Hotmail and Yahoo had previously used the Captcha test, a method developed by a computer science group at Carnegie Mellon, to keep spammers from automatically opening thousands of email accounts at one time. The Captcha test presents a distorted graphic that only humans can understand, usually a graphic that vaguely disguises a word that the email account holder must re-enter before proceeding with the account process.
Spammers, however, have taken aim at cracking the Captcha test, using the ever-tantalizing offer of free porn in exchange for the missing human element: the ability to read the disguised word in the Captcha.
According to security experts, spammers first open a porn website and advertise the site to attract visitors. When a user comes to the site, they are asked to re-enter the word in the Captcha in order to enter the site and get their free porn. But what the users don't realize is that the Captcha script has been transferred over from the email account opening process at either Hotmail or Yahoo. As soon as the word is re-entered by the user, the spam bot's email application process is complete and the security barrier has been broken.
"The ingenious crack is to offer a free porn site which requires that you key in the solution to a Captcha – which has been inlined from Yahoo or Hotmail – before you can gain access," said Russ Kick, author and blogger on numerous technology issues. "Free porn sites attract lots of users around the clock, and the spammers were able to generate Captcha solutions fast enough to create as many throw-away email accounts as they wanted."
The consensus among spam security companies is that the shelf life of any security test or product is limited in today's environment, but that even with this latest free porn scheme, spammers still find it difficult to open free accounts at the high volume they managed before the Captcha was introduced.
"Each little improvement makes it a little bit more difficult for the spammers," Simon Perry, vice president of security at Computer Associates, told ZDNet. "This is an exercise in continually moving up the bar. Before the Captcha those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot, but still an order of magnitude less."
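The relay described above works because a human solution obtained on the porn site is fed straight into the email signup. Two server-side controls limit how far each relayed solution goes: bind every challenge to one signup session and make it single-use with a short expiry, so a solution cannot be replayed for more accounts than it was issued for, and cap account creation per source address so the bot's output is bounded by more than the flow of human visitors. The following is an added illustration written for this article, not Hotmail's or Yahoo's code; the class name, parameters and the plain-text "answer" stand in for the real image-rendering and verification pipeline.

```python
import secrets
import time
from collections import defaultdict, deque

class CaptchaGate:
    """Hypothetical signup gate: Captcha challenges bound to a session,
    single-use, time-limited, plus a per-IP account-creation rate limit."""

    def __init__(self, ttl=120, max_accounts_per_ip=5, window=3600):
        self.ttl = ttl                      # seconds a challenge stays valid
        self.max_per_ip = max_accounts_per_ip
        self.window = window                # rate-limit window in seconds
        self._challenges = {}               # challenge_id -> (session, answer, issued_at)
        self._creations = defaultdict(deque)  # ip -> timestamps of created accounts

    def issue(self, session_id, answer, now=None):
        """Return a challenge id tied to this signup session. `answer` is the
        word the distorted image would show; rendering is out of scope."""
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (session_id, answer, now)
        return cid

    def verify(self, session_id, cid, response, now=None):
        """One challenge, one verification: the record is consumed on first use,
        right or wrong, so a relayed answer cannot be replayed for more signups."""
        now = time.time() if now is None else now
        rec = self._challenges.pop(cid, None)
        if rec is None:
            return False                    # unknown or already used
        bound_session, answer, issued_at = rec
        if now - issued_at > self.ttl:
            return False                    # too old: relay round-trips take time
        if bound_session != session_id:
            return False                    # solved for a different signup session
        return secrets.compare_digest(answer, response)

    def create_account(self, ip, session_id, cid, response, now=None):
        """Create an account only with a valid, fresh, session-bound solution and
        while this source IP stays under its creation quota for the window."""
        now = time.time() if now is None else now
        if not self.verify(session_id, cid, response, now):
            return "captcha_failed"
        q = self._creations[ip]
        while q and now - q[0] > self.window:
            q.popleft()                     # forget creations outside the window
        if len(q) >= self.max_per_ip:
            return "rate_limited"
        q.append(now)
        return "created"
```

Neither control stops a human from solving one challenge for one account; together they ensure each solve buys at most one account and that a single source cannot turn a stream of solves into an unbounded stream of accounts.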
The Captcha test was originally developed in 1950 by computer scientist and Carnegie Mellon professor Alan Turing, and consisted of an interrogation game in which a human questioner questions one human and one computer. If the questioner cannot tell the difference, the computer passes the Turing Test.
The concept was later broadened and re-titled the Completely Automated Public Test to tell Humans and Computers Apart (Captcha), a process designed to differentiate between human users and computers by presenting complex patterns that only humans can understand. To break the test, a computer program must acquire pattern recognition ability comparable to the human mind.
Captcha authors, Luis von Ahn, Manuel Blum, and John Langford, have made the code and data public to encourage programmers to break the test.