Spammers bypass Google's Gmail signup security

By Michael Hatamoto | Published February 27, 2008, 4:27 PM

An Internet research firm discovered spam bots are now able to register on Google's Gmail for spamming purposes. This latest attempt by spammers has been the most sophisticated recorded attempt to get around CAPTCHA, using both humans and bots.

The Completely Automoated Public Turing test to tell Computers and Humans Apart (CAPTCHA) test is designed to stop bots from being able to register on Web sites and Internet e-mail services to spam users. CAPTCHA technology is the jumbled letters in a small box that you must enter before being able to finish registration on most popular Web sites.

Google is the ideal target for spammers for a number of reasons, including a wide variety of services that can be targeted. Plus, it's free to register, and Google services are very unlikely to get blacklisted by companies.

Gmail will also remain a viable target since it's free and has a large number of users from around the world.

Just 1 out of every 5 bots is successful at registering through Gmail, but it appears the bigger problem is the organized group requesting humans help them slide by the CAPTCHA for a small sum of money.

Security research firm WebSense published a detailed look into how the CAPTCHA system is manipulated.

The Microsoft Windows Live Mail CAPTCHA defense was also compromised several weeks ago, using the same methods as Google.

Researchers have been looking into new anti-spamming technologies to offer a backup to CAPTCHA, but progress has been slow gowing. The problem with many new technologies, including CAPTCHA in some cases, is that it does deter spammers but also manages to deter many users trying to legitimately register for an e-mail account.

Comments

View comments by with a score of at least

I wondered why I'm getting more spam in my Gmail inbox lately.

Score: 0

|

here is a clue:

captcha needs to evolve.

Score: 0

|

I just tried to sign up for Google apps and the CAPTCHA was unrecognizable. I couldn't get past it.

Score: 0

|

I hope Google crushes them like the little pests they are!!!

Score: 0

|

So they're not really making bots that can read CAPTCHA images... instead they're getting bots to complete everything else in the sign-up and then paying real people to go through the CAPTCHA images for the bots and type in the right letters.

And here I was thinking someone invented a VERY cool AI or advanced OCR program.

Score: 0

|

I was considering moving from the CAPTCHA-type system to one that, even if farmed out to loads of humans, won't work.

I was going to change the system to show perhaps symbols of basic objects (like a fruit machine) is displayed and a question be asked about them in the local language.

Given that the networks of people at the moment simply have to read and replicate the letters, asking for the correct spelling of basic objects (fruit etc), numbers and colours would prove that user is at least spamming to their own culture!

Another idea would be to do basic math, so have 12+4-6 requireing the answer "ten" for an Enlgish site, "dix" for a French one, "????" for a Greek one etc.

As a final method, I propose the system of cultural questions, like an Android Robinson does on the Weakest Link. "Who was the 42nd president of the USA" would be hard in the UK, whereas people outside the UK would struggle to know who Dot Cotton was, or at least in which programme starting with a E she appear.

There are also quite useful culture-specifics like "rhyming" (depends on accents), "slang" (local knowledge) etc

Score: 0

|

Not everyone knows their stuffs well.

Score: 0

|

The problem with this is that you're basically discriminating by culture... not every person uses the same slang or rhyming scheme, and cultural questions can easily be botted. Same with basic math... it's not hard at all to have it give text answers instead of numeric...

Basically, you're making life more difficult for the real people, while making it easier for the bots to move ahead.

Score: 0

|

Ahh, lovely spammers ruining the internets.

Score: 0

|

Google Chrome 4: Yes, it's fast, but is it usable?

As Betanews readers have responded to our stories about Chrome's JavaScript superiority...Does that mean we'd actually use this browser? Well...

Video: Netflix on PlayStation 3

Netflix has come to the PlayStation 3 via Blu-ray and BD-Live.

Verizon Wireless launches new Android, Chocolate, and ruggedized phones

The lower-priced Eris joins the Droid, while the Chocolate gets a touchscreen and more music playback.

Early sales figures for Windows 7 nicely high, but do we know why?

Fans of triple-digit surges in figures quoted by Betanews will love this one, as it appears Microsoft rediscovered how to pull off a software launch.

Myka announces its latest Linux-based 'net top box'

Myka's ION brings Boxee, XMBC, and much more to HDTVs.

What hath Mac wrought? A remembrance after a quarter-century

The reason there's a Macintosh today is not because of some brilliant flash of engineering genius, but because Apple had the audacity to learn from its mistakes.

Early build of Moblin 2.1 improves connectivity, but not device support

The Linux Foundation's Atom-centric OS yesterday received a major overhaul with the project release of Moblin 2.1 for netbooks and nettops.

The iPhone's China syndrome: Sales of 5,000 and climbing

There's actually a country where Apple's device is not a godsend, where sales can be measured in the dozens.

New European counterpart to FCC will ensure 'a more neutral net'

Late Thursday night, the ruling telecom administrators of the EU's member nations signed away their final authority to a new entity overseen by the EC.

Sophos study suggests Windows 7 UAC's default setting is self-defeating

Without any anti-virus installed, a Sophos test showed, User Account Control was only capable of thwarting just one malware package out of ten samples chosen.

Indiscreet tweet trips awareness of Web SSL vulnerability

A group of high-level security engineers had been making progress on thwarting a low-level threat to the Web, until somebody blurted it all out on Twitter.