Block Spam Bots With Free CAPTCHA Service

← Back to Stories (view on slashdot.org)

Block Spam Bots With Free CAPTCHA Service

Posted by timothy on Wednesday November 12, 2003 @05:55AM from the screwtape-and-pals-shriek dept.

Chirag Mehta writes "I just released a freeware service called BotBlock (barebones demo) that lets site owners copy/paste a few lines of PHP code and insert a CAPTCHA image-verification system into any web form. The amount of form spamming by bots is on a rise. While remedies exist for MT blogs, a more efficient solution is to use image-verification or text-identification. Used for a while by sites like Yahoo! (scroll to bottom), Hotmail and patented in 2001 by AltaVista, CAPTCHAs are now being used more widely. PARC also came up with two algorithms Baffletext and Pessimal Print. The technology always existed, but until now required the site owners to install image libraries and understand how to generate images that cannot be OCR'ed. With BotBlock it is like inserting a page counter."

56 comments

Min score:

Reason:

Sort:

What about blind people? by FattMattP · 2003-11-12 05:58 · Score: 4, Interesting

What about people who are blind or visually impared? Does your implementation take that into account?

--
Prevent email address forgery. Publish SPF records for y
1. Re:What about blind people? by Phoenix+Dreamscape · 2003-11-12 06:05 · Score: 2, Informative
  
  They have one that generates sounds. You're in trouble if you're blind and deaf, though.
  
  --
  Scratched Emulsion
2. Re:What about blind people? by FattMattP · 2003-11-12 06:12 · Score: 1
  
  They have one that generates sounds.
  Where on his demo page does it allow me to hear a sound? There's no mention of it on the main page either.
  
  --
  Prevent email address forgery. Publish SPF records for y
3. Re:What about blind people? by Glass+of+Water · 2003-11-12 06:33 · Score: 5, Interesting
  
  What they should do is use a question, written out in regular HTML text that is easy for a human to answer but hard for a computer. Example: What color is the sky on a cloudless day? Another example: My name is Joe Frank Smith. What are my initials?
  Think those are easy for basic AI bots? Then try them with one of the existing online bots.
  Seems like the problem with this (as opposed to generating pictures) is that it's hard to generate question/answer pairs where there is a one-word or obvious single answer. You don't want to use yes/no questions or questions where the answer is a word in the question ("Which is heavier, lead or cotton?").
  
  --
  There are no trolls. There are no trees out here.
4. Re:What about blind people? by J+x · 2003-11-12 06:46 · Score: 1
  
  Wouldn't it be amusing (chilling?) if, in an effort to circumvent your proposed security measure, spammers stumbled upon true AI ?
5. Re:What about blind people? by Jerf · 2003-11-12 07:19 · Score: 2, Interesting
  
  What they should do is use a question, written out in regular HTML text that is easy for a human to answer but hard for a computer. Example: What color is the sky on a cloudless day?
  
  I'm afraid I'd have to recommend against using that question for blind people.
  
  Might want to pick your examples a bit more carefully ;-)
  
  (Not that it's absolutely impossible they'd know the answer, but it's mere meaningless trivia to someone who has been blind from birth; I don't think I'd remember it.)
  
  Think those are easy for basic AI bots?
  
  Remember, you're not going up against the bots, you're going up against the bots as a proxy for a spammer. If you create a pattern "My name is $random_first $random_middle $random_last. What are my initials?" then the answer is something like
  
  perl -pe 's/My name is (\w)\w* (\w)\w* (\w)\w*. What are my initials\?/$1$2$3/g'
  
  (Try it on your question. Be sure to type the question precisely.)
  
  Now you're back in an arms race against the spammers; the whle point is to avoid the arms race in the first place.
  
  BTW, before criticising this 'solution', be sure you understand what an arms race is. I know you could further obfuscate it. But you could also further de-obfuscate it. And believe me, with a halfway intelligent system I can keep pace with you; for instance, if I write my cheating spammer so it brings things to my attention in real time as it can't figure them out, I can build a solution bank pretty quickly, not quite as quickly as you can create new challenges (well, maybe, if I'm better then the challenge writer), but certainly faster then you could deploy the new challenges. If you're not bypassing the arms race entirely, you're not winning, you're losing long term.
  
  This is a common failing of understanding when thinking about these technologies. You're not going up against a machine, you're going up against an augmented human. (It's why I still think Bayesian filtering will fail eventually, too; the spammers can augment themselves with the same technology, fortunately they just haven't correctly figured it out yet. The clock is probably ticking, though.)
6. Re:What about blind people? by hbo · 2003-11-12 07:52 · Score: 1
  
  I'm already getting SPAM that gets through SpamAssasin's Bayesian filter. They include lots of non-spammish words as white text on a white background. Then they break up the SPAM spew with unbalanced, bogus closing tags. For example:
  "En</figure>large yo</allowed>ur me</plastic>mber!"
  which helpful HTML renderers will print in glorious spamavision. (As Slashdot's did until I enclosed the example in an ecode block.)
  
  Your point is well taken. If you come up with a suite of questions. the spammer can come up with a suite of responses. If you change the questions, it gives you relief for a while, but then the spammers will catch up. The problem is, questions that a computer can't do semantic analysis on can't be generated by computer, either.
  
  --
  "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
7. Re:What about blind people? by Carnildo · 2003-11-12 08:13 · Score: 1
  
  Either the filter will learn the bogus tags, or SpamAssassin will get a spam test that assigns a high score to the tags.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
8. Re:What about blind people? by hbo · 2003-11-12 08:23 · Score: 1
  
  It would have to be the latter, since the tag text could be any dictionary word whatsoever, except some currently open tag.
  
  Assigning a high score merely to "bogus" closing tags would be bad too, because of XML. You could score a large number of poorly formed (in the XML sense) tags as suspect. Doing so for only one or two might catch fat-fingered, but otherwise innocent coders. 8)
  
  --
  "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
9. Re:What about blind people? by dubious9 · 2003-11-12 08:30 · Score: 1
  
  perl -pe 's/My name is (\w)\w* (\w)\w* (\w)\w*. What are my initials\?/$1$2$3/g'
  (Try it on your question. Be sure to type the question precisely.)
  
  What is the perl code for arbitrary questions? The spam programmer doesn't have access to your question. Nobody has programmed a bot that can correctly answer arbitrary question. There is no current way to de-obfuscate (er.. clarify?) this problem. All everybody has to do is write a unique question the a normal person would understand.
  
  Then you are on the leading edge of the spam war. You don't apdapt to spamming tactics, spamming tactics adapt to you. Except they can't
  
  Also, there is no way that spammers can adapt to Bayesian filtering. It's different for everybody. You can't overcome an arbitrary filter, unless your spam looks exactly (including headers) like the mail that gets by most filters. But then a human probably couldn't discern the mail as spam either and throw it away, thus losing all its value.
  
  --
  Why, o why must the sky fall when I've learned to fly?
10. Re:What about blind people? by Anonymous Coward · 2003-11-12 09:21 · Score: 0
  
  Good point, but BaffleText is pretty hard for a sighted person to use (at least for me). They have a survey -- try it and see if you do any better.
  
  http://www2.parc.com/istl/projects/captcha/captc ha s.htm
11. Re:What about blind people? by Carnildo · 2003-11-12 10:10 · Score: 1
  
  Does any e-mail software use XML rather than HTML for formatting e-mail?
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
12. Re:What about blind people? by Glass+of+Water · 2003-11-12 10:38 · Score: 1
  
  The way I see it, we win either way (unless these spammer-created bots become our new overlords).
  
  --
  There are no trolls. There are no trees out here.
13. Re:What about blind people? by Glass+of+Water · 2003-11-12 10:50 · Score: 1
  
  Might want to pick your examples a bit more carefully ;-)
  Uh, Oh! It's harder than I thought!
  Your criticism of generating question/answer pairs is insightful. Don't forget that the bots can also learn to read the pictograms (I think there's a paper on this linked off the captcha.org home page). Whatever type of turing test you come up with, there are likely to be holes in it.
  I'm also aware that even a small hole can be just as bad as a big one. I guess the question is whether you can have enough of an advantage in the race to make it worthwhile. My position is that it's worthwhile. You just have to have a good enough way of generating question/answer pairs.
  The whole of security is an arms race. Some quarters have it pretty well figured out, and others are relatively clueless. You can buy a cheapo firewall appliance and have it do its job perfectly. There are other ways an attacker can mess with you, but it still is good to have the firewall.
  We shall see. I hope someone tries it, because I'd like to see how they come up with the q/a pairs. Maybe you could scrape sentences off of the news sites and use them for input.
  Enough blabbering...
  
  --
  There are no trolls. There are no trees out here.
14. Re:What about blind people? by dbullock · 2003-11-12 12:16 · Score: 1
  
  That's what alt tags are for.
  
  --
  http://www.bullnet.com
15. Re:What about blind people? by herrvinny · 2003-11-12 12:28 · Score: 4, Insightful
  
  The problem is, generating all those sentences. The sentences have to vary, they can't all be: My name is Barney Big Purple Dinosaur. What are my initials? My name is Einstein Mozart Bach Quartet. What are my initials? Then a spammer could just use regular expressions to handle that. Even Java introduced an easy-to-use regex package a few versions ago. Another problem is, you would have to generate literally billions of them, because a spammer may theoretically just hit a service with billions of requests - who's to say that the requests are real or not? And then the ultimate problem: How are we going to generate all these questions? A computer, of course, but the problem is again, how does a computer generate billions of these things so only a human and not a computer can interpret it? At that point, you're approaching true AI. And if we had AI, forget the spam problem: Just have the AI process each and every email.
16. Re:What about blind people? by Glass+of+Water · 2003-11-12 13:33 · Score: 1
  
  Yeah. That's definately the challenge.
  I really didn't mean to use the same format question and just change the insignificant bits. It just so happens that the examples I chose are bad. I really mean you have to have a supply of question/answer pairs where the answer is obvious and not contained in the question.
  That this is a problem only AI can solve has not been demonstrated. It's clear that it's a hard problem, though.
  Maybe you could come up with a model for simple things that people understand and then use data available on the web to generate the questions.
  
  --
  There are no trolls. There are no trees out here.
17. Re:What about blind people? by herrvinny · 2003-11-12 14:51 · Score: 1
  
  What about running the email through SpamAssassin, then strip out all HTML tags and run the message itself through it? That should kill it. Or just switch to text email.
18. Re:What about blind people? by herrvinny · 2003-11-12 14:58 · Score: 1
  
  *Nods I agree. Arms races are fine, they may even be beneficial, because in this race, each side works harder and harder to increase the capabilities of a computer. That can only be a net good, because someday something good is going to come out of all this anti-spam research. But for now, we have to concentrate on this arms race. As long as we can keep a small advantage over spammers, keep them reacting to us, we hold the advantage. Some military general once said that you have to keep the enemy reacting to you, because once the enemy has to react to you, they have no time to force you to act. I think the good guys have a small advantage now with Bayesian filtering, but we have to start pushing the spam back so it doesn't clog the inbox. That's why challenge/answer on a web page is better: network resources won't be used up to send spam.
19. Re:What about blind people? by Jerf · 2003-11-12 15:13 · Score: 1
  
  I'd reply, but I already have.
  BTW, before criticising this 'solution', be sure you understand what an arms race is. I know you could further obfuscate it. But you could also further de-obfuscate it. And believe me, with a halfway intelligent system I can keep pace with you; for instance, if I write my cheating spammer so it brings things to my attention in real time as it can't figure them out, I can build a solution bank pretty quickly, not quite as quickly as you can create new challenges (well, maybe, if I'm better then the challenge writer), but certainly faster then you could deploy the new challenges. If you're not bypassing the arms race entirely, you're not winning, you're losing long term.
  
  This is a common failing of understanding when thinking about these technologies. You're not going up against a machine, you're going up against an augmented human.
  Read it again, more carefully. (If you'd replied to the issues with some sort of support or evidence of comprehensive, I'd be less snarky, but you show every sign of keyword-based comprehension.
  
  Hmm, are you an AI?)
  
  Also, there is no way that spammers can adapt to Bayesian filtering. It's different for everybody.
  
  And on that you're just empirically, provable (and proven) wrong. (Same link I posted in the first message.)
20. Re:What about blind people? by Anonymous Coward · 2003-11-12 16:23 · Score: 0
  
  What about users that are blind, deaf, and really stupid?
21. Re:What about blind people? by hbo · 2003-11-12 17:01 · Score: 1
  
  That's possible, but difficult. The bogus tags themselves reveal why that's so. They are not valid HTML, but they have the form of valid closing tags. Though I don't know the pre-XML (read fairly current) HTML spec very well, and being too lazy to look it up at this hour, I nevertheless seem to recall that it says browsers should ignore tags they don't recognize. In any event, browsers are notoriously liberal about what they will render, so as to make the "user experience" nicer, and the job of standardization impossible. 8) All of this makes it tough to strip out bogosities. However I think that it's a requirement to do that if Bayesian filtering is to survive the current round of slime-bucket SPAM-mongering countermeasures.
  
  The other countermeasure I've seen get through SpamAssassin is stuff like this:
  Hey, how's it going? You know, you were right about <a href="slime-sucking-spam-site.com">that site!</a> They <em>do</em> have erection meds for much less. How do you think they get away with it? Cheers, Your low-life SPAM-sluicing buddy.
  This was predicted in Paul Graham's original Plan for Spam. Quoting:
  
  To beat Bayesian filters, it would not be enough for spammers to make their emails unique or to stop using individual naughty words. They'd have to make their mails indistinguishable from your ordinary mail. And this I think would severely constrain them. Spam is mostly sales pitches, so unless your regular mail is all sales pitches, spams will inevitably have a different character.
  
  There's still grist for the Bayesian mill in messages like the example, but it's thin grist, indeed.
  
  --
  "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
22. Re:What about blind people? by Anonymous Coward · 2003-11-13 14:55 · Score: 0
  
  Give them Linux.
23. Re:What about blind people? by silentbozo · 2003-11-13 21:22 · Score: 1
  
  Well, there is the final solution - whitelisting. Unfortunately, like the atomic bomb, it may render the the battlefield unfit for human consumption...
24. Re:What about blind people? by Ed+Avis · 2003-11-17 07:14 · Score: 1
  
  In this case the obvious cure is to render the 'HTML' to plain text first and then do spam-checking on that. Of course if you use a lame mail reader that really wants to display the lovely red colours and FONT SIZE="+9" then you still have a mismatch between what is checked and what is displayed, but not such a big one.
  
  --
  -- Ed Avis ed@membled.com
much better by capoccia · 2003-11-12 05:59 · Score: 2, Informative

much better than blacklists and captcha is a bayesian filter.

blacklists are innaccurate: blacklisted words can be misspelled and pass through.

captcha discriminates against the disabled and cuts them off from online discussions.

James Seng has crafted a good bayesian filter for movable type.
okay class, pencils down by Phoenix+Dreamscape · 2003-11-12 06:03 · Score: 2, Interesting

Some of the examples on their site take a lot more time and mental effort than just looking at a word and typing it. I would be very bothered if I had to take one of those little tests just to fill out a form.

--
Scratched Emulsion
1. Re:okay class, pencils down by AllUsernamesAreGone · 2003-11-12 07:03 · Score: 1
  
  Even better then: it not only stops spammers, it ensures that only people with a real need actually fill the form in.
  
  Maybe it could be modified so that only people with >120 IQ can fill in the form too.... hmmmm.....
what about accessibility? by Peter+Winnberg · 2003-11-12 06:03 · Score: 0, Redundant

How will people with a text-based or non-visual web browser be able to site the site?
1. Re:what about accessibility? by Anonymous Coward · 2003-11-12 06:15 · Score: 0
  
  <img alt="november oscar india delta echo alpha">
2. Re:what about accessibility? by lynx_user_abroad · 2003-11-12 06:21 · Score: 1
  
  Works just fine for me. Of course, the text browser has to be tied into a graphical imager (like Gimp) to display the one small image, but it was surprisingly intuitive.
  
  --
  The thing about things we don't know is we often don't know we don't know them.
3. Re:what about accessibility? by GreenHell · 2003-11-12 06:37 · Score: 1
  
  <img alt=november oscar india delta echo alpha>
  
  There's two problems with that:
  
  First no alt text is provided in the linked to implimentation.
  
  Secondly, by doing so you've just eliminated the usefulness of the image as a spam bot blocker. I mean, how long would it really take someone to fix up the code on their spam bot to check for alt text and swipe the first letter of each word in it to deal with that kind of situation?
  
  The entire point of the image was that it couldn't be read by machines, by providing alt text you've just removed that restriction and the image's usefulness along with it.
  
  --
  "I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
Botcheck by BrookHarty · 2003-11-12 06:09 · Score: 1

I tried to sign up with a forum this weekend, and I couldnt tell the letters, Couldnt tell the Zero from an "O". Only a minor problem, still has a few bugs to be worked out. But its nice to have real time authorization, instead of waiting for email to authorize the accout.

Also lots of services, are there any good free downloadable php addons?
Blatent Plug by gavinroy · 2003-11-12 06:16 · Score: 2, Informative

For my GPL'ed PHP Captcha sofware:

http://sourceforge.net/projects/session-captcha/
Patented? by orthogonal · 2003-11-12 06:18 · Score: 2, Interesting

patented in 2001 by AltaVista

If AltaVista patented it, does BotBlock license the patent? Or will this service be rather short-lived?

--
Opinions on the Twiddler2 hand-held keyboard?
1. Re:Patented? by Goo.cc · 2003-11-12 08:05 · Score: 1
  
  That's what I want to know. It would seem that this software is violating the patent.
I'm neither blind nor deaf, but... by jcwren · 2003-11-12 06:37 · Score: 2, Interesting

...the images here here are absolutely unreadable. If I had to use this to subscribe to a site or forum, or fill out a form, I'd just say "screw it", and wander on down the 'net.
1. Re:I'm neither blind nor deaf, but... by Curien · 2003-11-12 07:03 · Score: 1
  
  You sure? Looks fine to me. Takes a small bit of effort, perhaps, but it's definitely readable.
  
  --
  It's always a long day... 86400 doesn't fit into a short.
2. Re:I'm neither blind nor deaf, but... by recursiv · 2003-11-12 07:35 · Score: 1
  
  absolutely unreadable? try reloading. i haven't found one yet that was remotely challenging.
  
  --
  I used to bulls-eye womp-rats in my pants
YHBT by recursiv · 2003-11-12 07:38 · Score: 1

The entire point of the image was that it couldn't be read by machines, by providing alt text you've just removed that restriction and the image's usefulness along with it.

The poster knew this. It was either a joke or a troll, or both.

--
I used to bulls-eye womp-rats in my pants
1. Re:YHBT by Anonymous Coward · 2003-11-13 14:57 · Score: 0
  
  it spells out no idea, you big dummy.
BotBlock looks breakable by JukkaO · 2003-11-12 08:18 · Score: 1
Not that I really looked at how configurable this is, but...

...seems to me this BotBlock thingy wouldn't be that hard to decode, juding by the example, at least.
- The font is fixed-width with black outlines on each letter
- The background consists of single-color filled ellipses and/or circles.
- Clicking the image gives you a new pic with the exact same codeword.
Ssooo, I bet it's feasible to figure out where the codeword starts on the pic. And since the font is easy I guess you can figure out each of the letters.

And if all this fails, get what you have, make your bot click the image and try again :)

Leaves me wondering whether the point of these things is to actually make it impossible to programmatically figure out the text or just make it hard enough so that most spammers won't bother.

Now having it make sounds, as mentioned somewhere above, that'd be really interesting.
--
.SIGSEGV
1. Re:BotBlock looks breakable by maxconsulting · 2003-11-12 08:59 · Score: 0
  
  not only fesible, easy-to-do in fact.
This can work at a low level by jtheory · 2003-11-12 08:48 · Score: 1

If you come up with a suite of questions. the spammer can come up with a suite of responses.

You (and parent poster) have some good points here. Something you're missing, though -- you're still thinking in terms of a large service that can be reused by lots of websites.

Suppose the system only offered the framework, and you had to provide (and rotate) the questions yourself for your own website. I'm thinking of writing a filter question into my forms, since I hate those text recognition things (my eyesight's not very good, so obscured text with negligible contrast is very difficult to read)... I'd just ask the user to enter in the last word on the bottom of this page, or the name of this website, or something like that.

Because I did it myself, and it's using questions specific to my website, it would be very difficult for a tool to:
a) detect that I'm using a filtering mechanism
b) answer any of the questions (since they would NOT match familiar patterns)
c) successfully submit any form without human attention to configure it.

The weak point of any spambot is that it must scale. It must be able to successfully spam millions of forms to make up for the poor response rate. Anything we can to do defeat scaling will help.

My approach is a little dicey as a general solution, since it depends on the site developer or maintainer to write good questions... any suggestions? What about a field that must be left blank, or the form will be rejected?

--
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
1. Re:This can work at a low level by Carnildo · 2003-11-12 12:14 · Score: 1
  
  The simple fact that you're doing the forms yourself will stop 99.9% of all spambots. A spambot usually doesn't download the page and fill it in, it takes a list of pages known to have submission forms of a known type (usually found by a google search) and submits pre-filled forms to them. Since you're doing a custom form, a spammer would need to find your form, and then spend the time to tell his spambot how to fill it out -- a much less productive use of time than finding more customers to spam for.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
BotBlock --- EZ to OCR by maxconsulting · 2003-11-12 08:56 · Score: 0

BotBlock offers the easiest to OCR CAPTHCA I ever cracked! Is there a market for selling a BotBlock crack as a web services to spammers?
The new Turing test? by G4from128k · 2003-11-12 09:20 · Score: 1

It seems like all these clever bot deflectors are really intelligence tests of one form or another. That they discriminate against the blind, non-English-speakers or people with lower IQ is a shame. Bot makers will now work hard to OCR given classes of text-image-disruption algorithms or answer given classes of common sense questions. This means we will have an arms race of smarter bots and tougher tests.

At some point the tests will be so tough and the bots will be so good that many people will be thwarted while many bots will get through. At that point will we concede that computers have passed some form of Turing test?

--
Two wrongs don't make a right, but three lefts do.
1. Re:The new Turing test? by Anonymous Coward · 2003-11-12 09:24 · Score: 0
  
  Nah, they will just outsource the job to India. Some poor person will be served up thousands of distorted words a day and expected to get 95% of them correctly entered within 10 seconds.
2. Re:The new Turing test? by herrvinny · 2003-11-14 04:33 · Score: 1
  
  Then we'll ban all IP's from foreign countries. I do it already with email.
Unique CAPTCHA Implementation by madstork2000 · 2003-11-12 10:32 · Score: 2, Informative

I'm working on another version, which I believe is unique at this point. (At least I didn't find anything like in on Google a few weeks ago).

See a sample at the link below. (DISCLAIMER:: This site is a small self run hosting company, and has "sales" links, and is of commercial nature. So if you're going to get all pissed off because I am trying to feed my kids please do not click through. The sample does not collect or log anything outside of what Apache routinely collects. ) http://webshowhost.com/main.php?smPID=PHP::ui_huma n_verify.php&caseFlag=SAMPLE

What makes this implementation unique is that in the pattern user must identify color and characters. It combines multiple levels of recognition. The user must understand the concept of COLOR and the characters. This should make it particularly difficult for SPAM bots to dicipher, since color is very subjective. I am posting this here mainly to establish prior art (as I have not seen any test use these concepts before) in case some joker tries to patent this variety of CAPTCHA.

My variety integrates into a toolkit I've developed, but basically uses imagemagik montage to fuse pre-rendered image bitmaps into a single JPEG.

It is obviously weak in the sense that it discriminates against blind folks and illiterate folks. On the bright side it has definately eliminated ALL of my spam!

If your interested in this contact me at captcha1@webshowpro.com ** Note you'll have to verify yourself with the prototype system to sendmail to that account.

I'll do my best to provide you with the relevent code. I don't have time at this point to lead a project (as my company is a oneman show barely scraping by at this point). So my apologies in advance if I cannot support the code to your satisfaction.
1. Re:Unique CAPTCHA Implementation by madstork2000 · 2003-11-12 11:50 · Score: 1
  
  I forgot to mention I am working on a version for blind folks, that works pretty much the say way,but instead of stitching together images, it will stitch together sound bytes of the alphabet to make the pass phrase. To help avoid confusin I started with "A - Alpha", "B - Bravo" "C - Charlie", etc though I don't have enough done to test however average users respond to this format.
  
  There has not been much demand, so I have not made much progress since my initial tests.
  
  Overall it will be a little weaker in that I cannot have a "red" voice, "blue" voice etc. But I'll probably be able to add some other sort of verbal instruction to trip up the bastard bots! At the very least I can probably use a female and male voice, and perhaps synthetic voices as well.
  
  Chances are the pass phrase can be a little longer, if the audio loops. That would help make up for the audio version being weaker.
  
  There will still be a problem with non-english speakers, but if the content is english, what good is it for them to visit or send email?
  
  Anyway, non english speakers, can use these methods to create CAPTCHAs in their own native tongue for their target audience.
2. Re:Unique CAPTCHA Implementation by Carnildo · 2003-11-12 12:27 · Score: 3, Insightful
  
  A few things to keep in mind:
  1) Colorblind people (10% of the male population of the world). By far the most common form of colorblindness is red/green, so as long as you stick with easily-distinguished colors like black, red, and blue, you should be fine. You could probably add yellow and a medium grey to the mix, but yellow can be hard for normal people to read, and on some monitors, grey can be mistaken for black.
  2) Increase the overlapping of the characters a bit. Right now, the characters can usually be separated out by color into three images, at which point a spambot can simply pick the one that matches the color of the instruction image.
  3) You can make an audio CAPTCHA harder for computers to recognize by adding noise to the sound, or by using recordings of a person with a strong accent (or better still, a variety of accents)
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Terminator 4: Rise of the Spambots by Channard · 2003-11-13 02:27 · Score: 1

The way I see it, we win either way (unless these spammer-created bots become our new overlords).
And if they do, the worst they'll do is try to sell us penis enlargement pills, which is still preferable to a Terminator style apocalypse.
Not a perfect solution by Eric+Savage · 2003-11-14 06:46 · Score: 3, Insightful

Even if you had an image that was 0% readable by OCR, image verification only stops "pure bot" spamming. It does not stop someone writing a helper or proxy app that presents them with a list of 1000 images that they type out in a very efficient manner. This could mean the difference between a million and a thousand spams per hour, but that's still a thousand spams per hour. And if you dismiss this as something that nobody would bother to do, you obviously don't know anything about spammers...

--

This is not the greatest sig in the world, this is just a tribute.
1. Re:Not a perfect solution by Anonymous Coward · 2003-11-15 02:34 · Score: 0
  
  You're right. I'm not going to give you any more info than this, but I've posted stuff in MT comments for promotional purposes. It works surprisingly well, and even if I can only do 50 in an hour, that's still FIFTY backlinks from Google I've probably picked up. An hour a day for a couple of weeks will put you way in advance of all but the heaviest competition. I don't even bother with robots.. my posts tend not to get deleted because of the seemingly 'human' element.
2. Re:Not a perfect solution by Anonymous Coward · 2003-11-18 09:25 · Score: 0
  
  Insightful my ass.
  
  Spammer: Even if I get a thousand through, it's still worth it.
  
  Spam-Fighter: I'm getting millions through now, but if I can only reduce this to thousands it's not worth it.
  
  Dumb. Just because there isn't a perfect solution (short of yanking the network cable out) does not mean that you shouldn't implement something that gives you an improvement of several orders of magnitude.
  
  5 spam a day instead of 50? I'd love that.