Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots

Microsoft's Windows Live Mail is being targeted by spammers adept at eluding CAPTCHA protection, according to Websense.

According to Websense, spammers have created bots that are capable of creating random Live Mail accounts and then using them to launch attacks. In other words, the CAPTCHA defense doesn't work. A CAPTCHA is a program that protects websites against bots by generating tests that humans can pass but current computer programs allegedly can't.

In its blog, Websense says the whole bot-as-email-account process is automated. For instance, Jay's email account to the right was created by a bot. Websense added:

Websense believes that there are three main advantages to this approach for the spammers. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. And third, it may be hard to keep track of them as there are millions of users worldwide using the service.

Here's how the bot works:

1. The bot goes to the Live Mail registration page and fills out the form fields (just as you would do) with random data.

2. When the CAPTCHA verification comes up, the bot sends the image to its breaking service.

3. The bot gets the answer and plugs it in.

4. Now spammers add a few gazillion accounts for malicious endeavors.

5. The spam barrage ensues. Here's an image courtesy of Websense, which features a lot more on its blog.

Websense estimates that about 30 percent to 35 percent of these CAPTCHA killing attempts work. Websense has the screenshot walkthrough. It's a fascinating--and totally evil--bot. Websense also reckons that these attacks could extend to other Live services including Messenger and online storage.
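The 30 to 35 percent solve rate above implies that an automated signup source fails roughly two CAPTCHAs for every one it passes, which is a signal a registration service can look for. The sketch below is an added example, not code from the article or from Websense: the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample signup log (not real data): "<epoch_s> <source> <captcha_result>"
SAMPLE_LOG = """\
100 198.51.100.7 fail
1000 198.51.100.7 fail
1010 198.51.100.7 fail
1020 198.51.100.7 pass
1030 198.51.100.7 fail
1040 198.51.100.7 fail
1050 198.51.100.7 pass
1015 203.0.113.20 fail
1035 203.0.113.20 pass
1100 192.0.2.55 pass
1110 192.0.2.55 pass
1120 192.0.2.55 pass
1130 192.0.2.55 pass
1140 192.0.2.55 pass
1150 192.0.2.55 pass
not a log line at all
"""

def parse(log):
    """Yield (timestamp, source, passed) for well-formed lines; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[2] in ("pass", "fail"):
            yield int(parts[0]), parts[1], parts[2] == "pass"

def flag_sources(log, now, window=600, min_attempts=6, max_pass_rate=0.5):
    """Return {source: (attempts, passes, pass_rate)} for sources that made many
    CAPTCHA attempts inside the window but solved few of them.
    Thresholds are assumptions to tune against real traffic."""
    stats = defaultdict(lambda: [0, 0])  # source -> [attempts, passes]
    for ts, src, passed in parse(log):
        if now - window <= ts <= now:
            stats[src][0] += 1
            stats[src][1] += int(passed)
    return {
        src: (attempts, passes, round(passes / attempts, 2))
        for src, (attempts, passes) in stats.items()
        if attempts >= min_attempts and passes / attempts <= max_pass_rate
    }

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG, now=1600))
```

A person who mistypes once (the second source) and a busy source that passes every time (the third) both stay unflagged; only the high-volume, low-pass-rate source is reported.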


Talkback

17 comments
  • I'll second that...

    They, or someone, has also figured how to do the same with Yahoo accounts. One of my email accounts, not Hotmail or Yahoo, gets 5 - 10 spams a day from Hotmail, Yahoo US, Yahoo UK, Yahoo Taiwan, etc.

    What a revolting development........
    Taz_z
    • One of two possibilities

      Free accounts are one possibility.

      Another possibility is that they're just faking the return addresses. Our current email system has no protection against forgery. Just because an email claims to be from Yahoo does not mean it's ever touched a Yahoo server.
      CobraA1
  • RE: Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots

    Use RECAPTCHA.
    Rick_R
  • You knew it was only a matter of time

    Anything that man can think of to thwart unwelcome activity, someone else can think of a countermeasure that will get around it.

    Expect all sites that use the scrambled screens to start being hit, if they are at all worthwhile hitting.
    Confused by religion
  • RE: Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots

    Captcha doesn't work on Yahoo Messenger either. There was about a one week lull in the bots in chatrooms, then it was back to where it was before.

    Too bad, I thought initially it might be what we were looking for.
    dhindublin
  • Microsoft sucks! (NT)

    NT
    nomoremicrosoft
    • Re: "Microsoft sucks! (NT)"

      ...and you are a childish bore with a single digit IQ.

      Please go to the Hannah Montana web site to add your comments from now on. It's more on your level.
      IT_Guy_z
    • Really?

      Well if they suck so bad, how come they manage to earn more money in a day than you'll see in a lifetime and at the same time support more charitable institutions than you (or the US government) has heard of. You should be careful, cos one day when they replace all stupid people's brains with software, they'll probably test yours and realise it can't run anything beyond Windows 95.
      wez@...
      • By THAT logic, Dick Cheney is a better human being than Al Gore

        Guess which one won the Nobel Prize, and which one has an impeachment groundswell building around him....
        drprodny
  • BUWAHAHAAHAH!!!

    This is a banner year already for Microsuck...

    Save XP petition
    Vista SP killing George Ou's machine
    Now this...

    Keep on coming Microsoft...Ballmer's bald head is about to pop.
    itanalyst
    • How soon we forget!

      Remember! It was Microsoft that saved us from Apple's claim to
      the "windowing" patents.
      Who is going to be our next corporate underdog?
      kd5auq
  • I don't think that too many new virus are being made

    It's probably old virus renamed. These hackers have a whole bunch of irons in the fire and hacking isn't the biggest return for them.
    BALTHOR
  • RE: Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots

    What does this mean for real people who may just have (theoretically of course) signed up for the whole Windows/Office/Small Business Live -enchilada? That email address is what ties it all together....can't just cxl and move on if it gets impossibly full of cr*p.
    Can they fix it?
    Will they?
    karen.bosso@...
  • Normally, I'd agree

    In this case though, it is CAPTCHA that sucks.
    It has been widely known for over a year that there are bots that can break 30% to 40% of CAPTCHAs.
    That is why Carnegie-Mellon uni has been developing a next-gen CAPTCHA.
    WebWatcher
  • Windows Live???

    Windows Live Mail is just another in the never ending attempts by Microsoft to take control of the web.
    You can have a hotmail account, which is, supposedly, sufficient to use WLM, but unless you are using a windows OS, you can not use WLM. A friend of mine is always sending me crap from WLM, and the only reason I can decipher the stuff at all is the fact that the gif/jpg files are sent along as attachments.
    Were Microsoft ever to make WLM user friendly, it might be worth looking into, but that AIN'T going to happen
    The best thing that could happen to WLM is that it totally crashes and burns.
    LonnieRM
  • It was only a matter of time before someone put OCR in

    With OCR getting to almost perfection... it's a wonder this didn't happen sooner.
    Been_Done_Before
  • RE: Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots

    It seems like M$ makes it so easy because their code is so full of holes. So, yeah outsource the program, because again, you can't write it.
    atari8bit@...