Newer Spammer Tricks

As the public becomes aware of spam, and more resistant to it, the spammers have to be creative. It may take 10,000 pieces of spam to get one hit (an actual inquiry from a possible victim), rather than 1,000 (as it might have, a year ago). Spammers started out sending email, but now they have adapted to changing times.

Some people have given up on email, for commication with anybody that they really care about. They will use an Instant Messenger for direct, real time communication with individual friends, and broadcast information of general interest by blogs or other websites. With Instant Messaging, you can choose, at any time, who is allowed to send you messages. With blogs or websites, you can selectively browse those belonging to people that you know. If you have a lot of friends, you can automate checking your friends websites using a syndication feed newsreader.

So rather than just sending out email, spammers, too, are using Instant Messaging, and blogs.

Now, the email system is rather old, and was originally designed with very little restrictions in the network. Every server that transports email will accept email from any server sending, and send to any server receiving. The reality of spam has necessitated changes in that philosophy, but basically, any restrictions are patches on top of a pretty spam friendly infrastructure. And email travels at a level not seen by most users of the email.

But with email spam being less productive for the spammers, they’ve had to send more spam to get the same amount of money. This is not a problem – spammers don’t send email directly from their computer, they use botnets as email relays.

Blogs and Instant Messaging and websites, on the other hand, are much more obvious to the users. It’s harder to get any volume of spam through either of those, so the spammers have to be creative.

One of the ways the spammers are being creative is handling Captchas. Now, even if you don’t know what a Captcha is, I’m sure you’ve used one. If you’ve setup an email account, or a website, or posted a comment in a guestbook anywhere, you’ve had to deal with one.

A Captcha, or “Completely Automated Public Turing test to tell Computers and Humans Apart”, is a word puzzle. Generally you’ll see a set of 6 to 8 alphanumeric characters, jumbled and mangled, in a box, and you’ll be asked to type those characters into another box. If you type the correct sequence of characters, you’ll be allowed to do what you want to do, open an email account. The idea here is that a spammers automated computer program won’t be able to read the Captcha content, even though we humans can.

So the spammers are using people to read the Captchas, and type the answers. And there’s no shortage of people to do this, even as they don’t realising what they’re doing. Captchas are so common these days that any time we see one, and we’re doing something intentionally, such looking at pictures of dancing pigs, we solve it.

The spammers program, while setting up another email account, takes a copy of a Captcha, which has been presented to it for solving, and presents that same captcha on its website. We, the website surfer, see the Captcha, and being eager to see the dancing pigs, obediently type the answer. The spammers website routes the answer back to the email setup program, and on to the email setup server as if a person just intentionally typed the answer. The spammer gets another email account, and we get to see the dancing pigs.

Think this is fiction? See the Google video by Luis von Ahn of Carnegie Mellon Institute: Human Computation.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: