Last year spammers were reduced to using stripper images to tempt users into helping them crack "CAPTCHA" anti-scam filters, but now UK researchers have developed a simple, low-cost way of automatically bypassing the system on Microsoft's online services.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems are used by Microsoft, as well as Yahoo, Google and others, to stop automated systems from registering web-based email accounts (which can then be used as spam relays), filling blog comments sections with spam and guessing passwords.
The systems typically present users with a series of characters that can be deciphered by humans, but not by image-recognition software.
The research follows on from a report by Websense in February that spammers had managed to find a way to reliably crack Microsoft's anti-spam tool.
Microsoft's system is used for services including Hotmail, MSN and Windows Live. In attacking it, researchers Jeff Yan and Ahmad Salah El Ahmad of Newcastle University focused on "segmentation" - reducing the CAPTCHA image into discrete characters.
Once an image is segmented, interpretation of the individual characters is relatively easy, according to the researchers.
Microsoft's CAPTCHA is designed to be particularly resistant to segmentation, but the researchers developed a technique that achieved a segmentation success rate of more than 90 percent against the scheme.
A system with a 1.86GHz Intel Core 2 chip and 2GB of RAM took about 80 milliseconds to carry out segmentation, according to the researchers' white paper.
"For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks," wrote Yan and El Ahmad. "Our work shows that the MSN scheme provides only a false sense of security."
They estimated the scheme could be broken with an overall success rate of more than 60 percent.
The researchers noted that, by contrast, Microsoft's stated design goal was for automatic scripts to achieve a success rate of under 0.01 percent.
"Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust," the researchers wrote.
They said the techniques for and understanding of CAPTCHA tools are in their infancy, and predicted that CAPTCHA would grow more sophisticated in response to the growing sophistication of attacks.
Last month researchers found that spam from Gmail accounts doubled, indicating success in cracking Gmail's CAPTCHA system.
In January, a researcher reported success against Yahoo's system. Yahoo has since said it has updated the system to make it tougher.
Last year spammers used a virtual stripper as bait to dupe people into helping criminals crack CAPTCHA codes.
Security researchers warned that a series of photographs shows "Melissa" - no relation to the 1999 worm by the same name - with progressively fewer clothes and more skin each time the user correctly enters the characters in an accompanying CAPTCHA codes.
Forrester said recently that spammers are increasingly using artificial intelligence tactics to get their junk delivered to email users.
The booming image spam pandemic is merely the tip of the iceberg when it comes to spammers' use of AI, Forrester said.
The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and their customers to abandon the current filtering-heavy approach and instead battle the roots of the problem.
Find your next job with techworld jobs