Ars Technica is reporting that spambots have cracked the Hotmail and Gmail CAPTCHAs, allowing spammers to open thousands of email accounts and flood our inboxes with even more spam. It takes the spambot less than a minute to crack Hotmail's CAPTCHA.

Spammers are using these new email accounts to send advertisements for "lottery tickets and watches." Apparently the current state of the economy has had no effect on the demand for lottery tickets and watches. Go figure.
More importantly, this calls into question the effectiveness of CAPTCHA at stopping spammers and bots. While creating more advanced CAPTCHAs might thwart spambots in the short term, eventually they will find a way to crack those too. In addition, if these CAPTCHAs get any more complicated, users will complain. Typing in a string of distorted, jumbled letters and numbers is annoying enough as it is; I can only imagine what a harder-to-crack version would be like. So what can Hotmail and Gmail do?
Create a Better CAPTCHA
If you think about the evolution of media on the internet, video CAPTCHAs are the next logical step. I can see it now, YouTube CAPTCHA. Watch this short clip and answer a question. Using YouTube’s huge library of video with user supplied tags and descriptions, there is enough data to create thousands of computer generated clips and answer keys. Can users suffer through a 5 second video and answer a question? What about visually impaired users?
Limit the Number of Accounts per IP
If these spambots are running on unsuspecting users’ machines, limit the number of email accounts that can be created for each IP. Only a bot would create 1400 email addresses a day and log into each account and send out email. How long until they figure out a way around this one?
Make Users Confirm Their Account
Use a phone call-back to confirm the account. Sure, it's annoying, but would you trade that one simple step for a world with a lot less spam?
Technorati Tags: CAPTCHA, email marketing, spam
Of all the homepage/start pages, I love NetVibes. Their latest release has added some great features, including a social networking component and the creation of individual or company universes.
Check out our Universe on NetVibes. Read what we read. Comment on our wall. Have an overall good time.
Technorati Tags: web 2.0
Personal spam is one thing. Business spam, coming in through your online forms, is another. It is best to understand the problem before attempting to implement a solution. Generally, I classify form spam into one of two categories:
- Form hijacking attempts
- Automated scripts
Strategies to tackle both types rely on tightening form validation and security. Hijacking attempts are a much more serious problem, because the attacker is trying to use your form and your mail server to send spam to hundreds or thousands of other people. The usual trick is to inject extra mail headers (a line break followed by Bcc: or To:, for example) into a field that your script copies straight into the message headers. Identifying hijacking attempts can be tricky, but if you see a lot of bounced spam originating FROM your own servers, you should definitely start investigating.
Here are some things you can do to curb your form spam issues:
- Enforce tight server-side validation - client-side JavaScript validation is no defense on its own. Most of these attempts come from automated scripts that post directly to your handler and never execute your JavaScript.
- Make sure form values don't include email header data - reject any field that contains carriage returns, line feeds, or header names such as Bcc:, Cc: or Content-Type: before it goes anywhere near the mail headers
- Validate form data based on type (an email address should look like an email address) and strip out HTML code
- Limit each field to a reasonable number of characters
- Check for certain words, phrases, or code (links, markup) that suggest the submission is spam
- Never pass critical mailing data as hidden fields (such as the recipient address) - hard-code those in the handler so the submitter cannot change them
- Use CAPTCHA - make the submitter type the words, letters or numbers shown in an image before submitting the form. This makes it much harder for an automated script to submit the form, although, as the Hotmail and Gmail news shows, it is not a guarantee.
- Validate user sessions - for each visitor, create a unique session. Store a random, unique value on the server. Include that value as a hidden field on the form, and validate it against the value stored on the server. If an automated script is completing the form, that value will most likely be missing or wrong.
- Log IP addresses - chances are that a real person at one IP is not going to submit your form many times over a short period. Keep track of submissions per IP, rate-limit them, and flag the addresses that exceed the limit.
Tightening your validation is the most critical step in stopping form spam. If you have a vulnerability in your form, adding CAPTCHA won't stop someone from exploiting it. Post your form if you want us to run some checks.
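As an added example (not code from the original post), here is one way to put the checks above into a single server-side handler in Python: a per-session hidden-field token, a whitelist of expected fields so a submitted recipient address is rejected, length limits, a header-injection check on the fields that end up in mail headers, an email format check, HTML stripping, a keyword check, and a per-IP rate limit. The field names, length limits, spam word list, window size and sample submissions are all constructed for illustration and are assumptions, not values from the post.

```python
import re
import secrets
import time
from collections import defaultdict

# Constructed limits; illustrative assumptions, not values from the post.
MAX_FIELD_LEN = {"name": 100, "email": 254, "subject": 120, "message": 2000}
HEADER_FIELDS = ("name", "email", "subject")   # fields copied into mail headers
MAX_SUBMITS_PER_WINDOW = 5
WINDOW_SECONDS = 600

# A CR/LF (raw or URL-encoded) or an extra header name inside a header-bound
# field is the signature of a mail header injection ("form hijacking") attempt.
HEADER_INJECTION = re.compile(
    r"\r|\n|%0d|%0a|(?:^|\s)(?:bcc|cc|to|from|content-type|mime-version)\s*:", re.I)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
TAG_RE = re.compile(r"<[^>]*>")
SPAM_MARKERS = ("viagra", "casino", "[url=", "href=")   # constructed word list

_session_tokens = {}            # session id -> token issued with the form
_ip_log = defaultdict(list)     # client ip -> submission timestamps


def issue_form_token(session_id):
    """Server side of the session check: mint a random value, store it per
    session, and render it into the form as a hidden field."""
    token = secrets.token_hex(16)
    _session_tokens[session_id] = token
    return token


def validate_form(fields, session_id, submitted_token, client_ip, now=None):
    """Validate one POST. Returns (ok, reasons, cleaned); cleaned holds the
    HTML-stripped values safe to hand to the mailer. The recipient address
    is never taken from the form: the handler hard-codes it."""
    now = time.time() if now is None else now
    reasons = []
    cleaned = {}

    # Session token must match what was issued to this session.
    expected = _session_tokens.get(session_id)
    if expected is None or not secrets.compare_digest(expected, submitted_token or ""):
        reasons.append("bad or missing session token")

    # Only the fields we rendered are accepted; a smuggled 'to'/'recipient' is rejected.
    for name in fields:
        if name not in MAX_FIELD_LEN:
            reasons.append(f"unexpected field: {name}")

    for name, limit in MAX_FIELD_LEN.items():
        value = fields.get(name, "")
        if not isinstance(value, str) or not value.strip():
            reasons.append(f"{name} missing")
            continue
        if len(value) > limit:
            reasons.append(f"{name} too long")
        if name in HEADER_FIELDS and HEADER_INJECTION.search(value):
            reasons.append(f"header injection in {name}")
        cleaned[name] = TAG_RE.sub("", value).strip()   # strip HTML from free text

    # Type check on the one typed field.
    if "email" in cleaned and not EMAIL_RE.match(cleaned["email"]):
        reasons.append("email malformed")

    # Keyword / markup check on the raw submitted text.
    raw_text = " ".join(v for v in fields.values() if isinstance(v, str)).lower()
    for marker in SPAM_MARKERS:
        if marker in raw_text:
            reasons.append(f"spam marker: {marker}")

    # Per-IP rate limit over a sliding window.
    recent = [t for t in _ip_log[client_ip] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _ip_log[client_ip] = recent
    if len(recent) > MAX_SUBMITS_PER_WINDOW:
        reasons.append("too many submissions from this IP")

    return (not reasons, reasons, cleaned)
```

Note that the header-injection check runs only on the fields that are copied into mail headers; the message body may legitimately contain line breaks. In a real deployment the session token store and the IP log would live in your session backend or database rather than in module-level dictionaries.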
Technorati Tags: web development
We had an interesting discussion over here yesterday. The question was: does Google use keyword, behavioral, and/or aggregate data from Google Analytics as part of its algorithms? There were two sides to the argument:
- Yes, it provides a 360 degree view of the search experience which it can then use to improve the final search experience (and make more money).
- No, it would violate privacy and would generally be wrong and there is no need to use that data for the company’s gain.
After some research into the Google Analytics Terms of Service, we discovered that using that data would not be a violation.
6. INFORMATION RIGHTS AND PUBLICITY. Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacy.html, or such other URL as Google may provide from time to time), information collected in Your use of the Service.
We cannot confirm whether or not the data is actually part of their algorithms, but it would be extremely hard to believe that Google, a company whose primary purpose is to store, organize, and rank data, keeps each of its products in its own little bubble. So how could this data be used to enhance search results?
- Google can better understand user behavior at an industry and keyword level (average time on site, average time for conversions, total conversions, etc) and set benchmarks
- Understanding behavior past the search engine, they can better predict relevancy factors (Quality Score, overall positioning), click fraud and ways to maximize revenue
So assuming your site is well optimized for both search engines and conversions (because Google Analytics or not, Google knows a crappy site when it sees one) the ultimate question is could running Google Analytics give you an extra boost?
We don't fully understand how all these variables impact your SEM, but we believe they are all pieces of the puzzle.
Technorati Tags: google, google analytics, Search Engine Optimization, SEM, seo