Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

More on CAPTCHA's (Google's in particular)


Websense is reporting in a blog article that Google's CAPTCHA has been broken with a one in five success rate.  More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the captcha or that it's a quality check of some sort.

The article cites four motivations for targeting Google.  I'll respond with my comments.  It should be noted that while I am specifically referring to Google, all of these could equally refer to Microsoft (Live Mail), Yahoo and AOL.

  1. Signing up for an account with Google allows access to its wide portfolio of services.

    This is kind of a double-whammy.  One of the types of spam that has resurfaced during the past two weeks is blogspot spam, that is, spam with a link to a blogspot account.  Most recently (and this is very ironic, so much so I find it a little humorous), spammers are pumping out spam for Windows Vista Ultimate with links to blogspot accounts.

  2. Google’s domains are unlikely to be blacklisted.

    I call this diplomatic immunity.  Other ISPs and email services are unlikely to blacklist Gmail's outbound IP servers, and URL blacklists are unlikely to list blogspot.  In other words, spammers are abusing the good will that Google has with other services.  They are hiding behind, or within, someone else's reputation.

  3. They are free to sign up.

    This makes it cost effective for spammers.  Let someone else foot the bill for your spamming while avoiding the hassle of setting up domain names.  All you have to do is pay the antimalware CAPTCHA crackers for the use of their service.

  4. It may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis.

    It's one thing to keep track of a few thousand accounts.  It is quite another to keep track of a few million, with tens of thousands coming online every single day.  Ultimately, I think that these email services will move towards automated monitoring and err on the side of caution, that is, they will trade off false positives for less spam.  I think that they can justify it by saying that they are giving the service away for free.

The good news is that the four major players mentioned above know that this is a problem and are taking some collaborative steps to correct it.  The bad news is that spammers, like bacteria, will evolve and take on some new tactic.

  • PingBack from http://www.biosensorab.org/2008/02/28/more-on-captchas-googles-in-particular/

  • Sorry this replies to your tangent instead of main thread.

    "Most recently (and this is very ironic, so much so I find it a little humorous), spammers are pumping out spam for Windows Vista Ultimate with links to blogspot accounts."

    That's not irony.  This is irony:

    A few years ago, spammers were pumping out spam for Windows XP, Office, etc., with Hotmail addresses.  The "from" headers had the usual forged addresses but the Hotmail addresses were in the body of the message, where spammers solicited replies so that spammers could proceed to instruct suckers on how to send money to the spammers.  Several times I reported those to Microsoft's abuse and piracy administrators.  After Microsoft's abuse administrators replied with their usual garbage a few times, I stopped reporting those to Microsoft's abuse and piracy administrators.

  • After thinking more about this:

    > Google’s domains are unlikely to be blacklisted.

    > I call this diplomatic immunity.

    OK sure some spamming cooperators will decline to blacklist Google due to shared undiplomatic immunity.  However, why would that be true of everyone?

    Some spam-only ISPs blacklist Yahoo, some spam-cooperating ISPs blacklist Yahoo (this includes Yahoo blacklisting Yahoo), some blacklist ATT, etc.  So why wouldn't some blacklist Google?

  • mxlogic is blocking some gmail IP's, as of last week

  • Yeah, Google is starting to get blacklisted (yet again, has happened numerous times in the past few years). I wish it was a much wider blacklisting though, as it does cause issues on the receiving end with end users when relatively few systems around the world are doing the right thing and shutting down a major spam attack. Makes users ask why do we stop them if no one else does, is it really a problem?
