Spambots Target Gmail, but Still Can’t Get in Without Human Help

There have been a couple of stories lately suggesting that spammers may have created bots capable of cracking Gmail's registration CAPTCHAs, but that isn't exactly the case.

A CAPTCHA, which is short for Completely Automated Public Turing test to tell Computers and Humans Apart, is an image file that displays warped or visually obscured characters that supposedly only a human can decipher.

Obviously if spammers could create bots capable of solving CAPTCHAs it would be bad news, but the latest attack seems to still rely on humans.

The Register, Ars Technica and Slashdot all point to an article on the Websense Threat Blog, with the headline: "Google's CAPTCHA busted in recent spammer tactics."

However, if you read through to the end of the article, Websense points out that the bot system uses a webpage (in Russian) offering money to anyone who will solve the CAPTCHAs presented.

In other words, the bots are harvesting Gmail's CAPTCHAs and sending them back to be solved by humans. Websense estimates that 1 in 5 bot-based registrations is successful.

Which is not good news, but at this point the problem isn't the bots, it's the humans solving the CAPTCHAs.

Still, while Websense's headline may be misleading, it would be overly optimistic to suggest that bots won't get into Gmail. They've already cracked through Yahoo, Live Mail and plenty of BB Forum CAPTCHAs. Spam is, regrettably, only going to get worse.

Given that CAPTCHAs suffer from a number of usability drawbacks and really aren't that effective anymore, perhaps it's time for something a bit more sophisticated, like the system proposed by xkcd:

[Image: xkcd comic]

[via Slashdot]