Monday, July 9, 2007 11:54 AM
Some of you might have seen this message while searching on Google, and wondered what the reason behind it might be. Instead of search results, Google displays the "We're sorry" message when we detect anomalous queries from your network. As a regular user, it is possible to answer a CAPTCHA - a reverse Turing test meant to establish that we are talking to a human user - and to continue searching. However, automated processes such as worms would have a much harder time solving the CAPTCHA. Several things can trigger the sorry message. Often it's due to infected computers or DSL routers that proxy search traffic through your network - this may be at home or even at a workplace where one or more computers might be infected. Overly aggressive SEO ranking tools may trigger this message, too. In other cases, we have seen self-propagating worms that use Google search to identify vulnerable web servers on the Internet and then exploit them. The exploited systems in turn then search Google for more vulnerable web servers and so on. This can lead to a noticeable increase in search queries and sorry is one of our mechanisms to deal with this.
At ACM WORM 2006, we published a paper on Search Worms [PDF] that takes a much closer look at this phenomenon. Santy, one of the search worms we analyzed, looks for remote-execution vulnerabilities in the popular phpBB2 web application. In addition to exhibiting worm like propagation patterns, Santy also installs a botnet client as a payload that connects the compromised web server to an IRC channel. Adversaries can then remotely control the compromised web servers and use them for DDoS attacks, spam or phishing. Over time, the adversaries have realized that even though a botnet consisting of web servers provides a lot of aggregate bandwidth, they can increase leverage by changing the content on the compromised web servers to infect visitors and in turn join the computers of compromised visitors into much larger botnets. This fundamental change from remote attack to client based download of malware formed the basis of the research presented in our first post. In retrospect, it is interesting to see how two seemingly unrelated problems are tightly connected.
37 comments:
Hmm. Maybe you guys should switch over to the reCaptcha (http://recaptcha.net/) system instead? So something productive gets done when people enter the captcha?
What would you have to search for to receive the error message?
I never got that error yet, but interesting to know why if I ever do get it.
I got this error once after I - as I interpreted it - searched "too fast". I am working an a Linux box behind a broadband router and I am not aware of any worm or other maleware. Is it possible to trigger this captcha by hand?
It's happened to me a couple of times when using the froogle service (probably because its amount of uses before a CAPTCHA is lower than the usual search feature), though the problem for me was due to my ISP putting everyone in an area through an invisible proxy.
We often see this from where I work because we have thousands of computers behind a proxy server. I'd be grateful if someone from Google could contact me to discuss how we can avoid this happening.
Could it be because I am using OpenDNS? I run 4 anti-virus, and 4 anti-spyware progs. and i can pretty much guarantee that this machine isn't infected. What say Google?
All nice theories, but my case won't be explained by any of those.
I'm falling victim of a false-positive result obviously.
I'm not using a proxy, have fixed IP, work on a normal XP machine using IE7, no aggressive firewall on my part, functinal security and privacy settings meaning I accept all cookies, no browser helpers and plugins added, I'm alone on my tiny home 3-computer home network surfing Google groups or other Google services when this happens.
I have some half-baked theories involving the perennial cache pehonmenon we see at least in Groups, and maybe crossed sessions due to high overall activity (not mine), but I certainly can't put my finger on it.
Not sure if this has been fixed yet, but the last time I ended up getting the page in question, there was no option for an audio CAPTCHA. Could this be added for accessibility purposes?
I get message after 20 pages I look at. What's up with that?
I'm a Systems Administrator responsible for a cluster of proxy servers that provide service for about 15,000 users, and we're intermittently seeing the "Sorry" message affecting all our users.
Some advice on how to configure a legitimate proxy server to prevent this would be most welcome.
I must say, I'm not a techie, but I do know that I am no longer using Google as my search engine of choice as a result of these annoying captchas.
As many searches as I do in a day, I don't have the time to spend on steps that hinder my productivity when searching the web.
I really hate to say this, as I have been a huge proponent of Google since I first found out about it. Sorry Google, but this is goodbye.
What happens if this CAPTCHA screen gets no response? Presumably the IP is barred from accessing all Google sites?
I've been unable to access any Google sites from my home (cable access) PC for some weeks now, and all I can think is that the CAPTCHA page isn't reaching me.
It's not malware related as far as I can see.
Kevin
IF you have other search engines installed in de little search box at the right top hand of ie7, Google may receive multiple queries.
Delete all accept google .com and the error will be gone. You might have to run winsockfix or winsockxpfix to get the connection working again.
If not, and also if win update does not work, use wurtbeta
Kind regards,
Mart.
While I can certainly understand the desire to minimize "bot" searches, We're being hammered by this, and the only reason I can figure is that we're being a massive proxy farm that serves many pages, not only for our school (of about 1000 users) but also for other schools in the area.
If you're going to do something like this, please have there be a way for hostmasters to contact you for to have exceptions added in to the system.
I can imaging that our proxy is hitting google at least a couple times a second.
So please, Google... How Can I contact you to get this sorted out? It's driving a lot of our students away from you.
We are now seeing the same issue.
We have about 2500 users behind our corporate firewalls and we do not use a proxy. This is not an issue we have ever experienced and nothing has changed as far as our internet connection.
We monitor all internet traffic and there is nothing abnormal happening from our network.
Unfortunately we have been unable to contact anyone at Google to get this resolved. We have now blocked Google completely by redirecting all Google requests to MSN. Even now after 5 hours of no-one being able to access Google except me and one of my technicians the error page is displayed every time Google is opened.
I just think it a shame that Google could get something so wrong yet am so unaccountable. Maybe the press needs to be involved to ensure that this is given the attention it requires.
Our organization has around 7,000 clients connecting through 2 squid proxy servers. Never had a problem until today many clients reported receiving the captcha message during Google searches. We are looking for malicious traffic from our end, but haven't found any yet. I wish Google could share what 'anomalous queries' from our network they have detected. It would aid our search.
I get this all the time and I deleted all other search engines and did all I can do: virus check, spy ware etc. It's still the same.
That's why I believe it is some battle between Google and the competition where basically there are no rules. Seems Google is having hard time...
In other words: Welcome to the No.2 Yahoo...
I get these on a home network running a fresh Ubuntu install, mostly when googling to reinstall firefox extensions. It's very annoying. Can I suggest as an improvement not asking again for a while after we verify we're not robots? It gets even more annoying with repetition.
"It gets even more annoying with repetition."
Boy is THAT an understatement!
This only started relatively recently with me (few days ago maybe), but seeing how I'm a "Power Googler", doing many, many searches one after the other (each with minor variations of keywords, spelling, etc) in order to find the highly technical information I'm looking for, these frequent "We're Sorry..." responses are beginning to GET ON MY NERVES! >:(
I sure wish Google would FIX THEIR LOGIC so ordinary HUMAN BEINGS (and not robots!) like me and others can do their searches without this EXTREMELY ANNOYING web page popping up all the time! Sheesh! Enough already.
-- Fish
(David B. Trout)
Since Google has not seen fit to even answer any of the comments here for the last 6+ months, it is probably useless to post anything at all here. But being optimistic, I will try.
This "Sorry you're a bot" thing is pretty stale by now. I understand that many less savy users have been wasting lots of hours scanning their machines. My machines are clean. i do relatively infrequent search requests. but last February and again today, I am being declared a bot for no good reason.
The explanation provided both here and on the "Sorry your a bot" page is at best inadequate and certainly misleading. For Google to do security by obscurity, is wasting legitimate user's time in the hopes of "catching" a bot???
Given the periodicity of these posts and that of my getting mis-identified as a bot, it appears that Google changes their tactics on occasion.
I really suspect that Google has perhaps something else in mind with all of this. And that is is definitely related to information gathering. Certainly the session cookies enable individual tracking until they are removed, as they do not disappear by them selves.
Very disappointed & concerned.
Folks - this drives me bonkers, and I will have to evaluate whether to keep with Google going forward if it keeps up. I live by research and internet searches. I use no bots or auto stuff and there is zero spyware or virus on my PC's. All of a sudden today, I start getting these annoying things upon every new search session. If this keeps up, I'll have no other option but to get info in other places.
It is so damn annoying getting these captchas. I've started using ASK.com instead of Google, and will likely change my start page if you folks don't figure out a better way of doing this.
I am getting this on damned near ALL of my request using the search box on Firefox.
I run Kaspersky AND McAffee on my Winbox, and its locked down tight behind an OpenBSD based firewall.
This also affects my Linux (Ubuntu) machine and Firefox as well.
So its not that I got pwned. Its that your coders are idiots in that they erred and created false positives far above an allowable level.
I cleared cookies, I cleared the cache, and your idiot engine STILL throws a captcha up at EVERY damned request I submit through my search box on Firefox.
Google FIX THE FALSE POSITIVE CRAP, or start losing eyes and Yahoo here I come.
FIX IT.
Totally tired of this! I am so close to switching my search engine preference. I have done all the things suggested to rid me of this problem, but not one seems to work.
To think I thought Google was so good.
Google is my homepage, so when I got this on my home PC I freaked out and systematically went through the process of checking for spyware and viruses etc. I also, deliberately avoided entering in the CAPTCHA just in case...
Guys, you might want to consider re-designing the page so it looks like more of an authentic error message? The Google logo, for instance looks very strange and the download links left me suspicious. Just some food for thought.
Apparently like everyone else with a proxy server that covers thousands of users, we experience "We're Sorry" messages both with and without CAPTCHAs every month or two. Given that you have so much other cool technology, this scores about 11.5 on the 1 to 10 scale of lameness.
Also annoying is when it shuts down Google Maps, and in order to get it working again, on a per-computer basis, you have to know to load an individual map tile so that you can answer the CAPTCHA for it.
I don't know what you need to do, but can you please try to address this for corporate and educational proxies? It's just pathetic.
I work at a library which has to use internet filtering. Therefore all our internet activity goes through a proxy server. This seems to be triggering the Google error on an increasingly frequent basis.
This is becoming a major concern for us and yet Google's response has been "learn to live with it because we aren't making any changes."
I find the comments saying that people are considering changing their search preferences to other engines very interesting. We may be forced to do this as well.
Our small business uses a proxy server, and this has finally gotten so bad that we've started telling our users to go to ask.com instead. We haven't put in a redirect yet, but at this point it's a very likely end. At home my wife and I both have stopped using google for searches as well. There comes a point at which you're alienating valid users for the sake of a little extra security, and that is something that, in the end, will cost you far more than it gains.
Google Groups has tossed me around like a ragdoll for the past couple days. It keeps sending me to the sorry page without any CAPTCHA. The lockout is for Groups alone, as I can still access other Google services. Each time I get "sorry", I must sign-out, clear cookies, sign-in and access the groups page again in order to get a CAPTCHA.
I believe that Groups uses "sorry" in place of a file download cap. When I try to access files within Groups too quickly, it will lock me out, regardless of my actual queries.
If my theory is correct, the download cap should have a separate page in order to not mislead users.
If my theory is incorrect, then the bot detection contains serious flaws of logic. Not only do I get "sorry" with no CAPTCHA, but even when I do finally get a CAPTCHA, it often unlocks me only to view a single page and then locks me out again.
our office, which uses a single proxy for about 100-150 employees, started getting these "Sorry"-Captchas today. We didn't see this last week, and our job is internet searches.
so google, please increase the tolerance, to lower false-bot-positives.
it's mainly advanced users getting annoyed by this, and you cannot want advanced users to move to yahoo, etc.
could any body fix this I am just sick of it all hahah even you want to post comment here you have to have to enter the character below what irony
Post a Comment