Yahoo's CAPTCHA security reportedly broken

  • Article

I read about a week ago that Yahoo's CAPTCHA security has reportedly been broken, and those of us with email accounts should be expecting an upsurge in spam from Yahoo.  To summarize the issue, before you sign up for a Yahoo account, they make you read the squiggly text in a box and then type it in clear-text and click Enter.  The idea is that a human can read the squiggly text but a machine cannot.

I'm sure you all know where I'm going with this, but if an automated method mechanism existed to create these accounts, then a spammer could automate the creation of Yahoo mail accounts.  They could then start sending piles of spam to end users.  Because many mail recipients and blacklists are reluctant to list the big players like Yahoo, Hotmail, Gmail or AOL outbound mail servers, the spammer has one less thing to worry about in order to achieve delivery to the victim's inbox.

The breaking of CAPTCHA's has been a problem for more than just a week.  I get spam from Gmail, presumably from broken CAPTCHA's, for a long time.  My friends at Hotmail have known for a long time that spammers have been attempting to game the system.  It's one of the bigger problems that Windows Live has nowadays.

I don't really have a solution for stuff like this.  Maybe two CAPTCHAs?  Or maybe, they should use the one from Microsoft Research and get them to identify dogs and cats instead of reading words.  Or maybe, they should get them to read a sentence instead of only a word.

Of course, spamming "from" Yahoo has never really been a big problem.  Yahoo doesn't do SPF, so conceivably, a spammer could send from anywhere and claim to be sending the mail from Yahoo.  The advantage this gives spammers is that they are sending internally.  I would then think that Yahoo has some outbound spam detection somewhat akin to what Hotmail does - doing rate limiting to throttle the amount of mail that a user can send out within a particular time period.  Not perfect, but better than nothing.