On Wed, Jul 28, 2010 at 14:15, Brion Vibber <brion@pobox.com> wrote:
There are service firms that simply employ lots of people to type in captchas on your spambot's behalf.
A number of porn sites work this way. When someone tries to access the freebie section of a porn site, they see a captcha. It's copied from the site they are trying to attack. The attack is conducted live as the porn site user tries to get in. That user types the captcha content, which is passed along to the attacked site. The attack is successful and the porn viewer gets a little reward. It works because the attack is made when a user is available, so the captcha usually will not expire in that short time frame. As long as the people doing the attack understand the security mechanism of the target site, they can replicate it on their porn site and get other humans to do it for them, for a little reward.
Defeating this can be hard to do. The attacks are usually relayed through botnets, so all the accesses look like they are just coming from random home users (and not a bunch from one common IP address). There is relatively little lag between the display of the captcha (or whatever other mechanism is used) and the response of that user, so it looks like normal timing from a human (because it really is).
Anyway, people don't need to be employed to do this. There are lots of hormone-starved teenagers willing, for a little reward.