Spammers hack captcha to post blog spam comments?

Either the spammers are very stupid or they have figured out a way to hack the visual captcha plugin (created by James Seng) that I installed in my Movable Type blog (sample image to right). I say this because my blog has been receiving spam comments over the past several months with the exact same text, and I've seen this exact text on other blogs as well.

The spam text reads:
I totally agree with what you're saying. I wish more people felt this way and took the time to express themselves. Keep up the great work.

<name>
<website>

The spam text is "generic" enough, and even complimentary to the blogger, that a naïve blogger who hasn't come across this spam may let the comment stay on the blog. In any case, it's always this exact text, but the IP address varies (could be open proxies) and the website is always different, which indicates multiple spammers using the same script and text template. It could be one spammer with hundreds of domains, but it seems to me that this comment spam text is so common that there must be some sort of script out there that can get around the captcha. James Seng's captcha is pretty popular, so perhaps a hacker/spammer has devised an OCR (optical character recognition) routine to recognize the numbers and created a script to automate this?

I Googled this spammy text with a portion of it in quotes (exact match) and found at least 114 results. A slightly less strict search reveals 765 Google results. Now granted, the spammers could simply be copy/pasting their script into the Comments body and then manually entering the random numeric captcha code. But if they are going to go through the effort of copy/pasting to dozens of blogs in hopes of raising their Google PageRank, why not come up with 10 text templates instead of just 1 (not that I should be giving them any ideas)? Eventually, even the naïve blogger is going to catch on to this spam text and delete it. So why waste the effort? You'd think a spammer smart enough to hack the captcha code would modify his/her text template. Then again, if a script does exist to hack the captcha, it's probably script kiddies borrowing the hacker's original script and so damn lazy they don't even change the text.

Actually, I've also seen some slight variants on this spam such as these:
Hello! You have very interesting blog! I enjoy reading you blog... keep it up guys! Respect you. Good luck you!

This one is interesting, because if you Google it by clicking here, you will see the "variants" of the exact text with the only text changed being the part in RED. Could be one spammer with hundreds of domains, who knows?

Thanks for this great post. You've got some really good info in your blog. If you get a chance, you can check out my blog on {copiers} at http://www.XYZ.com.

Some of the "red" keywords include: free credit reports, inkjet printer ink, mortgage brokers, donate, and more.

You gotta love the poor grammar they use, by the way. I actually find it amusing to read such tortured English. Though I hope this isn't Americans using such poor grammar. After all, isn't the controversial No Child Left Behind supposed to help with that? And yes, I know I used the word "gotta".

We have two possibilities here.
1) Spammers are using a script that can visually read the numbers in the captcha image and automatically posts a comment using the same text template.
2) Spammers aren't "hacking" the captcha at all, but rather manually entering their crap on people's blogs, manually entering the captcha code (if installed), and using the same damn text template. My only question is: is this one annoying spammer or dozens doing this?
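Whichever possibility holds, the defender's tell is the same: one fixed text template arriving from many IPs and websites. The following Python filter is an added example (not the post's or Movable Type's code) that flags comments matching the two templates quoted above, treats the keyword/URL slot of the second as variable, and groups the hits by distinct IP and website; the IPs and sites are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Spam templates quoted in the post; the second varies a keyword and a URL,
# so it is a regex over the normalized (lower-cased, space-collapsed) text.
AGREE = ("I totally agree with what you're saying. I wish more people felt this "
         "way and took the time to express themselves. Keep up the great work.")
KEYWORD_RE = re.compile(
    r"thanks for this great post\. you've got some really good info in your blog\. "
    r"if you get a chance, you can check out my blog on (?P<keyword>.+?) at "
    r"(?P<url>https?://\S+?)\.?$")

def normalize(text):
    # Lower-case and collapse whitespace so trivial edits don't evade the match.
    return re.sub(r"\s+", " ", text.strip()).lower()

def classify(body, threshold=0.9):
    """Return (template_name, keyword) or (None, None) for one comment body."""
    norm = normalize(body)
    m = KEYWORD_RE.match(norm)
    if m:
        return "keyword", m.group("keyword")
    # Similarity ratio also catches copies with a word or two changed.
    if SequenceMatcher(None, norm, normalize(AGREE)).ratio() >= threshold:
        return "agree", None
    return None, None

def summarize(comments):
    """Group flagged comments by template with the distinct IPs and sites seen."""
    report = {}
    for c in comments:
        name, keyword = classify(c["body"])
        if name:
            e = report.setdefault(name, {"ips": set(), "sites": set(), "keywords": set()})
            e["ips"].add(c["ip"]); e["sites"].add(c["website"])
            if keyword: e["keywords"].add(keyword)
    return report

# Constructed sample comments (documentation-range IPs, placeholder sites).
SAMPLE_COMMENTS = [
    {"ip": "192.0.2.10", "website": "http://one.example", "body": AGREE},
    {"ip": "198.51.100.7", "website": "http://two.example",
     "body": AGREE.replace("great work", "good work")},   # near-variant copy
    {"ip": "203.0.113.5", "website": "http://credit.example",
     "body": "Thanks for this great post. You've got some really good info in your "
             "blog. If you get a chance, you can check out my blog on free credit "
             "reports at http://credit.example."},
    {"ip": "192.0.2.99", "website": "", "body": "Great post, but I disagree with point two."},
]
```

Running summarize(SAMPLE_COMMENTS) shows the "agree" template arriving from two different IPs and sites, which is exactly the pattern the post describes.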

Either option makes these spammers (spammer?) look like the dumbest spammers that ever walked God's green Earth. Thankfully, spammers tend to be the bottom of the gene pool and are more "lucky" than "smart" when it comes to making money on the Internet. Their "shotgun" approach to spamming the entire Internet, as opposed to a more refined "sniper rifle" attack, just might be a blessing. Just imagine if they actually had some intelligence in their spamming methods. It might make spam filters irrelevant, which would really suck since I spend at least 30 minutes a day going through spam on my blog and email accounts.

That reminds me: you know those stats that tell you you spend X number of years sleeping, X number of years in a car, X number of years eating, etc.? I wonder how many years the average person loses dealing with spam. I loathe spammers. Ok, I'll end my Friday morning rant against spammers.


7 Comments

Spam Blogs are Splogs, Comment Spam is Spomment, how about trackback spam?  Spamback or Trackspam?   Please vote here.


Come on... automated visual (and even audio) captcha decoding has been implemented by spammers for years. Check out http://sam.zoy.org/pwntcha/ for the most complete decoder probably in use by every spammer today.

For an excellent audio captcha decoder, look at http://vorm.net/captchas/. In my tests, I could break MSN audio captchas 100% of the time.

(I'm not a spammer, incidentally; I'm into VoIP and needed a way to do speaker recognition for voice dialing (instead of DTMF dialing).)

Keep up the good work, I'll leave off my url.

John,
Yeah, I was aware that hacking captcha was do-able using OCR. However, I've used regular OCR software to scan documents and it is generally inaccurate. I guess I figured OCRing a captcha wouldn't be worth the trouble or wouldn't be that accurate. You'd have to keep hammering my MT blog entry, OCRing the captcha until the comment finally posted.

I suppose Scode (what I use) is a fairly common captcha, so once the script is written, it can hammer all Movable Type blogs that use it. Of course Scode uses very basic fonts and layout, so I figured this captcha was fairly simple to break. Thanks for the link that states 100% accuracy in breaking Scode. Wonderful. Time to move to a new captcha perhaps.

what about http://www.captchasolver.com ? it's an automated captcha solving web service.

Nice article. In my opinion every "not-hackable" system can be hacked in one way or another, and the same is true for the Captcha system.

For example, this article describes how to hack simple Captcha words:
http://j2ee-now.blogspot.com/2008/03/captcha-hack-part-1.html

If you don't like those spam comments, I suggest spamwow, which I currently use; it stops those pesky spammers. It is by far the best one out there!

Nice post....Good discussion going here......
