Last year spammers were reduced to using stripper images to tempt users into helping them crack "CAPTCHA" anti-scam filters, but now UK researchers have developed a simple, low-cost way of automatically bypassing the system on Microsoft's online services.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems are used by Microsoft, as well as Yahoo, Google and others, to stop automated systems from registering web-based email accounts (which can then be used as spam relays), filling blog comment sections with spam and guessing passwords.
The systems typically present users with a series of characters that can be deciphered by humans, but not by image-recognition software.
The research follows on from a report by Websense in February that spammers had managed to find a way to reliably crack Microsoft's anti-spam tool.
Microsoft's system is used for services including Hotmail, MSN and Windows Live. In attacking it, researchers Jeff Yan and Ahmad Salah El Ahmad of Newcastle University focused on "segmentation" - reducing the CAPTCHA image into discrete characters.
Once an image is segmented, interpretation of the individual characters is relatively easy, according to the researchers.
Microsoft's CAPTCHA is designed to be particularly resistant to segmentation, but the researchers developed a technique that achieved a segmentation success rate of more than 90 percent against the scheme.
A system with a 1.86GHz Intel Core 2 chip and 2GB of RAM took about 80 milliseconds to carry out segmentation, according to the researchers' white paper.
"For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks," wrote Yan and El Ahmad. "Our work shows that the MSN scheme provides only a false sense of security."
They estimated the scheme could be broken with an overall success rate of more than 60 percent.
The researchers noted that, by contrast, Microsoft's stated design goal was for automatic scripts to achieve a success rate of under 0.01 percent.
"Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust," the researchers wrote.
They said that the techniques for, and understanding of, CAPTCHA tools are in their infancy, and predicted that CAPTCHAs would grow more sophisticated in response to the growing sophistication of attacks.