Spammers use free porn to bypass Hotmail protection

Summary: Update: Spammers have found an ingenious way to bypass the protection put in place by Hotmail and Yahoo to stop bots from opening email accounts - they're offering free porn

Spammers are bypassing a security protection designed to stop automated bots from opening Web mail accounts by offering humans access to free porn.

Free Web mail services such as Hotmail and Yahoo are often used by spammers to send unsolicited emails. But because of the sheer quantity of emails that are sent, spammers require thousands of accounts and employ Web bots to automate the account-opening process.

In order to combat this automation, Web mail companies started using the Captcha test (Completely Automated Public Turing test to tell Computers and Humans Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots.

To open an email account, the applicant is asked to read the word contained in the Captcha graphic and then type that word into an application form. Because the disguised word is virtually impossible for a computer to read, spammers need a human to intervene, which ruins their automation process.

However, as first noted in the BoingBoing blog earlier this year, some spammers have found an ingenious way to bypass the Captcha protection.

Firstly, the spammers open and advertise a Web site containing pornography. Visitors to the porn site are asked to enter the word contained in a Captcha graphic before they are granted access. In the background, spammers have already used scripts to automate the Web mail account opening process to the point where they need a human to "read" the Captcha graphic. The Captcha graphic from the Web mail site is transferred to the porn site, where the porn consumer interprets the Captcha word. As soon as they enter the correct word, the script can complete its application process and the visitor is rewarded with free porn.
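The relay described above works because the human's answer is simply forwarded by the spammer's script inside the account sign-up session it already holds, so binding a challenge to a session does not by itself defeat it. What raises the cost is the latency the relay adds and the volume of sign-ups per source. The following is an added example, not code from the article or from Hotmail or Yahoo (whose actual checks are not described on the page): a small server-side challenge store that makes each Captcha single-use, session-bound, valid only within a short solve window, and throttles how many challenges one source address may request. Names, limits and the in-memory store are assumptions for illustration.

```python
"""Added example (not from the article): server-side Captcha challenge store with
the checks that raise the cost of a human-relay bypass. Assumed: in-memory dicts,
a 60-second solve window, a per-source issue limit, and hypothetical function names."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SOLVE_WINDOW_SECONDS = 60    # relaying an image to a third party and back takes time
MAX_ISSUES_PER_SOURCE = 5    # assumed per-source limit within ISSUE_WINDOW_SECONDS
ISSUE_WINDOW_SECONDS = 3600


@dataclass
class Challenge:
    session_id: str      # the sign-up session the challenge was issued to
    answer_hash: bytes   # only a hash is stored, so a leaked store reveals no answers
    issued_at: float


@dataclass
class CaptchaGate:
    challenges: dict = field(default_factory=dict)        # challenge_id -> Challenge
    issues_by_source: dict = field(default_factory=dict)  # source_ip -> [issue timestamps]

    @staticmethod
    def _hash(answer: str) -> bytes:
        # Case-insensitive comparison of the distorted word the user typed
        return hashlib.sha256(answer.strip().lower().encode()).digest()

    def issue(self, session_id: str, source_ip: str, answer: str, now: float = None):
        """Issue a challenge for one session. Image generation is assumed to exist
        elsewhere; `answer` is the word that image encodes. Returns the challenge id,
        or None when this source has requested too many challenges recently."""
        now = time.time() if now is None else now
        recent = [t for t in self.issues_by_source.get(source_ip, [])
                  if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_SOURCE:
            return None  # throttled: too many sign-up attempts from one source
        recent.append(now)
        self.issues_by_source[source_ip] = recent
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = Challenge(session_id, self._hash(answer), now)
        return challenge_id

    def verify(self, session_id: str, challenge_id: str, answer: str, now: float = None):
        """Return (ok, reason). The challenge is removed on every attempt, so a wrong
        or late answer cannot be retried against the same image."""
        now = time.time() if now is None else now
        ch = self.challenges.pop(challenge_id, None)
        if ch is None:
            return False, "unknown or already used challenge"
        if ch.session_id != session_id:
            return False, "challenge belongs to another session"
        if now - ch.issued_at > SOLVE_WINDOW_SECONDS:
            return False, "solve window expired"
        if not hmac.compare_digest(ch.answer_hash, self._hash(answer)):
            return False, "wrong answer"
        return True, "ok"


if __name__ == "__main__":
    gate = CaptchaGate()
    cid = gate.issue("sess-1", "198.51.100.7", "Kite42", now=1000.0)
    print(gate.verify("sess-1", cid, "kite42", now=1010.0))   # solved within the window
    print(gate.verify("sess-1", cid, "kite42", now=1011.0))   # same challenge cannot be reused
```

The solve window and the per-source limit are the two knobs that matter against a relay: the first forces the spammer's porn visitor to answer almost immediately, the second caps how many accounts one script can open from one address regardless of how many humans it recruits, which is the "slowing them down" effect Perry describes below.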

Simon Perry, vice president of security at Computer Associates, said that security is always a "moving target" and as soon as a company like MSN uses a new technology to secure a product or service, it is only a matter of time before it will be bypassed.

"Each little improvement makes it a little bit more difficult for the spammers. This is an exercise in continually moving up the bar," he said.

According to Perry, the only way to make a real difference is to combine technology with legislation and enforce that legislation. However, he said that even though spammers may have found a way past the Captcha, it is still slowing them down.

"Before the Captcha those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot, but still an order of magnitude less," said Perry.

A Microsoft spokesperson said that the fight between Hotmail and the spammers is a game of "cat and mouse" in which spammers are continually innovating and creating more sophisticated methods to escape detection.

"We must continue to invest in R&D to advance anti-spam technologies and not only stay ahead of the curve, but eventually turn their incentives upside down and make it no longer profitable to send spam," the spokesperson said.

Yahoo would not comment on the issue.

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
