EarthLink CAPTCHAs

Richard Clayton, February 2006

EarthLink, the US ISP, provides its users with a number of spam blocking and filtering systems. One of these systems, deployed since 2003 or so, is a so-called "Challenge-Response" system.

EarthLink's web pages provide full details of the system, but to summarize:

The default spam blocking system for EarthLink users is called "Known Spam Blocking" and involves placing spam into a special folder. Up to 500 messages will be preserved, with old ones deleted automatically. A second system, which is off by default, is called "Suspect Email Blocking" and for all the email that the "Known Spam" system didn't block then, if the (purported) sender is not in the user's address book, a challenge email is sent.

These systems are used not only by "earthlink.com" users but also by the users of "mindspring.com", "ix.netcom.com", "supernet.com" and many other brands as well.

The challenge

Unless you're in the habit of writing to random strangers who use EarthLink as their ISP, then the first you will learn of these systems is when a spammer borrows your identity and sends their junk to an EarthLink user who has enabled the "Suspect Email Blocking" system. Assuming that the spam isn't detected by EarthLink's filters (and they do seem to miss quite a lot) then your in-box will receive an email rather like this one (with the names changed to protect the guilty):

Return-Path: <spamblocker-challenge AT bounce.earthlink.net>
From: example AT earthlink.net 
Date: Thu, 2 Feb 2006 11:04:53 -0500 (EST)
Subject: Re: Re: Get your viagra here
Reply-to: nobody AT earthlink.net
Errors-to: nobody AT earthlink.net
Precedence: auto_reply
To: "Fred Person" <person AT example.com>

I apologize for this automatic reply to your email.

To control spam, I now allow incoming messages only from senders I
have approved beforehand.

If you would like to be added to my list of approved senders, please
fill out the short request form (see link below). Once I approve you,
I will receive your original message in my inbox. You do not need to
resend your message. I apologize for this one-time inconvenience.

Click the link below to fill out the request:

https://webmail.pas.earthlink.net/wam/addme?a=example AT earthlink.net&id=etc

Should you decide not to ignore the challenge, you have received then following the https:// link from within the email leads to a page like this:

EarthLink 'Challenge' webpage

The response

If you then fill in this page -- because you refuse to let strangers dump their spam filtering costs onto you -- then the EarthLink user will receive an email along these lines (I expect it's pretty HTML, but I don't have a copy to hand, since I'm not an EarthLink user):

From: spamBlocker AT earthlink.net
Sent: Feb 2, 2006 11:50 AM
To: example AT earthlink.net
Subject: Allowed Sender Request from "Fred  Person"

AllowedSenderMessage DeletionDays="14"            
E-mailAddresses="person AT example.com" 
FirstName="Fred"            LastName="Person" 
           
Message="Your tedious challenge-response system sends junk to me
whenever you receive spam. Turn it off!"      
     
MessageParms="&fromDisplay=Fred+Person+"            
MessageUidl="1f4GX37cN3Nl34j1"           
Subject="Re: Get your viagra here"

As you can see from this email, there's a limitation in what you can say in 100 characters, but I try and do my best to express the problem that I perceive! I've had a couple of (short) interchanges with EarthLink users as to whether they propose to take my advice. Those who have written have declined -- exploiting some limited, albeit direct, vocabulary in doing so. I like to think that the several hundred others (I have received a LOT of these challenge responses) who have not shared their thoughts with me have seen the error of their ways.

Automating the response

Now of course, visiting the website and typing in my words of advice gets very boring and time-consuming (that's why challenge-response proponents think these systems are effective, although they're wrong). Hence, I decided to automate my responses by creating a small Perl script to process the emails (exported from my email client in Berkeley mailbox format).

The difficulty with automating the challenge responses is (intentionally by EarthLink) the need to transfer the text from the "CAPTCHA" image into the POST response. The Perl script does this by asking for help from a human (me) by means of a little Tk request window:

Tk widget for EarthLink CAPTCHAs

EarthLink's mistake

My aim was to develop some image processing to take the human (me) out of the loop. However, it currently looks as if this will be a waste of effort because, despite my having fetched nearly 300 of them, EarthLink currently appear to only have 31 distinct CAPTCHA images:

01 EarthLink CAPTCHA 01 02 EarthLink CAPTCHA 02 03 EarthLink CAPTCHA 03
04 EarthLink CAPTCHA 04 05 EarthLink CAPTCHA 05 06 EarthLink CAPTCHA 06
07 EarthLink CAPTCHA 07 08 EarthLink CAPTCHA 08 09 EarthLink CAPTCHA 09
10 EarthLink CAPTCHA 10 11 EarthLink CAPTCHA 11 12 EarthLink CAPTCHA 12
13 EarthLink CAPTCHA 13 14 EarthLink CAPTCHA 14 15 EarthLink CAPTCHA 15
16 EarthLink CAPTCHA 16 17 EarthLink CAPTCHA 17 18 EarthLink CAPTCHA 18
19 EarthLink CAPTCHA 19 20 EarthLink CAPTCHA 20 21 EarthLink CAPTCHA 21
22 EarthLink CAPTCHA 22 23 EarthLink CAPTCHA 23 24 EarthLink CAPTCHA 24
25 EarthLink CAPTCHA 25 26 EarthLink CAPTCHA 26 27 EarthLink CAPTCHA 27
28 EarthLink CAPTCHA 28 29 EarthLink CAPTCHA 29 30 EarthLink CAPTCHA 30
31 EarthLink CAPTCHA 31

These challenges do not appear randomly. At present (early February 2006) the distribution of the 293 challenges I have been able to respond to looks like this:

 29, TZSLK
 26, VPXMN
 21, VMPZR
 20, XBXRH
 20, VHKZR
 19, VXPBV
 19, TVNST
 16, VTKPP
 15, XHTFS
 14, TSKXS
 11, TNVKP
 10, XSPNV
  9, XXNLN
  9, TMLZL
  9, THPNZ
  8, XMVVP
  8, SPXRZ
  7, SXMVZ
  4, ZPNBT
  4, SSXTH
  3, ZLHLT
  3, RXBBS
  2, ZVZRT
  2, ZFLKK
  2, SLRPR
  2, BBHZZ
  1, PTHTN

There were also 24 other occasions when I received a challenge, but the EarthLink site reported that it was "too late" to respond :-(

Note that graphing the distribution gives an almost straight line -- which ought to give a hint about the way EarthLink decides (or messes up trying to decide) which challenge to issue.

Gratuitous advice

  • To EarthLink: you should use more CAPTCHAs, there's no challenge here!
  • To EarthLink users: turn off "Suspect Email Blocking", you're just sending junk to strangers who never emailed you in the first place :-(
  • To email server owners: use a variant of my Perl script to automate response to EarthLink challenges. That allows you to discard the challenges as junk without inconveniencing any users who, however rarely, might be challenged for something that they sent!
  • To spammers: you are forbidden from using this technique! (there, that ought to stop them!)

Download

Here's the Perl script I developed. It is provided AS IS without instructions or any guarantees whatsoever that it will do what you wish. If you cannot work out how to run it without my help then it is NOT for you!

Download Perl Script

Return to Main Challenge Response Page

last modified 12 FEB 2006 -- http://www.cl.cam.ac.uk/~rnc1/cr/earthlink.html