EarthLink has just 31 challenge-response CAPTCHAs

February 12th, 2006 at 18:00 UTC by Richard Clayton

EarthLink, the US ISP, provides its users with a number of spam blocking and filtering systems. One of these systems, deployed since 2003 or so, is called “Suspect Email Blocking” and is one of those tedious and ineffective “Challenge-Response” systems. They might have made sense once, but now they just send out their challenges to the third parties whose identity has been stolen by the spammers.

Since the spammers have been stealing my identity a LOT recently — and since Earthlink is failing to detect their emails as spam — I have received several hundred of these Challenge-Response emails :-( Effectively, EarthLink customers are dumping their spam filtering costs onto me.

Well I’m now mad as hell and not going to take it any more. So I’ve been responding to these challenges, and whenever possible I’ve been sending along a message that indicates the practical effect of the system. Of course this will mean that the spam will be delivered (and the forged email address will be whitelisted in future) which is hardly what is desired! Since this should be quite noticeable, if everyone was to spend a few minutes each day responding to the challenges then Challenge-Response systems would die out overnight! So please join in!!

Howver, responding is rather tedious (the idea, after all, is that the spammers won’t be able to afford to do it — though in practice they would be able to keep sending their more profitable spam by using labour from the Third World). To avoid this tedium I’ve been working on the automation of my responses. However, the EarthLink web page on which you respond contains a visual CAPTCHA — specifically so as to prevent automatic responses to the challenges. Nevertheless, I got a lot slicker at answering the questions when I wrote some Perl and put up a little Tk widget to collect the answer to the CAPTCHAs.

TK widget for EarthLink CAPTCHAs

The idea was to move on to some fancy image processing since there’s been a lot of success at this (see here and here for starters)… However, that won’t be necessary. It turns out, nearly 300 challenges later, that EarthLink only have 31 CAPTCHAs in total… although since some turn up a great deal more more rarely than others, it may be that there’s a few more to be collected!

01 EarthLink CAPTCHA 01 02 EarthLink CAPTCHA 02 03 EarthLink CAPTCHA 03
04 EarthLink CAPTCHA 04 05 EarthLink CAPTCHA 05 06 EarthLink CAPTCHA 06
07 EarthLink CAPTCHA 07 08 EarthLink CAPTCHA 08 09 EarthLink CAPTCHA 09
10 EarthLink CAPTCHA 10 11 EarthLink CAPTCHA 11 12 EarthLink CAPTCHA 12
13 EarthLink CAPTCHA 13 14 EarthLink CAPTCHA 14 15 EarthLink CAPTCHA 15
16 EarthLink CAPTCHA 16 17 EarthLink CAPTCHA 17 18 EarthLink CAPTCHA 18
19 EarthLink CAPTCHA 19 20 EarthLink CAPTCHA 20 21 EarthLink CAPTCHA 21
22 EarthLink CAPTCHA 22 23 EarthLink CAPTCHA 23 24 EarthLink CAPTCHA 24
25 EarthLink CAPTCHA 25 26 EarthLink CAPTCHA 26 27 EarthLink CAPTCHA 27
28 EarthLink CAPTCHA 28 29 EarthLink CAPTCHA 29 30 EarthLink CAPTCHA 30
31 EarthLink CAPTCHA 31

For rather more detail, and the current totals for each CAPTCHA (some have turned up nearly 30 times, some just once) please see the detailed account which I’ve placed on my own webspace.

By the way: If you’re an EarthLink user reading this — then please turn OFF “Suspect Email Blocking”! You’re just annoying everyone else :-(

Entry filed under: Security economics

6 comments Add your own

  • 1. Tyler Moore  |  February 13th, 2006 at 11:09 UTC

    So now we have peer-to-peer spam filtering! No longer do ISPs have to make the blocking decision or carry the costs of filtering; they’ve shifted liability onto end users. Such a liability shift would only make sense if users were better placed to invest in spam defence than ISPs, which they clearly are not. ISPs are better placed to fight spam because they examine much more email than a user ever could and they have the authority to filter spam out in the first place.

    So this technique creates an added inconvenience, transferring spam from the original recipient to the spoofed originator. The net effect on spam is nil (if you equate the original spam with Earthlink’s spam response). Though interestingly, enabling ‘Suspect Email Blocking’ makes sense to an individual Earthlink user since it diverts all of its spam over the Internet. Only with widespread adoption will the individual benefits of the blocking strategy diminish, as the Earthlink users begin receiving fake challenges from AOL, Hotmail, and Gmail users.

  • 2. Chris Walsh  |  February 13th, 2006 at 16:57 UTC

    I am very happy to have learned of this blog, and want to thank you in advance for all the good things you will be treating us to.

  • 3. Justin Mason  |  February 13th, 2006 at 20:46 UTC

    Nicely spotted. ;)

    I have a good SpamAssassin ruleset which blocks these — mail me if you’d like a link. It catches almost all of these mails. I still hand-confirm the ones that get past, of course, as a protest against the offensive cost-shifting that C/R represents.

  • 4. Richard Clayton  |  February 13th, 2006 at 22:04 UTC

    Blocking the EarthLink Challenge-Response emails is hardly rocket science… and has been described in many places such as here. It is of course an EarthLink specific detection rule (useless on other systems) — and failing to accept these messages does nothing towards getting the EarthLink customers to turn them off! So although it would help me to block these messages, it does nothing to help the rest of the Internet. Which is where we came in!

  • 5. Stiennon  |  February 14th, 2006 at 15:48 UTC

    While I applaud your vigilance I am appalled that you had time to capture 32 CAPCHTA’s from Earthlink.

    Thank you for spending time the rest of us don’t have to discover this.

  • 6. Richard Clayton  |  February 14th, 2006 at 16:04 UTC

    I’m appalled that EarthLink’s spam detection is such that they have now sent me 325 challenges in the period since the 20th December. If they knew it was spam, they would not challenge. Nevertheless, to an academic, time spent educating users [turn the system OFF!] can surely never be time that is wasted?

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

February 2006
M T W T F S S
    Mar »
 12345
6789101112
13141516171819
20212223242526
2728