Gmail crack causes spam flood

The software tool used by Google's Gmail to stop spammers has been cracked, leading to a big increase in spam sent from Gmail accounts last month, according to security firm MessageLabs.

Most Web services use some type of "Captcha" program when signing up users for an online account. They typically consist of a box with some characters, either distorted or displayed against a noisy background, and you have to type the letters and numerals in exactly as you see them before the system will accept the sign-up.

MessageLabs created this graphic that shows how a bot fakes out a captcha and uses the newly created e-mail accounts to send out spam.
(Credit: MessageLabs)

Captchas are designed to block automated programs, called bots, that are written to create new accounts for spammers to use. Annoying as the captcha systems are, they had been successful in keeping bots out, until recently.

Yahoo Mail and Hotmail captcha mechanisms were broken in July 2007, according to MessageLabs. And now, Gmail has succumbed.

As a result, the proportion of spam sent from Gmail accounts doubled from 1.3 percent in January to 2.6 percent in February, mostly promoting adult-oriented Web sites, MessageLabs says.

A Google representative said she could not confirm or deny that the captcha method used in Gmail had been broken, but did confirm that there had been an increase in spam recently.

The Gmail captcha problem was reported in late February by another security firm, Websense.

Gmail is an attractive target for spammers because a Google account is free and offers access to a wide range of services. Also, Google domains are unlikely to be blacklisted, Websense says.

This screenshot shows network analysis of a bot cracking Gmail's captcha mechanism, a more sophisticated attack than one used to crack Live Mail's captcha technique, Websense says.
(Credit: Websense)


Talkback 4 comments

  1. Send the morons to Jail Anonymous -- 10/03/08

    If tracking down the spammers is too hard, go after their customers.

    Granted it will not stop the fraudsters but it will cut down on all the unsolicited junk from home mortgages and online university degrees to porn, Viagra and replica watches!!!

    Fine those scum bags out of existence or better yet, jail them.

  2. terrible screenshot Anonymous -- 10/03/08

    Screenshot was useless. Has nothing to do with captcha cracking. Nice try.

    1. Actually it has everything to do with CAPTCHA cracking... Kaph -- 12/03/08

      The second screenshot shows connections to two machines that process the CAPTCHA image. Host 1 does the primary analysis and host 2 can be likened to a failsafe if host 1 fails in its attempt to break the CAPTCHA.
      The original Websense article states:
      "To be specific, host 1 has a similar concept that was used to attack Live mail CAPTCHA. This involved extracting an image from a victim's machine in the form of a bitmap file, bearing BM.. file headers and breaking the code. Host 2 uses an entirely different concept wherein the CAPTCHA image is broken into segments and then sent as a portable image / graphic file bearing PV..X file headers as requests. "
      I do think however a link to the Websense article should have been included, so here:
      http://www.websense.com/securitylabs/blog/blog.php?BlogID=174

  3. how I dealt with a spammer Anonymous -- 29/03/08

    I got spammed for some sales site, looked up their ISP and called to complain. I was politely informed that yes, sending such advertisements violated their terms of service and the matter would be looked into. My reply of "this violated FCC regulations. What are you going to DO about it?" was met with stunned silence, after which a supervisor came on and told me the matter would be dealt with promptly. I checked back a week later and the website was gone.

    We do not need to rely on the authorities for this. If you get spammed, look up the domain registry for the site, call their ISP and complain. If enough complain, especially when mentioning federal regulations, the ISPs will pull the sites. Together we can slap a chilling effect on those who hire spammers to advertise for them. To learn how to get a site's ISP and the phone number to call, google "domain name lookup" or use www.whois.net
