web application security lab

If the title of this post sounds awfully spammy, that’s because it is. Someone sent me a link to and today, both of which are tied together into one system that lets someone buy a bot plus the human CAPTCHA solving needed to mass-create accounts on some of the largest social networking sites out there.

These include MySpace, Hi5, Facebook, YouTube, Gmail, and on and on… This reminds me a lot of XRumer, which is built for the same purpose but aimed more at message boards and the like. Making hundreds of accounts for spamming is getting more commonplace and accessible. Just plunk down your stolen PayPal or Google Checkout IDs and you’re off to the races! CAPTCHAs aren’t working, folks; we’re just creating another micro-industry.

15 Responses

  1. Steve Says:

    What alternatives to CAPTCHAS and the like do you recommend? I’ve used CAPTCHAs (and more recently reCAPTCHA), reverse captchas and the online tool akismet often all at the same time in order to combat spamming and automated signups but nothing ever works 100%. As long as there are people out there that make money off of automating accounts and spamming they’re always going to be willing to take the time to figure out a way in.

    All we can do is try our best to reduce that breach by as much as possible.

  2. Jonathan Moore Says:

    The funny thing is they sell tools with “CAPTCHA bypass” for hi5, which does not use any CAPTCHA. What is the chance that the whole site is a scam?

  3. mateus Says:

    And they are vuln to XSS =D

  4. ChrisP Says:

    I’d say CAPTCHAs are working. They’re meant to prevent _scripts_ from performing actions at predictable URLs while allowing humans to complete the process. In the example you posted, there’s a _human_ answering the CAPTCHA.

  5. Awesome AnDrEw Says:

    Anyone with less than a single week’s knowledge of something as simple as Visual Basic could have one of these bots up and running, and the partner service only makes it more accessible.

  6. RSnake Says:

    @Steve - I dunno, I’ve managed to have my site up for 2+ years without spammers getting the better of the site, and nary a CAPTCHA to be found! We probably get somewhere between 500-1000 spam blog posts a day and I would say one a month may slip through or less. And even then I usually catch them after the fact.

    @ChrisP, does it matter to a spammer if a human solves 500,000 CAPTCHAs or if a script does? I call them broken. Irreparably broken, even, unless someone figures out a way to make a CAPTCHA only solvable by a person who is actually part of the transaction, instead of just randomly solving any old CAPTCHA.

  7. Ben Maurer Says:
    I think you’ll agree that the sites on are bigger targets than For one, most of your audience isn’t gullible enough to take action on scams one might put on your site.

    As for the second point, you are correct that a solved captcha is a solved captcha regardless of who solved it. However, when humans solve it, there’s a higher marginal cost per CAPTCHA. This means that other layers of spam mitigation can do a better job.

    Keep in mind that just because a post was made by a human doesn’t mean it is not spam. Just as I could hire somebody to solve a CAPTCHA, I can hire somebody to create a fake profile. That doesn’t make it any less spammy. Spam is about posting genuine, relevant content. However, that’s something we can’t filter as well as we’d like. Thus, we rely on approximations like CAPTCHAs. These approximations serve sites very well and prevent the vast majority of spam.

  8. RSnake Says:

    @Ben - in total number of attacks, yes, those sites are bigger targets, in terms of sophistication and percentage, no, this site blows them all away. Spam, however, is the same pretty much everywhere. I do think CAPTCHAs slow down attackers, but no, I must disagree that they are solving spam. They are actually creating industries that reduce the overhead in solving them and technical innovation around their eventual solutions. Basically they are just wasting the bad guy’s time, and adding penicillin to the spamming ecosphere leaving only the people who are monetizing the spam properly to continue their efforts. Basically we are building better bad guys.

    So sure, they do prevent the vast majority of spam - except for the spam that’s been placed there by the people who are the most likely to be using it for the largest gains. And we still haven’t solved the problem for our deaf-blind brethren. We’ve added a hurdle for robots while creating another impossible hurdle for our most vulnerable users. Use them all you want, I’m not going to tell anyone not to, I just don’t think they actually solve the problem that most people think they do, at least not in the way they think.

  9. Dave Says:

    They’re not perfect, but they are a good first line of defence. It also depends what you’re using them for. For preventing blog comment spam, I agree with you - they’re not necessary; you can easily write a script that will stop 99% of it getting through. In fact, on a site that hosts a lot of blogs that I run, a simple count of URLs is usually enough. For larger, more complex sites, though, it becomes very difficult to detect potential spammers through automation, and CAPTCHAs on registration are very necessary.
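The "simple count of URLs" heuristic Dave describes, written out as an added example (this is not Dave's code, and the threshold of two links and the sample comments are my own assumptions, constructed for the example). It pulls every http(s):// or www. link out of a comment, normalises the hostnames so that www.shop.example.net and shop.example.net count as the same site, and flags the comment once the link count passes the threshold:

```python
import re
from urllib.parse import urlparse

# Matches http(s):// URLs and bare "www." hostnames. Assumption: comments
# are plain text or simple HTML; BBCode and bare domains without a scheme
# or "www." are deliberately out of scope here.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"'\]\)]+", re.IGNORECASE)


def extract_hosts(text):
    """Return one normalised hostname per link found in the comment."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?")            # trailing sentence punctuation
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw             # give urlparse a scheme
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower().removeprefix("www."))
    return hosts


def classify(comment, max_links=2):
    """Dave's rule: more than max_links URLs and the comment is spam.

    distinct_hosts is reported alongside the raw count so a moderator can
    tell "four links to one shop" from "four links to four references".
    """
    hosts = extract_hosts(comment)
    return {
        "links": len(hosts),
        "distinct_hosts": len(set(hosts)),
        "spam": len(hosts) > max_links,
    }


# Constructed sample comments (not taken from the thread above).
SAMPLES = {
    "ham_no_links": "CAPTCHAs annoy me more than they annoy the bots.",
    "ham_one_link": "I wrote up my numbers at http://www.example.org/notes/captcha.",
    "ham_two_links": "Compare http://example.com/x with https://example.org/y.",
    "spam_many_links": (
        "cheap watches http://shop.example.net/a "
        "http://shop.example.net/b www.shop.example.net/c "
        "and pills at http://pills.example/buy"
    ),
}


def run_samples(max_links=2):
    """Classify every sample; returns {name: is_spam}."""
    return {name: classify(text, max_links)["spam"] for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} {classify(text)}")
```

The threshold is the only tunable: two links lets a commenter cite a couple of references, while a typical link-farm comment carries far more. Because the check is purely structural, a spammer can beat it with one link per comment, which is exactly why it is a first filter for blog comments rather than a registration defence.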

  10. RSnake Says:

    @Dave - so you’re saying that the spammers are being thwarted on registration by CAPTCHAs? Did you look at the robots linked to in the blog post? Why do you think that CAPTCHAs are necessary, exactly, that they couldn’t be replaced by alternatives, like Authentify, or snail mail, or SMS verification or any of a thousand other out of band communication mechanisms? I hear a lot of people talking about CAPTCHAs as if they are actually stopping bad guys, and I haven’t seen any actual proof of that. What I see in sites like the one mentioned in the post and other similar sites like is that spammers are simply shifting tactics.

    Line of defense, yes, necessary, no.

  11. Steve Says:

    Yeah things like Authentify, snail mail and SMS verification are all very good alternative measures for verification but in 99% of the projects that I work on they’re just not viable options. Forcing a person to give up personal information like an address or phone number is fine if we’re talking about eCommerce or healthcare based sites but what about the multitude of others?

    Social networking sites or even just personal/company websites need a way to filter the spam without requiring much additional work for the end user. I agree that CAPTCHAs and the like aren’t stopping it completely but there’s nothing out there that can stop it completely while not requiring the user to provide unnecessary information.

    All in all, I think (like anything else) CAPTCHAs have their place and can do a pretty good job, but in instances where 100% of the spam and automated accounts have to be stopped OOBA methods would have to be used.

    You bring up a good point referring to deaf-blind users and CAPTCHAs, I strive to make web presences that are both accessible and secure but sometimes it seems like trying to achieve both is impossible. At least for now, you have to give up a little of one for the sake of the other. I guess that’s another instance where decisions are based on the situation.

  12. Zack Says:

    So 10% of spammers can now bypass CAPTCHA? 90% are filtered, we should keep it the way, instead of letting it wide open for both retarded brainless spammers and technically aware ones who are willing to pay money as well..

  13. RSnake Says:

    @Zack - said just like a spammer who wanted to keep their competition away. ;)

  14. Zack Says:

    @RSnake - LOL, didn’t mean it to sound like this, all I’m saying, most of the spammers would think it ain’t worth it :]

  15. Kyo Says:

    On my website, I allow the same IP to sign up once a day. (’cause after that, the entries of which IPs have already been used are deleted)
    It can be bypassed by proxies and that stuff, but not in large proportions. Sure, it might cause trouble in households with two people wanting to sign up on the same day, but that’s not going to happen too often, plus, if they really want to join the site, they can wait a day (or do a router reset).
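Kyo's one-signup-per-IP-per-day rule, as an added example (not Kyo's code). Instead of wiping the table once a day, each entry carries its own timestamp and expires 24 hours after it was recorded, which is the same policy without a midnight cliff. The scenarios walked through at the bottom are the ones Kyo names: a second person in the same household is blocked, a spammer hopping to a proxy is not, and a router reset that yields a new address also gets through. Keying IPv6 clients on their /64 rather than the full address is my own addition, on the assumption that a single subscriber usually holds a whole /64; the addresses are constructed documentation-range values.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=1)


def limiter_key(ip):
    """Normalise an address into the key the limiter counts against.

    Assumption (mine, not Kyo's): an IPv6 subscriber typically holds a /64,
    so a per-address limit would be trivially evaded; key on the prefix.
    Raises ValueError for anything that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class SignupLimiter:
    """Allow one signup per source IP (or IPv6 /64) per rolling window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._seen = {}  # key -> time of the last accepted signup

    def _purge(self, now):
        """Drop entries older than the window, i.e. Kyo's daily cleanup."""
        expired = [k for k, t in self._seen.items() if now - t >= self.window]
        for k in expired:
            del self._seen[k]

    def try_signup(self, ip, now):
        """Return True and record the signup if this IP may sign up now."""
        key = limiter_key(ip)
        self._purge(now)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def simulate():
    """Run the scenarios from the comment; returns {scenario: allowed}."""
    lim = SignupLimiter()
    t0 = datetime(2008, 1, 1, 12, 0, tzinfo=timezone.utc)
    home = "203.0.113.7"      # constructed: a household's address (TEST-NET-3)
    proxy = "198.51.100.9"    # constructed: an open proxy a spammer hops to
    return {
        "first signup": lim.try_signup(home, t0),
        "same ip, same day": lim.try_signup(home, t0 + timedelta(hours=3)),
        "second person in household": lim.try_signup(home, t0 + timedelta(hours=6)),
        "spammer via proxy": lim.try_signup(proxy, t0 + timedelta(hours=6)),
        "router reset, new address": lim.try_signup("203.0.113.8", t0 + timedelta(hours=7)),
        "same ip, next day": lim.try_signup(home, t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for scenario, allowed in simulate().items():
        print(f"{scenario:28} {'allowed' if allowed else 'blocked'}")
```

The simulation makes Kyo's trade-off concrete: the rule costs one legitimate household member a day's wait, while anyone with a second address, whether a proxy or a fresh DHCP lease, is not slowed at all, so it suppresses volume from a single source rather than stopping a determined account farmer.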