Website Technology Issues Forum

    
Captchas are dead!
A Dog or a Cat? New Tests to Fool Automated Spammers
jbinbpt




msg:3364311
 1:37 pm on Jun 11, 2007 (gmt 0)

From today's New York Times: Dog or a Cat? New Tests to Fool Automated Spammers [nytimes.com]

The spammers are winning.

“...60 million captchas are solved every day around the world, which first made me quite happy for myself but then quite sad,” he said. “It takes about 10 seconds to solve a captcha, so that means humanity is wasting thousands of hours solving them."

 

DamonHD




msg:3364328
 2:08 pm on Jun 11, 2007 (gmt 0)

Never mind their discriminatory nature (eg against people with poor eyesight or even just a poor display) and thus their potential illegality.

Rgds

Damon

mifi601




msg:3364370
 2:58 pm on Jun 11, 2007 (gmt 0)

I have them on every single form myself. Not to mention that most form mails, that my clients are paying for, wind up in spam ..

I wonder how many people cannot solve the captchas ..

Jon_King




msg:3364398
 3:24 pm on Jun 11, 2007 (gmt 0)

A sound defense does not rely on a single weapon. The wall that protects my forms is made of many bricks. Captcha is just one of them and one I know stops a great deal of automated spam.

Demaestro




msg:3364416
 3:44 pm on Jun 11, 2007 (gmt 0)

Something I have noticed popping up which is interesting is captcha forms that request I enter the text in reverse order... the first time I came to one I didn't read it and it wouldn't validate my text.. I tried three more times before actually reading the entire error message telling me to enter it in reverse order.

To me it seemed like an ok solution but how long until the bots start trying it. Soon I foresee them asking things like enter the text in alphabetical order or to unscramble a word. Could become annoying or could become like a game.

What would really be neat is if they gave you a flash game and you had to get a certain score to submit the form... maybe like Galaga or Pacman, or something like that... of course this does nothing for the seeing impaired.

Webwork




msg:3364417
 3:44 pm on Jun 11, 2007 (gmt 0)

Isn't an imperfect defense, one that slows down but doesn't block spam, a win in the larger scheme of things?

First we learn to manage HIV/AIDS, by mastering the treatment of it symptomatically, all the while looking for a cure.

Demaestro




msg:3364429
 3:50 pm on Jun 11, 2007 (gmt 0)

A method I like that includes the seeing impaired is a very neat one.

You have a form; it contains input boxes.

Let us say you want to have 2 fields.... name and email

So in your form you create 4 text boxes... 2 of them have their visibility set to hidden but are still of type "text" you name these two fields "name" and "email".... then you have the other 2 text boxes set to visible and name them "abc" and "xyz"... when a person comes to the form they will fill out the visible fields "abc" and "xyz" and the "name" and "email" fields will be empty... when a bot fills out the form it will see the non-visible fields as it is looking at source and it will submit the form with values.

If I have a form that is submitted with the "name" and "email" fields then I know it was not a human... of course this doesn't always work but it does help filter out a lot of bots.... again just another way of doing it... this is nice for the seeing impaired problem though.

Jon_King




msg:3364448
 4:03 pm on Jun 11, 2007 (gmt 0)

Demaestro,

Hidden fields are another brick I use (and many others use this technique also, it is a well-known defense method).

This whole argument seems based on captcha as the sole defensive method which is not reality.

[edited by: Jon_King at 4:04 pm (utc) on June 11, 2007]

blend27




msg:3364457
 4:09 pm on Jun 11, 2007 (gmt 0)

---- "name" and "email" fields then I know it was not a human---

What about those toolbars that pre-populate forms for you?

Jon_King




msg:3364464
 4:13 pm on Jun 11, 2007 (gmt 0)

Yea, that's not the way to do hidden fields. This is not the topic of the thread... but a quick search at WebmasterWorld will yield the proper method.

rj87uk




msg:3364551
 5:59 pm on Jun 11, 2007 (gmt 0)

I just have a little bit of code that says what is 2+2? If the answer is = to 4 then send the email!

Mind you things like that would not work on a large website but works on small websites so I have not had any spam yet using it!

RJ

creepychris




msg:3364616
 7:04 pm on Jun 11, 2007 (gmt 0)

I just have a little bit of code that says what is 2+2? If the answer is = to 4 then send the email!

I use that too and it stops spam registrations 100% for now. But that's the problem, soon the spammers are going to start writing software that analyzes questions and can provide answers too. However, human operators will be able to craft questions that the programs will not be able to answer for some time yet . . . as long as you don't use 2+2=4. It's an arms race!

europeforvisitors




msg:3364701
 8:12 pm on Jun 11, 2007 (gmt 0)

Never mind their discriminatory nature (eg against people with poor eyesight or even just a poor display) and thus their potential illegality.

The NY TIMES article covered that. (Some sites have audio captchas for the visually impaired.)

DamonHD




msg:3364758
 8:56 pm on Jun 11, 2007 (gmt 0)

Still not very helpful for a low-colour mobile display, eg a phone, however able-bodied/sighted/hearing the user is.

Rgds

Damon

incrediBILL




msg:3364806
 9:55 pm on Jun 11, 2007 (gmt 0)

OK, silly article because it too narrowly focuses on a single type of captcha. Maybe you should retitle it that STUPID captchas are dead because all that garbage string character stuff BY ITSELF is old school.

Squiggly numbers are just one type, one that I don't use, and I stop a ton of bots cold with the simple "What's 10 + 2?" type of CAPTCHA.

Easy to read, easy to answer, handicapped accessible.

However, you have to implement OTHER methodologies to stop the bots such as obfuscated javascript for the entire form since bots don't use javascript, using javascript event tracking to verify someone actually typed in the response field vs. posting the data, require POST vs GET for the submission of the data and so on and so forth. Besides all that, tracking site access and bouncing submissions to the CAPTCHA when the visitor hasn't been to any other page on the site, or lacks referrers, yada yada.

The true trick is random CAPTCHAs of varying types so that the spammers can't target just one method. If you use the squiggly text method, use several of them and mix it up with plain text questions in javascript, randomize the input text field per access so the bot doesn't know the proper field name, random pictures with drop down lists of answers, and much more.

I stop bunches of bots daily that try to hide as a human browser with a simple captcha combined with javascript and so far it's very effective, so CAPTCHAS are far from dead but narrow minded small thinking on what defines a CAPTCHA is obsolete.

[edited by: incrediBILL at 9:59 pm (utc) on June 11, 2007]

amznVibe




msg:3364856
 11:20 pm on Jun 11, 2007 (gmt 0)

Spam is easy to detect - if there is more than one URL
in a post/email flag it for moderation. 90% of the time it's spam.
If there are three or more urls, it only gets more likely.
(the only time this doesn't work is stock spam)

The day they start throwing spammers (and the corporations that hire them) in prison with long term sentences, that's the day 90% of it will stop.

Spam is internet terrorism.
Repeat that enough and maybe it will get government funding to hunt the spammers down.

[edited by: amznVibe at 11:21 pm (utc) on June 11, 2007]

Rowan




msg:3364913
 1:03 am on Jun 12, 2007 (gmt 0)

<<Repeat that enough and maybe it will get government funding to hunt the spammers down.>>

That's the concern, really.

Spam has become a very general term that not many understand. Big can of worms!

ronin




msg:3364929
 1:46 am on Jun 12, 2007 (gmt 0)

I like the captcha alternatives which go something like this:

Robert's brother Tom has a son named Mark Woodford.
What is the full name of Mark's uncle?

Can computers figure that sort of thing out? If so, how?

sandyk20




msg:3364936
 2:03 am on Jun 12, 2007 (gmt 0)

Apart from captcha, after facing a lot of spam on a few sites/forums we figured out a solution: adding some common questions, in addition to captcha, which are randomly displayed to the end-user.

For Example:
1 + 1 =?
(Please type the answer in box above)

2 + 2 =?
(Please type the answer in box above)

What comes after Monday? Tuesday or Wednesday
(Please type the answer in box above)

And around 50 more common questions, which now makes it way easier to fool bots. Questions are randomized and changed once a month.

But there needs to be an alternative to captcha..

Rosalind




msg:3365147
 8:26 am on Jun 12, 2007 (gmt 0)

I find trivia captchas are very effective. The main trouble is one of scale: what works well for a multitude of smaller websites is coming up with a variety of different types of question, because as long as they're all different it's not worth the spammer's while to solve them all individually. But once you get a large and popular website that everyone wants to spam, it gets tougher because you need a much larger pool of trivia questions or a different method altogether.

The other problem I foresee is the way a lot of captchas tend to rely on similar styles of questions, which a bot could solve: simple maths is getting more common, as are "spell _____ backwards" questions. Keeping on top of this will be a matter of getting creative with captcha solutions, and steering clear of the methods most other webmasters are using.

phranque




msg:3365189
 9:36 am on Jun 12, 2007 (gmt 0)

captchas are dead right after they pull the last voight-kampff machine from rick deckard's cold, dead, broken fingers...

incrediBILL




msg:3365195
 9:53 am on Jun 12, 2007 (gmt 0)

The other problem I foresee is the way a lot of captchas tend to rely on similar styles of questions, which a bot could solve

That's why I said above you include technology the common bots don't use today, like javascript, and a variety of javascript tricks in your simple captchas.

They don't even see the captcha and just keep going in circles, it's quite amusing.

ergophobe




msg:3365677
 7:05 pm on Jun 12, 2007 (gmt 0)

I have tried completely separately Akismet as sole defender of one site and a simple Captcha as sole defender of another and, frankly, pretty much zero spam on either one. It's actually a bit astonishing to me to see how effective "2+2" still is for the time being (I had an image captcha but then tried simple math and it was equally effective)


captchas are dead right after they pull the last voight-kampff machine from rick deckard's cold, dead, broken fingers...

Sure, but then you just crank up the old Penfield to 888 and everything will be okay. (To those who don't know the ins and outs of Rick Deckard's life and the workings of the Penfield Mood Organ, 888 is the desire to watch television no matter what's on).

twinsrul




msg:3365791
 9:17 pm on Jun 12, 2007 (gmt 0)

I just entered in a captcha on MySpace....so much for them being dead....

xtom




msg:3373990
 9:34 pm on Jun 20, 2007 (gmt 0)

I like the captcha alternatives which go something like this:

Robert's brother Tom has a son named Mark Woodford.
What is the full name of Mark's uncle?

Can computers figure that sort of thing out? If so, how?

Trouble with questions like that is that they would be too hard for real users to answer quickly. It's almost like a riddle.

ergophobe




msg:3375148
 9:35 pm on Jun 21, 2007 (gmt 0)

I didn't say anything earlier, but I have to say that when I saw that captcha, my first thought was that it's also culturally specific.

Despite ten years married into an ethnically Chinese family, I still haven't figured out exactly how Chinese names work with the family name, the generational name and the individual name. I think Chinese people get our system easier, but so many things are cultural like that.

I remember being in an English-language bookstore in Asia. Faulkner was next to Shakespeare, not next to Fitzgerald. Obvious right? Depending on your cultural background, maybe, but maybe not.

brotherhood of LAN




msg:3377365
 3:25 pm on Jun 24, 2007 (gmt 0)

Note to Captcha/other deterrent creators

Leave no fingerprints!

My slight solution: On the small number of forms I've created, I encrypt a time value, with the encryption dependent on the time of day. It seems most auto-form-fillers just scrape static hidden values (which quickly become outdated)
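
The time-value idea above, combined with the hidden-field check from earlier in the thread, as an added example (not any poster's code). It signs the timestamp with an HMAC rather than encrypting it; `SECRET_KEY`, the `form_token` field and the decoy field name are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a per-site secret kept server-side; this value is a constructed placeholder.
SECRET_KEY = b"example-only-secret-change-me"
MIN_FILL_SECONDS = 3      # a submission faster than this was not typed by a person
MAX_AGE_SECONDS = 3600    # older tokens are treated as scraped and replayed
# Hypothetical decoy field, hidden with CSS; named so autofill toolbars won't match it.
HONEYPOT_FIELD = "confirm_code_2"


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.signature' to embed as a hidden field when rendering the form."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of posted form fields."""
    now = time.time() if now is None else now
    # Bots that fill every field they find in the source trip the decoy.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    ts, _, sig = form.get("form_token", "").partition(".")
    # Constant-time comparison on bytes; a forged or edited timestamp fails here.
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "too_fast"
    if age > MAX_AGE_SECONDS:
        return False, "stale_token"   # a static hidden value scraped earlier
    return True, "ok"
```

Log the rejection reason per submission: a run of `stale_token` results points to a scraper replaying a cached copy of the form, while `too_fast` points to a bot fetching and posting in one pass.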
