Revenge of the Captcha! (Reverse Captcha, Ransom Notes and Image Spam)
for months now, images have been increasingly seen in spam, reaching up to 30 to 40 per cent of all spam total. for a while, counter-measures have been in play, developed by many different folks, some we know, some we don’t. from system administrators developing signatures to a team at spamassasin working on an ocr system to break these images and check their text for spamishness.
when first encountered, a friend of mine was as excited as me: “why, it’s exactly like a captcha, only in reverse!”
hence the term i just coined – reverse captcha.
as it’s a cat and mouse game of escalations and counter-measured by bad guys and good guys, the bad guys learn and make our lives more difficult. i will try to explain what a reverse captcha is to me (and no, it’s not a special type of turing test, although we touch on that below).
captchas are the annoying images (or audio?) you are asked to observe and later on, type in characters that match what you see or hear, to verify you are human rather than a bot. there are more advanced types of captchas, but you get my drift. captcha are often described as a “reverse turing test”.
i suppose these images in spam (actually, the spammers) liked the idea, and as most not black/gray listing related spam filters are content-specific, the use of images to deliver the spammy message makes sense. a computer can’t read it.
this write-up, coming up with the same term “reverse captcha” not very long ago, describes potential tests computers can deal with, but humans can’t:
this is an interesting variation on the turing test, in which humans generate and grade tests that most humans can pass, but current computer programs cannot pass. is there another variation in the future, in which computers generate and grade tests that computers can pass, but humans cannot pass?
in our case however (referencing “reverse captcha”), the captcha is the same as the ones used on web sites to prevent spam bots from posting. it tests for a human being a human, only that the computer avoided is not a remote attacker (multiple attackers), but a local centralized filter. the main difference other than avoiding a guard rather than multiple hordes of bots is that the captcha now helps the bad guys. it’s used by the other side.
naturally, the spam filters stated utilizing ocr much like the spammers using bots did when trying to bypass our protections. so, our lovely friends the spammers started obfuscating their spam messages, even creating images looking like ransom notes in the attempt to get through these filters.
indeed, it is not the technology which is evil, it is its uses. i find this battle extremely interesting, and participate as well as observe as much as i can.
nowadays ascii art spam is seen more and more often.. new tricks are invented daily, as well as new battle fields. the idea for “revernge of the cpatcha” was taken from coderman on the funsec list.