PChucks Network: Newer Spammer Tricks

As the public becomes aware of spam, and more resistant to it, the spammers have to be creative. It may take 10,000 pieces of spam to get one hit (an actual inquiry from a possible victim), rather than 1,000 (as it might have, a year ago). Spammers started out sending email, but now they have adapted to changing times.

Some people have given up on email, for communication with anybody that they really care about. They will use an Instant Messenger for direct, real time communication with individual friends, and broadcast information of general interest by blogs or other websites. With Instant Messaging, you can choose, at any time, who is allowed to send you messages. With blogs or websites, you can selectively browse those belonging to people that you know. If you have a lot of friends, you can automate checking your friends websites using a syndication feed newsreader.

So rather than just sending out email, spammers, too, are using Instant Messaging, and blogs.

Spam blogs, or splogs.
IM spam, or spim.

Now, the email system is rather old, and was originally designed with very little restrictions in the network. Every server that transports email will accept email from any server sending, and send to any server receiving. The reality of spam has necessitated changes in that philosophy, but basically, any restrictions are patches on top of a pretty spam friendly infrastructure. And email travels at a level not seen by most users of the email.

But with email spam being less productive for the spammers, they've had to send more spam to get the same amount of money. This is not a problem - spammers don't send email directly from their computer, they use botnets as email relays.

Blogs and Instant Messaging and websites, on the other hand, are much more obvious to the users. It's harder to get any volume of spam through either of those, so the spammers have to be creative.

One of the ways the spammers are being creative is handling Captchas. Now, even if you don't know what a Captcha is, I'm sure you've used one. If you've setup an email account, or a website, or posted a comment in a guestbook anywhere, you've had to deal with one.

A Captcha, or "Completely Automated Public Turing test to tell Computers and Humans Apart", is a word puzzle, that "humans can solve, but computers can't". Generally, you'll see a set of 4 to 8 alphanumeric characters, jumbled and mangled, in a box, and you'll be asked to type those characters into another box. If you type the correct sequence of characters, you'll be allowed to do what you want to do, and open an email account (for instance).

So the spammers are using people to read the Captchas, and type the answers. And there's no shortage of people to do this, even as they don't realise what they're doing. Captchas are so common these days that any time we see one, and we're doing something intentionally, such looking at pictures of dancing pigs, we solve it, without thinking about what we're doing. In this case, we're helping the bad guys.

The spammer's program, while setting up another email account, is presented with a Captcha - as you are, when you setup an email account. The spammer uses you, and others like you, to solve the Captcha.

The spammer's computer takes a copy of a Captcha, which has been presented to it for solving, and displays that same Captcha on its website.
You surf to that website, which has a link
Check out the dancing pigs!
Eager to see the dancing pigs, you click on the link.
You see the request
In order to continue, please enter the scrambled text from box A into box B.
You obediently type the answer, so you can see the dancing pigs.
Your answer is compared with the others answers.
With any number of identical, independently provided, answers (from you and / or the others), that identical value is used as the answer to the captcha.
The spammers website routes the answer back to the email setup program, and on to the email setup server, as if an actual person had just intentionally typed the answer.
The spammer gets another email account.
You, and the others, get to see the dancing pigs.

Think this is fiction? See the Google video featuring Luis von Ahn of Carnegie Mellon Institute: Human Computation, and read about a commercial product that uses a script to bypass captcha protection.

For a description of an alternative technique for breaking CAPTCHAs, that uses lots of money and CPU processing, see Dancho Danchev's Blog: Spammers and Phishers Breaking CAPTCHAs.

a great example of the adaptation process

That would have to be some pretty unimaginative spammers, to spend mucho bux on a CAPTCHA breaking system, when they could just use folks who want to see dancing pigs.