Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Yahoo's CAPTCHA security reportedly broken


I read about a week ago that Yahoo's CAPTCHA security has reportedly been broken, and those of us with email accounts should be expecting an upsurge in spam from Yahoo.  To summarize the issue, before you sign up for a Yahoo account, they make you read the squiggly text in a box and then type it in clear-text and click Enter.  The idea is that a human can read the squiggly text but a machine cannot.

I'm sure you all know where I'm going with this, but if an automated mechanism existed to solve these puzzles, then a spammer could automate the creation of Yahoo mail accounts.  They could then start sending piles of spam to end users.  Because many mail recipients and blacklists are reluctant to list the outbound mail servers of the big players like Yahoo, Hotmail, Gmail or AOL, the spammer has one less thing to worry about in order to achieve delivery to the victim's inbox.

The breaking of CAPTCHAs has been a problem for more than just a week.  I have been getting spam from Gmail, presumably from broken CAPTCHAs, for a long time.  My friends at Hotmail have known for a long time that spammers have been attempting to game the system.  It's one of the bigger problems that Windows Live has nowadays.

I don't really have a solution for stuff like this.  Maybe two CAPTCHAs?  Or maybe they should use the one from Microsoft Research and have users identify dogs and cats instead of reading words.  Or maybe they should have users read a sentence instead of only a word.

Of course, spamming "from" Yahoo has never really been a big problem.  Yahoo doesn't do SPF, so conceivably a spammer could send from anywhere and claim to be sending the mail from Yahoo.  The advantage that real accounts give spammers is that they are sending internally, from Yahoo's own servers.  I would then think that Yahoo has some outbound spam detection somewhat akin to what Hotmail does - rate limiting to throttle the amount of mail that a user can send out within a particular time period.  Not perfect, but better than nothing.
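The per-user outbound rate limiting mentioned above, as an added example (not code from the original post or from any provider): a sliding-window throttle on recipients per account per hour, run over constructed sample send events.  The limit of 100 recipients per hour, the window length and the account names are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample outbound events: (timestamp in seconds, account, recipient count).
SAMPLE_EVENTS = [
    (0, "alice", 1),
    (30, "alice", 2),
    (60, "spam01", 50),
    (65, "spam01", 50),
    (70, "spam01", 50),     # pushes spam01 past the hourly limit
    (3500, "alice", 1),
    (3700, "alice", 1),     # alice's earliest sends have aged out of the window
]


class OutboundThrottle:
    """Sliding-window limit on recipients per account within window_seconds."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.history = defaultdict(deque)  # account -> deque of (timestamp, count)
        self.used = defaultdict(int)       # recipients counted in the current window

    def allow(self, ts, account, recipients):
        q = self.history[account]
        # Expire sends older than the window before checking the quota.
        while q and ts - q[0][0] >= self.window:
            _, old = q.popleft()
            self.used[account] -= old
        if self.used[account] + recipients > self.limit:
            return False  # defer or reject; account is over quota (not recorded)
        q.append((ts, recipients))
        self.used[account] += recipients
        return True


def run(events, limit=100, window_seconds=3600):
    """Return (timestamp, account, allowed) for each event in order."""
    throttle = OutboundThrottle(limit, window_seconds)
    return [(ts, acct, throttle.allow(ts, acct, n)) for ts, acct, n in events]


if __name__ == "__main__":
    for ts, acct, ok in run(SAMPLE_EVENTS):
        print(f"t={ts:5d} {acct:7s} {'allowed' if ok else 'THROTTLED'}")
```

A real deployment would key the same logic on recipients per message and messages per connection as well, since account creation is cheap once the CAPTCHA is gone and the spammer will spread load across many accounts.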

  • Even though Yahoo doesn't do SPF, they do do DomainKeys, which should prevent spammers from spoofing a yahoo address.

  • It only prevents spammers from spoofing Yahoo if they include the DomainKeys header.  A spammer could simply send as a Yahoo sender, not include the header, and then they have successfully spoofed Yahoo.

  • See Jeff Atwood's posting on this topic:

    http://www.codinghorror.com/blog/archives/001001.html

  • Thanks for the link Jon.  I thought it was a really good article.

  • Spammers have been using GMail and Google's Page Creator service to evade filters for awhile now. I wrote about it here:

    http://www.igotspam.com/50226711/spammers_using_google_to_evade_filters.php

    Amazing that Google doesn't seem to be doing a thing about it!

  • Hi!!! me from a data entry company. Please note currently we can solve 300000+ captcha per day. If anyone is interested to take my service please welcome to khoknaa@yahoo.com or amir4@yours.com

    Let's get the best. Thank you.

  • http://www.flashlightcool.com is the best choice.
