Home / Blogs

Circumstantial Evidence of Yahoo's CAPTCHA Being Broken

Terry Zink

A couple of weeks ago, I read an article on Yahoo that some outfit in Russia claimed to have broken Yahoo's CAPTCHA for creation of new email accounts. Another blogger wrote that it was unlikely that the spamming outfit had achieved 100% success at breaking the CAPTCHA.

Yet, in the past couple of weeks, I have noticed something that would seem to confirm the theory of CAPTCHA's being broken. By broken, I don't mean that it can be defeated entirely but that even a small percentage, say 5-10%, can be solved via an automated tool. I have a Yahoo account, a Gmail account and my own Frontbridge account. Over the past few weeks I have seen an increasing amount of spam from Yahoo, Gmail and Hotmail. I have also seen a few discussion threads talking about spam being relayed through Yahoo/Google/Hotmail's outbound servers; in other words, people getting accounts through those services and then sending spam.

If a CAPTCHA really was (partially) broken, then this is the type of behavior I would expect to see. Thus, it appears that there is some prima facie evidence for the confirmation of this story. On the other hand, an increase in spam from these services does not necessarily lend credence to this theory. Perhaps some types of malware are infected on people's systems that send out spam through their pop accounts.

By Terry Zink, Program Manager
Follow CircleID on
Related topics: Email, Malware, Spam
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Circumstantial Evidence of Yahoo's CAPTCHA Being Broken Gary Osbourne  –  Feb 16, 2008 3:48 PM PDT

Over the past few weeks I've had a few (not all) of the CircleID Weekly Wrap newsletters show up in my yahoo.com email Bulk (yahoo thinks it's likely spam) folder. Additionally, all of my weekly The Register news headlines wind up there. I've also had other legitimate mail wind up there on an increasing basis.

The yahoo filter does work well in terms of actual spam, I think I've only had one show up in my inbox in 8 years. There seems to be something else atypical going on though. The amount of actual spam has noticably decreased recently.

I don't use yahoo.mail for anything mission critical and until I registered a domain name using that address (usually I use another throwaway) a couple of years ago, I got no spam at all, so I haven't paid any of this much attention. Ya, I should have contacted CircleID and The Reg to let them know, but I figured if it was happening to me, then…

But what really tore it for me happened a few days ago. I sent an email to myself, that is to and from the same yahoo.com address (why isn't relevant) and it wound up in my bulk folder!

So, dunno if this relates but there's definitely something weird going on. Anyone else having similar strangeness? -g

PS: This doesn't relate but I wrote Yahoo about my mail being trashcanned (haven't checked if other yahoo users are missing my mail) and also mentioned CirleID and The Register, and got a response that they know 'SpamGuard', their filtering system, isn't perfect, but that I can help by marking messages as Spam or Not Spam. Other than that I can add senders to my address book and they'll get the proper treatment. Well, my yahoo address which got blackholed is already in there.

So, I'd already looked for a 'Not Spam' link and didn't find it, so I looked again. Still couldn't find it. Aha, I'm using the 'Classic' email, I haven't switched to the 'new' one. If it ain't broke… So tried that. Ya, gotta set my resolution to at least 1024 x 768 so they can show me more ads and otherwise clutter up the screen. And there's my new The Register email in the Bulk, guess my email wasn't acted on. Didn't they learn anything from Coca~Cola? I haven't tried to go back to Classic. To continue with my Coke analogy I guess my incoming yahoo.mail will soon be read by Zero semi-sentient beings, at least not this one. Better to get out ahead of MS assimilation anyway. The two are already looking and acting more alike. :)

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias