Microsoft and Google have been locked in a struggle with both botnets and human networks devoted to cracking both companies' CAPTCHAs for over a year. Security researchers have continued to research more advanced forms of the security test (CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart), but the vast majority of companies that employ CAPTCHAs (including Microsoft) use variations of warped letters on a pixelated background.

CAPTCHAs were initially quite successful at stymieing automatic bot registration; it was big news last year when spammers cracked both Microsoft's and Google's CAPTCHA systems. Microsoft resecured its own with a new algorithm, but the company's renewed security has been short-lived. Spammers have cracked Windows Live Hotmail once again in a countermove that will have Redmond scrambling for its own response.

The typical CAPTCHA-cracking process occurs one of two ways. In some cases, a zombie PC is used to register for the initial account up until the point where the CAPTCHA is displayed. The image is then sent to a remote server, decoded, and sent back for input. If the decode process is successful, the zombie registers the account and continues on to its next directive. In some other cases, as we've previously discussed, the first part of the account registration process is handled by a zombie, but the actual CAPTCHA-cracking is done by teams assembled in foreign countries expressly for this purpose. CAPTCHA-cracking companies appeared last year in India and China, often advertising their ability to crack thousands or hundreds of thousands of CAPTCHAs in a single day. This growth in available human capital has not diminished the attractiveness of automated cracking services given that the former have to be paid while the latter don't.

Microsoft has adapted the algorithms that Windows Live Hotmail uses several times in the past year, but none of the company's adaptations have held for more than a few months at a time. The hackers, according to Websense, don't need anything like a perfect success rate in order to make their attempts worthwhile—the company estimates that malware authors have a current success rate of 12.5 to 20 percent, which is more than high enough to justify the time. Websense also reports that bot masters have begun encrypting the communication data flowing from the zombie PC to the attack server, which makes the illicit traffic that much harder to detect or trace.

"As we've seen from previous patterns, spammers just attack whatever system is in place," said Carl Leonard, Websense's European threat research manager, according to Infoworld. "They are financially motivated to get hold of details, and will increase the sophistication of attacks, in a persistent cycle." Despite numerous attempts, researchers have yet to find "CAPTCHA 2.0;" of the numerous systems proposed, many strain the legitimate, human component of the process too much to be considered practical. Even in the event that researchers find a new CAPTCHA system, the presence of dedicated cracking teams in other countries will continue to be a problem.

For now, it's business as usual, and Microsoft will undoubtedly rotate its algorithms again in its increasingly short-lived attempts to resecure the gate. Long-term, I'm not sure CAPTCHAs have a real future in the war against spam. They still act to reduce the total number of spamware accounts—blocking seven out of eight registration attempts is better than blocking none of them—but their effectiveness in reducing the overall amount of SPAM out there seems to be decreasing.