July 9, 2007
Mechanical Turks
In the nineteenth century, a huckster made an "automaton" known as "The Turk", supposedly a chess-playing machine capable of beating most human opponents. Turns out there was a guy hiding underneath, and it wasn't automatic at all.
Well today a security company has announced that it seems that spammers have finally overcome the captchas intended to prevent automatic generation of Yahoo! and Hotmail email accounts, as about 15,000 of them have been created in fairly short notice. The company, BitDefender, points to a trojan dubbed Trojan.Spammer.HotLan.A, an says it's creating about 500 accounts an hour.
That isn't very many. Which suggests one of two things. Either 1) the machine's software is essentially a calculated brute-force approach that happens to be a bit better than an un-calculated one, or 2) we've got a mechanical Turk on our hands. It occurs to me that if it's possible to make money using Chinese goldfarmers, you can probably make money using those same guys to churn out crappy email addresses.
When labor is expensive, automation is the way to go. But when labor is cheap, do everything by hand. Why spend a lot of time and money coming up with an algorithm that can solve a problem computers are notoriously bad at when you can pay 100 Chinese geeks 15 cents an hour for better results? I'm guessing that $15.00 can probably get you 6,000 accounts, easy. Match that with a trojan spam device and for an extra $10.00 you've probably just sent 6 million emails. If 1% of people respond and 1% of those give you money, you're just parted 600 fools from their money.
Actually, I expect it is something "in between" total human involvement and total automation. My understanding of the simple way to do this is (1) program goes to create an account, and gets a captcha, (2) program then proceeds to provide captcha to an unsuspecting human who is going after something they want that they're willing to "pay for" by just solving a captcha (e.g., porn), (3) program then tries human response gathered from secondary operation as solution to primary operation, (4) program repeats until the human gets it right, and (5) program moves on to creating another one, etc.
Yes, human involvement, but not directly in the crating of the account, rather just as the AI part of the puzzle only.
--
RDS
Yeah, a lot of the comments on /. indicated something similar. I guess it's a question of how cheap the spammers are. If they don't want to spend any money on it, they can have random losers solve captchas for them, but their output will fluctuate and might only be a few hundred addresses an hour. But $15 on Chinese captcha farmers at $0.30 an hour... I don't want to think about it.
Posted by: ryan at July 9, 2007 3:10 PMAs a rabbit trail from this post, I was curious enough that I was reading all about "The Turk" chess playing machine.
This thing made the rounds in Europe and America for over a hundred years, playing chess against some of the world's most powerful people and most brilliant minds. And (with the notable exception of Edgar Allen Poe,) no one was skeptical of it being a big hoax. They were actually willing to believe that a box with a series of clogs and wheels was able to play chess, have conversations, speak different languages; and all the while, it's a midget in a box.
My favorite anecdote from the whole affair is the story of Napolean playing chess with The Turk, and taking a cloak and draping it over the wooden carved face of the dummy, so that the wooden Turk could not see the chess board. Brilliant.
Posted by: isaac at July 10, 2007 8:18 AM