Seeing too much of this already: spam with the captcha filled. By humans.

Hmm, here’s a spam on the Free Our Data blog, which Spam Karma allowed through: about sharetips. (It’s always flipping share tips these days. A letter from a reader to the Gdn explained why – basically, that you can’t touch the companies involved because their assets are offshore.)

But why did this spam get through SK, which effortlessly swats away thousands of spams pretty much any given day?

Here is Spam Karma’s report on the characteristics of how the spam got through. Bad things about it are in red; good ones, in green.
-2.2: Comment contains: 5 linked URLs and 0 unlinked URLs: total link coef: 5 >= threshold (2). Non-URL text size: 1985 chars. Translation: Your comment is full of URLs and junk. I don’t like that.
0.5: Valid Javascript payload (can be fake). You seem to have filled in my comments form on the site.
0: Encrypted payload valid: IP matching. You seem to come from where you say you come from.
5: Successfully filled captcha. Oh, you exist. You’re not a computer.

A human, it seems, took the trouble to key in some letters when Spam Karma metaphorically rubbed its chin and said “Hmm… can you do this, then?” A captcha is one of those annoying forms you have to fill in on Blogger etc – the wavy letters and so on. It’s meant to ensure you’ve got a human at the screen. And we did, here.
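To see how much that one check mattered, here is an added example (not Spam Karma's code and not part of the original post) that parses the four report lines above and totals them with and without the captcha credit. It assumes the per-check scores are simply added together, and it drops the post's own plain-English glosses from each line.

```python
import re

# The four report lines from the post (score, then Spam Karma's description).
# The author's "Translation" glosses are omitted.
REPORT = """\
-2.2: Comment contains: 5 linked URLs and 0 unlinked URLs: total link coef: 5 >= threshold (2). Non-URL text size: 1985 chars.
0.5: Valid Javascript payload (can be fake).
0: Encrypted payload valid: IP matching.
5: Successfully filled captcha.
"""

# A signed decimal score, a colon, then free text (which may itself contain colons).
LINE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?):\s*(.+)$")


def parse_report(text):
    """Return [(score, description), ...] for each 'score: description' line."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            items.append((float(m.group(1)), m.group(2).strip()))
    return items


def net_karma(items, exclude=None):
    """Sum the scores (assumption: checks are additive), optionally
    skipping any check whose description contains `exclude`."""
    kept = [s for s, d in items if not (exclude and exclude.lower() in d.lower())]
    return round(sum(kept), 2)


def dominant(items):
    """The single check carrying the largest absolute weight."""
    return max(items, key=lambda it: abs(it[0]))


if __name__ == "__main__":
    items = parse_report(REPORT)
    for score, desc in items:
        print(f"{score:+5.1f}  {desc[:60]}")
    print("net karma:", net_karma(items))
    print("net karma ignoring captcha:", net_karma(items, exclude="captcha"))
    print("dominant check:", dominant(items)[1])
```

The sign flips once the captcha credit is removed: a solved captcha shows that a human was at the screen, not that the comment is wanted, so weighting it above the content checks is what let this one through.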

Where did that come from, then? The IP address: 125.23.81.218.

Which is, according to whois,

Bharti Televentures Ltd., Broadband and Telephone Service, 224,Okhla Phase III, New Delhi, Delhi, India

Well, now we got trouble. Folk in India being paid by sharepumpers to fill in comment forms on out-of-the-way blogs? That’s really worrying. First that it’s profitable enough; second that they can pay people that little (it’s going to be fractions of pennies per site, yet they have to buy computers and give them internet connections…) and still profit.

What’s the betting for the first uses that the $100 computer will get put to?

8 Comments

  1. Where did that come from, then? The IP address: 125.23.81.218.
    Four letters: DDOS!

  2. I’ve been waiting for this to start to happen. Let’s face it all the call centres are already full of people sitting in front of screens that are internet connected – why not get them to fill in some captchas whilst selling us insurance…..

  3. I think I remember reading about this somewhere a while ago. I guess it makes sense, although I can’t imagine it scales *that* far. Still, annoying if you happen to get stuck with it.

    Does show the limits of captchas though. Eric Meyer did an interesting thing on his blog; required answers to questions that no human could get wrong (e.g. what colour is an orange?). Also limited, but interestingly different, and it might take humans a bit longer to complete that than a normal captcha, hence slowing the process down and making it less effective and more expensive.

    Oh, it’s a fun old game, isn’t it? No? Fair enough.

  4. What you need is the equivalent of “report as junk” in spam comments.

  5. Chui, why would I need that? I mean, I’ve already *got* it, inasmuch as Spam Karma has a “kill that” option. (And it blocks the IP and so on.)

    Oh, you mean other people could report it? Might work, but I’m more likely to see it first, and anyway, what some people think is junk is not what other people will. I’d rather be the arbiter – I let pretty much anything that’s vaguely related to the topic and non-commercial through.

  6. Sometimes you can trick people into filling in a captcha. Just show the captcha related to another action on another website and you get people filling it in for you for free. My site uses that (but not for evil purposes).

  7. if u help any one help me in the implementing it is very helpful to me.
