Over the past several weeks there was a little tempest in a little teacup about Google’s Captchas finally being broken. It was the lone holdout among the big boys - the rest having fallen much sooner. The core problem is that as Captchas fail, spam grows: breaking them lets spammers grab more fake accounts and send more spam from them. It seems like you can already see the fruits of their labours, as a report just published says that spam from GMail doubled from January to February (albeit from 1.3% to 2.6%).

It was with interest that I read Jeff Atwood’s analysis of the situation. I think he hits the nail on its proverbial head when he says this:

There’s simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever.

From that he poses this question:

Beyond diversification, the deeper question remains: how do we tell automated bots from people - without alienating our users in the process? How can we build a next generation CAPTCHA that’s less vulnerable to attack?

But I wonder if that question is coming from the wrong place. That is, is that the question that spammers want you to ask? Here’s the thing: there is so much money in getting to the goods that Captchas are trying to protect that, as they become increasingly difficult to crack algorithmically, the spammers will simply start using humans to crack them. So from a gatekeeper standpoint Captchas become simply a means to block the 90% of weekend warrior spammers, while the 10% who are serious will still waltz in.

I mean, check it here: a Romanian captcha-busting farm has 5 guys who work 12 hours a day, solving some 4800 a day per person. The cost to you, the spammer? $9-15 per 1000 solved. Who cares whether this is solved algorithmically or not? Justin Mason believes an operation like this is at the root of the Google Captcha bust, and whether or not that’s true, it certainly could be.

So rather than focusing on making the Captchas increasingly hard to break algorithmically, I think something else needs to happen. On the one hand, places like Google and Yahoo could start looking much harder at email sending patterns. They must already be looking at something, since spammers need so many email accounts, and it becomes a delicate balance between stopping spammers and annoying legit customers with false positives.

Another possibility, though, is simply slowing down the Captcha process. Right now it’s feasible to use these human farms because one person can solve 300-500 every hour, say 1 every 10 seconds. Every doubling of that time doubles the cost to the spammers, since it doubles the man-hours necessary to fill an order. Some of Jeff’s solutions, like math or word problems, could help here - it takes time to read and comprehend them.
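As an added illustration of the “slow it down” idea (this is example code, not from the original post): a server-side check that refuses any Captcha answer submitted sooner than a minimum dwell time after the challenge was issued, enforced with a keyed token so the client cannot shortcut it, plus the labour-cost arithmetic behind the doubling argument. The constant names, the dwell-time values and the wage figure in the helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the post. Constants are illustrative assumptions.
MIN_SOLVE_SECONDS = 20    # the "slowing down" lever: raise it to raise solver cost
MAX_SOLVE_SECONDS = 600   # stale challenges are rejected outright
SERVER_KEY = secrets.token_bytes(32)   # constructed per process; rotate in practice
_used_nonces: set = set()              # one attempt per challenge; use a shared store in practice


def _tag(key: bytes, *parts: str) -> str:
    """Keyed tag over the parts; the client cannot compute or brute-force it."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_challenge(answer: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Hand the client a stateless token recording when the challenge was issued."""
    nonce = secrets.token_hex(8)
    issued = str(now)
    # A keyed tag, not a plain hash: a bare SHA-256 of a short Captcha answer
    # could be brute-forced offline in seconds.
    answer_tag = _tag(key, "answer", nonce, answer)
    mac = _tag(key, "token", issued, nonce, answer_tag)
    return f"{issued}|{nonce}|{answer_tag}|{mac}"


def verify_solution(token: str, submitted: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Return 'ok', 'too_fast', 'expired', 'replay', 'wrong' or 'bad_token'."""
    parts = token.split("|")
    if len(parts) != 4:
        return "bad_token"
    issued, nonce, answer_tag, mac = parts
    if not hmac.compare_digest(mac, _tag(key, "token", issued, nonce, answer_tag)):
        return "bad_token"          # tampered timestamp or tag
    elapsed = now - int(issued)
    if elapsed < MIN_SOLVE_SECONDS:
        return "too_fast"           # answered faster than the floor allows
    if elapsed > MAX_SOLVE_SECONDS:
        return "expired"
    if nonce in _used_nonces:
        return "replay"
    _used_nonces.add(nonce)         # burn the challenge whether or not the answer is right
    if not hmac.compare_digest(answer_tag, _tag(key, "answer", nonce, submitted)):
        return "wrong"
    return "ok"


def farm_cost_per_1000(seconds_per_solve: float, hourly_wage_usd: float) -> float:
    """Labour cost to a solving farm per 1000 solved; doubling the time doubles it."""
    return hourly_wage_usd * seconds_per_solve / 3600 * 1000
```

The timestamp lives inside the MAC-protected token, so a solver who answers in two seconds and waits on the client side still cannot submit before the floor; only the server clock counts.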

Also, as that Romanian farm article says, it takes time for people to come up to speed - it’s a skill to break 300-500 an hour. If, as Jeff suggests, there were a greater diversity of Captchas, perhaps it would take longer to master them. I don’t know, but it seems to me that simply trying to weed the bots from the people isn’t good enough anymore, since it’s now reasonable to believe that it’s sometimes people doing the dirty work.

More generally, I think that while technical solutions are important, they are an ever-escalating war that I suspect spammers will always win. They’ve been doing pretty well so far, right? One still needs to fight it, but perhaps another facet of it should be the “social” side - making it costlier for human solvers to break. While individually, if it takes me an extra minute to sign up for my free email account, I probably don’t mind, in aggregate maybe that starts to be problematic for the spammers. If instead of costing them $10/1000 it costs them $100/1000, coupled with faster cracking down on compromised accounts, maybe that starts to put a little crimp in their style.
