Search Engine Watch
Old 05-26-2008   #1
sitetruth
Member
 
Join Date: Feb 2008
Posts: 138
Gmail and Blogspot use by spammers

Both Gmail and Blogspot are widely exploited by spammers. Gmail provides a way to get a free, anonymous return address, and Blogspot provides free hosting with redirection capability.

Google tried to prevent this with a CAPTCHA, but it's been broken. Look up "Jiffy Gmail Creator" ("Who Else Wants to Create Unlimited Gmail Accounts in Seconds Flat Without Breaking a Sweat?") This is a commercial product sold to spammers.

Building on that capability, there are now tools for spamming Craigslist. To spam Craigslist, one needs many email accounts, and Jiffy Gmail Creator makes that possible. Craigslist is collapsing under the incoming tide of spam. I just had an article on Techdirt about this.

http://www.techdirt.com/articles/200...27151211.shtml

The spammers have broken through the CAPTCHA (with OCR), the posting limits (with multiple accounts), the IP address checking (with proxies), the email reply checking (with Jiffy Gmail Creator), the duplicate posting check (with random text), and the flagging system (with automatic reposting). Craigslist is trying phone verification, which is starting to crack too.

The Black Hat SEO forums indicate that similar tools are available or being developed for other social network and free ad systems. This could destroy a broad range of free services.
sitetruth is offline   Reply With Quote
Old 05-26-2008   #2
AussieWebmaster
Forums Editor, SearchEngineWatch
 
Join Date: Jun 2004
Location: NYC
Posts: 8,154
Re: Gmail and Blogspot use by spammers

Great find SiteTruth - that post is worthy of more green rep....

I blogged about it as well.
AussieWebmaster is offline   Reply With Quote
Old 05-26-2008   #3
sitetruth
Member
 
Join Date: Feb 2008
Posts: 138
Re: Gmail and Blogspot use by spammers

I didn't just find that article. I wrote it. I'm John Nagle, the author of the TechDirt article and the owner of "sitetruth.com".

The real find was discovering the Craigslist threads on the "Black Hat SEO" site. Read that site and weep. (I'm not going to provide a link, but you can find it. It's not hidden in any way.) The level of effort being applied to spamming on ad and social networking sites is quite high. There's a whole ecosystem of products and services. There are "how to spam Craigslist" videos on YouTube. Packaged desktop spamming software. Offshore services. The comprehensiveness of the attacks is impressive.

Craigslist is sinking fast under the spam. It's over 90% spam in some Craigslist categories. Flagging against tools that automatically repost is futile.

Worse, under current law, all this spam is probably legal. Sure, it violates Craigslist's terms of use, but all they can do is sue for actual damages. The CAN-SPAM act is narrowly written and doesn't apply, and it's not really wire fraud.
sitetruth is offline   Reply With Quote
Old 05-27-2008   #4
beu
 
Join Date: Sep 2004
Location: Atlanta, GA U.S.A.
Posts: 2,197
Re: Gmail and Blogspot use by spammers

Yeah, CAPTCHA breaking isn't that much of a problem and some folks have been doing it for two or more years just in other industries. What do you think about CAPTCHA math problems and/or questions?
beu is offline   Reply With Quote
Old 05-27-2008   #5
sitetruth
Member
 
Join Date: Feb 2008
Posts: 138
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by beu View Post
What do you think about CAPTCHA math problems and/or questions?
I know someone whose personal web site requires users to solve a linear equation before e-mailing him, but that's simply because he doesn't want to be bothered by dumb people. Solving math problems automatically is well understood. (I used to work on automatic theorem proving, so I know.) If any major site started doing that, someone would write a program, and it would be better at math than most of the population.

There are picture-based CAPTCHAs (pick the three hottest women, pick the kittens, etc.) but it takes a huge library of pictures to prevent a brute force attack. If you only have a hundred pictures of kittens on file, human tagging will quickly accumulate the info needed to break the system.

If you make CAPTCHAs too hard, many humans can't resolve them. Even today's CAPTCHAs have problems with that. (Is that a letter O or a digit 0, and does the site care?) Misery is answering a case-sensitive CAPTCHA where the letter sizes are randomized.

Phone authentication by unique phone number looks more promising, but it's not free for the site. It still costs something to make phone calls in bulk. Also, you have to defend against schemes which try to get users of some other site to answer the verification calls. That's already being done by a Craigslist attack system - there's a "free ringtone" site which requires a "verification call". The call comes from Craigslist, which is given the number of the ringtone site user, calls them, the user types the number into the ringtone site, and the attacker has another "verified" Craigslist account. This works partly because the phone call from Craigslist has a generic message; it doesn't say it's from Craigslist. That was dumb, and Craigslist will presumably fix it. Some fraction of the people called will still type in the numbers no matter what the message says, of course.

Proposals to "charge the user" don't work, either. It's hard to get someone to put in a credit card number, which is a risk to the customer. There's an "age verification" racket with porno sites that request credit card numbers and then charge them forever. For the site operator, all the rules for credit card processing have to be complied with, which runs up costs. If Myspace required a credit card number, Myspace would become a much smaller site.

This is about to become a big, big problem for "social networking", blog, and advertising sites. The fact that Google hasn't been able to prevent bulk account generation for either GMail or Blogger indicates that there's no quick fix.
sitetruth is offline   Reply With Quote
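
The point above about picture CAPTCHAs needing a huge library can be put into numbers. This is an added sizing sketch for a site operator, not code from any poster; it assumes each challenge draws `shown` images uniformly at random from the pool and that every image shown eventually gets tagged, and all function names are hypothetical.

```python
import math
import random

def expected_coverage(pool, shown, challenges):
    """Expected fraction of the pool exposed after `challenges` challenges."""
    return 1.0 - (1.0 - shown / pool) ** challenges

def challenges_to_cover(pool, shown, coverage):
    """Challenges served before `coverage` of the pool has been exposed."""
    return math.ceil(math.log1p(-coverage) / math.log1p(-shown / pool))

def min_pool_size(shown, challenges, max_coverage):
    """Smallest pool that keeps exposure <= max_coverage after `challenges`."""
    # 1 - (1 - c)^(1/t), computed with expm1/log1p to avoid cancellation.
    per_challenge = -math.expm1(math.log1p(-max_coverage) / challenges)
    return math.ceil(shown / per_challenge)

def simulate_coverage(pool, shown, challenges, seed=1):
    """Monte Carlo check of expected_coverage using a seeded generator."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(challenges):
        seen.update(rng.sample(range(pool), shown))
    return len(seen) / pool

if __name__ == "__main__":
    # A hundred kitten pictures, nine shown per challenge (constructed numbers).
    n = challenges_to_cover(100, 9, 0.95)
    print("challenges until 95% of a 100-image pool is exposed:", n)
    print("simulated coverage after that many:", simulate_coverage(100, 9, n))
    # Pool needed so 10,000 served challenges expose at most 10% of it.
    print("pool size needed:", min_pool_size(9, 10_000, 0.10))
```

Under these assumptions a hundred-image pool is almost fully exposed after a few dozen challenges, which is why the library has to be rotated or made very large.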
Old 05-27-2008   #6
AussieWebmaster
Forums Editor, SearchEngineWatch
 
Join Date: Jun 2004
Location: NYC
Posts: 8,154
Re: Gmail and Blogspot use by spammers

Sitetruth, remind me not to piss you off....
AussieWebmaster is offline   Reply With Quote
Old 05-27-2008   #7
beu
 
Join Date: Sep 2004
Location: Atlanta, GA U.S.A.
Posts: 2,197
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by sitetruth View Post
This is about to become a big, big problem for "social networking", blog, and advertising sites. The fact that Google hasn't been able to prevent bulk account generation for either GMail or Blogger indicates that there's no quick fix.
Very interesting stuff, thanks for posting!

Any work on video and/or Flash CAPTCHAs that you are aware of or how they work? In other words, it seems like one video could have multiple answers to different questions. This is one of the cases where you can't really stop abuse but you can make it more difficult.
beu is offline   Reply With Quote
Old 05-27-2008   #8
sitetruth
Member
 
Join Date: Feb 2008
Posts: 138
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by beu View Post
Very interesting stuff, thanks for posting!

Any work on video and/or Flash CAPTCHAs that you are aware of or how they work?
Here's a demo of a Flash CAPTCHA: http://www.dracon.biz/captcha.php

This is just too annoying for most users. It might work on a game site.

CAPTCHA R&D continues. Here's an experimental one from Carnegie-Mellon: http://www.captcha.net/cgi-bin/esp-pix

This class of CAPTCHA is vulnerable if the number of images in the test set is small.

There's an upper limit to what users will tolerate, and both of those systems are probably above it.
sitetruth is offline   Reply With Quote
Old 05-27-2008   #9
AussieWebmaster
Forums Editor, SearchEngineWatch
 
Join Date: Jun 2004
Location: NYC
Posts: 8,154
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by AussieWebmaster View Post
Sitetruth, remind me not to piss you off....
I was joking in case anyone thinks I was serious
AussieWebmaster is offline   Reply With Quote
Old 05-27-2008   #10
beu
 
Join Date: Sep 2004
Location: Atlanta, GA U.S.A.
Posts: 2,197
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by AussieWebmaster View Post
I was joking in case anyone thinks I was serious
I think everyone knows you weren't serious
beu is offline   Reply With Quote
Old 05-27-2008   #11
beu
 
Join Date: Sep 2004
Location: Atlanta, GA U.S.A.
Posts: 2,197
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by sitetruth View Post
Here's a demo of a Flash CAPTCHA: http://www.dracon.biz/captcha.php

This is just too annoying for most users. It might work on a game site.

CAPTCHA R&D continues. Here's an experimental one from Carnegie-Mellon: http://www.captcha.net/cgi-bin/esp-pix

This class of CAPTCHA is vulnerable if the number of images in the test set is small.

There's an upper limit to what users will tolerate, and both of those systems are probably above it.
Interesting research for sure, seems like openid could be used in conjunction?
beu is offline   Reply With Quote
Old 05-27-2008   #12
j0nyDzine
Member
 
Join Date: Mar 2005
Location: Atlanta, US
Posts: 96
Re: Gmail and Blogspot use by spammers

I want to verify just how evil some of the captcha software out there is...
One of the apps I saw personally was grabbing about 12-20 pages at a time in tiled windows, and was cracking them at a pretty stupid rate. They have to basically dial-in the time they want to wait per screen so that it emulates human behavior and it doesn't crack the captcha in a 1/4 of a sec, which some sites are set to recognize...
Seriously, evil.
On top, I figured this might just be some pretty simple OCR, but when the more complicated images came out in the last year or 2 this was able to just as quickly read images that were warped, in patterns, color changes, etc... This has been going on for a while, I've seen it for over 2 years, and not sure how long it had been around before then. I was surprised talking to people that most seemed to think that Captcha was relatively safe. It also ran a rotating IP bank, and this system was at the time pretty foolproof for what it was doing...
It sucks seeing a service like Craigs getting nailed like this...
I will say, the stuff that drove me nuts that I'd see was the endless pages of splogs. It sucks when you spend weeks at a time creating a real blog-campaign and you see a fly-by-night competitor set up and throw down like 500 pages overnight and start hitting the engines with nothing but page upon page of meaningless words, I was glad to see that go and I really pray not to see that kind of stuff come back... ugh. Those things seriously chapped me...
j0nyDzine is offline   Reply With Quote
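
The solve-time check mentioned in the post above, with a second test for waits that are suspiciously uniform, might look like this on the site's side. This is an added example, not code from the thread; the thresholds, the `client_id` key and the sample timings are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds for this sketch; tune them against your own traffic.
MIN_HUMAN_SECONDS = 2.0   # faster than this is treated as automated
MIN_CV = 0.15             # stdev/mean below this looks like a fixed, dialed-in delay
MIN_SAMPLES = 5           # do not judge regularity on fewer solves

# Constructed sample: (client_id, seconds from challenge issued to answer
# received), measured server-side. client_id is a hypothetical session key.
SAMPLE_SOLVES = [
    ("c-fast", 0.25), ("c-fast", 0.30), ("c-fast", 0.27),
    ("c-dialed", 8.0), ("c-dialed", 8.1), ("c-dialed", 7.9),
    ("c-dialed", 8.0), ("c-dialed", 8.2), ("c-dialed", 8.1),
    ("c-human", 6.2), ("c-human", 14.8), ("c-human", 9.1),
    ("c-human", 22.5), ("c-human", 7.4), ("c-human", 11.0),
    ("c-new", 9.0), ("c-new", 9.1),
]

def classify_clients(solves):
    """Return {client_id: 'too_fast' | 'too_regular' | 'ok'}."""
    by_client = defaultdict(list)
    for client_id, seconds in solves:
        by_client[client_id].append(seconds)
    verdicts = {}
    for client_id, times in by_client.items():
        if min(times) < MIN_HUMAN_SECONDS:
            # The quarter-second solve some sites already look for.
            verdicts[client_id] = "too_fast"
        elif len(times) >= MIN_SAMPLES and pstdev(times) / mean(times) < MIN_CV:
            # Human solve times vary a lot; a fixed wait does not.
            verdicts[client_id] = "too_regular"
        else:
            verdicts[client_id] = "ok"
    return verdicts

if __name__ == "__main__":
    for client_id, verdict in classify_clients(SAMPLE_SOLVES).items():
        print(client_id, verdict)
```

Timing is one signal to combine with others; with a rotating IP bank in play, the grouping key has to be something other than the source address.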
Old 05-28-2008   #13
Dan01
Member
 
Join Date: Nov 2005
Posts: 516
Re: Gmail and Blogspot use by spammers

I had to stop accepting g-mail, hotmail and a couple other top emails at my forum. At my regular site, I have to delete tons of spam, but that is before it can get past me. I think some people are using "content wizards" to spam. The wizard will change a few words so the content is original and then they use an automated submission program to submit it. What a mess.

The spammer can have 30 or 40 versions of the same article with the push of a button. If they push the limits, the actual content doesn't make much sense.
Dan01 is offline   Reply With Quote
Old 05-28-2008   #14
AussieWebmaster
Forums Editor, SearchEngineWatch
 
Join Date: Jun 2004
Location: NYC
Posts: 8,154
Re: Gmail and Blogspot use by spammers

People try to invent "quick" ways when they could just use the time and intelligence to do it the right way and get much more out of it... hey if it were not for spammers think how far behind the curve Google would be... they use spam as a way to tighten their system
AussieWebmaster is offline   Reply With Quote
Old 05-29-2008   #15
tupperware
foodlove
 
Join Date: May 2008
Location: down under
Posts: 12
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by AussieWebmaster View Post
People try to invent "quick" ways when they could just use the time and intelligence to do it the right way and get much more out of it... hey if it were not for spammers think how far behind the curve Google would be... they use spam as a way to tighten their system
Got your point Aussiewebmaster.
tupperware is offline   Reply With Quote
Old 06-17-2008   #16
sitetruth
Member
 
Join Date: Feb 2008
Posts: 138
Re: Gmail and Blogspot use by spammers

Here's an update.

Craigslist tightened up their CAPTCHA system by requiring a CAPTCHA for each posting, not just for each new account. They started using the CMU high-grade CAPTCHA, the one that uses words their book scanning project couldn't recognize. They put phone verification on new account signups. They disallowed phone verification for more marginal phone service providers.

The spammers are feeling the pain, but overcoming the problems. CAPTCHA checking is being outsourced to a "Mr. Captcha" service, which has a few thousand low-wage workers solving captchas for about 2 cents each. (30 second response or your money back!) A rogue phone service provider that usually provides "number portability" services is offering a special deal: ("We have the solution for you! Our phone numbers are ALL fixed lines and work with Craigslist!" $5/month/number, $0.01 call minute.)

Since these services cost money, some of the low-rent spammers are being filtered out, and Craigslist spam is down. Many of the bulk posting tools have stopped working, especially the low-end ones.

However, Google doesn't seem to have done anything to make it harder to create GMail or Blogger accounts in bulk.
sitetruth is offline   Reply With Quote
Old 06-17-2008   #17
beu
 
Join Date: Sep 2004
Location: Atlanta, GA U.S.A.
Posts: 2,197
Re: Gmail and Blogspot use by spammers

Quote:
Originally Posted by sitetruth View Post
They started using the CMU high-grade CAPTCHA, the one that uses words their book scanning project couldn't recognize.
Man, I've got some handwriting samples they might be interested in checking out... Maybe there is hope for me yet, I could be a CAPTCHA writer!

Seriously though, that is good news! Folks don't realize how serious of a problem this is and how much $ it costs consumers every year.
beu is offline   Reply With Quote
Old 06-19-2008   #18
mokmok69
Newbie
 
Join Date: Jun 2008
Location: BASILAN
Posts: 4
Re: Gmail and Blogspot use by spammers

I think even WordPress and Yahoo are used by the spammers. Why did they not use spambog for spamming?
mokmok69 is offline   Reply With Quote