Never mind their discriminatory nature (eg against people with poor eyesight or even just a poor display) and thus their potential illegality.

Rgds

Damon

I have them on every single form myself. not to mention that most form mails, that my clients are paying for, wind up in spam ..

I wonder how many paople cannot solve the captchas ..

A sound defense does not rely on a single weapon. The wall that protects my forms is made of many bricks. Catcha is just one of them and one I know stops a great deal of automated spam.

Something I have noticed popping up which is interesting is captcha forms request I enter the text in reverse order... the first time I came to one I didn't read it and it wouldn't validate my text.. I tried three more times before actually reading the entire error message telling me to enter it in reverse order.

To me it seemed like an ok solution but how long until the bots start trying it. Soon I foresee them asking things like enter the text in alphabetical order or to unscramble a word. Could become annoying or could become like a game.

What would really be neat if they gave you a flash game and you had to get a certain score to submit the form... maybe like Galaga or Pacman, or something like that... of course this does nothing for the seeing impaired.

Isn't an imperfect defense, one that slows down but doesn't block spam, is a win in the larger scheme of things?

First we learn to manage HIV/AIDS, by mastering the treatment of it symptomatically, all the while looking for a cure.

A method I like that includes the seeing impaired is a very neat one.

You have a form it contains input boxes.

Let us say you want to have 2 fields.... name and email

So in your form you create 4 text boxes... 2 of them have their visibility set to hidden but are still of type "text" you name these two fields "name" and "email".... then you have the other 2 text boxes set to visible and name them "abc" and "xyz"... when a person comes to the form they will fill out the visible fields "abc" and "xyz" and the "name" and "email" fields will be empty... when a bot fills out the form it will see the non-visible fields as it is looking at source and it will submit the form with values.

If I have a form that is submitted with the "name" and "email" fields then I know it was not a human... of course this doesn't always work but it does help filter out a lot of bots.... again just another way of doing it... this is nice for the seeing impaired problem though.

Demaestro,

Hidden fields are another brick I use (and many others use this technique also, it is a well-known defense method).

This whole argument seems based on captcha as the sole defensive method which is not reality.

[edited by: Jon_King at 4:04 pm (utc) on June 11, 2007]

---- "name" and "email" fields then I know it was not a human---

what about thouse toolbars that pre-populate form for you?

Yea, that's not the way to do hidden fields. This is not the topic of the thread... but a quick search at WebmasterWorld will yield the proper method.

I just have a little bit of code that says what is 2+2? If the answer is = to 4 then send the email!

Mind you things like that would not work on a large website but works on small websites so I have not had any spam yet using it!

RJ

I just have a little bit of code that says what is 2+2? If the answer is = to 4 then send the email!

I use that too and it stops spam registrations 100% for now. But that's the problem, soon the spammers are going to start writing software that analyzes questions and can provide answers too. However, human operators will be able to craft questions that the programs will not be able to answer for some time yet . . . as long as you don't use 2+2=4. It's an arms race!

Never mind their discriminatory nature (eg against people with poor eyesight or even just a poor display) and thus their potential illegality.

The NY TIMES article covered that. (Some sites have audio captchas for the visually impaired.)

Still not very helpful for a low-colour mobile display, eg a phone, however able-bodied/sighted/hearing the user is.

Rgds

Damon

OK, silly article because it too narrowly focuses on a single type of captcha. Maybe you should retitle it that STUPID captchas are dead because all that garbage string character stuff BY ITSELF is old school.

Squiggly numbers are just one type, one that I don't use, and I stop a ton of bots cold with the simple "What's 10 + 2?" type of CAPTCHA.

Easy to read, easy to answer, handicapped accessible.

However, you have to implement OTHER methodologies to stop the bots such as obfuscated javascript for the entire form since bots don't use javascript, using javascript event tracking to verify someone actually typed in the response field vs. posting the data, require POST vs GET for the submission of the data and so on and so forth. Besides all that, tracking site access and bouncing submissions to the CAPTCHA when the visitor hasn't been to any other page on the site, or lacks referrers, yada yada.

The true trick is random CAPTCHAs of varying types so that the spammers can't target just one method. If you use the squiggly text method, used several of them and mix it up with plain text questions in javascript, randomize the input text field per access so the bot doesn't know the proper field name, random pictures with drop down lists of answers, and much more.

I stop bunches of bots daily that try to hide as a human browser with a simple captcha combined with javascript and so far it's very effective, so CAPTCHAS are far from dead but narrow minded small thinking on what defines a CAPTCHA is obsolete.

[edited by: incrediBILL at 9:59 pm (utc) on June 11, 2007]

Spam is easy to detect - if there is more than one URL
in a post/email flag it for moderation. 90% of the time it's spam.
If there are three or more urls, it only gets more likely.
(the only time this this doesn't work is stock spam)

The day they start throwing spammers (and the corporations that hire them) in prison with long term sentences, that's the day 90% of it will stop.

Spam is internet terrorism.
Repeat that enough and maybe it will get government funding to hunt the spammers down.

[edited by: amznVibe at 11:21 pm (utc) on June 11, 2007]

<<Repeat that enough and maybe it will get government funding to hunt the spammers down.>>

That's the concern, really.

Spam has become a very general term that not many understand. Big can of worms!

I like the captcha alternatives which go something like this:

Robert's brother Tom has a son named Mark Woodford.
What is the full name of Mark's uncle?

Can computers figure that sort of thing out? If so, how?

Apart from captcha after facing lot of spams on few sites/forums we figured out a solution to add some common questions in addition to captcha which will be randomly displayed to an end-user.

For Example:
1 + 1 =?
(Please type the answer in box above)

2 + 2 =?
(Please type the answer in box above)

What comes after Monday? Tuesday or Wednesday
(Please type the answer in box above)

And around 50 more common questions, which is now way too easier to fool bots questions are randomized and changed once a month..

But there needs to be an alternative to captcha..

I find trivia captchas are very effective. The main trouble is one of scale: what works well for a multitude of smaller websites is coming up with a variety of different types of question, because as long as they're all different it's not worth the spammer's while to solve them all individually. But once you get a large and popular website that everyone wants to spam, it gets tougher because you need a much larger pool of trivia questions or a different method altogether.

The other problem I foresee is the way a lot of captchas tend to rely on similar styles of questions, which a bot could solve: simple maths is getting more common, as are "spell _____ backwards" questions. Keeping on top of this will be a matter of getting creative with captcha solutions, and steering clear of the methods most other webmasters are using.

captchas are dead right after they pull the last voight-kampff machine from rick deckard's cold, dead, broken fingers...

The other problem I foresee is the way a lot of captchas tend to rely on similar styles of questions, which a bot could solve

That's why I said above you include technology the common bots don't use today, like javascript, and a variety of javascript tricks in your simple captchas.

They don't even see the captcha and just keep going in circles, it's quite amusing.

I have tried completely separately Akismet as sole defender of one site and a simple Captcha as sole defender of another and, frankly, pretty much zero spam on either one. It's actually a bit astonishing to me to see how effective "2+2" still is for the time being (I had an image captcha but then tried simple math and it was equally effective)

captchas are dead right after they pull the last voight-kampff machine from rick deckard's cold, dead, broken fingers...

Sure, but then you just crank up the old Penfield to 888 and everything will be okay. (To those who don't know the ins and outs of Rick Deckard's life and the workings of the Penfield Mood Organ, 888 is the desire to watch television no matter what's on).

I just entered in a captcha on MySpace....so much for them being dead....

I like the captcha alternatives which go something like this:

Robert's brother Tom has a son named Mark Woodford.
What is the full name of Mark's uncle?

Can computers figure that sort of thing out? If so, how?

Trouble with questions like that is that they would be too hard for real users to answer quickly. It's almost like a riddle.

I didn't say anything earlier, but I have to say that when I saw that captcha, my first thought was that it's also culturally specific.

Despite ten years married into an ethnically Chinese family, I still haven't figured out exactly how Chinese names work with the family name, the generational name and the individual name. I think Chinese people get our system easier, but so many things are cultural like that.

I remember being in an English-language bookstore in Asia. Falkner was next to Shakespeare, not next to Fitzgerald. Obvious right? Depending on your cultural background, maybe, but maybe not.

Note to Captcha/other deterrent creators

Leave no fingerprints!

My slight solution: On the small number of forms i've created, i encrypt a time value, with the encryption dependent on the time of day. it seems most auto-form-fillers just scrape static hidden values (which quickly become outdated)