Originally published Monday, May 5, 2008 at 12:00 AM
Computers crack anti-spam codes
The Washington Post
Are you a human or a computer?
Over the Internet, it's getting harder and harder to tell.
Some of the common tests used by Web sites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.
Last month, the human-verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking.
The attack followed similar ones this year against Microsoft's Live Mail accounts and Google's Gmail service. A little over a week ago, the security firm reported a similar attack on Google's Blogger, a blog-publishing system.
"What we're noticing over the last year is that these tests meant to tell the difference between a human and a computer are being targeted by more and more malicious groups," said Stephan Chenette, manager of security labs at Websense, the firm based in San Diego that reported the attacks. "And they are getting better at it."
A $42 billion problem
Spam, or unsolicited e-mail containing offers of Viagra, Rolex watches, pornography and the like, is the ultimate aim of such schemes. Solving the human-verification tests with computers allows spammers to rapidly create new e-mail accounts from which to issue spam, which is estimated by Ferris Research to cost the U.S. economy $42 billion annually.
The problem of telling computers and humans apart has a long tradition in artificial-intelligence theory.
In a landmark paper in 1950, British mathematician Alan Turing proposed that a machine could be said to "think" if it could carry on a conversation — via Teletype — in a manner that was indistinguishable from a human.
But the practice of distinguishing humans from computers has taken on a far more practical role in the Internet age.
The humanity test
Anyone who has signed up for an e-mail account, bought show tickets or created a free blog is likely familiar with these modern tests of humanity: They ask visitors to identify a string of wavy, deformed letters.
The letters are supposed to be impossible for computers to read in the time allotted but relatively easy for humans.
"The free e-mail accounts and blogs are like gold to the malicious attackers," Chenette said. The reason is that spam filters are less likely to block items from these free services.
Yahoo pioneered system
One of the first such tests was developed by Yahoo, which was having trouble with malicious computers signing up for the company's free Webmail service. They dubbed the tests "captchas," an acronym with a nod to Turing: "Completely Automated Public Turing Test to Tell Computers and Humans Apart."
Yahoo's initial system, however, was quickly hacked by computer scientists who programmed their computers with optical character-recognition systems to solve the visual riddles.
To improve the system, Yahoo changed its puzzles from words to random letter strings and set the letters against more background clutter.
The latest reported captcha attacks, however, were carried out not by academics but by spammers.
They were reported by Websense, which deploys thousands of decoy computers around the world — which they call "honey pots" — to attract such attacks.
The attacks on Google's Gmail service and on Microsoft's Live Mail were reported in February. At the time, however, it was difficult to tell from the evidence whether the captchas were being solved by computers or low-wage Russian workers — or both.
A Web page found on the computer appeared to offer, in Russian, small amounts of money for workers willing to crack the puzzles.
Creating accounts
But the speed and repetition of the attack, as well as the high error rate in solving the tests, suggested to some at Websense that computers, not humans, were at work.
The attack that most clearly signals that computers were solving a captcha came about a month ago, when Websense detected what appeared to be some malicious traffic from one of its "threat-seeker" honey pots.
Once it attracted the malicious code, the decoy sought repeatedly to create Hotmail accounts.
Six-second response
Over and over, when it was presented with the Hotmail captcha, it sent the letter puzzle to another computer. That computer would respond within about six seconds, a speed that leads computer analysts to think the captcha was being cracked by a computer, not a human.
Microsoft and other Web companies say they are interested in creating human-verification tests that are harder for computers to crack. But there's an inherent difficulty.
Making the tests harder for the computer makes them harder for humans, too.
Copyright © 2008 The Seattle Times Company