A recent Slashdot article about how spammers may now be using humans to defeat CAPTCHAs caught my attention.
Here’s how it would work: Spammers currently use scripts that make automated posts on forums, wikis, blogs, and virtually any other place where user submitted comments may appear on a website. Their posts include links to their “spamvertised” sites where they sell their junk. They benefit both by “advertising” to people who view their automated post, and by trying to trick search engines into generating more links to their site.
Many sites and programs now include CAPTCHAs, which display an image that is supposed to be difficult for a machine to read. The website confirms that the user enters the correct CAPTCHA solution before saving their post.
This article suggests that spammers are now sending these CAPTCHA images to a real human who inputs the solution and sends it back to the website, thereby allowing the spammer to post their links.
I’ve actually considered this possibility for a while, and it’s not very difficult at all. To prove the concept, I created a simple web service that a spammer’s automated script could post the image to. The service waits while a human types in the result, and then returns that result to the spammer’s script, which would use it to submit the spam.
If a human completes one of these every 3 seconds, then they could do about 1200 per hour. If you are paying somebody a couple bucks an hour, then it works out to about 0.17 cents (17/100 of a cent) per message. I’m not sure what the going rate for spam is, but this seems pretty reasonable. Twenty bucks would get you 12,000 links to your site.
The concept is incredibly simple: it took me about an hour to write. Try it out here:
This raises some interesting concerns and questions:
- The “appeal” of spam is that it has virtually no cost. Since hiring a human introduces a cost, does that mean it won’t get used?
- Many CAPTCHAs are supposedly easily defeated by computer programs anyway.
Some ideas on how to “really” make sure a human is hitting your site:
- Introduce a minimum time delay between pages (i.e. a human couldn’t fill out this form in 1 second, as a script does).
- Have some page element (that doesn’t look like it does anything) that “validates” that it has been downloaded. Since scripts will usually just fetch the HTML content and not the graphics, make one graphic on your page that is really a script (one that returns an image). If that image hasn’t been downloaded, then it’s not likely a human visiting.
- If you use a common CAPTCHA-generation program, change the default file name or form field name.
- Spammers’ scripts are written to affect the most sites possible. If you make some change on your site so that it’s not the same as everybody else’s, then automated scripts are less likely to work on your site.
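The three server-side checks above (minimum fill time, an image beacon that must be fetched, and a non-default field name) combined into one submission gate. This is an added example, not code from the original post; the class name `HumanCheck`, the 3-second minimum and the `/img/<token>.png` beacon path are assumptions for illustration.

```python
import secrets
import time

MIN_FILL_SECONDS = 3.0  # assumption: a human needs at least this long to fill the form


class HumanCheck:
    """Tracks one form render per token: when it was issued, whether the
    image beacon was fetched, and the per-render comment field name."""

    def __init__(self, min_fill_seconds=MIN_FILL_SECONDS):
        self.min_fill_seconds = min_fill_seconds
        self._tokens = {}  # token -> {"issued": t, "beacon": bool, "field": name}

    def render_form(self, now=None):
        """Called when the form page is generated. Returns the token to embed
        in the form, the randomised comment-field name (so a script written
        for the default name misses it), and the beacon URL to place in an
        <img> tag; the handler behind that URL must call beacon_hit()."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        field = "c_" + secrets.token_hex(4)  # not the generator's default name
        self._tokens[token] = {"issued": now, "beacon": False, "field": field}
        return token, field, f"/img/{token}.png"

    def beacon_hit(self, token):
        """Called by the 'image' handler before it returns a real picture."""
        entry = self._tokens.get(token)
        if entry is not None:
            entry["beacon"] = True

    def check_submission(self, token, form, now=None):
        """Return (ok, reason). The token is consumed either way, so a solved
        form cannot be replayed."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False, "unknown or reused token"
        if now - entry["issued"] < self.min_fill_seconds:
            return False, "submitted too fast"
        if not entry["beacon"]:
            return False, "page graphics never fetched"
        if entry["field"] not in form:
            return False, "expected field name missing"
        return True, "ok"
```

These checks filter scripts written for the generic case, which is the point the last bullet makes; they raise the cost of targeting this site rather than prove a human is present, so log the rejection reason to see which check is doing the work.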
3 thoughts on “Defeating CAPTCHAs”
Upon analyzing this a little more, I’ve decided that spammers probably aren’t using this technique. I was able to program this in about an hour, so spammers have surely considered doing it. I see a couple reasons why not:
1- It’s not free
2- They lack the ability to hire people for a couple bucks an hour
3- It’s difficult for their scripts to identify which image should be downloaded and passed on to their human
1. But it’s cheaper than buying a domain @ $6 a pop. (Passing a captcha could get you an account on a free webhoster)
2. Check out the freelance sites. I’ve seen 50 hours of captcha answering go for $30.
3. Depends on the application that is being attacked. If they are attacking a registration form, the captcha is *very* likely to be in a consistent place, and easily parsable.
There is already a CAPTCHA solver web service (www.captchasolver.com). It has a programming interface to call the service from any application.