Eyetests, general knowledge questions, treasure hunts or similar are not anti-spam. There is nothing in them which is trying to detect or combat spam for being spam in any way.

I think you are being a bit pedantic here but I can only speak from my own experiences. I was receiving spam from my forms and I decided to try stop this using some form of anti-spam measure. I tried the question system I described above and it has worked for me 100% so for me it is anti-spam, without question.

Even a moderately customised bot can beat them

Well there can't be many of them around if they have failed to find any of my many forms in more than two years. Can anyone provide an example of a simple question system like this having been beaten by a bot?

I will accept that it may not work for Yahoo, Gmail or Hotmail or any system that spammers are individually and specifically targetting but it works for me beyond any shadow of a doubt so it is an effective anti-spam measure.

CAPTCHA is alive and well for me and there's no doubt that it helps, although stacking up technologies, as RogerD points out, is the optimum route. On it's own it isn't enough.

I don't have an audio CAPTCHA system for the hard-of-sight, but we do have an email address on the form suggesting that if anyone gets stuck to drop us a line and we'll finish the account creation for them, usually within 24 hours.

I get about 3 emails a year requesting this so I don't consider it a big problem.

I put all my forms on a wierd URL and only link to them via flash. This way only humans go there. If the pages ever get found by the spam lice then it's simple, I will change the addresses but so far it's never been necessary. Giving any URL a name with 'form' in it is obviously asking for trouble.

I don't have an audio CAPTCHA system for the hard-of-sight, but we do have an email address on the form suggesting that if anyone gets stuck to drop us a line and we'll finish the account creation for them, usually within 24 hours.

I get about 3 emails a year requesting this so I don't consider it a big problem.

Do you happen to have the same captcha in the said form? ;)

Do you happen to have the same captcha in the said form?

No, just on the form page ;)

It clearly isn't a viable security measure though - not just because it's easily cracked. If the information/asset/resource the CAPTCHA is protecting is valuable enough it's pretty simple just to hire someone willing to work for $5 an hour to sit there, look at the CAPTCHA and enter the code. This cracks CAPTCHA's, secret questions and anything else around today designed to prevent non-humans from filling out a form.

While, in theory, that's correct, real world experience shows that EITHER (a) it ain't so or (b) few spammers can spare $5.00 per hour.

In practice, for most people, It clearly IS a viable security measure.

"CAPTCHA can be beat" is not the same as "CAPTCHA is frequently being beat" - because it obviously isn't being beat routinely.

I'm a simple Earthican; YMMV

[edited by: Quadrille at 1:59 pm (utc) on July 18, 2008]

Bots are usually targeted at widely used CAPTCHA approaches. If your form matches their requirements then form may be "hacked".
So protecting a site with non-wide-spread method would be very effective.
Looks like most forms are protected with CAPTCHA image. So there are tons of bots trying to hack CAPTCHA image. In this case adding simple textual CAPTCHA (who said CAPTCHA can be image only?) like BeeDeeDubbleU did would be the best.
IMO CAPTCHA is not dead yet.

Quadrille wrote:

Whatever the 'theory', CAPTCHA works. Maybe not in 100% of cases - but close enough for 99% of sites. [...]
By all means propose alternatives that work - the more the merrier - but why the need to pretend that captcha doesn't work, when it so very obviously does?

CAPTCHA doesn't work, in theory or practice. Read the W3C paper, read the usability studies... It never fights spam properly and it often has collatoral damage (the disabled, minority browsers and others, depending on which tool you're using). Any spam-reduction experienced is temporary and accidental.

If your site was attractive enough, an appropriate cracker tool would be used against it very quickly. BTDTGTTS. If a widely-deployed CAPTCHA tool is working on your site, it's probably no more attractive than its competitors and so your site is probably failing. In other words, using a common CAPTCHA is a big "this site is failing" label. Why pretend CAPTCHA works? Are people paying well for snake oil these days?

trillianjedi - 3 requests in a year... Guess what? Those of us who fail eyetests don't bother to complain much these days. There have been too many webmasters who give the "it's anti-spam" reply and fail to help. Glad to read that you do help, but it still seems like the equivalent of the shopkeeper bringing goods to the door for someone who can't climb, instead of putting a ramp over the doorstep.

Given the choice, I'll go to a more welcoming competitor unless the site is unique or really a lot better. No-one likes getting second-class service and few people can be bothered with the hassle of complaining to someone who has hung this modern "discriminatory" sign on their website. I mean, just look at the flak I'm taking here from the CAPTCHA-fans... ;-)

[edited by: phranque at 6:01 am (utc) on July 23, 2008]

I mean, just look at the flak I'm taking here from the CAPTCHA-fans... ;-)

Only, I suspect, because what you claim flies in the face of everyone else's experience. :)

While I support the case that everyone who offers CAPTCHA should offer an alternative to people who cannot use CAPTCHA, and I am sympathetic to the frustration such people must feel when there is no alternative, I think your premise that we should totally reject a very effective defence (the ONLY very effective defence) purely on 'political correctness' grounds, to be unfair, unreasonable and unworkable.

On that basis, we should have scrapped the PC from its inception, as early models were utterly unusable by people with visual access issues.

Much better, surely, to campaign for better and more sophisticated methods, while accepting that what we have is imperfect - but a necessary defence for many websites.

Just because a defence CAN be overcome does not mean it always will be (Castles were very effective for centuries after the catapult was invented, though theoretically their defences were limited!).

Also CAPTCHA's value may well be temporary - but it is simply not true to claim it is accidental.

You seem to giving a lot of flak, but none is getting through to you ;)

[edited by: Quadrille at 1:07 pm (utc) on July 21, 2008]

Only, I suspect, because what you claim flies in the face of everyone else's experience. :)

Sure. I'm an idiot and so is the W3C. I suspect many CAPTCHA-victim webmasters have nothing to compare it to. Credit to the CAPTCHA protection racket: the marketing is far better than the product. It's only now that things like Akismet and Typepad are giving them a run for their money.

I am sympathetic to the frustration such people must feel when there is no alternative, I think your premise that we should totally reject a very effective defence (the ONLY very effective defence) purely on 'political correctness' grounds, to be unfair, unreasonable and unworkable.

It's all well and good being sympathetic, but that's little comfort if you argue in favour of continued barriers against humans. This isn't about political correctness - it's about social justice. Do you call race equality "political correctness" too?

CAPTCHAs are far from the "ONLY" effective defence - there's content scoring, source blacklisting, content clearinghouses, tarpits, moderation, multi-step forms, nonces and email verification just off the top of my head. I've been CAPTCHA-free for years and I still don't get much spam, but I use real anti-spam methods like those.

On that basis, we should have scrapped the PC from its inception, as early models were utterly unusable by people with visual access issues.

Huh? The PC had standard, documented interfaces like DIN plugs. From pretty early on, people replaced displays and keyboards with specialised ones that were easier to use if you couldn't see well. It wasn't always great, but it worked. It's simply not possible to do that with most image-CAPTCHA-crippled websites today.

It's not the visually-impaired who have "visual access issues" - it's really the clueless webmasters who ignore the excellent advice out there. I hope your eyesight never fails and I hope your customers wake up before they get sued by one of the activists who fight the "no Irish" signs directly.

Can your CAPTCHAs and move to better methods: content scoring, source blacklisting, content clearinghouses, tarpits, moderation, multi-step forms, nonces, email verification and so on. Real anti-spam works better than eyetests, although there is no perfect solution.

Not W3C, but a W3C working group. Quite specific on that.

From pretty early on

Sure. Well, with captcha we're 'pretty early on', too. You don't dispute what I said ("On that basis, we should have scrapped the PC from its inception, as early models were utterly unusable by people with visual access issues."), so why are you so unwilling to give captcha a chance?

For the record, I never called you an idiot, or implied that you were. My only worry is that you seem to putting political correctness forward as the only issue, which I find rather limits any hope of moving the discussion forward to a more positive outcome.

I also - like most people - use 'captcha' in its widest sense, not referring purely to the Turing images, but to related developments (your W3C working group did too).

It may be, in fact, that that's where the problem lies with this discussion; when I refer to CAPTCHA, I really mean "Completely Automated Public Test to Tell Computers and Humans Apart", rather than the more specific (and accurate!) "Completely Automated Public Turing test to Tell Computers and Humans Apart". If that's the case, please accept my apologies for the confusion.

But I and almost everyone else in this thread has made it clear that they include developments / related / similar tests.

Anyway, I've said all I can say on this matter, so until a better test comes along, then we'll simply have to agree to disagree.

As it happens, my eyesight is declining, and families being what they are, I expect that to accelerate. But I wouldn't expect the Internet to accommodate spammers on my account, and I pray that I don't change my mind on that issue in the future.

I'll say Goodbye!

Sure. Well, with captcha we're 'pretty early on', too. You don't dispute what I said ("On that basis, we should have scrapped the PC from its inception, as early models were utterly unusable by people with visual access issues."), so why are you so unwilling to give captcha a chance?

How big a chance should I have given it? CAPTCHA has been around for 8 years now. We definitely had better accessibility on PCs after 8 years than we have on any CAPTCHA I've seen yet. So, I feel that CAPTCHA has had its chance and it's been obsoleted by better anti-spam methods. Sadly, lazy webmasters and snake-oilers continue to hawk it around the web, to the disservice of everyone.

My only worry is that you seem to putting political correctness forward as the only issue, which I find rather limits any hope of moving the discussion forward to a more positive outcome.

I already explained above that this is about equality and non-discrimination, not political correctness. I've also explained that no CAPTCHA is anti-spam because it's not examining the submitted data for spamminess in any way. The eyetests affect me most and often seem clearly illegal where I live (UK), so they're my usual example, but all CAPTCHAs are going to block some humans.

I think it's the consistent return to extremist claims like "political correctness" and "CAPTCHAs [are] the ONLY very effective [spam] defence" which has hamstrung this discussion. Now that I've actually listed some truer anti-spam methods, it's "end of thread" - nice trolling.

Useability wise I always hated catcha's I think there horrible to use and I always get them wrong and often give up.

In most cases form validation provides an answer. But I did write a solution on one site that didn't use catcha or validation and has recieved zero spam at all, maybe I should sell it?

Sadly, lazy webmasters and snake-oilers continue to hawk it around the web, to the disservice of everyone.

I am obviously not as well educated as you in spam detection methods but what I cannot understand is why major companies (like Google et al) with all the resources and technology they have at their disposal don't seem to agree with you?

Now that I've actually listed some truer anti-spam methods, it's "end of thread"

Oh well then, perhaps we better all move on, blindly (no pun intended) accept what you are saying and do what we are told. ;)

Credit to the CAPTCHA protection racket: the marketing is far better than the product.

Huh? Did I really just read that? Marketing and protection? We're talking about a technology that is going to exist no matter what you call it. It's a logical solution to an obvious problem. There's no organization or group responsibile for it.

Just for accuracy, Slef some of the anti-spam methods you say you use yourself are in fact CAPTCHAs.

I really mean "Completely Automated Public Test to Tell Computers and Humans Apart", rather than the more specific (and accurate!) "Completely Automated Public Turing test to Tell Computers and Humans Apart".

For practical purposes a Turing Test is any test that uses interaction to tell a computer and a human apart. So in fact you were using the acronym correctly. :-)

In most cases form validation provides an answer. But I did write a solution on one site that didn't use catcha or validation and has recieved zero spam at all, maybe I should sell it?

You should write up the key step(s) somewhere quietly first and see whether people think it'll really work or whether you just got lucky.

what I cannot understand is why major companies (like Google et al) with all the resources and technology they have at their disposal don't seem to agree with you?

You can't tell whether or not Google agrees with me or not. Most major companies like Google are essentially mercenaries. While they believe that it's cheaper to block some humans, they'll do it. It's a less horrendous variant of General Motors deciding not to fix the Chevrolet Malibu's fuel tank (Anderson v General Motors in California about 1999).

Just for accuracy, Slef some of the anti-spam methods you say you use yourself are in fact CAPTCHAs.

I don't think any of them block special-purpose clients, including bots even, and I don't care whether it's a human or a bot submitting to my site, as long as it's not spam.

From the user point of view, I'm not fond of captcha. But I'm willing to go through it, once, for a site I'm already persuaded is worthwhile.

That obviously divides webmasters into three groups:

(1) Those with little or no reputation, who can't afford to use captcha because they'll drive away potential users.

(2) Those with a bit of reputation or web presence, who have to use some form of captcha and/or security-by-idiosyncratic-obscurity because they're vulnerable to shotgun-spammers looking for soft targets.

(3) Those with a real reputation, who have to use defense in depth, probably including captcha (gmail) -- but who are specifically targetted by malicious spammers who WILL pay the $5.00/hour to break their security.

Mileage differs: the Brinks truck has all sorts of security of one sort or another; whereas my neighbor's Vette has another kind of security, and my other neighbor's ten-year-old Nissan has yet a different kind. Furthermore, all three of these would probably adjust their security to match the local conditions, if they were parking in a different neighborhood.

(4) Those with both reputation and clue, who have to use defence in depth, but who want to tackle spam head-on and avoid using "spam as collatoral damage" methods that discriminate against disabilities.

Also, from earlier in the thread:

We're talking about a technology that is going to exist no matter what you call it. It's a logical solution to an obvious problem. There's no organization or group responsibile for it.

The organisation responsible for it is captcha.net, a project of Carnegie Mellon University. It's not exactly going to look good for them if everyone realises that CMU have just demonstrated yet again what Albert Einstein meant by his famous saying:

For every problem there is a solution which is simple, obvious, and wrong.

... methods that discriminate ...

Uding the word "discriminate" is a bit OTT in this context. There is no prejudice involved.

I just checked (Collins English Dictionary) and prejudice isn't required by "discriminate". I don't care whether you build a low wall to keep out wheelchairs or keep out foxes - it still keeps out wheelchairs just the same.

Nevertheless, if you suggest a word you find more acceptable for blocking people on the basis of poor eyesight, hearing or other attributes, I'll edit my previous post to use it. Thanks.

The organisation responsible for it is captcha.net, a project of Carnegie Mellon University. It's not exactly going to look good for them if everyone realises that CMU have just demonstrated yet again what Albert Einstein meant by his famous saying

Ah I see, the Carnegie Mellon Conspiracy. I hadn't heard about that yet.

... it still keeps out wheelchairs just the same.

People in wheelchairs cannot get to the top of mountains but they could if we built chair lifts to the top. Why don't we do this? Isn't this discrimination or do we have to draw the line somewhere?

Let's get this clear, no one is deliberately blocking anyone on the basis of poor eyesight. Captchas may be a problem for people with poor eyesight but Captchas are not designed to deliberately block them.

I happen to be very hard of hearing. I wear two hearing aids but when I am in a situation where my defective hearing causes a problem I do NOT blame anyone else for this. I understand that my hearing problem is a bit inconvenient at times but that I have to live with it. If I am on a website with sound where the volume is not high enough for me to hear comfortably should I complain?

Actually I am happy to acknowledge the fact that I have the problem. It's not my fault but it's certainly not anyone elses fault and I do not expect everyone else to do somersaults in some futile attempt to appease me for the sake of political correctness.

You do handicapped people no favours by implying that the rest of the world must adapt 100% to accommodate them. Most people with handicaps know that a handicap is a handicap and that it is going to cause them some problems. Providing wheelchair access in a shopping mall is one thing. Providing the same access to the top of every mountain is another.

People in wheelchairs cannot get to the top of mountains but they could if we built chair lifts to the top. Why don't we do this? Isn't this discrimination or do we have to draw the line somewhere?

It doesn't seem much like refusing to build a lift to the top. It's more like building a mountain for your site to sit on, to try to keep out things that can't climb mountains. The CAPTCHA mountain is an artificial construction unnecessary for the site.

Image-based captchas are designed to deliberately block "things" with poor eyesight, based on the idea that nearly all spambots have poor eyesight. I'm amazed that anyone is arguing about that. It doesn't care whether the "thing" is a bot or a human - it's not trying to check that. Just whether the thing can recognise a distorted image.

If you're using a website with sound where the volume is not high enough for you to hear comfortably, turn up the volume. If the webmaster has found some way to prevent you turning up the volume on your computer, then yes, I think you should complain about their misuse of your computer! But there is no "undistort" control like a volume control, so that doesn't seem like a similar problem.

By the way, the mountain lift example was broken before I got here: last summer, I was in Austria. I climbed the Kitzbühler Horn (I think that's how you spell it) and guess what? There are lifts all the way to the top, if you want/need them. It's not "political correctness" (again that silly phrase) - it's great business for the neighbouring towns that their mountain is open to all. Let's do better business on the web and build chairlifts over the captcha chasms!

Image-based captchas are designed to deliberately block "things" with poor eyesight, based on the idea that nearly all spambots have poor eyesight. I'm amazed that anyone is arguing about that.

Actually it has nothing to do with eyesight. Some bots have more than sufficient ability to "perceive" an image. It's interpretation that is being tested.

And, along with most image based turning tests, you will find an audio alternative to accomodate the blind.

If you are both blind and deaf then god bless you.

There are lifts all the way to the top, if you want/need them.

When I was writing my last reply something told me that you would tell me about "that" mountain. What about all the rest or do you want me to point out a single website with no Captchas to prove my point?

Image-based captchas are designed to deliberately block "things" with poor eyesight

As Ian has rightly pointed out this is just not true but I think you already know that.

Where is this going? :(

That's hardly the only mountain with lifts. Look at which mountains are busier: the ones with lifts. If you want your website to be up a lonely mountain, go for it, but if anyone needs to use it, you're being unfair.

I regard interpretation of the seeing-through-distortion sort to be a function of eyesight. Also, I'm neither blind nor deaf, but my eyesight is failing as I age and my hearing is damaged. I'm surprised that so many CAPTCHAs lock me out, too. I'm not *that* damaged compared to some.

I don't know whether this is going. The captcha-clingers seem blind to reason and keep making more false claims (CAPTCHAs are anti-spam, CAPTCHAs don't discriminate between some groups of humans, mountains shouldn't have lifts, and so on) which seem worth correcting or clarifying.

Whatever.

What a great interesting conversation that I myself have spent a ton of time considering. This is actually the 1st time I've ever read a thread that inspired me to actually join a forum ... well done WebmasterWorld community!

To fully understand the needs for captchas you truly have to look at them from a spammer's prospective. Basically it's a numbers game. They are only interested in busting captchas that are widely used which is why you will frequently see yahoo's, google's, phpbb's, etc captcha broken and posted online. Why? Because the more sites use these scripts and that gives them more opportunities to drop links.

I myself wrote an "animated gif captcha" (<< google that phrase if interested) about a year and a half ago, unlike the re-captcha people who previously posted I won't spam my link here. I will say that I know from friends more mischievous than I that their captcha is broken on a regular basis because the technology it is built on is widely used.

If you want your forms to be secure, you have to really think outside the box and do something unique. A few that I've found to be effective are

css captcha - pretty simple by concept, make a 9 box grid (think tic-tac-toe here) and place different shades of hex colors inside each box. In a few of the boxes make them different shades of blue (or whatever) and ask the user how many blue boxes are in the above grid. Processing the hundreds of hex colors and assigning them a "generic" color is just not something that spam artists will do, it's possible but not likely.

Drawback - much like "what is the color of blood" there are only so many answers the user will give, in this case 1/9 ... so it's not good odds but still better than a standard gd library created jpg that can be OCR'd

flash captcha - plenty of code over at phpclasses.org that can power this type of captcha system and the means to break it down are not readily available to the common cracker. This is a good & solid way to secure your forms but comes with a very significant downside.

Drawback - flash is not installed by default on computers so you are essentially locking out a certain percentage of users.

^^ Javascript captchas have the same issues that flash ones do. However, javascript is ignored by programs (spam bots) so it has that going for it from the get go.

Using an animated gif that has the text slide back and forth or up and down, defeats OCR software in almost every case.

wouldn't they just scan the first frame of your animated gif - so moving around would annoy a human being but not the bot?

animated gif captcha - after much deliberation, this is the direction I chose to go for the security of my forms, I also release it for free (lgpl) to anyone who wants to use it.

Benefits:
1. gif's are visible by default in all browsers (except lynx).
2. random # of frames and length of frame visibility to keep spammers guessing
3. no distortion of the letters/numbers inside the captcha
4. simple math (what I chose to use) so it's not language dependent
5. not a single frame flat image (jpg or png)
6. not built by the gd library so no software dependencies

Again, I'm not attempting to drop my links here, I'm just sharing the hours of brainstorming, research & advice from (shady) industry professionals I have accumulated for the development of this project.

.... ooh yea, and it works. Old people (and those with depleting sight) love it because it's easy to view and comprehend.

I'm not kidding myself saying this form of captchas are unstoppable but it does have one thing going for it, it is very different. Spammers really have to go out of their way to break this down as each captcha has literally hundreds of slides to decipher. To the naked eye, it looks very simple .. not so for bots.

Another big plus is that it's not mainstream (currently). I'm sure it would be much different if something like wordpress or phpbb picked it up. Then there would be a big payout for spammers breaking it ... hopefully this day won't come soon.

cheers

hopefully this day won't come soon.

When that day does come you will just come up with a new CAPTCHA and be safe again for a few more years. :-)

I've never needed to even go as far as animated GIFs (though they are a great solution). Simply using unusual image obfuscation is enough for 0% successful spam.

CAPTCHAs dead... pshh.

[Added: Welcome to WebmasterWorld!]

[edited by: IanKelley at 7:26 am (utc) on July 30, 2008]

welcome to WebmasterWorld [webmasterworld.com], erect!
thanks for joining - i think you'll find a lot of interesting and useful exchange here.
nice first post..