Captchas are images used by online service providers to prevent automated sign-ups. Ideally the characters in these images can only be identified by a human. Spammers have been working hard to create a program which can identify captcha characters. They can then create email accounts at will and use them for bulk spamming. Since the mail then comes from a genuine account at a well-known email provider (Gmail, Hotmail), anti-spam filters cannot block the sending domain without also blocking legitimate mail.
Websense is reporting that spammers have finally managed to write a captcha-decoding program for Hotmail which takes only a few seconds to decode the characters. The success rate is over 10%, which is good enough for spammers: attempts cost nothing, so a bot that succeeds one time in ten simply retries until it gets an account. Here is how spammers make money from this:
1. Spammer releases the automatic signup bot as a virus.
2. An unprotected machine on the Internet gets infected by this bot virus.
3. The bot creates multiple Hotmail accounts from the victim's machine using the captcha-decoding logic.
4. The bot sends advertising messages to many addresses using the newly created Hotmail accounts.
5. When millions of spam messages are sent, a fair percentage of them bring business and the spammer makes money through an affiliate cut.
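One way to spot this pattern on the provider side, as an added example that is not part of the original post or of Websense's report. The log format, the IP addresses and the numbers are all constructed for illustration. The idea follows from the success rate above: a solver that passes one captcha in ten leaves roughly nine failed submissions for every account it creates, all from one infected machine and at machine speed, which a human sign-up flow never produces.

```python
"""Added example (constructed, not from the original post or from Websense):
flagging a captcha-solving sign-up bot from registration logs.

Assumes a hypothetical log line format, made up for this example:
    "<ISO-8601 timestamp> <source IP> <PASS|FAIL>"
A ~10% solver leaves a telltale trail: many FAILs per PASS from one source,
submitted far faster than a person types.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build sample log lines. Entirely synthetic; IPs are documentation ranges."""
    base = datetime(2008, 2, 10, 9, 0, 0)
    lines = []
    # A human: one typo, then success, a minute apart.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.7 FAIL")
    lines.append(f"{(base + timedelta(seconds=65)).isoformat()} 198.51.100.7 PASS")
    # A bot on an infected machine: 30 attempts, 3 seconds apart, 1 in 10 succeeds.
    for i in range(30):
        result = "PASS" if i % 10 == 9 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} 203.0.113.45 {result}")
    return lines


def parse(lines):
    """Group (timestamp, result) events per source IP, sorted by time."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, result = line.split()
        per_ip[ip].append((datetime.fromisoformat(ts), result))
    for events in per_ip.values():
        events.sort()
    return per_ip


def max_attempts_in_window(times, window):
    """Largest number of attempts falling inside any span of `window` (sorted input)."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_sources(lines, window_seconds=300, min_attempts=10, max_pass_rate=0.3):
    """Flag sources with a burst of attempts in a short window AND a solver-like pass rate."""
    window = timedelta(seconds=window_seconds)
    report = {}
    for ip, events in parse(lines).items():
        times = [t for t, _ in events]
        attempts = len(events)
        passes = sum(1 for _, r in events if r == "PASS")
        pass_rate = passes / attempts
        burst = max_attempts_in_window(times, window)
        report[ip] = {
            "attempts": attempts,
            "passes": passes,
            "pass_rate": round(pass_rate, 2),
            "max_in_window": burst,
            # Both conditions must hold: volume at machine speed and a low pass rate.
            # A lone human who fails twice is not a burst; a bot that passes every
            # time would be caught by volume alone.
            "flagged": burst >= min_attempts and pass_rate <= max_pass_rate,
        }
    return report


if __name__ == "__main__":
    for ip, stats in score_sources(constructed_log()).items():
        print(ip, stats)
```

The thresholds are assumptions to tune per site; the point is that the signal lives in the ratio and the rate, not in the content of the captcha answer, so it keeps working after the decoder improves. Once a source is flagged, the accounts it did manage to create are the ones to throttle or suspend before they send anything.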
Whoever wrote this must be pretty good, since the Hotmail captcha is pretty difficult to interpret even for a human. For example, consider the captcha (displayed on the right side) I got when I tried to sign up to Hotmail!
Weak captchas have caused havoc earlier. For example, the phpBB forum software's captcha was so weak that it was broken within a few days. So if you have a popular forum running on phpBB 2.0, you will soon find that the majority of new users are automated sign-ups. It is made worse by the fact that a newly registered account can carry a live link in its profile, so the spammer gets a live link on your site without ever posting.
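What "weak" means in practice, as an added example constructed for this page (it is not phpBB's actual captcha code nor any real solver): a captcha that draws a fixed font at a fixed pitch can be read by plain template matching, whatever noise is sprinkled over it. The toy 3x5 font, the random horizontal shift and the pixel-noise model are all assumptions of the example; the solver tries every shift, slices the image at the known pitch and classifies each cell by its nearest template (Hamming distance).

```python
"""Added example (constructed, not phpBB's captcha or any real solver): why a
captcha with a fixed font and fixed character spacing falls to template
matching. Glyphs come from a toy 3x5 bitmap font; the only "distortion" is a
random horizontal shift plus random pixel flips.
"""
import random

# Toy fixed-pitch font: '#' is ink, '.' is background. Constructed for this example.
FONT = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"],
    "5": ["###", "#..", "###", "..#", "###"],
    "6": ["###", "#..", "###", "#.#", "###"],
    "7": ["###", "..#", "..#", "..#", "..#"],
    "8": ["###", "#.#", "###", "#.#", "###"],
    "9": ["###", "#.#", "###", "..#", "###"],
}
GLYPH_W, GLYPH_H, PITCH, MAX_SHIFT = 3, 5, 4, 3   # PITCH = glyph width + one gap column

# Flat row-major 0/1 templates, the same layout cell() produces.
TEMPLATES = {ch: [1 if px == "#" else 0 for row in rows for px in row] for ch, rows in FONT.items()}


def render(text, rng=None, noise=0.03):
    """Draw `text` shifted right by a random 0..MAX_SHIFT columns, then flip each
    pixel with probability `noise`. Returns GLYPH_H rows of 0/1 ints."""
    rng = rng or random.Random(0)
    width = MAX_SHIFT + PITCH * len(text)
    img = [[0] * width for _ in range(GLYPH_H)]
    shift = rng.randint(0, MAX_SHIFT)
    for i, ch in enumerate(text):
        for r, row in enumerate(FONT[ch]):
            for c, px in enumerate(row):
                img[r][shift + PITCH * i + c] = 1 if px == "#" else 0
    for r in range(GLYPH_H):
        for c in range(width):
            if rng.random() < noise:
                img[r][c] ^= 1
    return img


def cell(img, x):
    """Extract the GLYPH_W x GLYPH_H cell starting at column x as a flat 0/1 list."""
    return [img[r][x + c] for r in range(GLYPH_H) for c in range(GLYPH_W)]


def classify(flat):
    """Nearest template by Hamming distance; returns (char, distance)."""
    return min(((ch, sum(a != b for a, b in zip(flat, tpl))) for ch, tpl in TEMPLATES.items()),
               key=lambda t: t[1])


def solve(img, n_chars):
    """Try every shift, read n_chars cells at the known pitch, keep the best total match.
    A wrong shift always drags a blank gap column into each cell, so it scores worse."""
    best = None
    for shift in range(MAX_SHIFT + 1):
        reads = [classify(cell(img, shift + PITCH * i)) for i in range(n_chars)]
        total = sum(d for _, d in reads)
        if best is None or total < best[0]:
            best = (total, "".join(ch for ch, _ in reads))
    return best[1]


def success_rate(trials=200, n_chars=5, noise=0.03, seed=1):
    """Fraction of random captchas read exactly right (deterministic for a given seed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        text = "".join(rng.choice("0123456789") for _ in range(n_chars))
        hits += solve(render(text, rng, noise), n_chars) == text
    return hits / trials


if __name__ == "__main__":
    for noise in (0.0, 0.03, 0.1):
        print(f"noise={noise}: success rate {success_rate(noise=noise):.2f}")
```

Run it and raise `noise` in `success_rate`: the rate degrades gradually instead of collapsing, which is exactly the spammer's position described above. A solver that is right well under half the time still produces accounts, and only changing the glyph shapes or the spacing forces the attacker to build a new template set.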
I think one way to handle the bots will be to have a very big set of different captcha styles, which will reduce the success rate to below 0.01%. Another way will be to introduce a new type of captcha every day so that any decoding program becomes obsolete within a day!