February 2008

A security researcher has revealed that spammers have created a way to block Microsoft’s attempts to prevent them from generating a huge volume of Live Mail accounts. The vice president of security research at Websense, Dan Hubbard, revealed that the spammers had designed a bot to break Microsoft’s CAPTCHA defences – the scrambled and distorted codes used by many online services to block the automated registration of as many as thousands of accounts at one time.

Hubbard went on to explain how the bot captures the CAPTCHA image and sends it to the server used by the spammers. This is where the image is “read” until a clear text match is produced. The text is then sent back to the Live Mail server where it is entered into the relevant box where users type the characters for the CAPTCHA.

According to Hubbard, the bot generates the correct response and manages to create a Live Mail account 30 to 35 percent of the time. He attests to the ingenuity of this method: “This is the first time that we’ve seen a bot like this, at least one that does the full loop of coming up with the CAPTCHA and registering an account.”

Hubbard also admits that the actual specifics of the account-creation scam remain unclear. It’s not yet known exactly what happens at the server of the spammers. One possibility is that the spammers may be running the captured CAPTCHA image through a type of optical character recognition or OCR process once it reaches the servers or by using a CAPTCHA “buster” tool. People may also be viewing the images before typing in the character codes, although this is an unlikely option.

Apparently, the motivation behind the bot’s creation is the desire for spammers to generate a very large volume of free email accounts. The spammers can use each email address once or for only 1 to 2 days before disposing of it. According to Hubbard, that is the typical lifespan of a spamming address. These types of accounts tend to get shut down very quickly or they appear in the list of spam filtering products.

Spammers often target free services such as Yahoo! Mail or Microsoft’s Live Mail because anti-spam tools are unable to block their domains. The fact that these companies control literally millions of email accounts also makes it much easier for spamming addresses to remain hidden amongst the legitimate addresses.

Although the CAPTCHA is in danger because of the success rate of the bot, no technology exists to replace it, particularly in high-volume settings such as Yahoo! Mail or Live Mail. As Hubbard indicated: “You have to make something that’s simple and easy enough for people to accept, but too difficult for a computer to do on its own. That’s a fine line.”

The discovery made by Websense reveals the second CAPTCHA-cracking claim in a period of less than 3 weeks. In January 2008, a Russian programmer going by the name John Wane posted a decoder he claimed was able to crack the CAPTCHA system used by Yahoo! with a 35 percent success rate.

        There is a helpful new tool designed to fight in the ever-increasing amount of worldwide spam. Spammers often use programs called robots to surf the Internet and collect any published email addresses. The goal of Anti-Spam is to foil the attempt of the spammers to collect valid email addresses to add to their growing databases. Anti-Spam works by forcing spammers to manually clean up their list of email addresses. They won’t be able to resell their spam database to other individuals or companies because of the worthless fake email addresses it contains.

This innovative program works by constantly rotating a list of fifty email addresses that are randomly generated. If you visit the site and press refresh, new ones will continue to appear. The bottom of the home page contains another link to the page which reloads it; this enables the program to collect an even greater number of fake email addresses. The spam bots or programs that attempt to collect the valid email addresses are sent into an infinite loop when they follow the link located at the bottom of the page. This sends more and more fake email addresses into their spam databases.

Spam is currently the biggest problem when it comes to the electronic world. In fact, statistics reveal that approximately one-third to one-half of all Internet email is spam. This costs individuals and businesses lost time and money because of reduced Internet link capacity, lower productivity and additional required server storage space.

No one has invented an absolutely foolproof method to block all spam. This doesn’t mean that companies aren’t trying to invent ways to reduce this common problem. Fortunately, you can help fight back against spam! The pages of Anti-Spam reduce the profitability of spam.

If you want to join the effort to wipe out spam, be sure add a link to the Anti-Spam site. Just copy and paste the following simple code on your site: <a href=”http://www.auditmypc.com/freescan/antispam.html” target=”_blank”>

Every time a spam bot program visits your website, it will scan every page that you link to in order to collect valid email addresses. By linking to this page, the programs used by spammers will end up at the Anti-Spam site.

So, add the Anti-Spam link to your website and wait for spammers to gather those fake email addresses from your site. You can do your part to protect your website and join the fight against spam!