Broadband & Mobile Featured Article
Yahoo's CAPTCHA Broken: Is a Spam Tsunami in the Offing?
TMCnet Contributing Editor
The CAPTCHA security system that Yahoo and many other email service providers use to prevent spam may not be secure, according to Russian security researchers. The researchers claim to have found a way to compromise the system. This would result in a huge increase in spam coming from Yahoo! and other email accounts.
CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is a technique adopted by Yahoo!, Google, and Microsoft, among other service providers, to prevent automated software programs from posing as humans and signing up for new accounts. It presents text that is easy for humans to comprehend but difficult for automated programs, and as a result protects Web sites from bots. The first CAPTCHA was invented at Carnegie Mellon University to be used by Yahoo. CAPTCHAs have other applications, such as preserving the authenticity of online polls, preventing comment spam in blogs and preventing dictionary attacks in password systems, among others.
E-mail service providers are finding improved techniques to solve security issues and provide a robust service to users. While most email service providers use CAPTCHA, the schemes used by the top email service providers are considered to be difficult for machines to recognize. If the claim by the Russian security researcher who identifies himself as "John Wane" is true, Yahoo! and the other email service providers may have to speed up their research and find better ways to improve their defense mechanisms and protect themselves from spam and other malicious software.
"A few months ago, we received information that [a] Yahoo! CAPTCHA recognition system exists in the wild with the recognition rate about 30 percent," Wane says in a blog post. "So we decided to conduct few experiments. We explored Yahoo CAPTCHA and designed a similar system with even better recognition rate (about 35 percent)."
"We are aware of attempts being made toward automated solutions for CAPTCHA images and continue to work on improvements as well as other defenses," a Yahoo spokesperson said in an e-mailed statement.
John Orbeton, strategic product manager, IronPort, said that if the software works, "it could be used for spam. It could be used for phishing. It depends on the motivation of the attacker." The claimed rate of success, 35 percent, he said, "could create a fairly significant number of e-mail accounts." It is ironic, Orbeton added, that image-recognition technology, which is being used to defend against the current generation of image spam, should be used by spammers to create more spam.
Not that there's any shortage of the stuff. "In 2007 we saw spam volumes increase 100 percent," Orbeton said. "That comes out to around 20 spam messages per day for everyone on the planet, whether they have e-mail or not."
The defense mechanisms adopted by service providers are highly vulnerable, since automated programs run many thousands of trials per day and can find ways to break into systems that do not have a high degree of accuracy.
Radhika Raghunath is a TMCnet Contributing Editor