Spammers break BlogSpot CAPTCHA, load up on garbage sites

By Angela Gunn | Published November 7, 2008, 4:23 PM

The weary war against net scum continues, as Google's much-abused BlogSpot service finds its CAPTCHA tech hamstrung and malicious Web sites spread like stinkweed.

The October report from MessageLabs (PDF available here) confirms what blog aficionados had suspected for several weeks: Spammers have figured out a way to get around certain implementations of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) and thus abuse BlogSpot as well as CAPTCHA-guarded e-mail services such as MobileMe.

Google's track record with CAPTCHA is not so impressive in recent months. A similar breach involving Google Sites' implementation turned up in MessageLabs' monthly survey back in July, and Gmail's CAPTCHA was popped back in February -- in part, as security researchers at WebSense discovered, because spammers utilized humans to supply the data that led to automated cracking abilities.

Before that, though, Google's use of the squiggly-word images for differentiating between spambots and humans was fairly effective -- in fact, as Google chose to implement it, more effective than that used by either Windows Live Mail or Yahoo.

With MobileMe cracked, spammers can diversify their approaches. MessageLabs spotted MobileMe addresses used to send recipients BlogSpot links, which in turn open onto sites for whatever foolishness is being spam-peddled, but they also saw MobileMe addresses used to trick social-network users into thinking they've gotten buddy requests. The "buddies" are of course fake -- but the pages they build on such sites at Bebo.com sometimes turn up in Google searches, thus propagating the problem.

Sites harboring malware, spyware and adware proliferated in October, with MessageLabs reporting an average of 5,424 new trouble sites every day. That's an increase of over 48% since September and may also reflect the CAPTCHA breakdown.

Comments

Coolbuster

Nov 11, 2008 - 8:25 AM edited

so this is the reason why users are having a hard time posting comments in blogspot blogs.

btw. you are wrong @ Aires. visit my blog http://coolbusteratyourservice.blogspot.com and see for yourself that blogspot is not all porn.

Score: 0

|

Post Reply

Aires

Nov 10, 2008 - 12:57 PM

Blogspot = amateur porn blog. It's basically the new Angelfire.

Score: 0

|

Post Reply

internetworld7

Nov 8, 2008 - 5:52 PM

Google and everyone else should be using Mac OS X servers to prevent these types of attacks.

Score: 0

|

Post Reply

davewalden

Nov 9, 2008 - 4:46 AM

Troll

Score: 0

|

Post Reply

davewalden

Nov 9, 2008 - 4:46 AM

Troll

Score: 0

|

Post Reply

mdotwills

Nov 9, 2008 - 6:43 AM

Yes, troll indeed.

To tell you the truth, as wonderful and beautiful as those Mac servers are, they are not going to bring peace to the internet tomorrow...
I'm sure the MobileMe servers are running Mac anyway...

Score: 0

|

Post Reply

BadIronTree

Nov 10, 2008 - 9:15 AM

don't feed the troll!!!

Score: 0

|

Post Reply

Briantist

Nov 8, 2008 - 7:04 AM

I guess if you use humans to read the CAPTCHA and route the requests though a bot network there is not much that can be done as the Turing bit does not detect malice...

Score: 0

|

Post Reply

mjm01010101

Nov 8, 2008 - 11:31 PM

Sure there is: charge a fee for the service. refund it in a year or x time. Problem solved?

Score: 0

|

Post Reply

orimata

Nov 9, 2008 - 4:26 AM

PayPal is using this approach and I think this is a good solution - however, the "tax" for protecting the service goes to the custome rthis way.

my comments at http://www.commentino.com/orim

Score: 0

|

Post Reply