Gmail falls prey to spam bots

Spammers are able to fool Google's spam-prevention system into thinking they are humans.

Updated 4:25 p.m. PST with additional Google comment.

Spammers have cracked the captcha mechanism Gmail uses to make sure you are a human before you can open an e-mail account, leading to a huge increase in the amount of spam sent from Gmail last month, security firm MessageLabs says.

We've all been subjected to captcha programs when signing up for Web services. They typically consist of a box with some characters, either distorted or displayed against some noisy background, and you have to type the letters and numerals in exactly as you see them before the system will accept your sign-in.

[Figure: MessageLabs graphic showing how a bot fakes out a captcha and uses the newly created e-mail accounts to send out spam. Credit: MessageLabs]

Captchas are designed to catch, or stop, automated programs called bots that are written to create new accounts for spammers to use. Annoying as the captcha systems are, they have been successful in keeping bots out, until recently.

Yahoo Mail and Hotmail captcha mechanisms were broken in July 2007, according to MessageLabs. And now, Gmail has succumbed.

As a result, the proportion of spam sent from Gmail accounts doubled from 1.3 percent in January to 2.6 percent in February, with most of it promoting adult-oriented Web sites, MessageLabs says.

A Google representative said she could not confirm or deny that the captcha method used in Gmail had been broken, but did confirm that there had been an increase in spam recently.

The Gmail captcha problem was reported in late February by another security firm, Websense.

Gmail is an attractive target for spammers because a Google account is free and offers access to a wide range of services. Also, Google domains are unlikely to be blacklisted, Websense says.

[Figure: Screenshot showing network analysis of a bot cracking Gmail's captcha mechanism, a more sophisticated attack than the one used to crack Live Mail's captcha technique, Websense says. Credit: Websense]