CAPTCHA and Spam

Posted on March 14, 2008

Spammers have been busy at work trying to machine read CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). If you don’t happen to know the term, those are the twisted, contorted images you have to read the letters and/or numbers from to provide authentication on a lot of sites, proving you are human and not a machine. This is designed, of course, to cut down on spammers. By the way, a truly wonderful acronym, huh?

It’s hard to believe spammers could generate with any success a machine response to the image based authentication. I mean, it’s often that I have to refresh to get a new image on some of these things. Some are very clear and I could imagine there would be a certain measure of success with those. But there are some that I just find amazing if there has been a very high success rate in reading some way other than human.

Google’s Gmail is now being attacked by the spammers and there are some reports that they are reaching a success rate of 25%. Since Gmail doesn’t restrict account creation, they attempt to fend off the bad guys by using a captcha. The success rate for creating spammy accounts may be more human than machine though. Machines can be used for auto creation of accounts and then the forms can be passed off to a group for human entry. This is known to exist in some countries where a person hires on to be a captcha filler.

If this becomes too big a problem, services like Gmail will have to use other approaches like limiting the quantity of email that can be sent from an account after its creation. They could gradually increase the permissions and then cap the account at a very low level which would send the spammers running. Permission via personal request could then be given to increase outgoing messages to say 500 a day or such. There’s not many users with a Gmail account that legitimately would use that many emails in a day. Something else to ponder — Google does such a great job handling spam coming in, why can’t they handle spam going out? Seems like they should be able to block the originating spam with the same efficiency.