You can, we can, everybody can spam
Think you’re safe from spam with captchas? Think again.
The attack took 10 minutes. Out of a list of 99 blog posts, it successfully posted comments to 94. The 5 that were missed either did not allow comments or the bot failed to guess the CAPTCHA image five times in a row. My guess is that most of them did not have comments turned on. I say this because the bot succeeded 94 times out of 212 attempts. About a quarter of those failures were retries for the sites that did not allow comments. So the accuracy for guessing the CAPTCHA was above 50%, probably around 66%, meaning it would correctly guess the CAPTCHA at least 1 out of 2 attempts.
The lesson: simple transformations aren’t enough. Nearly anything that can be generated by one simple algorithm can be decoded by another, usually more complicated, algorithm. A generator that draws a known font and then applies a predictable distortion has effectively published the recipe for undoing it: segment the image, reverse the distortion, match against the font.
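The decoding the lesson describes, as an added example that is not code from this post or from the article it quotes: a toy "stock" CAPTCHA generator (an assumed 3x5 digit bitmap font, random vertical jitter, random spacing, speckle noise) and a solver that undoes each step in turn by dropping isolated pixels, splitting on blank columns and picking the nearest template. Every name in it (FONT, render, generate, solve, accuracy) is hypothetical and exists only for this demo.

```python
"""Toy CAPTCHA: a 'stock' generator and the template-matching solver that
undoes it. Added example, not code from the post or the article it quotes;
the font, canvas layout and distortions are assumptions for the demo."""
import random

# Assumed 3x5 bitmap font for the digits 0-9 ('#' = ink).
FONT = {
    "0": ("###", "#.#", "#.#", "#.#", "###"), "1": (".#.", "##.", ".#.", ".#.", "###"),
    "2": ("###", "..#", "###", "#..", "###"), "3": ("###", "..#", "###", "..#", "###"),
    "4": ("#.#", "#.#", "###", "..#", "..#"), "5": ("###", "#..", "###", "..#", "###"),
    "6": ("###", "#..", "###", "#.#", "###"), "7": ("###", "..#", "..#", "..#", "..#"),
    "8": ("###", "#.#", "###", "#.#", "###"), "9": ("###", "#.#", "###", "..#", "###"),
}
GLYPH_W, GLYPH_H, HEIGHT = 3, 5, 9  # glyph size; canvas rows (offsets 1..3 fit)


def render(text, offsets, gaps, specks=()):
    """Draw text on a blank canvas: offsets[i] is glyph i's vertical offset,
    gaps[i] the blank columns after it, specks extra ink pixels (row, col)."""
    width = 1 + sum(GLYPH_W + g for g in gaps)
    canvas = [[0] * width for _ in range(HEIGHT)]
    x = 1
    for ch, dy, gap in zip(text, offsets, gaps):
        for r, row in enumerate(FONT[ch]):
            for c, px in enumerate(row):
                canvas[dy + r][x + c] = int(px == "#")
        x += GLYPH_W + gap
    for r, c in specks:
        canvas[r][c] = 1
    return canvas


def generate(text, rng, noise=0.0):
    """The stock generator: per-glyph jitter in position and spacing, plus
    speckle noise that only ever adds ink. That is the whole transformation."""
    img = render(text, [rng.randint(1, 3) for _ in text], [rng.randint(2, 4) for _ in text])
    for row in img:
        for c, px in enumerate(row):
            if not px and rng.random() < noise:
                row[c] = 1
    return img


def denoise(img):
    """Undo the speckle: drop ink pixels with no inked 8-neighbour."""
    h, w = len(img), len(img[0])

    def lonely(r, c):
        return not any(img[rr][cc] for rr in range(max(0, r - 1), min(h, r + 2))
                       for cc in range(max(0, c - 1), min(w, c + 2)) if (rr, cc) != (r, c))

    return [[0 if px and lonely(r, c) else px for c, px in enumerate(row)]
            for r, row in enumerate(img)]


def segments(img):
    """Undo the spacing jitter: split at blank columns into runs of inked columns."""
    inked = [any(row[c] for row in img) for c in range(len(img[0]))]
    runs, c = [], 0
    while c < len(inked):
        if inked[c]:
            start = c
            while c < len(inked) and inked[c]:
                c += 1
            runs.append((start, c))
        else:
            c += 1
    return runs


def match(img, start, end):
    """Undo the vertical jitter: nearest template (Hamming distance) over every
    digit and every placement inside the column run [start, end)."""
    h, w = len(img), end - start
    best = (h * w + 1, "?")
    for ch, glyph in FONT.items():
        for dy in range(h - GLYPH_H + 1):
            for dx in range(max(w - GLYPH_W, 0) + 1):
                dist = 0
                for r in range(h):
                    for c in range(w):
                        gr, gc = r - dy, c - dx
                        ink = 0 <= gr < GLYPH_H and 0 <= gc < GLYPH_W and glyph[gr][gc] == "#"
                        dist += img[r][start + c] != ink
                best = min(best, (dist, ch))
    return best[1]


def solve(img):
    """Full pipeline: denoise, segment, match each run to a digit."""
    clean = denoise(img)
    return "".join(match(clean, s, e) for s, e in segments(clean))


def accuracy(n, rng, noise):
    """Fraction of n random four-digit challenges read correctly."""
    hits = 0
    for _ in range(n):
        text = "".join(rng.choice("0123456789") for _ in range(4))
        hits += solve(generate(text, rng, noise)) == text
    return hits / n


if __name__ == "__main__":
    rng = random.Random(2005)
    for noise in (0.0, 0.02, 0.05):
        print(f"speckle {noise:.0%}: solved {accuracy(200, rng, noise):.0%} of 200 challenges")
```

The solver never needs to be clever; it only needs to know what the generator does, and each of its three steps is the inverse of one generator step. Swap in a different font, let glyphs overlap, or use noise that also removes ink, and every assumption the solver rests on stops holding at once.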
February 26th, 2005 at 3:00 pm
Speaking as someone who has implemented a CAPTCHA on his web log, I don’t think I ever had any illusions that they are foolproof. From what I can tell, there have been several proof-of-concept cases of computers cracking CAPTCHAs.
In my opinion, the value comes not in their being impossible (or even difficult) to crack, but in being just enough work as to require individual attention. The author of the article talks about being able to post to 94 out of 99 blogs attempted. The trick is, it looks like all of them used the same CAPTCHA generator. My current hypothesis is that if I can make my site significantly individual, then this type of automated attack becomes much more difficult. The author’s system makes several assumptions about the CAPTCHA’s properties. Violate those assumptions, and I’m betting the success rate drops dramatically.
Now, my current CAPTCHA generator isn’t particularly sophisticated, but I did take a couple of steps to be sure it isn’t exactly “stock”. If someone happens to find an automated way through it, I’ve got a couple more tricks up my sleeve to make the spammers’ lives more difficult. I look at this kind of like using one of those “club” steering wheel locks on a car. It won’t stop someone who specifically targets my site, but it will be just enough of a deterrent to keep the random automated attempts away.
So far, it has worked brilliantly. The CAPTCHA literally stopped 100% of the comment spam on my log.