
Evolution of the 'Captcha'

FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"

  • I am torn (Score:5, Funny)

    by jollyreaper ( 513215 ) on Monday June 11, 2007 @08:40AM (#19463983)
    As a Christian fundamentalist, I cannot in good conscience believe that captchas have evolved, yet at the same time since I can never figure out what to type to make them work, I cannot believe any intelligence was involved in their design.
    • by dattaway ( 3088 ) on Monday June 11, 2007 @08:46AM (#19464025) Homepage Journal
      Here in Kansas, captcha evolution has been subject to legal review. Kansas City's Road Runner is employing packet shaping to eliminate the evolution of captchas. You might not see the captcha, but others believe it exists.
    • woah (Score:2, Insightful)

      by weighn ( 578357 )
      +5 Funny in 7min 15sec AND frost pist!
      Come to think of it - it's great to see fp without some sort of script bollocks - welcome back to /.
    • Re: (Score:3, Interesting)

      by lcoughey ( 975892 )
      I thought I could avoid using Captchas by simply requesting that the user type in their IP address, which I showed at the bottom of the screen. I know that a bot can easily get the IP address too...I was thinking that my request was vague enough that the bot wouldn't understand the question. My guess is that the bot didn't understand the question and reported the error to its writer. The writer must have explored my website, found the source of the error and then added a subroutine to deal with my question.

      Th
  • Knowledge tests... (Score:3, Interesting)

    by Anonymous Coward on Monday June 11, 2007 @08:41AM (#19463991)
    The other day I saw a system that posed the question:
    'Germany is a country in Africa?'

    Your duty to prove you were human was to change it to the proper continent and the question mark to a period. Seems pretty fool proof, especially if you combine it with things like "and make 'country' all capitals."
    • by CrazyTalk ( 662055 ) on Monday June 11, 2007 @08:52AM (#19464075)
      Ummm I don't think this would work in the US, where (considering our educational system) some people might answer "yes". In fact, some celebrity (I forget which) recently thought that Japan was a country in Africa, which is why Africa has the best sushi.
    • by bobmarleypeople ( 1077639 ) on Monday June 11, 2007 @09:05AM (#19464195) Journal
      I've seen several sites using questions similar to yours except they were more obvious. An example was:

      Which is a food?
      A) pink
      B) car
      C) Britney Spears
      D) Hamburger

      There is of course the possible registration by a disturbed and horny male who would say "Britney Spears" but you get the idea.
    • These have a limited supply of questions, which means they can be bruteforced in various ways.
      • Re: (Score:3, Informative)

        by lazlo ( 15906 )
        You know, as a security sort of person, I tend to agree in principle. I do, however, find it fascinating how principle and reality don't quite line up all that often. A case in point, one of the blogs I read fairly regularly uses captchas. He doesn't really obscure it too much, and it's always the same 3 character string, related to the name of the site. Any spammer who actually posted more than once could easily figure it out. So far, none have. He wrote about his experiences with this here. [shamusyoung.com] So mayb
        • Re: (Score:3, Informative)

          by TodMinuit ( 1026042 )
          You can get away with that if you're a little site. But if you're Google, or Slashdot, or Facebook, then it'll last about two days.
    • Re: (Score:3, Interesting)

      I've used something similar -- requiring a question that can only be answered by people with a genuine interest in the forum/site they are registering for. I have gone from 7-12 spam registrations a day, down to zero [spam regs] since doing so, while people who are legitimately registering still get through.
  • Alternative? (Score:3, Insightful)

    by morgan_greywolf ( 835522 ) on Monday June 11, 2007 @08:41AM (#19463995) Homepage Journal
    In my mind, anything that can be put out by an automated system for purposes of determining whether the communication on the other end is from an automated system can, with enough ingenuity, be answered by an automated system. IOW, all 'captchas' and similar methods are ultimately defeatable. It's an arms race, just like DRM: clever people will always figure out how to defeat what protections you put in place no matter how clever your protections are.
    • Re: (Score:2, Interesting)

      by thetroll123 ( 744259 )
      Nonsense. There are plenty of things humans are good at that computers are rubbish at. How about displaying four photographs with the question "which image contains a bottle?"
      • Re:Alternative? (Score:5, Insightful)

        by moranar ( 632206 ) on Monday June 11, 2007 @08:58AM (#19464115) Homepage Journal
        Doesn't work well: a bot will be right 25% of the time, just by answering at random. And more pictures mean difficult layout, or small picture size. Plus, it becomes an undue hassle on real users.
        • by AmIAnAi ( 975049 ) *
          Rather than just showing four pictures and asking which is the bottle, why not display four pictures, each rotated by a random, non-integer amount. Then ask what (e.g.) image 3 contains. The images would have to be selected so the object was the obvious focus, but maybe with a noisy background (e.g. grass).

          You would also need to mask each image with a circular aperture, to prevent bots doing some guess work.

          I appreciate this doesn't help blind users (as another poster commented) but then that is true o
        • Actually, that is exactly the direction captchas are going, with a more elegant solution. If instead of picking one, in which case you are right - there's a 25% chance a bot will choose correctly, what if it were instead: select which pictures are of a cat? Now, with only 4 images, you have 1+1+4+4+6+6 = 22 different possible outcomes, while having the problem remain trivially easy for a human.
          • Re: (Score:3, Informative)

            by Mr2cents ( 323101 )

            Now, with only 4 images, you have 1+1+4+4+6+6 = 22 different possible outcomes, while having the problem remain trivially easy for a human.
            Each image either shows or doesn't show a cat, so that's two possibilities. With 4 images that makes 2^4 = 16 possibilities. I don't know where you got "1+1+4+4+6+6" from, but it doesn't make any sense to me.

            (Or maybe I misinterpreted).
          • Re: (Score:3, Insightful)

            by Goaway ( 82658 )
            As the previous poster pointed out, your maths is wrong, and it's 16 possibilities. This means the spam bot just has to try 16 times instead of 1. It can easily do that if it wants to.

            Meanwhile, you have shut out all users who do not speak English well and can't figure out your instructions.
      • How about displaying four photographs with the question "which image contains a bottle?"
        Couldn't a bot just download all the photographs, have members of the bot operator's porn site catalog them in exchange for access to more porn, and then compare challenges to this photo database to find the bottle? And what would be the blind-friendly version of this?
      • How about displaying four photographs with the question "which image contains a bottle?"
        Flowers.jpg? Nope. Piglet.jpg? Not that one either. Probably not EiffelTower.png, so must be the other one.

        I figure somebody somewhere must have implemented a captcha system where the name of the image file was the same as the word.
      • Re: (Score:3, Insightful)

        Nonsense. There are plenty of things humans are good at that computers are rubbish at. How about displaying four photographs with the question "which image contains a bottle?"

        Your search space wouldn't be large enough -- you can only have a limited number of photographs, since they have to be manually generated, and once the correct answers have been identified the captcha-breaking algorithm would reduce to "which image is closest to something in this set", a fairly trivial image-matching problem. This

      • Nonsense. There are plenty of things humans are good at that computers are rubbish at. How about displaying four photographs with the question "which image contains a bottle?"
        I can't find the linky at the moment, but I remember reading about a photo application with object recognition such that it would tag your photos automatically. Why couldn't something like that be used in this case? This avenue already seems dead.
    • Re:Alternative? (Score:5, Insightful)

      by twistedsymphony ( 956982 ) on Monday June 11, 2007 @09:16AM (#19464305) Homepage
      What ever happened to email validation?

      You give the script your email address, it sends you an email and you follow a validation link within the email. Implementing this on my website where I had a captcha before got rid of 100% of the spam.

      There are also other little dirty tricks you can do to ensure it's a human on the other end, one of my favorites is to check the referrer URL when accepting a comment... if it's not being referred from my entry forum then it just happily throws the request away. Even if it's not spam it's probably something malicious anyway.

      Another thing I used to use that worked really well in conjunction with registration is "approving" any account in which the first post doesn't contain any links or any words on a "spam list". If the first post of the newly registered account contains any links or spam words at all, it's held for moderation and must be approved manually. A vast majority of the legit people leaving comments for the first time won't be including any links or talking about viagra on a tech site, no links or spam words means they've been validated as "not spam" and if they've included links it only takes a human a few seconds to qualify if the account should be canceled as spam or approved as a non-spam account. This one obviously takes some man power so it only really works on smaller sites. It might be easy for a spam bot to counteract this but the way it validates is not apparent, not to mention this is already after an email has been validated.
      • Re: (Score:3, Interesting)

        by The G ( 7787 )
        Get rid of the captcha by implementing the one verification scheme more annoying than a captcha! Good job!

        Email validation requires people to give you something -- their email address -- that they may consider more valuable than the ability to post on your forum. You'll lose all those people, who are probably rather more numerous than those who would be turned away by an annoying captcha.

        In addition, email response is far more automatable than captchas. I am currently experimenting with an automated confirm-l
      • by Poromenos1 ( 830658 ) on Monday June 11, 2007 @11:10AM (#19465723) Homepage
        I've found that not even this is necessary, I run a site with about 1000 visitors per day and the spam messages fell to zero when I included a field that said "Type in the box to prove you're human:".
      • Re: (Score:3, Insightful)

        by merreborn ( 853723 )

        What ever happened to email validation?

        You give script your email address, it sends you an email and you follow a validation link within the email. Implementing this on my website where I had a captcha before got rid of 100% of the spam.

        In many circumstances, email validation will cause users who would have otherwise filled out your captcha, to leave your site without contributing.

        For example, I'll gladly solve a captcha to comment on a blog, but 90% of the time, if email validation is required, I'm just go

    • Re: (Score:3, Interesting)

      I agree, which is why I wrote a framework for text based CAPTCHAs [mblmsoftware.com] that allows web developers to combine their effort to counter spammers.

      The goal of the framework is to provide mechanisms for securely presenting and validating answers to text based CAPTCHAs in a way that is easily customised, configured, monitored, and extended. A key feature of the system is a plugin environment that allows developers to easily add, configure and write plugins for the system. For each request the system chooses a rando
  • Great idea (Score:3, Insightful)

    by grimdawg ( 954902 ) on Monday June 11, 2007 @08:41AM (#19463997)
    What word did you have to type to prove you weren't a bot? A good sample might give us an insight into which words are used: why? I had to type 'interest' - which seems to have no real distinguishing feature.

    Are they chosen for any good reason, or are they completely arbitrary? Are there letters that bots have trouble with? Fonts? Who knows?

    The only thing that's sure is that every protection will eventually be broken.

    What's more, maybe if you can't solve a simple word puzzle, I don't want you registering at my site...
    • Re:Great idea (Score:5, Insightful)

      by Turn-X Alphonse ( 789240 ) on Monday June 11, 2007 @08:44AM (#19464007) Journal
      So people with eye sight problems aren't welcome on your site then?

      I have perfect vision and I struggle to tell if some S/5/Zs are one of the letters. The fonts and distortion are getting worse and worse to the point where it's usually 2 or 3 attempts before I can get one correctly, purely because letters are so distorted in them these days.
      • Re:Great idea (Score:5, Insightful)

        by 0123456 ( 636235 ) on Monday June 11, 2007 @09:05AM (#19464189)
        Indeed: these things are getting to be an appalling nuisance. If I see a site that uses them I increasingly just say 'fuck it' and leave; particularly the sites that keep asking for another one every few pages.

        Meanwhile, having an automated system feed them to Chinese people on $0.50 an hour can't be too hard, and they'll have at least as good a chance of getting the correct result as I do.
        • having an automated system feed them to Chinese people on $0.50 an hour can't be too hard
          There goes my business plan, goshdarnit!
        • Re: (Score:3, Interesting)

          by Jupix ( 916634 )

          Heh, I remember once having to enter some cryptic captcha string into a text field at rapidshare or some nameless file hosting service. I think the problem with it was there was no discrimination between O and zero, or something to that extent. Anyway, the captcha sucked so much I misread it three times, in which the site replied with "You are a bot!" and shut me out of the system. Funny way of showing appreciation and respect to customers.

          By the way - since I started typing on this subject - I run a coup

  • by sveinb ( 305718 ) on Monday June 11, 2007 @08:46AM (#19464015)
    Ask the user to perform a task that only a computer is likely to succeed at, like factorizing a 6-digit number. If the user gives the right answer, and this is the cunning part: Then it's not a human!

    MAN, I feel clever some times.
  • We recently heard (someone else will post the link) that scanned books would be used for an experimental captcha program since machines aren't picking everything up. So I guess there's still differing opinions here ...
  • Captcha too hard (Score:5, Insightful)

    by aepervius ( 535155 ) on Monday June 11, 2007 @08:50AM (#19464049)
    OK, I am a bit shortsighted, but still, some of the captchas are so garbled with bright color random pixel/forms while the font color of what was to be read was light gray/pink/blue on white background (and naturally distorted) that frankly I swore loudly while trying for the 5th time to enter the correct random combo of lower case, upper case and digits.

    I am not sure if a picture is better, but it is definitely a step forward if I don't have to spend 5 times retrying.
  • by escay ( 923320 ) on Monday June 11, 2007 @08:51AM (#19464057) Journal
    I find some of the most cryptic captchas on the ticketmaster site. Granted that the site deserves a stringent bot control given the risk of scalpers but some of their patterns border on the ridiculous. TFA mentions someone who achieved 25% success in deciphering those ticketmaster ones and I am thinking, "how does he do that?!"
    • The funny thing is I have a client that pulls 10mbs all day every day getting tickets out of ticket master and the like and then auctioning them off. I talked to him once and he uses a mix of computer and human analysis to defeat them. Captchas do not work when you can pay somebody a few cents to do the work to buy tens to hundreds of dollars in tickets.
  • by Anonymous Coward on Monday June 11, 2007 @08:53AM (#19464077)
    I always get annoyed by captchas.. it's like a forced human intelligence test.
    We know that humans are more intelligent than scripts, so I always thought it should be easier to test the lack of intelligence in scripts than proving intelligence in humans.

    For example just use a simple honeypot in a html form. Put a dummy input field in a form. You can hide the field with CSS/noscript tag or just mark it: "This field should be left intentionally blank" or something of that nature to make it more human friendly.

    Seeing that all form fields are generally blank, the spambot/script will fill your dummy field. On the server side, if the field has data, ignore the submission. It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.

    my anonymous 2c
    • by jimstapleton ( 999106 ) on Monday June 11, 2007 @08:57AM (#19464113) Journal
      Have a random or semi random set of field names, with an associated "key" field. Use the key field to retrieve the field names of interest. Also have a "name" and "password" field set up so they are invisible to a normal user.

      Block any IP submitting a non-blank "name" or "password" field.
    • by Kijori ( 897770 ) <ward.jake @ g m a i l . c om> on Monday June 11, 2007 @10:09AM (#19464881)
      The problem is that the solutions are being coded for individual sites not one size fits all. A custom solution would have no problem with that system at all.
    • by CodeBuster ( 516420 ) on Monday June 11, 2007 @02:28PM (#19468153)
      It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.

      Not really, considering that most of these scripts are targeted at large sites (yahoo, hotmail, etc) OR common site frameworks (PhpNuke, Drupal, Blogger, etc) where common hidden field input patterns would very quickly be tested and coded around by the script writers. The whole point of CAPTCHA in the first place was that it presented a random and dynamic test which was easy enough for users to solve (at least in theory) while hard enough to foil simple analysis by script. This might work on a small custom website where it is not worth the trouble of the script writers to code a version specifically for the hidden input pattern of your site, but this hidden field stuff was tried and failed on big sites even before CAPTCHA was in common use.
  • It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created.

    Especially with provisions of Section 508 [wikipedia.org] and the ADA [wikipedia.org] (and foreign counterparts) that ban discrimination against blind people, who use computers through screen readers that render text as speech or braille.

    • audio captcha (Score:3, Informative)

      by weighn ( 578357 )

      Especially with provisions of Section 508 [wikipedia.org] and the ADA [wikipedia.org] (and foreign counterparts) that ban discrimination against blind people, who use computers through screen readers that render text as speech or braille.

      some sites are including an audio option.
      examples are here [captcha.net] (under Guidelines > Accessibility) and here [accessibilityblog.com]

      • by tepples ( 727027 )

        blind people, who use computers through screen readers that render text as speech or braille.
        some sites are including an audio option.
        That's a good step forward for accommodating people who use text to speech. But what about those people who use text to braille? And what about those people who use text to speech on a machine where Apple® QuickTime® brand software is unavailable?
    • by EMeta ( 860558 )
      TFA mentioned that many sites now have audio captchas--forcing the user to make out words amongst static and background noise. You really only want those for the blind community, however, since most of us would rather have a mute internet experience. I'm not the only one on here at work.
  • by rtobyr ( 846578 ) <toby AT richards DOT net> on Monday June 11, 2007 @08:57AM (#19464111) Homepage
    One day, everybody will have a digital ID. You know, the kind used to digitally sign e-mail. If you had to digitally sign your request to create an account with a certificate issued from a trusted CA, then using a bot creates the potential of the user having his digital certificate revoked.
  • Why register? (Score:2, Interesting)

    With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register. Look at how many websites are eating us [google.com] and desperately trying to hold our attention to feed them users. Maybe there is another model, one better than subscription-based?
    • With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register.
      And bots operated by web sites that require registration can spider bugmenot and ban all accounts that are listed there.

  • Right now this is a cat and mouse game. I've come across captchas that I cannot do. However, in 2020 computers are supposed to be as smart as a human. So, when that happens, how can we then differentiate between them?

  • My father is partially sighted. He has enough trouble reading the actual page (try navigating around advertising with a very limited field of view). Captchas just lock him out of the site.
  • Instead of asking users to recognize visual things, why not use sentences, like questions, to which only humans could correctly reply, like, for example, What's yellow and dangerous?

    Seriously, only limiting captchas to recognizing something in an image makes it pretty limited, they might wanna try asking questions to the user, if they haven't tried that yet.

    • Re: (Score:2, Insightful)

      by JDHannan ( 786636 )
      I don't think many people know that it's a canary with a machine gun. And I'm not sure I want that many people knocked off the internet in one swell foop
      • by mpe ( 36238 )
        I don't think many people know that it's a canary with a machine gun. And I'm not sure I want that many people knocked off the internet in one swell foop

        But would it consider "a canary with a Kalashnikov" to be a valid answer? The problem with word games is that they can have more than one "correct" answer.
    • "What's yellow and dangerous?"

      Kim Jong Il?

      Seriously, I'm quite sure it's not the expected answer, but I just can't find it. I'm not a native English speaker (but I don't think it matters for that particular riddle), went through college (SW degree), and I believe I have a reasonably large and varied culture (please forget my nickname, I swear, I'm 30 and watch other things than cartoons), so I would like to volunteer as a living example that someone's easy question can be someone else's trick.
    • Re: (Score:3, Funny)

      by Chatterton ( 228704 )
      Yes, users need to answer riddles like in notpron [deathball.net]. The kind you need 10 hours to find the solution /Grin/ :D
  • by G4from128k ( 686170 ) on Monday June 11, 2007 @09:06AM (#19464199)
    Between ever-better computer image recognition algorithms and cheap offshore labor, captchas are doomed. Moreover, captchas don't even solve the actual problem because the goal isn't to distinguish human from nonhuman, but to distinguish spammer from nonspammer. This means we need some mechanism to identify a registrant and be aware of their behavior.

    Why don't sites band together, share data on abusive registrants, and require each new registrant to provide "references" in the form of their logins to 3-5 other sites. A person with a normal online life could easily demonstrate a pattern of nonspammy behavior. People with no prior history might be placed on probation (their posts are reviewed and may not contain any link-like data). If a registrant posts spam they temporarily (or permanently) lose their accounts on that site and all connected sites.

    At some point in time, the only thing that will work is a system that tracks the identity behind the account, assigns a reputation and ostracizes miscreants.
    • Why don't sites band together, share data on abusive registrants, and require each new registrant to provide "references" in the form of their logins to 3-5 other sites. A person with a normal online life could easily demonstrate a pattern of nonspammy behavior.

      In an odd way, one could suggest that this is exactly what Akismet, an anti-spam plugin for Word Press, does. The deal with Akismet is that comments don't go live until human moderated.

      That may seem dumb until you realize that Akismet has three adva

  • Scraping works too (Score:2, Insightful)

    by zumajim ( 681331 )
    I read some time ago about a guy who wanted to spam a large ISP (Can't recall the company), so he created a porn site, botted the ISP and scraped the captchas, putting them on his porn site where a good old human was waiting to do the work for him. Seems porn can power anything.
  • Perhaps captcha bots will evolve into the first programs to pass the Turing Test [wikipedia.org]?
  • ... if they would just drop the stupid login requirement for reading articles. I can understand needing it to post a comment. But it should be entirely voluntary for reading. Maybe their reporter should be doing a story on this silliness that seems to be rampant among a lot of major newspapers.

  • Replace the mangled-text-and-response captcha with a skill test, like punch-the-monkey. Maybe I could win an iPod while I'm at it.

    Unrelated question....how do you validate the captcha if you are browsing with lynx?

    Mod self -1,weird-mood-on-a-monday

  • The co-evolution of the outsourced Indian worker being paid $1-$2 per hour to solve hundreds of captchas per hour. Not to mention various porn sites and warez sites where you have to solve a captcha to get in, it just happens to be someone else's captcha. You want a captcha for someplace like a bank to work? Simple, get the person to input something that was chosen off site and they would know. At best though it would still be security through obscurity and flawed. Captchas are fundamentally flawed, and a
  • There are some things that I hate with a passion. Whenever I run into one of these (even the easier ones) these get into my top ten things I really wish the person that designed them has to spend time in a special hell filling out every one of these things successfully before they are allowed into heaven.

  • How about using something that the brain perceives differently to what is actually measurably there, for example, optical illusions using colour.

    There are some classic optical illusions where the brain perceives a different colour to the one that is actually there, because of backgrounds and other visual clues in the image. An automated program that simply measured the value would give a different answer to the human one.

    e.g the colour perception ones here http://www.echalk.co.uk/amusements/OpticalIllusi [echalk.co.uk]
    • That is, in fact, a very good suggestion. Using animated GIFs might also serve the purpose! Having the viewer interpret the activity in the cartoon perhaps. Further, other optical tricks might be employed such as using layered images where a table cell might have a background assigned and GIF with transparent background on top to create a composite image for a human to interpret might be a good solution... as temporary as it may be.

      In all these cases, it is a finite number of images that could be employe
  • by Samrobb ( 12731 ) on Monday June 11, 2007 @10:36AM (#19465231) Journal

    Shamus Young (the creator of the "DM of the Rings") recently introduced a captcha on his site to deal with comment spam. In his post about using a captcha [shamusyoung.com] on his site, he notes that:

    ... I used to get many hundreds of spam a day. Traffic here has jumped up since then, and I wouldn't be at all surprised to find I'm getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam make it through about once every other week, and I'm betting the ones that do make it through are entered manually... In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes.

    Emphasis mine. He's running a fairly popular site, and using a captcha based off of a single, unchanging, three-character phrase. Just the presence of the captcha was enough to effectively eliminate his spam problem. The indication seems to be that just the presence of a captcha is enough to keep spam off of even a moderately popular site.

  • by jeremy f ( 48588 ) on Monday June 11, 2007 @12:54PM (#19467107) Homepage
    So rather than put the burden of proof on humans to prove they're not a machine, put the burden of proof on the machines to prove they're a human?

    Take your average HTML form:

    Rather than have 1 textbox for a field value, have 10. UserName1, UserName2, UserName3, etc.

    Use javascript to randomly assign one of them as visible. The rest are hidden from the user.

    On the server, watch to see which textbox is filled. Presumably, with decent enough javascript skills, and stupid enough bots, your humans will fill out what they see, which is the correct combination. The bots won't.

    Granted, this method can be defeated if the bot checks for field level visibility after the page finishes loading, but even then, with decent enough javascript, you can continue to provide unobtrusive checks to ensure that your user is real -- e.g., unless the bot is running a macro through a web browser itself, your onblur events probably won't be tripped. And so on.

    This puts a burden on the developers to come up with clever ways of defeating the bots, but in reality, that's where the battle is -- html application devs. vs spambot devs. Users shouldn't have to be dragged into the middle.
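
Added example, not part of the comment above or of any poster's code: a server-side check for the decoy-field scheme in this comment, which also covers the leave-it-blank honeypot field and the random field names with a "key" field suggested earlier in the thread. The HMAC-derived names, the token layout, `SECRET_KEY`, `MAX_AGE` and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-secret"  # assumption: a per-deployment server secret
SLOTS = 10       # ten candidate text boxes, as in the comment above
MAX_AGE = 3600   # seconds a rendered form stays valid (assumed policy)


def _mac(message: str) -> str:
    """Keyed hash; clients cannot compute it without SECRET_KEY."""
    return hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()


def _layout(nonce: str):
    """Re-derive the field names and the real slot from the nonce alone.

    Nothing about the real slot is sent to the client in readable form,
    so the server needs no per-form session state to validate.
    """
    names = ["f_" + _mac(f"name:{nonce}:{i}")[:12] for i in range(SLOTS)]
    real = int(_mac(f"slot:{nonce}"), 16) % SLOTS
    return names, real


def issue_form(now=None):
    """Create one rendering of the form: (key token, field names, real index).

    The template would emit every name as an <input>, hide all but
    names[real] with CSS or script, and echo the token in a hidden
    field called "key".
    """
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{nonce}.{now}"
    token = f"{payload}.{_mac('tok:' + payload)}"
    names, real = _layout(nonce)
    return token, names, real


def validate(form: dict, now=None):
    """Return (verdict, value); verdict is 'ok' or a rejection reason."""
    now = int(time.time() if now is None else now)
    parts = str(form.get("key", "")).split(".")
    if len(parts) != 3:
        return "bad_token", None
    nonce, issued, sig = parts
    expected = _mac(f"tok:{nonce}.{issued}")
    # Compare as bytes so attacker-supplied non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad_token", None
    if not issued.isdigit() or now - int(issued) > MAX_AGE:
        return "expired", None

    names, real = _layout(nonce)
    # Any decoy with content means the client filled fields a person
    # could not see: the honeypot rule from earlier in the thread.
    for i, name in enumerate(names):
        if i != real and str(form.get(name, "")).strip():
            return "decoy_filled", None
    value = str(form.get(names[real], "")).strip()
    if not value:
        # Covers clients posting a hard-coded name such as "username".
        return "real_empty", None
    # Not handled here: a valid token can be replayed until it expires;
    # a single-use nonce store would close that.
    return "ok", value


if __name__ == "__main__":
    token, names, real = issue_form()
    print(validate({"key": token, names[real]: "alice"}))
    print(validate({"key": token, **{n: "spam" for n in names}}))
```
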
  • Kittenauth! (Score:3, Interesting)

    by Blackknight ( 25168 ) on Monday June 11, 2007 @04:34PM (#19469831) Homepage
    Captchas are annoying, but systems like Kittenauth [kittenauth.com] are easy for humans to answer while defeating bots. If you have the user perform a task like "Click two pictures of kittens" it's very difficult for a bot to do this.

    Personally I just keep it simple on my site, I have a box that says "Please type 'I am a human.'" into the box below. If that input field is empty or doesn't match then you know it was submitted by a bot.
