resulting in over 850,000 fake accounts being &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1954" src="http://www.allspammedup.com/wp-content/uploads/2009/12/1_google_logo.jpg" alt="1_google_logo" width="172" height="121" />A new report by security researchers claims that Google’s reCAPTCHA system is flawed &#8211; so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services, the human factor, but with a twist.</p>
<p>The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet&#8217;s C&amp;C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.</p>
<p>The underground economy of human driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.</p>
<p>Google denies that their reCAPTCHA is flawed, claiming the data used in the report is outdated.</p>
<blockquote><p>&#8220;Therefore, this study does not reflect the effectiveness of reCAPTCHA&#8217;s current technology against machine solvers,&#8221; said a Google spokesman. &#8220;We&#8217;ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we&#8217;ve received very positive feedback from customers.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/12/researchers-find-flaws-in-googles-recaptcha/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Image Based Captcha Being Tested</title>
		<link>http://www.allspammedup.com/2009/05/new-image-based-captcha-being-tested/</link>
		<comments>http://www.allspammedup.com/2009/05/new-image-based-captcha-being-tested/#comments</comments>
		<pubDate>Tue, 26 May 2009 12:50:58 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1037</guid>
		<description><![CDATA[Researchers at Google have begun testing a new image based captcha they say can help sites fight back against spammers and fraudsters. The new captchas present the user with an upside down image. All they have to do is flip &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Researchers at Google have begun testing a new image based captcha they say can help sites fight back against <img class="alignright size-full wp-image-1039" title="New Image Based Captcha Being Tested " src="http://www.allspammedup.com/wp-content/uploads/2009/05/6a00d83451b09469e200e5527943058833-800wi1.png" alt="6a00d83451b09469e200e5527943058833-800wi1" width="123" height="106" />spammers and fraudsters. The new captchas present the user with an upside down image. All they have to do is flip it so it’s right side up. Simple, right? Not for machines! The system rejects any image that a computer may have learned to recognize, such as human faces.</p>
<blockquote><p>The new puzzles could be built around a site’s theme — for instance, cartoons at a Disney site, or objects for sale at eBay, said Rich Gossweiler, a senior research scientist at Google who led the team that developed the system. It can be put in place rapidly, he said, and has an almost limitless supply of images. “Our technique expands the vocabulary of captchas” beyond obfuscated characters, he said. “And it might make the process less of a chore. It’s fun to solve a puzzle.”</p></blockquote>
<p>Since the traditional text based captchas have long since been cracked by scammers, this new image based type might be just what the doctor ordered. Text based captchas are easily solved by machines and in some cases, the scammers simply pay real people a few cents for every captcha they solve. This leads to thousands of fake email accounts being set up and used for spamming or phishing.</p>
<p>A new kind of audio captcha, used for people who are unable to handle the text or image varieties due to disabilities, is also being tested. This one uses phrases from old radio shows instead of random words. Researchers say this makes it much harder for machines to understand and solve.</p>
<p>Will these new captchas save the day and make the technology valuable again? Only time will tell.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/05/new-image-based-captcha-being-tested/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reducing Spam for Publicly Disclosed Email Accounts</title>
		<link>http://www.allspammedup.com/2009/05/reducing-spam-for-publicly-disclosed-email-accounts/</link>
		<comments>http://www.allspammedup.com/2009/05/reducing-spam-for-publicly-disclosed-email-accounts/#comments</comments>
		<pubDate>Thu, 07 May 2009 12:39:45 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=940</guid>
		<description><![CDATA[Sometimes it seems as though a lot of effort is put into hiding email addresses, keeping them private, and screening them heavily for any trace of spam or unwanted email.  Of course at the end of the day email is &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-941" title="Reducing Spam for Publicly Disclosed Email Accounts" src="http://www.allspammedup.com/wp-content/uploads/2009/05/inbox.jpg" alt="inbox" width="250" height="167" />Sometimes it seems as though a lot of effort is put into hiding email addresses, keeping them private, and screening them heavily for any trace of spam or unwanted email.  Of course at the end of the day email is an important business communication channel and needs to be open and usable to provide any value to an organisation.</p>
<p>While Bob in Accounting has few dealings with people outside of the business and doesn&#8217;t mind a strong spam filter protecting his email account, there is a good chance that Helen in Sales doesn&#8217;t feel the same way.  The sales team wants to receive new opportunities via email without the risk that a spam filter will block a message and lose them a valuable lead.</p>
<p>Oftentimes this means that an email address is publicly advertised on websites and marketing literature so that sales enquiries can be received.  Something nice and generic like sales[at]contoso.com is used, and the Sales team asks the email administrator to make sure no genuine enquiries are blocked.<span id="more-940"></span>Although most spam filtering methods such as connection filtering are not likely to block a genuine sales enquiry there is a greater chance that content filtering will.  To avoid this possibility some organisations I&#8217;ve dealt with have simply excluded their publicly promoted email addresses from any kind of filtering.</p>
<p>This approach certainly achieves its goal &#8211; no genuine sales enquiry will be rejected as long as emails to sales[at]contoso.com are never checked for spam.  Of course the trouble with this is that since it is a publicly disclosed email address it is more likely to attract spam.  Spammers will simply harvest the address off the company website and start bombarding it with junk emails. The problem now becomes sorting out the genuine enquiries from the spam.  To solve this problem an organisation needs to take a different approach to offering email contact to the public at large.</p>
<p>One approach is to make use of email obfuscation anywhere that an email address is being displayed on the company website.  Email obfuscation uses server-side code on the web server to conceal email addresses from spam harvesters while still making them accessible for regular visitors.  It is an effective approach but requires coding to be used anywhere an email address is going to be displayed.</p>
<p>Another approach is to use a contact form instead of displaying an email address.  A contact form gives a visitor a preset series of fields (such as name, email address, phone number, and a space to write their question or request) to fill out, and the web server then sends the enquiry on to an email address within the company.  Because the receiving email address is not displayed anywhere on the form it is safe from harvesting by spammers.</p>
<p>However, contact forms themselves can also be exploited by spammers.  If the form is coded in an insecure manner it could be used to send spam to the company, or to other recipients on the web, or even to send viruses in file attachments.  To avoid these issues the form developer must use techniques such as <a target="_blank" href="http://en.wikipedia.org/wiki/Input_validation">input validation</a> and <a target="_blank" href="http://en.wikipedia.org/wiki/Captcha">CAPTCHA</a>s to prevent exploitation.</p>
<p>Provided that the contact form is securely coded, this method allows an email administrator to simply trust all emails originating from the web server&#8217;s IP address.  The risk then shifts to the web server itself, which must be prevented from being exploited as an open relay.</p>
<p>As you can see preventing spam to publicly disclosed accounts is not a simple undertaking.  The best approach in my opinion is to use contact forms that send to an undisclosed email address, and to subject that email address to the same anti-spam filtering as all other email communications.  To reduce the likelihood of genuine enquiries being lost I recommend either using an anti-spam product that has easy to use end-user quarantine management, or alternatively configure the anti-spam product to only tag suspected items instead of blocking them entirely so that the end user can sort likely spam from genuine emails with greater ease.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/05/reducing-spam-for-publicly-disclosed-email-accounts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are CAPTCHAs Doomed?</title>
		<link>http://www.allspammedup.com/2009/04/are-captchas-doomed/</link>
		<comments>http://www.allspammedup.com/2009/04/are-captchas-doomed/#comments</comments>
		<pubDate>Wed, 15 Apr 2009 14:02:40 +0000</pubDate>
		<dc:creator>Brett Callow</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=827</guid>
		<description><![CDATA[In a recent post at TheEmailAdmin, I grumbled briefly about how annoying CAPTCHAs can sometimes be. Scratch that. It&#8217;s not a case of &#8220;sometimes&#8221; &#8211; I find them to be annoying all the time! The problem I have is that I usually &#8230;
]]></description>
			<content:encoded><![CDATA[<p>In a <a target="_blank" href="http://www.theemailadmin.com/2009/04/exchange-server-remote-connectivity-analyzer/">recent post</a> at TheEmailAdmin, I grumbled briefly about how annoying CAPTCHAs can sometimes be. Scratch that. It&#8217;s not a case of &#8220;sometimes&#8221; &#8211; I find them to be annoying all the time! The problem I have is that I usually cannot read the things. Maybe I&#8217;m stupid, but it&#8217;s often the case that I simply cannot tell whether a particular squiggly-wiggly line is supposed to be a &#8220;2&#8221; or a &#8220;Z&#8221; or an &#8220;8&#8221; or a &#8220;B&#8221;. Unfortunately, the bad guys seem to have no such problems and routinely break CAPTCHAs &#8211; see, for example, the post <a href="http://www.allspammedup.com/2009/02/microsofts-captcha-cracked-again/" target="_blank">Microsoft’s CAPTCHA Cracked Again</a>.</p>
<p>This leads to the question: are CAPTCHAs doomed? I suspect that the answer is, yup, there is very little doubt that CAPTCHAs will become a thing of the past. Here&#8217;s why:</p>
<p>1. I seriously doubt that it will be possible to devise a CAPTCHA that cannot be broken. Yup, people are working on CAPTCHAs <a href="http://www.allspammedup.com/2009/03/3d-captcha-technology-unveiled/" target="_blank">which they claim</a> will be much more difficult to break, but I don&#8217;t think that they&#8217;ll succeed. Where there&#8217;s a will there&#8217;s a way and, given enough incentive, the bad guys will almost certainly be able to find a back door.</p>
<p><span id="more-827"></span>2. CAPTCHAs are a major inconvenience (to humans, at least). They waste people&#8217;s time &#8211; and time is money. I suspect that many people do as I do when faced with a hard to read CAPTCHA and simply give up (who wants to spend 15 minutes struggling with a CAPTCHA simply to be able to comment on a blog post?). And then there&#8217;s the issue of the problems that they present to people with visual impairment. Yup, I know that there are workarounds &#8211; audio CAPTCHAs, for example &#8211; but they are still inconvenient (and can, of course, be broken as easily as other CAPTCHAs).</p>
<p>So, if CAPTCHAs will not work, how can abuse/spam be blocked? The answer, I suspect, is that it cannot. Not completely, anyway. As with email spam, the best that we can probably hope for is to be able to bring about a substantial reduction. And there&#8217;s a couple of ways that this could realistically be done.</p>
<p>Quotas would seem to be a cheap and effective method of combating spam. Instead of permitting social networkers to send an unlimited number of messages to other users, why not impose a cap? The cap could be reviewed once people have, over a period of time, established that they are a real, valid user.</p>
<p>Using spam filters would also seem to be a viable solution. Why not automatically block sent comments and messages that are tagged as spam? The solution may not be perfect (no filter can block 100% of spam) but, to my mind, it&#8217;s certainly a lot better than a CAPTCHA.</p>
<p>These are not, of course, the only ways of solving the problem. In some situations, using email validation and/or simple moderation may be highly effective.</p>
<p>What do you think? Is the CAPTCHA in terminal decline? And, if so, what&#8217;s the best solution?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/are-captchas-doomed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3D CAPTCHA Technology Unveiled</title>
		<link>http://www.allspammedup.com/2009/03/3d-captcha-technology-unveiled/</link>
		<comments>http://www.allspammedup.com/2009/03/3d-captcha-technology-unveiled/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 08:16:02 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=690</guid>
		<description><![CDATA[Captcha was once cutting edge technology in the fight against spam, but not anymore. These days the systems are being cracked regularly, with Google, Microsoft, and Hotmail among the victims. Now, a 3D-based Captcha system claims to be both unbreakable &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Captcha was once cutting edge technology in the fight against spam, but not anymore. These days the systems are being cracked regularly, with Google, Microsoft, and Hotmail among the victims. Now, a<img class="alignright size-full wp-image-692" title="3D CAPTCHA Technology Unveiled" src="http://www.allspammedup.com/wp-content/uploads/2009/03/6a00d83451b09469e200e5527943058833-800wi2.png" alt="6a00d83451b09469e200e5527943058833-800wi2" width="142" height="117" /> 3D-based Captcha system claims to be both unbreakable and easier for humans to solve than the old text based systems.</p>
<p>The system was developed by social website Yuniti.com. It works by asking users to identify 3D objects rather than words or numbers. There are three objects to be identified and the list is endless, making it even harder for scammers to guess correctly.</p>
<p>This seems like an excellent idea. The current Captchas have lost most of their effectiveness. The ones that do still seem to work often frustrate legit users, and the last thing you want is potential customers leaving your site in disgust because the Captcha image they need to solve is too difficult to decipher. This costs you business and can lead to negative word of mouth among other potential customers.</p>
<p>You can try the new 3D Captcha at Yuniti.com. There&#8217;s no word yet on when it will be available for widespread use.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/03/3d-captcha-technology-unveiled/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft&#8217;s CAPTCHA Cracked Again</title>
		<link>http://www.allspammedup.com/2009/02/microsofts-captcha-cracked-again/</link>
		<comments>http://www.allspammedup.com/2009/02/microsofts-captcha-cracked-again/#comments</comments>
		<pubDate>Wed, 25 Feb 2009 14:07:30 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=479</guid>
		<description><![CDATA[Hackers have again managed to crack Microsoft&#8217;s CAPTCHA system, allowing them to set up thousands of accounts on the Windows Live Hotmail service and spam from them. This latest attack differs from previous ones in that the hackers no longer &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-480" title="Microsoft's CAPTCHA Cracked Again " src="http://www.allspammedup.com/wp-content/uploads/2009/02/modern-captcha.jpg" alt="modern-captcha" width="300" height="57" />Hackers have again managed to crack Microsoft&#8217;s CAPTCHA system, allowing them to set up thousands of accounts on the Windows Live Hotmail service and spam from them. This latest attack differs from previous ones in that the hackers no longer use command and control automation. This time they used encrypted communications between the spammers&#8217; bot-controlling servers and the infected PCs, also known as zombies, that they control.</p>
<p>According to security researcher Sumeet Prasad this is how it&#8217;s done:</p>
<blockquote><p>In this attack the CAPTCHA-breaking host or bot server injects encrypted instructions onto a compromised machine. The encrypted code includes templated sign-up instructions with the spammers&#8217; predefined credentials, such as a Windows Live ID, password, first name and so on, along with CAPTCHA-breaking instructions such as “image send and code receive.”</p>
<p>The bot-infected client then decrypts and follows the instructions from the CAPTCHA-breaking host or bot server and connects to the Live Hotmail site to sign up for an account. The bot continues to the secured Live Hotmail signup page, where it attempts to fill in all predefined credentials. The compromised machine sends the CAPTCHA image request to the CAPTCHA-breaking host. The compromised machine receives the scrambled CAPTCHA code from the CAPTCHA-breaking host, descrambles it and completes the signup process.</p>
<p>The bot repeats this process over and over, potentially creating multiple accounts.</p></blockquote>
<p><span id="more-479"></span>These accounts are then used to send millions of spam messages, many of which may contain malware designed to add even more machines to the spammer&#8217;s botnet. Spammers make such an effort to crack CAPTCHA systems because they know that their spam is unlikely to be blocked if it comes from a reputable domain. In fact the CAPTCHA cracking game has become a profitable business in countries such as India where spammers actually pay real people to solve CAPTCHA puzzles. There are automated cracking systems available in the shady cyber underground as well. Researchers are working hard to come up with new, more sophisticated CAPTCHA systems, but they have a delicate balancing act to master: producing a system that will foil hackers without frustrating legit users or making it impossible for visually impaired ones to get past it. There are several in development, but so far no one has found just the right balance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/02/microsofts-captcha-cracked-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

