February 7th, 2008
Microsoft Windows Live Mail's CAPTCHA defense falls to spam bots
Microsoft’s Windows Live Mail is being targeted by spammers adept at eluding CAPTCHA protection, according to Websense.
According to Websense, spammers have created bots that are capable of creating random Live Mail accounts and then using them to launch attacks. In other words, the CAPTCHA defense doesn’t work. A CAPTCHA is a program that protects websites against bots by generating tests that humans can pass but current computer allegedly programs can’t.
In its blog, Websense says the whole bot-as-email-account process is automated. For instance, Jay’s email account to the right was created by a bot. Websense added:
Websense believes that there are three main advantages to this approach for the spammers. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. And third, it may be hard to keep track of them as there are millions of users worldwide using the service.
Here’s how the bot works:
1. The bot goes to the Live Mail registration page and fills out the form fields (just as you would do) with random data;
2. When the CAPTCHA verification comes up, the bot sends the image to its breaking service.
3. The bot gets the answer and plugs it in.
4. Now spammers add a few gazillion accounts for malicious endeavors.
5. The spam barrage ensues. Here’s an image courtesy of Websense, which features a lot more on its blog.
Websense estimates that about 30 percent to 35 percent of these CAPTCHA killing attempts works. Websense has the screen shot walk through. It’s a fascinating–and totally evil–bot. Websense also reckons that these attacks could extend to other Live services including Messenger and online storage.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
