The CAPTCHA has been pwnd!

So, you think CAPTCHAs would cut your spam comments in half? Well, think again.

Just a little over a year after Google let loose audio CAPTCHAs on the brewing security-conscious public, it appears that this, too, has been defeated. (The most common implementation is an accessibility icon next to a visual, or image, CAPTCHA that plays a recording of a series of numbers and/or letters, obscured by some background noise.) Security company BitDefender reports identifying a new Trojan, dubbed Trojan.Spammer.HotLan.A, that takes over and zombifies machines, using unsuspecting users’ computers to generate Yahoo! and Hotmail accounts, which in turn send out advertisements for pharmaceuticals, presumably for the same underground sellers who hired these spammers. If you’ve maintained a blog or so for at least a month, you should be familiar with these advertisements. Thankfully, Akismet takes care of most of them. Most of them.

If you happen to have a [email protected] email address with zero spam controls (like mine, and sadly, most of the other services out there), you know how painful it can get dealing with unwanted mail. The series of events has become all too familiar: you post your [email protected] address on a public blog; tomorrow, swarms and swarms of ads rain down on your latest post; the day after, your [email protected] is taken over by gazillions of spam mails. Unfriendly spider bots, it appears, will not settle for being second to Google’s indexing bots, which try to track each of the hundreds of new blogs that get created every day.

Whether CAPTCHAs do much to ward off unwanted traffic, whether they are needed at all, and, if they are, where they are best implemented are questions that have no straight-up answer for all situations. I personally get annoyed when a blog implements CAPTCHAs for every comment posted, even when you have registered and are already signed in to the blog. As always, moderation is the key. For now, though, we are left with little choice, even more so when these technologies that “read” and “listen” to CAPTCHAs come full circle and eventually render them useless.

Originally posted on July 10, 2007 @ 3:40 am