Hi there achshar,

Doesn't sound like the captcha is working to me if you are getting that amount of spam entries a day. How are you validating it? Is it a case of enter what you see in the box, or add these two numbers together? Personally I don't think as It matters how much distortion you have around the displayed image, it how the char's or int's are printed to screen.

I think as its a good thing to make the submitted data case sensitive.

Sorry I'm not more constructive, but it sounds like the captcha you are using is failing regardless of the image it sits on.

There are some pretty decent 'plugin' captcha's out there, so I am of the opinion, why re-invent the wheel :)

I assume that the code you posted is attached to the src="" part of the img tag, hense the use of the header function?

As you say it is functioning, maybe there is another issue with the checks you have post submit.. just a thought..

Cheers,
MRb

hello well yes even i think that the captcha isnt working... although it is literally working like when you enter the wrong chars it returns a false.... but the bots easily crack it because i have no distortion to the text. its just a common font which is easily available... so they crack it.. no doubt you are right

also the plugins you are talking about. i am familiar with them but i want to keep it as a last resort. i know re-inventing the wheel sounds really stupid.. :P but its for the information sake.. :)

like who minds getting some more knowledge..
just for curiositys' sake.. how to make those waves..? i didnt find any standard php func.

I'm more inclined to believe your site is so popular that some grunts at low pay in some country somewhere are defeating your captcha.

Is this forum or comment spam?

If either of the above, then require a double opt in (with reply to auth code) for subscribed members to reply. More work, of course, but that's what works for me. After all, I'm only looking for serious commentary!

hmmm thanks tangor... your reply makes me feel good... :) but it is not a very popular site either.. hardly 10 uniques a day!.. thats a real bad number... :(

and it is both comment and a sms(like text messages) insertion spam.. they seem to be normal bots who just fill every form they find on net... sometimes maybe just for fun.. coz many of them dont contain any link to any site at all... or may be my 'strip_tags();' removes them for me..

also one more thing... at my stats in cpanel.. there is an unknownbot which has the highest hits on my my site yahuslurp 127+24 and this unkown has 702+30 you can see there is a huge diffrence between first and second position...
same with browsers and OS

IE has 301 hits and this unkown browser has 2214. again a massive diff bet. the highest and second highest

windows has 625 hits and some unkown OS has 2415!

note: all the stats are of my main domain only, excluding all of the sub domains and my most of the content is scattered on sub-domains.. and also it is for this month only just these 8 days..

A CAPTCHA may help, but keep in mind there are other things you can do to prevent spamming that may be just as effective, and don't inconvenience users. One technique I like is to blowfish or base64 encode a timestamp and store it in a hidden form field. When your form is submitted, decrypt/decode the timestamp and compare it to the current time. This should give you an idea of how long ago the form was submitted. If the difference is more than, say, an hour ago, just ignore the submission.

Another good technique I've used in the past is a "trap" field. Put a textarea or textbox input on the page with a juicy name like "comment" that bots will try to fill out. Now, to prevent real users from seeing it, hide it using CSS--preferably in an external stylesheet rule, as a few spambots check for and ignore fields hidden by inline CSS. If you get a form submission with data in that input field, chances are that the submitter was a spambot.

Third, if you don't mind enforcing a Javascript requirement on users, you can mask the form's target file. Give the form an action such as action="/nofilehere.php" and use Javascript to change the value after the page loads to the location of your actual form data processing page. Bots usually don't execute Javascript, so they won't get the correct value.

I might post more later. Hope this helps!

@WesleyC WOW.. those are realy flashy and smart ways of it... specially the js one..
i now use recaptcha.. was just looking around my post and found this..
great ides pal!
plus as a matter of fact i already have js imposed coz it is one of those js working sites... i use js to hide most of the unused info temporarily..
thanks..:)

captcha image code and i just want to make the code more effective. as i get more than 100 spam entries a day

Then your CAPTCHA proves something I've always believed, they are little more than a patch for an underlying problem. Fear not, the big dogs suffer as well, I've **seen** the vBulletin CAPTCHA's beaten by bots. All a CAPTCHA does, really, is present one more barrier to your users.

Another thing to keep in mind is that spammers visit your form once. after that the processor is accessed via direct input from a command line using their robots. Anything you do in the form itself is likely to get circumnavigated.

The problem is in the input. The hidden field trick is a good one, but even that is temporary, spammers can figure out that the hidden field is the one they need to ignore. Another approach is setting session variables for field names and making them unique every time the page loads.

These may give you relief, it may stop completely, or it may stop only temporarily. One of the tactics is to hammer a site only once or twice a month then go away for two months, making you think whatever you did worked.

Here is the fix, and it's a relatively permanent one: what is their motivation? Understand this, and your site will become too much trouble and they will move on to greener pastures, which is the best we can hope for.

You didn't say whether your script is a blog, message board, or contact form, so I'll use contact forms as an example. There are several motivations:

1. Inject data in such a way as to use YOUR server to send spam. Two common examples are a comma separated list in the email input field, or input data in such a way as to create their own BCC header, or inject a multipart content so that there is a "second email" attached to the input. In these two cases, you'll get one email, AOL or whatever gets 1000. You get blacklisted when they're done with you.

2. Submit the form only for the purpose of getting at your "real address" to add you to a spam list.

3. Spam links.

There are more, but simple solutions to these:

1. Filter your input. Accept what you want, throw everything else away. This will effectively break injection attempts. Pay special attention to any data going into the mail headers: to, subject.

2. Make all your responses come FROM a no-reply address. Make everything sent to this no reply address REJECT emails sent to it, do not set it up with an auto responder or that will get abused too.

3. Before doing regular filtering of input, check all input data for particular patterns that reveal their motivation. Spam links from bots come in very predictable patterns: [a href . . . . [url=.... . . .<a href . . . . etc. You can even filter for http, unless it's a link contact form, there's no real reason for a link to be dropped in a contact form. When the patterns are found, exit the program with a curt message: "no email was sent." Don't get snarky, you do NOT want to p*** off spammers. :-)

And the #1 thing you need to do, above and beyond all else, log all data input from your forms. In a private location, open a file, append to it, when it gets to a certain size, have your script overwrite it. I can't express how valuable this is, access logs don't cut it when it comes to spam input. Log input data, review it regularly, see what they are up to. This will reveal their motivation, and that's the key.

More ideas here [webmasterworld.com], and many more threads on this board, it is well discussed. Try some of them, try all of them, but never assume there is any single no-spam solution, there isn't. It's usually a combination of three or four things that will make you too much trouble to spam.