Researchers Aim to Fortify CAPTCHA Against Spammers

Security researchers say new approaches are needed to keep spammers from abusing free e-mails systems now that hey have found ways to circumvent the CAPTCHA test protocol used by many Web sites. Microsoft is involved in two research projects aimed at making it harder for spammers to crack CAPTCHA.

One of the well-reported security trends of 2008 was the defeat of CAPTCHA systems for a number of Web-based e-mail services, including Yahoo and Gmail.

With spammers increasingly finding their way around these safeguards, making the hurdles spammers have to jump just a little higher is an important security concern.

By circumventing CAPTCHA tests, which attempt to keep out automated responses, spammers can abuse free, Web-based e-mail services to more easily send out their wares because the reputable domain being used is less likely to be blocked by a spam filter. According to an end-of-the-year report by MessageLabs, now a part of Symantec, the amount of spam coming from Webmail accounts peaked at 25 percent of all spam in September 2008 and averaged about 12 percent for the rest of the year.

Click here to read more about the assault on CAPTCHA systems.

Spammers are using a variety of techniques to accomplish this. Some of their success is due to their use of "mechanical turks," people who either directly or indirectly create accounts traded online. Other spammers, however, rely on software to crack CAPTCHA. It is in this area that CAPTCHA researchers are focused.

Right now, Microsoft is investing in enhancements to its CAPTCHA system to make it both more readable for users and less susceptible to automated attacks. Some of the improvements include new image distortion logic, overlapping characters and dynamic monitoring to observe attacks in real-time in order to make the necessary adjustments.

Researchers at Microsoft are also at the center of two CAPTCHA-related projects. One, dubbed Asirra, asks users to identify 12 photographs as either cats or dogs. The images come from Petfinder. The other project is called Inkblot Authentication, and it works by asking the user to form semantic associations with a set of randomly generated inkblot-like images. The image associations are then used to authenticate the user.

Neither project has a firm timeline for product development, though Asirra is currently in use in prototype form by a number of organizations.

"It seems common for people who are not CAPTCHA researchers to think that the main challenge in designing a CAPTCHA is to find a task that is easy for humans but difficult for computers," said John Douceur, a researcher at Microsoft. "However, this is not very challenging at all."

Instead, the challenge is twofold, he said. First, there must be a way of generating several unique instances of the task. Second, it must be possible for the system to easily determine whether the user answered the CAPTCHA correctly, even though the CAPTCHA is hard for computers to solve.

In the case of Asirra, there are currently about 4 million images in the database, which contains all images that have ever been on Petfinder, not only the currently active images.

"The current research prototype uses only half of those 4 million images, partly because we have not yet implemented all of the security features that we have designed for Asirra," Douceur said. "If someone cracks our current version, we can implement the additional security features and switch over to the other half of the database without suffering any long-term problem."

Another CAPTCHA approach used to thwart spammers is using animated text, such as letters and numbers that scroll.

"The more complex CAPTCHAs are not as easily solved, but other, non-automated techniques are highly effective against them," said Gartner analyst Andrew Walls. 

For example, there are outsourcers in various countries that market CAPTCHA-solving services, he said. On the plus side, doing so raises the cost of the attack for the spammer, therefore increasing the effectiveness of the CAPTCHA mechanism, he added.

"These vendors have a group of employees that solve CAPTCHAs that are forwarded to them by automated means," Walls said. "A spammer that wants to defeat CAPTCHAs can put together code that attempts to enter a protected site and have the code forward a copy of the CAPTCHA to the outsourcer for solving. The solution is returned in a few seconds, the CAPTCHA is defeated and the spammer moves ahead."

In the short term, MessageLabs Senior Analyst Paul Wood predicted that the majority of CAPTCHA techniques will be similar to what is common today, with some adoption of approaches such as animated text.

"As more sites add more and more rich functionality ... they become increasingly attractive to the bad guys who can exploit these tools to their advantage," Wood said. "If the only thing protecting them from the bad guys is the CAPTCHA, then the rewards are often sufficient for the criminals to continue developing means to defeat them."