Websense is reporting in a blog article that Google’s CAPTCHA has been broken with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the captcha or that it’s a quality check of some sort.
The article cites four motivations for targeting Google. I’ll respond with my comments. It should be noted that while I am specifically referring to Google, all of these could equally refer to Microsoft (Live Mail), Yahoo and AOL.
- Signing up for an account with Google allows access to its wide portfolio of services. This is kind of a double-whammy. One of the types of spam that has resurfaced during the past two weeks is blogspot spam, that is, spam with a link to a blogspot account. Most recently (and this is very ironic, so much so I find it a little humorous), spammers are pumping out spam for Windows Vista Ultimate with links to blogspot accounts.
- Google’s domains are unlikely to be blacklisted. I call this diplomatic immunity. Other ISPs and email services are unlikely to blacklist Gmail’s outbound IP servers, and URL blacklists are unlikely to list blogspot. In other words, spammers are abusing the good will that Google has with other services. They are hiding behind, or within, someone else’s reputation.
- They are free to sign up.
This makes it cost effective for spammers. Let someone else foot the bill for your spamming while avoiding the hassle of setting up domain names. All you have to do is pay the antimalware CAPTCHA crackers for the use of their service.
- It may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis.
It’s one thing to keep track of a few thousand accounts. It is quite another to keep track of a few million, with tens of thousands coming online every single day. Ultimately, I think that these email services will move towards automated monitoring and error on the side of caution, that is, they will trade off false positives for less spam. I think that they can justify it by saying that they are giving the service away for free.
The good news is that the four major players mentioned above know that this is a problem and are taking some collaborative steps to correct it. The bad news is that spammers, like bacteria, will evolve and take on some new tactic.