Spammers turn to free porn to beat Hotmail security

By offering free porn, spammers are using internet surfers to bypass a security protection designed to stop bot software from automatically opening web mail accounts.

Free web mail services such as Hotmail and Yahoo! are often used by spammers to send unsolicited emails but because of the sheer quantity of email sent, spammers require thousands of accounts and employ web bots to automatically open them.

To combat this automation, web mail companies started using the Captcha test (Completely Automated Public Test to tell Humans and Computers Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots.

To open an email account, the applicant is asked to read the word in the Captcha graphic and type it into an application form. Because the disguised word is virtually impossible for a computer to read, spammers need a human to intervene, which ruins their automation process.

However, as first noted in the Boing Boing blog earlier this year, some spammers have found an ingenious way to bypass the Captcha protection.

First, the spammers open and advertise a website containing pornography. Visitors to the porn site are asked to enter the word contained in a Captcha graphic before they are granted access.

In the background, spammers have already used scripts to automate the web mail accounts opening process to the point where they need a human to "read" the Captcha graphics. The Captcha graphics from the web mail site are transferred to the porn site, where the porn consumers interpret the Captcha words. As soon as they enter the correct word, the script can complete its application process and the visitors are rewarded with free porn.

Simon Perry, vice president of security at Computer Associates International, said security is always a "moving target," and as soon as a company like MSN uses a new technology to secure a product or service, it is only a matter of time before it will be bypassed.

"Each little improvement makes it a little bit more difficult for the spammers. This is an exercise in continually moving up the bar," he said.

According to Perry, the only way to make a real difference is to combine technology with legislation and enforce that legislation. However, he said that even though spammers may have found a way past the Captcha, it is still slowing them down.

"Before the Captcha, those bots could open a million Hotmail accounts a day, but now, if they can attract 10,000 people to their free porn site, they can set up 10,000 accounts, which is a lot but still an order of magnitude less," Perry said.

Neither Microsoft's Hotmail nor Yahoo! would comment on the issue.

Munir Kotadia writes for ZDNet UK