The email security vendor MessageLabs published a report about the increasing number of spam messages originating from Gmail. "Analysis of spam shows that 4.6 percent of all spam originates from Web mail-based services and the proportion of spam from Gmail increased two-fold from 1.3 percent in January to 2.6 percent in February, mainly promoting adult-oriented websites. Yahoo! Mail was the most abused Web mail service responsible for sending 88.7 percent of all Web mail-based spam."
Spammers create accounts at free mail services like Yahoo Mail or Gmail, but to make the process more efficient, they need to automatize it. The major challenge is that most web mail providers use CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart") and they are difficult to solve automatically. Last month, Websense Security Labs discovered that spammers managed to create bots that automatically sign up for new Gmail accounts with a success rate of 20%.
We discovered that the CAPTCHA breaking process for Gmail is sophisticated when compared to the Live Mail CAPTCHA break up which was reported in our recent blogs. It is observed that two separate hosts active on same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. Unlike Live Mail CAPTCHA breaking, which involved just one botted host doing the entire job (signing up, filling in details, getting the CAPTCHA request), the Gmail signing process involves two botted hosts (or CAPTCHA breaking hosts).
Jeff Atwood thinks that "there's simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever." He suggests to diversify the tests and use more difficult tasks like distinguishing dogs from cats or solving failed OCR inputs, but making the test more complicated will frustrate users.