About This Blog

Anti Spam News provided by developers of ProtectWebForm - the leading CAPTCHA Service.

- we monitor link spam,
we fight spam!

11 March 2008 - 1:07
Latest Successful Target For Captcha-Defeating Spammers

Having recently conquered the Windows Live captcha used by Hotmail, spammers have now performed the same feat with Gmail’s system.

Websense, an Internet security company, has reported that the spammers have designed bots which can sign up and create random Gmail accounts for the purpose of spamming. They were able to defeat the Captchas, making it very likely that the same group of spammers is responsible for both recent attacks.

Captchas, an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart, are used to prevent unauthorized creation of accounts. Users have to manually identify and enter letters contained in an image to ensure the request is coming from an actual human, not an automated program. For years, hackers have been devising techniques to automate signups for email accounts offered by companies such as Gmail and Yahoo! Spammers are becoming even more successful; for example, more than 500,000 spam Hotmail, Gmail and Yahoo! email accounts have been created since the HotLan Trojan first appeared on the scene in July 2007.

Websense believes the recent Gmail captcha hack is one of the most sophisticated ever created. This hack uses two compromised hosts to defeat Gmail, unlike the single host used to hack the Hotmail Live Mail captcha. Each of the two compromised hosts employs a different technique to analyze the captchas. Because the captcha images contain variations, one of the hosts often fails when attempting to break the code. In this case, the second captcha-learning host will attempt to learn and break the code.

Because of variations included in the Google CAPTCHA image, chances are that host 1 may fail to break the code. Hence, the spammers have a backup, a second CAPTCHA-learning host 2, that tries to learn and break the CAPTCHA code.

Although the new system employs two separate techniques, there is still a one in five success rate for breaking the Gmail captchas. This is a relatively low success rate, but one that is still workable for automated attacks.

For the spammers, the extreme effort is justified because access to a large number of working Gmail accounts is valuable for many reasons. First of all, they are able to gain access to Google’s services. They also obtain free addresses whose domains are very unlikely to be blacklisted. This helps them to defeat one aspect of the anti-spam defense.

Websense also reports that many captcha-breaking services are hosted on one of the US domains.


No Comments | Tags: CAPTCHA, Spam

5 March 2008 - 12:01
Fight Spam While Digitizing Your Books!

Programmers from Carnegie Mellon University have created a new service to reduce spam while enabling individuals to digitize books.

The service is called ReCaptcha, a variation of the commonly used Captcha technique for reducing spam via email or posted blog comments. Users must pass visual pattern recognition tests by reading words that have been obscured or distorted. ReCaptcha enables users to digitize the scanned images containing words the computer can’t decipher.

This adds an element of productivity to Captchas that was non-existent up until now. Ben Maurer, the chief architect of the project and undergraduate at Carnegie Mellon University, recently announced the project on his blog: “Not only can you solve your problems with spam, you can help preserve mankind’s written history into the digital age.”

Luis von Ahn, the “executive producer” of ReCaptcha and assistant professor at Carnegie Mellon, revealed the immediate success of the program: “Since the project launched Tuesday, 150 web sites have begun using it. In just the first half of Thursday, the project had digitized 8,000 words.” This is just one great example of how large numbers of individuals can harness their collective energy on the Internet. News sites such as Slashdot and Digg, and iStockphoto, a company which sells stock photography, are others. Von Ahn estimates that 60 million Captcha tests are completed by individuals every day. Therefore, ReCaptcha can be used to digitize a very large quantity of words. ReCaptcha can also block email addresses from computers that collect them in order to create spam mailing lists.

This is how the service works: users view two words. One is from a conventional Captcha, whereas the other is an unknown word unrecognizable by computerized optical character recognition. When a user correctly identifies the word in the Captcha, the program assumes the individual has also decoded the unknown word. Von Ahn adds that ReCaptcha requires three different people to digitize the same word before the program considers it to be correct.
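The two-word check and the three-person agreement rule described above can be modelled as follows. This is an added example, not ReCaptcha's own code: the class, method and identifier names are hypothetical, and it assumes "three different people" means three distinct users giving the same normalized reading.

```python
from collections import Counter, defaultdict

REQUIRED_AGREEMENT = 3  # per the post: three different people must agree on a word


def _norm(text):
    return text.strip().lower()


class PairedWordChallenge:
    """Hypothetical model: a control word with a known answer gates the request;
    the unknown word only collects votes from users who passed the control."""

    def __init__(self, control_answers):
        self.control_answers = control_answers  # control_id -> known word
        self.votes = defaultdict(dict)          # unknown_id -> {user_id: reading}
        self.accepted = {}                      # unknown_id -> agreed reading

    def submit(self, user_id, control_id, control_text, unknown_id, unknown_text):
        """Return True when the control word is right (the human check passes)."""
        expected = self.control_answers.get(control_id)
        if expected is None or _norm(control_text) != _norm(expected):
            return False  # failed control: the unknown-word reading is discarded
        reading = _norm(unknown_text)
        if reading and unknown_id not in self.accepted:
            # Keyed by user, so repeat submissions never add a second vote.
            self.votes[unknown_id][user_id] = reading
            word, count = Counter(self.votes[unknown_id].values()).most_common(1)[0]
            if count >= REQUIRED_AGREEMENT:
                self.accepted[unknown_id] = word
        return True


def demo():
    svc = PairedWordChallenge({"c1": "morning", "c2": "upon"})
    # Constructed submissions: (user, control id, control text, unknown id, reading)
    submissions = [
        ("alice", "c1", "Morning", "u7", "overlooks"),
        ("bot", "c1", "m0rn1ng", "u7", "xxxx"),       # fails control, vote dropped
        ("alice", "c2", "upon", "u7", "overlooks"),   # same user: still one vote
        ("bob", "c2", "upon", "u7", "overlocks"),     # honest misreading
        ("carol", "c1", "morning", "u7", "overlooks"),
        ("dave", "c2", "upon ", "u7", "Overlooks"),
    ]
    return [svc.submit(*s) for s in submissions], svc.accepted
```

Discarding readings from failed control checks and counting one vote per user are what keep an automated client from pushing a wrong transcription through the agreement threshold.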

You can obtain ReCaptcha via an application programming interface that can be integrated into your website. Google Code hosts the open-source plug-in packages required to use the API.


No Comments | Tags: CAPTCHA, Anti Spam