How Spammers Get Around CAPTCHA

I’ve written in the past about CAPTCHA, the technology that shows you a picture of a group of distorted letters or words that you must type in before you can log in to some sites or sign up for free services like Gmail. As annoying as CAPTCHA is, this automated reverse Turing test has stood for several years as a standard way of ensuring that a real person, rather than an automated program, is trying to access a service.

The problem is that spammers and scammers have found more and more ways to get around CAPTCHA tests, so that they can get into these systems just as easily as legitimate users do.

Initially, the bad guys just ran character-recognition (OCR) engines over the images to work out what the letters or words were. This worked for a time, but then site owners started warping the letters and adding “noise” – dummy lines, dots and other static – that made it harder for a recognition tool to tell which pixels were part of the CAPTCHA code and which were not.

So spammers have taken a new route around CAPTCHA. Since the codes are designed to be readable only by humans, the spammers employ humans to read them. Yes, that’s right: you can now hire people to break CAPTCHA by solving thousands of codes a week, which you then use to register accounts and send spam. See this article for more information on such services.

Social networking is no stranger to this problem: thousands of fake blog comments, and even entire blogs and RSS feeds full of fake content, are common. Spammers set up thousands of fake Twitter accounts to blast out spam, malware and fake gift certificates, then create yet more new accounts as soon as the existing ones are flagged and banned. The same thing happens on Facebook, Windows Live and just about every other social network out there: the spammers simply change tactics and carry on, no matter how good the technology to stop them seems to be getting.

How do we stop this? Simple: make spamming economically inefficient. Most of my readers already refuse to click links in email, or to accept links, codes or certificates from anyone they don’t know on Twitter, G+ and elsewhere. Now we have to spread the message. Make sure everyone you work and play with knows not to accept offers, click links or approve blog comments that come from anyone they don’t know. Even those coming from people they do know should be treated with suspicion.

Set your blog to require approval for all comments, and weed out the spam. If you’re not sure about a comment, approve it but remove the URLs. If you see tons of spam comments on a blog, alert the author that they need to turn on approvals or they’ll lose a reader.
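As a concrete illustration of that moderation advice, here is a small helper that sits in a blog’s approval queue and suggests a decision for each comment: hold it for a human if the commenter is unknown, approve it if it comes from a known commenter and carries no links, and otherwise publish it with the URLs stripped. This is added example code, not something from the original post or from any blog platform; the link pattern, the `Comment` record, the known-commenter list and the three-link threshold for trusted authors are all assumptions made for the example, and the sample comments are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Pattern for the links a comment can carry: an HTML anchor (tag and
# anchor text), or a bare http(s):// URL or www.-prefixed host.
# Illustrative pattern written for this example, not the filter any
# particular blog platform ships with.
LINK_RE = re.compile(
    r"""
    <a\s[^>]*>.*?</a>                   # HTML link, including its anchor text
    | (?:https?://|www\.)[^\s<>"')\]]+  # bare URL or www. host
    """,
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)

# Even a trusted commenter whose account was hijacked can post a wall of
# links; above this many we hold the comment regardless (assumed threshold).
MAX_LINKS_FROM_KNOWN_AUTHOR = 3


@dataclass
class Comment:
    author_email: str
    body: str


def find_links(body: str) -> list[str]:
    """Return every link found in the comment body."""
    return LINK_RE.findall(body)


def strip_links(body: str, placeholder: str = "[link removed]") -> str:
    """Replace each link with a placeholder so the text can be published without it."""
    return LINK_RE.sub(placeholder, body)


def triage(comment: Comment, known_authors: set[str]) -> tuple[str, str]:
    """Suggest what to do with a comment waiting in the approval queue.

    Returns (decision, body_to_publish); decision is "hold", "approve"
    or "approve-stripped". Every comment still passes through the queue,
    this only pre-sorts it for the moderator.
    """
    links = find_links(comment.body)
    known = comment.author_email.strip().lower() in known_authors

    if not known:
        # Unknown commenter: leave it for the human moderator.
        return "hold", comment.body
    if len(links) > MAX_LINKS_FROM_KNOWN_AUTHOR:
        # Known name but far too many links: treat as suspect anyway.
        return "hold", comment.body
    if not links:
        return "approve", comment.body
    # Known author, a few links: publish the text, drop the URLs.
    return "approve-stripped", strip_links(comment.body)


if __name__ == "__main__":
    # Constructed sample comments for the demo; not real data.
    known = {"friend@example.org"}
    queue = [
        Comment("friend@example.org", "Great post, thanks!"),
        Comment("friend@example.org",
                'See www.example.com/page and <a href="http://x.example">here</a>'),
        Comment("nobody@spam.example", "Cheap watches at http://watches.example/buy"),
    ]
    for c in queue:
        decision, body = triage(c, known)
        print(f"{decision:17} {c.author_email:22} {body}")
```

The pattern only catches links written as links; obfuscated forms such as “example dot com” sail through, which is one more reason the final approve/reject click stays with a person rather than the script.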

If you have the ability to flag posts as spam, do it. The same goes for tweets, posts and other social media sharing. Don’t be abusive or obnoxious about it; just flag them and move on.

Eventually, the cost of successfully spamming the world will exceed the revenue the spam generates. Money talks, folks: if it’s too expensive to make money by spamming, people will stop spamming, but not until then.

In the meantime, ignoring links and flagging spam posts and comments will keep you safe from a lot of the malware running around out there.

Photo Credit: yandle