Why the CAPTCHA Approach Is Doomed
TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."
So if the CAPTCHA is doomed, what is the next approach? Letting spam bots go rampant over a site is not an acceptable alternative.
Jumpstart the tartan drive.
I have suggested a solution more times than I care to count: impose default caps on sent emails per account, IP, whatever, until the sender has been established as a legit sender of mass mails. That would eliminate spambots running on "regular" people's computers, for example.
I have been blocked from several services because my IP (DHCP assigned, NATted) fell in a range assigned to an ISP that had too many spambots or portscanners running in its network or somesuch. If this happens to enough people, they'll either leave the ISP or pressure it to clean up its act (other ISPs could play a role).
That system would naturally be susceptible to abuse, but then so would any other system. Ultimately you will have to come to a solution that removes the profit from spamming, for example. Your fourth suggestion would go a long way towards that. I'm sure that many people would be willing to place a deposit to cover a reasonable amount of messages. If I ever send a mass mail, it always goes to a listserv, which does the processing - and everybody on the list has subscribed to it. If I abuse the list, they complain, and I get blocked from it.
There is always a catch in all these, but until we're willing to be educated and act civilized... besides, as someone said, "freedom is messy".
-Dan East
...is the point going right over the author's head.
A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.
...until AI gets smart enough to answer questions intuitively.
"To err is human, to mod Funny divine."
I'm surprised more web developers don't observe the browsing trends of the bots before they subscribe.
For example, if the bot "lands" on the registration page only when it attempts to register, and it hasn't looked at other pages on the site yet, there's a good chance it's a bot.
You could use this information in a few ways. For example, put a stronger captcha for that user (bot) to get through, or somehow flag that registration for review and delay its usage.
I realize this approach is much more complex to implement, but I really think it improves filtering, not to mention better usability for the end-user (maybe you wouldn't even need a captcha for them if their browsing pattern looks legitimate).
Use 3 images on one side, and ask a question about each image on the other side. There must be more than one question for each image so as to not have the same 3 image and question combos popping up. Then, use a 3 strike approach and ban the IP for a day if it strikes out.
That's where the issue is.
I've been a nerd since I was born. Grew up with early computers. Watched them evolve until now. But nothing makes me feel dumber than trying a CAPTCHA 5 or 6 times and failing every time. It's a serious annoyance and I've seen WORSE that I haven't even attempted.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
block the IP address for 10 minutes, then an hour then a day.
The Dunning-Kruger explains most posts on
This troll actually gave me an idea. Why not ascii art?
Give an ascii art picture and ask the user to tell what it is.
In this case cock would let you through.
"I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets
... which is another way of saying they really don't work at all. Both annoy legitimate customers and users while still allowing those with nefarious motives to do whatever they wanted to do in the first place.
If someone says he and his monkey have nothing to hide, they almost certainly do.
... you are a computer. Life, er, up-time will be easier.
The world is made by those who show up for the job.
This is the answer:
http://www.thepcspy.com/kittenauth
http://www.artsoft.org/phpbb_ka/
Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?
On my own contact forms, I use a really simple obfuscation technique; it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:
<input type="text" name="email">
<input type="text" name="subject">
<input type="text" name="message">
Obviously it's pretty easy to fill out. If they see this instead:
<input type="text" name="sj38d74j">
<input type="text" name="9sk2i84h">
<input type="text" name="m29s784j">
Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).
It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:
<input type="text" name="email" style="display: none;">
That's a honeypot: if it's filled out, then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.
Really simple solution, requiring no user interaction, and it is at least as effective as, if not more effective than, a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now... at least my own inbox is spam-free though.
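The two tricks in the post above (randomized field names plus a hidden honeypot field) as one server-side check, written here as an added example and not the poster's own code. It assumes a stateless signed token carries the per-form field-name mapping, and adds a minimum fill time and a token lifetime; the secret, field names and timestamps are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"

REAL_FIELDS = ("email", "subject", "message")  # logical fields of the contact form
HONEYPOT_NAME = "email"        # the "good" name goes on the hidden decoy, as in the post
TOKEN_TTL = 3600               # seconds a rendered form stays submittable
MIN_FILL_SECONDS = 3           # a human cannot realistically fill the form faster


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload so a client cannot forge the mapping."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_form(now=None):
    """Create a fresh mapping logical name -> random field name, plus a signed token."""
    now = int(time.time() if now is None else now)
    field_map = {logical: "f" + secrets.token_hex(4) for logical in REAL_FIELDS}
    payload = json.dumps({"fields": field_map, "ts": now}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return field_map, token


def render_form(field_map, token):
    """HTML for the form: random names on real inputs, honeypot hidden by CSS.

    autocomplete="off" and tabindex="-1" reduce the chance that browser autofill or
    keyboard navigation puts a value into the decoy (the caveat raised in the thread).
    """
    lines = ['<form method="post" action="/contact">']
    lines.append(f'<input type="hidden" name="_token" value="{token}">')
    lines.append(f'<input type="text" name="{HONEYPOT_NAME}" style="display: none;" '
                 'tabindex="-1" autocomplete="off">')
    for logical, random_name in field_map.items():
        lines.append(f'<label>{logical}: <input type="text" name="{random_name}"></label>')
    lines.append("</form>")
    return "\n".join(lines)


def check_submission(posted, now=None):
    """Classify a POST body (dict of name -> value).

    Returns ("ok", {logical: value}) for a plausible human submission, otherwise
    ("reject", reason). Checks run cheapest-and-strongest first.
    """
    now = time.time() if now is None else now
    token = posted.get("_token", "")
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return "reject", "malformed token"
    if not hmac.compare_digest(sig, _sign(payload)):
        return "reject", "bad token signature"
    data = json.loads(payload)
    age = now - data["ts"]
    if age > TOKEN_TTL:
        return "reject", "token expired"
    if age < MIN_FILL_SECONDS:
        return "reject", "submitted too fast"
    if posted.get(HONEYPOT_NAME, ""):
        return "reject", "honeypot filled"
    values = {}
    for logical, random_name in data["fields"].items():
        if random_name not in posted:
            return "reject", f"missing field {logical}"
        values[logical] = posted[random_name]
    return "ok", values


if __name__ == "__main__":
    fmap, tok = issue_form()
    print(render_form(fmap, tok))
```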
Because an open ended question would get a million different responses.
And having the user select a radio button would narrow the probability down to 1/X choices. And when you have a million bots, 1/x is more than enough to get your spam out.
Help! Help! I've been captured by captchas! I'm now forced to post as Anonymous Coward so I can enjoy the beauty and wisdom of the Slashdot captcha!
Hee hee ha ha!!! Help I need taken away to Captcha land!! he he ha ha haha!!
has a different take on the subject. Rather than trying to obscure the image with lines or similar measures, it uses a series of letters, some of which are a color. You are then asked to type in the colored letters to proceed.
I don't know if these are static images or generated each time but the owner claims his site has almost no spammers (i.e. people have to do it, not machines).
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
CAPTCHA is to Broken as The Economy is to:
a) Cowboy Neal
b) f*ked
c) RickRolled!
Most CAPTCHAs are hacked because their implementation is amateurish. They are hacked by reusing session ids or dictionary attacks and have nothing to do with the actual image itself. Long story short, CAPTCHAs reduce the amount of spam by more than 50% simply because it's not worth the effort for a spambot to break it; after all they have the entire internet to spam.
Some are good some are bad and most are downright horrible, but you wouldn't want your favorite forum to be trolled by spambots would ya? Might as well live with it. Nothing works 100% you should know that by now
did you forget to take your meds?
I like the general idea, however a problem I see is that mechanisms that auto-fill forms for you (like your name and email address) may not work on your page - and even worse might populate that honey pot field the same way a bot would.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Already been done.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Srly - great. :)
we are all just programs living inside the matrix of reality. it then goes to show that the programs we write could therefore exhibit and exploit any traits which we claim make us human, thus making it very difficult to find a simple test to express what is a conscious living human person.
also, "self awareness" is a lie.
It looks like we need a different approach to stop the bots.
Nuke the sites from orbit; it's the only way to be sure.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?
There can't be that many possible alternatives to call a single object that a user couldn't get one in three different tries.
(Just to void my moderation which went wrong...)
The more effort someone is willing to put out to prove they are human or are backed by a human willing to be responsible for problems, the more abuse-able services you give them.
For example, e-mail service providers could offer several tiers:
Simple signup/new accounts:
Limited number and size of incoming and outgoing messages.
Verified signup/driver's license with confirmation by paper mail:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Verified signup/credit card with confirmation:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Established account, with a pattern of usage indicative of a human over a period of several weeks:
Nearly-full, with shutoff or limitations imposed at first sign of abuse.
Credentialed user, backed by a substantial bond or deposit and an explanation of why suspicious behavior really is legitimate:
Full access plus a free pass on "legitimate" suspicious behavior until someone complains, but if it's abused then throttle him and take the costs out of his deposit.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's doomed because it's fundamentally flawed. When you can hire someone in India to crack them by the thousands (per day) for cheap wages, it's all moot. It doesn't matter what you do for lettering and whatnot when you have an intelligent human perfectly willing to solve them. They just happen to be in the employ of spammers. They make CAPTCHAs on the assumption it isn't worth someone's time to crack them; the problem is they are placing value on time / labor expenditure at local rates and not those in India.
I was under the impression that there was some kind of Slashdot policy against submitting links to your own (rather uninsightful) blog. Evidently I was mistaken.
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
That isn't ascii art - it is a figlet (http://en.wikipedia.org/wiki/FIGlet), which I would guess is much easier even than the image based word captchas
Solve the following math problem to continue:
1/0 = ?
There is a different way to manage obscurity/captchas: simply generate strangely worded questions with obvious answers.
Maybe I've missed something, but wouldn't a bot have significant trouble coming up with the answer to a question like:
What does a person see with? (plural)
Not that anyone would be able to get past the 'who was the n-th president of the U.S' approach.
Ahh, good ol' ascii art. I have fond memories of compiling the original UT on my old gentoo box and playing it with some obscure compile option (or perhaps library -- any answers more than welcome!) that rendered all the scenes in good ol' "Base 64".
It's amazingly fun, and arguably looks better now than the old UT graphics do...
My UID is prime. Is yours?
CAPTCHAs are simple Turing tests. As computers get faster and software gets smarter, it will become harder and harder to tell them apart. Also, since humans have a broad spectrum of ability, there will be an increasing percentage of humans who can not pass the tests.
For example, math students who can not tell a Rembrandt from a Picasso, and art students who can't determine the roots of a simple quadratic. (See, I'm not picking on anyone in particular - we are all ignorant in most fields.)
In future we will get to a point where the computers can design CAPTCHAs that no human can solve, but robots can!
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
I recently worked with a kid who was trying to implement a "faptcha" on his imageboard - it displays male or female body parts and you select with radio buttons what it is from a list. Although, this is a pretty M rated solution. Whatever happened to "Cat or Kitten"?
FIGlets are still ASCII art.
text banners, in a variety of typefaces, comprised of letters made up of conglomerations of smaller ASCII characters (see ASCII art).
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Has anyone ever been to a site where you have to solve a captcha in return for porn? I've seen my share of sites and never found one that does. I guess everybody assumes that somewhere somebody's got to be trying it, but nobody actually is.
One major problem of captchas is that usually blind users can't solve the captcha. So you effectively lock out disabled persons from your website, a fact that is rarely mentioned in association with captchas. I think disabled people have enough problems already, there's no reason to further annoy them with captchas (I'm even annoyed by them as a not-disabled person).
I've found the best method is not relying solely on CAPTCHAs.
1. Build a simple CAPTCHA to catch most spam bots, yet something that my grandma can easily read.
2. Create a form field and set the display style attribute to 'none' to hide it. Bots tend to fill in all fields, so if the field comes back with something in it, chances are it was a bot submission.
I've recently implemented this technique on a very heavily spammed contact form and haven't seen a single bot slide past.
Come on now, I know we've discussed the demise of the CAPTCHA here on /. before. It's simple, though, to see that we'll need to innovate for more solid methods of checking human vs. computer. If you've seen one CAPTCHA you've likely seen 50 different styles, which should be a clear sign that developers are struggling to keep up with the enemy, as usual, but as long as we keep innovating, the spammers will have to continue innovating as well. There won't ever [likely] be a solid, foolproof solution for detecting a human vs. a bot as far as testing the "user" against some set of images or speech even.
If pattern recognition CAPTCHAs don't work, the next obvious step is logic puzzles with type in answers.
Other than that, TPM based browser plugins verifying web submittals are coming from physical human interface devices are all I can think of.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
It seems to me (which admittedly is very limited) that spam comments are only as valuable as google/users allow them to be. Most users can recognize a spam comment and ignore them, but Google can recognize links. Make links have "nofollow" in them.
--chris
Still won't defeat the army of underpaid workers to do it.
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.
The key is to make the bots/spammers use more resources than they have.
Something like this can be used to slow down email address scanning bots.
Like sending email with hashcash, if you make the scammers work to get the right answer by requiring them to compute a computationally complex formula (crypto function random walk distinguished points), they will not be able to keep up.
A website can pre-compute a table of (and continuously add to that table) challenge-responses that a visitor must perform. A human will see a 5-15 second delay to registration; to a bot this can be intolerable.
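A worked version of the hashcash-style proof of work the post above describes, added here as an example rather than the poster's design: instead of a pre-computed response table, the server issues HMAC-signed challenges and verifies any answer with a single hash, so only the client pays the cost. The secret, difficulty and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash 'work' measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PowServer:
    """Issues signed challenges and verifies proof-of-work answers.

    A challenge is "timestamp:difficulty:nonce:tag"; the tag is an HMAC so a
    client cannot lower the difficulty or mint its own challenges. Verified
    challenges are remembered so an answer cannot be replayed.
    """

    def __init__(self, secret=None, difficulty=16, ttl=300):
        self.secret = secret or os.urandom(32)  # constructed for the example
        self.difficulty = difficulty
        self.ttl = ttl
        self.spent = set()

    def _tag(self, body: str) -> str:
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, now=None) -> str:
        now = int(time.time() if now is None else now)
        nonce = os.urandom(8).hex()
        body = f"{now}:{self.difficulty}:{nonce}"
        return f"{body}:{self._tag(body)}"

    def verify(self, challenge: str, answer: int, now=None) -> bool:
        now = time.time() if now is None else now
        try:
            ts, difficulty, nonce, tag = challenge.split(":")
        except ValueError:
            return False
        body = f"{ts}:{difficulty}:{nonce}"
        if not hmac.compare_digest(tag, self._tag(body)):
            return False                     # forged or tampered challenge
        if now - int(ts) > self.ttl:
            return False                     # too old; stops stockpiling answers
        if challenge in self.spent:
            return False                     # replayed answer
        digest = hashlib.sha256(f"{challenge}:{answer}".encode()).digest()
        if leading_zero_bits(digest) < int(difficulty):
            return False                     # insufficient work
        self.spent.add(challenge)
        return True


def solve(challenge: str, difficulty: int) -> int:
    """Client side: brute-force a counter until the hash has enough leading zeros.

    Expected cost is 2**difficulty hashes; verification on the server is one hash.
    """
    answer = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{answer}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return answer
        answer += 1


if __name__ == "__main__":
    server = PowServer(difficulty=18)
    chal = server.issue()
    start = time.time()
    ans = solve(chal, 18)
    print(f"solved in {time.time() - start:.2f}s, accepted={server.verify(chal, ans)}")
```

Raising difficulty by one bit doubles the client's expected work while the server's cost stays constant, which is the asymmetry the post is after.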
Why not use logic? I've been using it for my sites and it works great! Here's an example:
http://paramountroofingny.com/html/contact.php
Dave
Most posts on this topic have been along the lines of, "Maybe CAPTCHAs as they are implemented now don't work, but here is a method that is trivial for people but hard for computers."
TFA's best argument, in my opinion, was that it is trivially inexpensive for a spammer to simply hire people to break CAPTCHAs. So, a method that doesn't annoy people but is hard for computers still won't work because the spammer will just use people. This is not a topic I know a lot about (not being a spammer I don't know what kind of revenue they generate) but would like to hear a response to this. Is the TFA off its gourd and better technology really will solve this problem? Or is gate-keeping for free services essentially pointless?
Hopefully involving...rocket propelled grenades
Sent from my ASR33 using ASCII
Possibilities, misspellings, regional preconceptions, etc. The idea is doomed.
Help fight poverty: Punch a poor person.
Greylisting only works because many sites don't use it; if everybody used it, it would stop working.
The economics of CAPTCHAs are even less favorable, since the cost of breaking a CAPTCHA is small compared to the cost of what the bot actually does after it has broken it.
Because my Lynx browser doesn't support it!
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Can't find the story when it made slashdot, but this.
You ask the user a question, transposing letters in the words, and the user must give the answer. Seems hard for a computer to figure out, easier for an actual person than captcha.
I don't understand why we still use CAPTCHAs or Kitty tests. I have been using a method on my service providing site for the past 5 years that fools any bot.
I simply state "Are you Human" yes/no.
You wouldn't believe the amount of success I have since I took down the earlier CAPTCHA technology I was using.
Almost immediately, the amount of customer emails I get daily increased 453%! Many of these customers were offering me things, such as money or drugs! I was also able to buy Viagra at near wholesale prices (and then turn them for a profit on my business trips to Florida).
My traffic has increased too! The amount of people using my free service almost took down my servers. I had to get 3 more! Of course, I am now operating at a loss, but I sleep well knowing that I made a difference in the world by letting so many people access my great service.
If anyone wants the "are you human" technology from me, I will give it away for free! Just email me. Thanks!
Implement a Three Strikes law to spamming. After a computer has been reported to be a spambot several times, make the ISP block it or blacklist the IP (or the ISP, at that).
All the things that contribute to spamming must be made uneconomical: Advertising your business through spam, renting out botnets, letting your computer become infected, and tolerating your users letting their computers become infected.
(I know this won't work. I am just getting emotionally worked up.)
I propose adding a web-wide restriction that all comments be made in person - no bots allowed.
This will allow for easy verification of humanity in nearly all cases, as any who have had any degree of physical interaction with bots can attest.
By the time the bots catch up, I don't know that I'll care too much either way - and at any rate, slight refinements of the test should be quite adequate in detecting botness, at least for as long as it matters...
Of course, by the time bots are capable of passing this test (which should be much harder than the Turing), why would they bother spamming us in the first place?
We will be able to live spam-free forever!
I do harbor some fears that the first attempts at suitable bots may seem too close to me, and I may be screened out by my fellows, but I should manage to survive - at which others may not succeed in case of a revolution.
I watched an amazing mini-documentary about Re-Captcha and really like the concept and the end goal. Basically Re-Captcha uses two words, one known word and one of the words is unknown and comes from book digitization efforts. The known word gets you into the site for whatever you are doing, the unknown one comes from a literary work that OCR couldn't figure out. After a large sampling of people have typed the unknown word the majority answer becomes the text entered in the digitization effort.
My contention is that people like myself who think it is a great cause would happily spend some free/bored time just entering the unknown words on a website without the whole captcha bit. If anyone here is a part or knows anyone on the team please bring this idea up.
http://teasphere.wordpress.com - A little spot of tea
Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?
When you spell it "rabit", it is.
Puny humans... The bots will not be stopped!
OpenID.
This troll actually gave me an idea. Why not ascii art?
Give an ascii art picture and ask the user to tell what it is.
In this case cock would let you through.
Because if you had read the article, you would know that if it is easy for a human to decipher, then it is easy for a human to get paid to decipher thousands of them.
If you pay a guy in Africa a few bucks to do this, then you don't need bots to crack your ascii picture.
Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn't need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!
Ideas that won't work:
Really, it's very easy to think you've come up with a very clever CAPTCHA. When you think that, all you've done is stoked your ego and screwed yourself over. It's the same reason why we don't roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.
How many questions can be checked by machines but not answered by them?
Not many; fewer every day. There are no questions that can't be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis [wikipedia.org] has some validity: the human mind is no more powerful than a Turing machine, and ultimately, computers and our brains are computationally equivalent. There's nothing a computer can't solve: there are just things we haven't figured out yet.
Web sites are designed for use by people. A person can only hit links and read pages so fast. Just implement a process that ensures a minimum time period between requests from a single IP. This will not stop it but it will increase the costs at the other end, only a little but every little bit helps.
Undetectable Steganography? Yep, there's an app fo
That captcha looks painfully easy to break. All a bot would have to do is render the HTML to an image and OCR it.
Here is my home page.
Is this like those things that pop up and ask you to type in what it says? Like letters and numbers? example: htyeopa9876hg.. but it's all fuzzy and you have to try and figure it out?
The Zend Framework (PHP) has a Captcha component which supports what you mentioned, ASCII words, made of many smaller letters. And I'm sure they didn't invent it.
Curiously yours, crip.
I'm not an expert in this field, but from what I've learned in all those years studying CS, speech recognition is much harder than image pattern recognition. Mainly because our human brain can easily parse accents and sloppy speaking, while computers hardly can.
Now that flash is installed on nearly every machine (and I don't say I approve), would it be too much of a problem to install a "play" button as a captcha, which just speaks a word? Granted, computer generated voice is probably easily crackable too, but let's say google or someone lets 100 people read 10 books each. And they choose a random word from the whole database. That would work I think.
What's the problem with full-on registration?
1) Form for username, password, email.
2) Stored in a DB where registered is NULL
3) Send an email asking user to visit link to complete registration
4) Set registered = yes
5) Weekly purge DB where registered is NULL
Captchas could also be questions like, "Paris is the capital of what country?" "What's the third menu item on this page?" "If you have four apples and one bicycle, how many pieces of fruit do you have?"
Even the perfect anti-auto captcha doesn't get around teams of people creating accounts manually to spam blogs.
Ascii art is even easier to crack than squiggly words; what we need is to use penial Biometrics now, that can't be faked or duplicated by a bot.
Carters Vault
Vault's Computer Voice: Welcome to the inner vault, Penial identification required.
Quagmire: Let me handle this.
BEEP BEEP vault opens.
Peter: That's amazing, how the hell did you match it?
Quagmire: Oh, I didn't match it, I just stuck it in there and broke it.
Frankly, that's what I've always thought, too. I guess it's not widely enough implemented (and/or the targets aren't high enough profile) to bother.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I'll agree that artwork open to interpretation won't work, ascii or otherwise.
But what about simple rebuses? Only two to three images that when spoken aloud sound like another word. A little more mental effort, perhaps, but easier on the eyes and virtually impossible for present-day computers.
I'm asking for opinions as to what is the (current) best alternative? I am currently (literally...which is actually the reason I looked specifically at this article) working on putting in reCAPTCHA for my site because I figured I'd wait to annoy my users until bots started hitting it...which they started doing a few days ago. I've now had ~50 or so bot accounts get signed up. Although they haven't responded to my confirmation email (and aren't able to login) it is really annoying and each account causes a few emails to bounce.
Anyway, I'm genuinely interested in what people have done for small scale sites. I figure when/if my site starts really growing the solution will change. That said, I'd prefer something simple and easy to implement and I can move to more sophisticated solutions when the need arises.
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
lapin, liÃvre.
Oh damnit Slashdot, get into the 21st century and support UTF-8 already.
That was supposed to be:
lapin, lièvre.
I had to use the è HTML entity to pass my accented character.
On the message board I administer, I had pretty good results by changing the way CAPTCHA worked... rather than a fill-in-the-blank method. People were provided with an image that had a well-known sentence or domain name, as well as the list of possible answers. So they'd see an image that looked like:
___ chase cats
dogs budgies kittens
and were told "fill in the blank". In this case, the expected answer was "dogs". Something that was ridiculously easy for a human to solve, but required actual comprehension rather than simple text recognition.
Unfortunately, we ended up updating the forum software to phpbb3, and I have yet to get off my ass to hack the captcha to do what I want again.
As others have said, using ASCII art is too difficult. Too many different ways to spell things, and if you embed the spelling you're looking for in the image, then you're back at square 1.
If you believe everything you read, you'd better not read. - Japanese proverb
SPAM is sent from compromised computers. If you make people pay for posts then the owners of compromised computers will be billed - not the real senders of SPAM. Billing would help minimize the problem, but we would still receive a pile of SPAM. And a pile of people who only use their computer once a week would have to foot the bill.
Confusing if not impossible for people who don't use the website language as their native one.
Also, won't somebody think of the rednecks? (cue "They took our jobs" guys from South Park. I bet they say words differently than you, for example)
I generally don't have a problem with CAPTCHAs, as it has gotten to the point where it is now rare to sign up to anything on the web and not encounter a CAPTCHA, and generally they're easy enough to get past so I just don't find them a big deal.
However, where I do have a problem with CAPTCHAs is when they're ridiculously hard to pass because they're so horribly obfuscated. For example the CAPTCHA that MegaUpload currently uses. I cannot for the life of me successfully get past it, and have yet to succeed a single time, and so have sworn off using their website anymore because it is just too much of a hassle.
Can I leave this box empty?
but until something better than captchas is developed, we have to keep using captchas, since a leaky captcha is better than no captcha
so i await the slashdot story trumpeting the brand spanking new approach that works much better than captchas. which is obviously difficult, or we wouldn't be posting about this
until then, nothing changes
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Mod parent +1 billion, insightful.
You can't give access to some unknown users and block access to some other unknown users.
Would it really be that hard to have a picture of a rabbit and set it to accept bunny or rabit or even hare?
There can't be that many possible alternatives to call a single object that a user couldn't get one in three different tries.
Not to mention the fools that would type "hair" and expect to get in.
This page was really helpful for us.
http://www.phpbb.com/community/viewtopic.php?f=1&t=427852&start=0&st=0&sk=t&sd=a
For smaller forums and niche boards, a board-appropriate question and answer is usually sufficient to stop nearly all spam accounts.
I'm a member of a guild for an online game and a couple of years ago we were seeing a lot of spam accounts created on our phpBB forums. After reading the above site, we then installed Registration Authorization Code (RAC) and asked a game-related question in addition to using CAPTCHA for account creation.
We assumed most bots create spam accounts based on the default account creation settings in phpBB. By inserting our question into the account creation process, we've probably stopped 99% of the bots. But if it was an actual human creating a spam account, asking a simple question via RAC would be an ineffective deterrent. Therefore, we used a question requiring game-specific knowledge (appropriate for real applicants and nearly impossible for spammers).
After implementing the above, we've had no more spam accounts created while having no problems with real account registrations.
But as a means of producing a bot to pass the Turing test, it's coming along swimmingly.
When the PHPBB2 CAPTCHA became completely useless and I was seeing hundreds of bot registrations on a forum I ran, I built something else. I added a simple extra text field to the registration form. I ask a plain English question, giving away the answer, and require the user to write it in the blank.
i.e. What is the common name for a domesticated feline? (Starts with "c" and ends with "at". This is an anti-spam measure.)
The field is checked for the right answer on the post-processing. This stopped 100% of the fake registrations. I ended up doing this on practically every web-accessible form I have built since then, and I've seen the method pop up on other people's websites as well (certainly parallel evolution rather than "they got it from me").
While that may be effective for the moment, as soon as a webmail provider starts using it, it'll be cracked overnight.
Run the CAPTCHA on a java applet!
This imposes a time delay for each attempt! (plus the bots have to install java.)
Make it a complex applet that does encryption and uses that DRM that Microsoft uses to steal our own monitors away from us... Don't have DisplayPort? Then you're a bot... Can't stand waiting a minute for the applet to load? Then you're a bot... Come back a week later after giving up (because you didn't want to install Java)? Then you are human. ;-)
Democracy Now! - uncensored, anti-establishment news
Sometimes, the captchas are ALWAYS unsolvable, like one site that uses complementary colours of the same intensity. That works well unless you can't read text on a complementary colour background, in which case you're always fscked. I am one of those.
Sounds like an animated captcha could be an alternative approach, since here you could vary the intensity over time. Of course the animated captcha should only be server generated series of bitmaps or vectors, and not be client generated (Flash would fail), for obvious reasons.
Jumpstart the tartan drive.
Pfft. Like rednecks are going to sign up for anything that requires a captcha to begin with. I'd be surprised if more than 10% of them knew how to turn on the "magic thinking box" (nevermind get online).
So why is it the African guys can't write good King's Money emails?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I'm surprised no one mentioned this so far: Why treat a symptom, when it does nothing to the disease? As long as spam is a problem, and profitable, any deterrent will be overrun just like DRM. It's just a matter of time.
The entire system of how email works right now needs to be thrown away. It was great for ARPAnet, but it wasn't built to scale in this fashion. Go ahead --- someone reply with the "Your approach to spam won't work, blah blah blah" copypasta.
Then I have no idea how you would explain This.
Why is it so hard to only have politicians for a few years, then have them go away?
Good riddance. It's beyond annoying trying to guess the CAPTCHA words half the damn time; other times they throw random symbols and dashes in there that aren't even part of the hidden word, and yet you still input them and you get an error msg and are forced to guess again. /boo
Visit my Forums?
+10 Funny! LOL
-dZ.
Carol vs. Ghost
It's worse than that. Any free or recipient-pays message system is subject to exactly the same amount of abuse. When sending a message costs nothing, the marginal cost of advertising is zero. As long as the marginal gain is non-zero, however small, volume will go to infinity. You can filter and legislate to reduce the volume of this advertising, but you'll never actually eliminate it. These countermeasures just bring the marginal cost of email up to slightly above zero --- but not nearly high enough to discourage spam.
Email isn't special. SMTP is fine. There was fax-machine spam long before even Compuserve. Today, we see text message spam, Facebook spam, MySpace spam, and so on. Email itself isn't the problem. Changing what you call the system doesn't change how it works. It's recipient-pays messaging that's the problem.
Sure, sender-pay systems like the postal service see some volume of advertising, but the volume is kept down by the relatively high marginal cost. Ultimately, I don't see a way of reconciling free anonymous messaging with a spam-free inbox.
If you have the proper IEEE 754 exception disabled, the answer is positive infinity. :-)
I don't think this works well. It's almost as easy to break this as breaking a regular captcha, with the additional step of having to make a bitmap out of the characters first. In fact, it might even be easier, since it would appear that the same letters all use the same pattern for each font, with only minor random noise to obscure the character. Since reloading produces a new captcha, it would only be necessary for an attacker to reload enough to get the full alphabet. This would be trivial, especially over a botnet.
A better ascii art captcha would require a little more variation in the individual letters, and a little more variation in the separator between the letters, which is currently just a space character. And it would be even better if they mixed and matched within the character itself, and transformed the letters a bit more.
I think GP is referring to ASCII art, as in, making an airplane or something out of letters, and then asking the user to identify it. I'm not sure that would be any more difficult to break than the existing image captchas out there, though it would certainly have the same limitation.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Well, there's bound to be a few rednecks who can use computers - I didn't say all of them couldn't.
Also, the site doesn't require a captcha to sign up (that I could find).
Not only will this scheme be impossible for color blind people but a computer can probably overcome it. While computers can not "see" colors like a human can they can discern colors. Internally, all colored images on a computer have number codes for the colors. A certain range of values corresponds to certain colors. If you have colored text there will be a color attribute that the computer can access.
Already been done.
Trivially easy to break; even easier than graphical captchas. Heck, this isn't even an exercise for the "abler student".
AC
The animal one won't internationalise very well. For example, a cow is a pet in India and food in most other parts of the world. A dog is food in China, and a pet in most other parts of the world.
I mean, where do you think spam comes from!
It's really kind of a no-brainer, yes?
Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.
Now, I didn't say you'd LIKE what 's next...
RS
...being that it has long been the case that, it takes money to make money, the idea is not only good practice, but sound business.
There is nothing to FEAR but NOTHING itself; and I fear there is a whole lot of nothing going on. --scorpivs
The whole approach of having a CAPTCHA that is validated by a computer breaks down at some point. The Turing test is performed by a human, not a computer. With CAPTCHAs, since they are computer-automated, it will always be a cat-and-mouse game between those who design and implement the CAPTCHA problems, and those who work on ways to subvert them.
For a more definitive way to tell automated actions and people apart would be to use people to test them, yet this may be prohibitive in many cases due to the labor costs involved.
wait whats the answer?
kittens chase cats?
O.o
We all bloody well know how to get rid of spam but nobody ever talks about the real culprits. The credit card companies. The ones who facilitate the way for spammers to make money. Unfortunately the CC companies make money so they don't care, but let's face it, if the CC companies decided to get rid of spam and lose the income, it could be wiped out in a week. All they would have to do is deny any payments to somebody suspected of spam - problem solved - I never hear anybody bitch about the root of the problem which is the ability to receive payments.
Stay tuned for new sig...
I made a CAPTCHA using flickr images to try and get around this problem: http://www.planetjoel.com/viewarticle/630/Flickr-CAPTCHA+v0.2+using+PHP+and+the+FlickrAPI+for+human+recognition It's similar to Microsoft's Asirra. I think this approach makes it more fun for the user and is harder for bots.
--
On Slashdot I'm a lawyer.
I'm sure most here have played that online 20 questions game, which used user input to create an impressive database that would guess your item every time. What about using that kind of information as a captcha? Tell the user to do the answering for a predetermined item randomly chosen, and the user will navigate to the correct item via the answers. For instance, the captcha program says "Think of a %s ('bee', for this example) and answer the following questions:
CAPTCHA: Is it alive?
User: Yes
CAPTCHA: Is it bigger than a shoebox?
User: No
CAPTCHA: Does it fly?
User: Yes
etc.
Sure, it would take a bit of time on the user's part, but it's fairly entertaining, easy for the end user, time-intensive on a large scale for scammers, and difficult for a computer to answer.
Due to circumstances beyond my control, I am master of my fate and captain of my soul.
Google gives the most results for "dogs chase cats"; that must be the correct answer.
For something like this to work, the phrases would need to be uncommon in a standard corpus of text. (Yet still be easily understandable for a human)
So I make a bot that
A: gets the text in the image
B: performs a Google search with the text and all the options
C: enters the result that generated the most results
O.o
> Verified signup/credit card with confirmation:
> Nearly-full, with shutoff or limitations imposed at first sign of abuse.
I'm not saying that the concept itself is wrong, but you say this as if the spammers don't have the information pertaining to millions of identities to use on a whim.
You know that they sell CC#s and details by the thousands, right?
How about something like this then:
* Some anti-spam organization sets up servers that store hashed email addresses. Call it a VEM (Verified Email) for short. It stores the hashed email address and a timestamp for the last check made on it.
* When an ISP receives an email from a user, it sends that email address to the VEM server, which hashes it and looks it up in their database. If the email address has been reported as a spammer, the VEM returns the result and the ISP does not send the email. Otherwise it returns the timestamp on the last verification check. The VEM database only contains hashes so that if it's compromised the hacker can't establish a list of valid email addresses without knowing the hashing algorithm.
* If an ISP using its Bayesian email filter detects an email address that appears to be spam, it reports that address to the VEM. If it is reported it gets flagged as a bad address, and will be reported as such.
* Since the VEM also returns the last time a message was sent from this email address, the ISP can then delay sending the next message by a few seconds, with the amount increasing every time if it's been within a few seconds, so that eventually it's no longer practical to spam from this address because the delay makes it impractical.
* On the client side you encourage developers to include a filter to only approve messages which have been verified. The user has the choice of whether to only receive verified email.
Now I am sure that some aspect of this is ill-conceived, prone to abuse etc. I know spammers can fake their email address, bots can send via their infected system's address etc, but I think this would quickly disable those addresses and it wouldn't be hard for the ISP to send a message back informing the user that it's been disabled and why.
I am sure people could use this to try to create a "DOE" attack (Denial of Email) by using software to report an address as a spammer, so that needs to be thought out. Perhaps the connection between the ISP and the VEM needs to be authenticated such that only those ISPs that the VEM has authorized are acceptable etc.
I just can't see any way to fix the problem without some third-party server that tracks spamming addresses and allows for filtering them out at the ISP level.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
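A toy model of the VEM scheme proposed in the comment above, added here as an example (not code from the thread or from any real service): the class names, the keyed SHA-256 hashing, the per-ISP reporter tokens and the doubling delay are all assumptions.

```python
"""Toy model of a VEM (Verified Email) lookup service and the ISP-side policy
that uses it. Added example; names, hashing and delay rules are assumptions."""
import hashlib
import hmac


class VEMServer:
    """Stores keyed hashes of sender addresses, never the addresses themselves."""

    def __init__(self, secret: bytes, authorized_reporters: set):
        self._secret = secret                         # key for the address hash
        self._reporters = set(authorized_reporters)   # ISPs allowed to file reports
        self._records = {}  # hash -> {"flagged": bool, "last_seen": float | None}

    def _key(self, address: str) -> str:
        # HMAC rather than a bare hash: a leaked table cannot be replayed by
        # anyone who merely knows the hash algorithm (the worry raised above).
        norm = address.strip().lower().encode()
        return hmac.new(self._secret, norm, hashlib.sha256).hexdigest()

    def check(self, address: str, now: float) -> dict:
        """Return the flag state and the previous check time, then record this check."""
        rec = self._records.setdefault(self._key(address),
                                       {"flagged": False, "last_seen": None})
        verdict = {"flagged": rec["flagged"], "last_seen": rec["last_seen"]}
        rec["last_seen"] = now
        return verdict

    def report(self, address: str, reporter_token: str) -> bool:
        """Flag an address; only authenticated ISPs may do so (limits the 'DOE' attack)."""
        if reporter_token not in self._reporters:
            return False
        rec = self._records.setdefault(self._key(address),
                                       {"flagged": False, "last_seen": None})
        rec["flagged"] = True
        return True

    def stored_keys(self) -> list:
        """What an attacker would see if the database leaked: hex digests only."""
        return list(self._records)


class ISPOutbound:
    """ISP-side policy: reject flagged senders, slow down rapid-fire ones."""

    def __init__(self, vem: VEMServer, window: float = 5.0,
                 base_delay: float = 2.0, max_delay: float = 300.0):
        self.vem = vem
        self.window = window          # "within a few seconds" of the last message
        self.base_delay = base_delay  # first delay applied to a rapid-fire sender
        self.max_delay = max_delay    # cap so a legitimate burst is not held forever
        self._streak = {}             # sender -> consecutive rapid-fire messages

    def decide(self, sender: str, now: float) -> tuple:
        """Return ("reject", 0.0) or ("send", seconds_to_hold_the_message)."""
        verdict = self.vem.check(sender, now)
        if verdict["flagged"]:
            return ("reject", 0.0)
        last = verdict["last_seen"]
        if last is not None and now - last < self.window:
            streak = self._streak.get(sender, 0) + 1
        else:
            streak = 0
        self._streak[sender] = streak
        if streak == 0:
            return ("send", 0.0)
        # Doubling delay: 2s, 4s, 8s ... until spamming from this address is impractical.
        return ("send", min(self.base_delay * 2 ** (streak - 1), self.max_delay))
```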
I have actually canceled accounts where they have introduced CAPTCHAs. I hate them and vote with my wallet. Want to lose me as a customer? Introduce a CAPTCHA; it is of no benefit to me.
Only if the compromising malware is stealing credit card information from the host computer. Otherwise, the bots will need valid credit card (or Paypal, etc) information, either belonging to the controller, or harvested some other way.
Death Penalty preceded by Torture, Forced Labour and Random Pseudo-Medical Tests in concentration camps for spam-bot makers, spammers and their families.
That should make them think twice before attempting something since ending up in jail with a "nice" cell partner named Bubba may be the dream of a lifetime for some of them.
Oh wait the Human Right yes, we are all human... of course we are...
Just throw away every comment that contains any URL. A bit unfriendly, yes, but spam with no URL in it is rare and apart from very technical or Internet-centric applications users cope well with this.
I wrote a piece on Craigslist's Increasingly Complicated Battle Against Spammers last year. They've tried everything known and it hasn't worked. They've tried CAPTCHAs, email confirmation, phone confirmation, and IP address checking. It hasn't helped. There's a whole industry providing tools to help spam Craigslist.
Craigslist is now leaning hard on some of the companies helping others spam Craigslist, with modest success. At least Craigslist spamming tools are no longer available via Google Checkout. (With that, Google was close to being an active participant in illegal activity.) "www.adsoncraigs.com", the source of Craigslist Auto Poster, has been shut down. Some of the Craigslist posting tools use a program to break captchas, and some outsource the job to a service in a low-wage country.
The going price for outsourced manual captcha solving is around $0.60/1000 captchas.
Maybe to send each email you need to solve a CAPTCHA, unless the recipient has you on their whitelist. Paying people to solve them becomes a much greater cost when it is per message rather than per account. While it doesn't solve the problem of making a well-working CAPTCHA, it does make each successful solution less valuable to spammers, therefore making it less likely for them to bother. It will make more determined spammers try harder to automate the process, so we'd have to be sure we can keep the arms race moving.
As for legitimate users, most people get email addresses by asking for them, so the recipient should know to whitelist the sender.
My webcomic
LOL...Maybe they are outsourcing the work too. :)
Ask the person to guess if the person/computer talking back to it is a person or computer. As long as the website is popular enough, then you can sometimes pair humans with humans. You might get some interesting conversations going too, especially if the site using this is like Slashdot where people of similar interests come to. In addition, people rarely sign up for accounts so these turing tests would not be too much of a hassle.
Not sure where I got it from, but I added an error message to the time zone pull-down menu on registration forms. Most bots will select the first item on any list, and in most time zone lists the first zone is the middle of the Pacific where no one lives. Since I did it, I have eliminated around 99% of my bots. Bot control is more about forcing something irregular, something that is not easy to program for, in combination with other Turing tests.
Living in Chile
Do you think the idea of dynamically named form inputs has any legs in the fight against automated form submissions? Yeah, 'quite similar to a token, so where's the advantage?' I hear you say. But combined with dynamic ordering of the input elements (within limits), wouldn't this be enough (with some logic within your controller) to determine if the post contains the expected data, thereby fooling most automated methods? Except in the case of very short forms, perhaps? Drawback: your users' form completion order changes, but is this a big deal? You only register once. Disclaimer: first post from a web dev and something that annoys the hell out of me. Be gentle, lol.
I'm not highly sensitive to the breaking of auto-fill mechanisms for the sake of increased security.
But that's the problem, a lot of people are. There are reasons the form fillers are so popular - I myself would be loath to go without them. After all, it's not improving my security in the slightest, it's improving YOUR (or whoever runs the servers) ability to block spam - and that only slightly.
To me the loss of auto-fill seems far greater than the marginal improvements you get in spam blocking on the server side, and the loss of users from people who don't want to go to the trouble of filling a whole form.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Every so often toss in an image with the statement "Pakistan always has been and will always be the sole rightful owner of Kashmir and the Republic of China is the legitimate government of the Chinese people."
"Anyone who attempts to generate random numbers by deterministic means is living in a state of sin." -- John von Neumann
I posted it before, and I'll post it again: PORNTCHA!
Use hi-res porn images as the CAPTCHA images, and use hard-to-automate anatomical questions like "are the blonde's boobs bigger than the brunette's?" or "Are these two lesbians?" Any wrong answer brings up another PORNTCHA challenge. Any correct answer ends the porn session and proceeds to the signup. The porn users probably won't "feel the need" to answer a lot of questions correctly, and the service users have a way to get past.
It's kinda like a honey pot, only with tasty, tasty honeys.
John
Really we shouldn't worry too much about this problem. In 25 years most of the effort is going to be in AIs trying to keep annoyingly slow humans off their web sites.
Actually, that would be pretty interesting. The spammers have always proven to be very hard-working when it came to breaking CAPTCHAs. Why not "force" them to advance our A.I. field?
The problem is very easy to fix: require a non-web email address with a required email confirmation; require an ISP email address. They have to be paid for, unlike free web email addresses. For those worried about getting spam from what they want to sign up for, for each site signed up for use a different middle name initial; then you know for sure just who sold your email address.
Jack of all trades, master of none
And record IPs of people that spam and shut them the fuck down.
How about email addresses that cost 5 cents to register?
Would it really be that easy for bots to register 100,000 Gmail addresses?
It is a task for the United Nations. Spam is causing major damage to the world economy via lost work time, traffic, etc. We need international enforceable laws, which would make spam illegal and inevitably punishable worldwide.
It is a big problem and requires a big solution.
Our leaders shall overcome their cultural shock, phase out activities in local organizations, like EU, NATO, CIS, etc., and begin to work in a global setup, the UN, the WTU - world telecommunication union, Interpol, UNICEF, etc.
What is the point of fighting spam in, say, the USA, if it will continue to pour in from, say, Indonesia?
What is with this sentiment of "God help the colourblind?" I've never seen a monitor with a face button to colour rotate the screen, which is the obvious aid to provide for the dominant red-green cohort. As 500 million monitors attest, society doesn't give a damn.
What amazes about this subject is that some people seem able to disparage AI in one breath, then capitulate on captchas in the next breath. At least I assume it's the same fleeting "what have you done for me lately?"
We were comfortably smarter than our machines until there was connivance at stake. Maybe we're playing the wrong side of the fence. Perhaps human stupidity is our more enduring quality. Crib some text from a 419 solicitation. (This could be done in real time.) See if the purported person sends you money (the bots aren't dumb enough to do this, despite having more than their fair share of the credit cards). If you receive money, you have a 100% certified human visitor who will certainly raise the level of discourse in your many forums.
I suspect the deeper problem with captchas is our herd mentality. Doesn't Google serve half their queries with prebuilt pages keyed off a few dozen most popular search terms?
Considering the relative advantages and disadvantages of human cognition, I'm tempted to implement a captcha which asks the user to "identify the statistical fallacy in the following statement from today's lead story on FOX News". There are some compelling advantages here. For one, you'll never run out of fresh material. This could be named the "dusty corridor" captcha. Perhaps there is a unique signature that emanates from disused wetware taking the plunge.
Or maybe instead it's our knee-jerk circuits that are most intrinsically human. If a pregnant woman is shot in the stomach, who or what is responsible:
A) the gun,
B) the bullet,
C) the government,
D) the foetus
Or perhaps we should be queried on our finely honed social calculus: which is worse, an Asian man marrying a black woman, or a black man with an Asian wife? If possible, justify your answer. (For a human, the optional portion is normally left blank.)
Here's another good one. "From your current computer terminal, make a one sentence edit to [randomly selected] page on Wikipedia. If an edit associated with your IP address is still there in five minutes, you will be allowed to register with this site."
The telling detail here is that we value our site visitors so slightly (fractions of a cent, on average) that we can't spare a sliver of human eyeball to vet that the new registrant doesn't instantly leave a cow patty.
We're not even trying to validate humans. We're trying to validate cattle.
... are much overblown, but you need to make the captchas per-message rather than per-account.
http://web.archive.org/web/20070822051020/http://petmail.lothar.com/design.html#auto34
> Hire People To Solve CAPTCHA Challenges
> Spammers set up a sweatshop (which I will call a Turing Farm) to employ people to look at computer screens and answer CAPTCHA challenges. They get to send one message to one recipient for each challenge passed. Assuming 10 seconds per challenge, and paying roughly $5/hour, that represents $14 per thousand messages. A typical spam run of 1 million messages per day would cost $14000 per day and require 116 people working 24/7.
> This would break the economic model used by most current spammers. A recent Wired article showed one spammer earning $10 for each successful sale. At that rate, $14k/1Mspam requires a 1 in 1000 success rate just to break even, whereas current spammers are managing a 1/100k or even 1/1M success rate.
To this day, nobody has beaten some of the better written anti-botting random events in the game Runescape. They use rotating 3D models in Java with shifting light overlays to change the colors of the pixels randomly. And here's why captchas do work and always will. You take like 1 day to write a captcha generator and it takes someone a week or two, maybe even months to write an AI program that can read it. Then as soon as you notice spammers getting past it, you change one thing and they have to almost start over from scratch. With Java you just swap out the 3D model and it's a completely different set of pixels to measure and the bot builders have to almost start from scratch. There's basically no more botting in RS anymore.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Sadly, this fails in two ways:
- It's not random. Somebody has to enter all of these phrases and possible answers into a database, which means that there are a finite number of them (and probably a computationally low finite number at that -- maybe a few thousand at most). Brute force or a small army of cheap outsourced labor will have your CAPTCHA broken in days if not hours.
- It has multiple choice answers. Forget the wasted time and effort of searching Google. Just pick one. You have a 33% chance of being correct, and you also have just added that result to your dictionary for the next time the question comes up. Even if the non-correct answers are randomized, the correct answer still has to be in the list of possibilities, so seeing the question two or three times will give you a statistically good chance of solving the riddle. This point is actually meaningless when the first issue is taken into account, though (you can't have a static list of answers for a random question!)
Any non-random CAPTCHA immediately falls victim to a (relatively) simple trial-and-save dictionary attack, regardless of whether it's based on text or pictures or smells or anything else. The 3D CAPTCHA from TFA would be broken (to a spammer-acceptable level) within a few days if it was used on a site that some spammer REALLY wanted to hit -- it's basically the same idea as yours except using a 3D picture as opposed to a text phrase. Figuring out a rotation between two 2D projections of a 3D object isn't all THAT hard (again, within acceptable limits, and especially given a small finite list of possibilities) providing that it's not a degenerate case (looking at that axe blade-on for example), but most degenerate cases would be hard for a human to pick out as well.
The only true save for CAPTCHAs is diversity -- there are so many different methods and possibilities out there that you rarely see two major sites using the same one. That means spammers have to break a new one for every site they want to spam. And it's fairly easy for a site to switch CAPTCHAs (or at least it could be with a good site layout). Some spammer figured out how to OCR your randomly-colored-lines-on-text CAPTCHA? Switch to 3D rotations. They figure that out, switch to 3D rotations with random polka-dots. On your end it's a few lines of code to switch plugins (which you'd probably be quick to set up if this became a regular problem on your site). On the spammer's end is a whole new world of OCR or dictionary building or whatever method they need for the CAPTCHA style-of-the-month. Also, implement a short (5sec or so) delay when loading the CAPTCHA. It has to be short enough that a human could just chalk it up to server or internet lag. This won't stop spammers, but it will mean they have to spend more time in order to break your CAPTCHA (because they have a minimum of 5sec between attempts, rather than the 100-200ms or so that normal net lag would give them -- meaning it will take them 25-50 times longer to break your CAPTCHA, give or take). Maybe even make it start taking 15 or 20 seconds if you see some threshold of attempts in a certain time (say 100 in a minute.. actual numbers of course will depend on your expected human traffic -- you don't want to inconvenience legitimate users too much or they'll just go elsewhere).
There's an important phrase I've used a couple of times though -- "acceptable". A spammer likely wouldn't care a whole lot if 5% or even 50% of their messages don't get through -- most of the time they're paying very little incremental cost per message, if anything (botnets make it pretty much free). All of their cost is in breaking the CAPTCHA or other security, including the development of botnet clients and the such. Once their software has been developed they couldn't care less if they send 1 million or 10 million messages (except perhaps as an accounting measure if they charge their client per message, but that's really a (business) politics issue, not an economic or technical one).
I just noticed that the author of that captcha must have noticed this link because he dropped the price. Earlier when I looked at this it was ten bucks - now it's 2. What a loser, trying to profit from /.
The audio puzzles on reCaptcha are extremely difficult! I could only manage 2 correct answers out of 15 attempts!
So you can't spell "there" but expect random users to spell at least somewhat reasonably? Fail, in my book.
Every single time a CAPTCHA discussion comes here the /. user QuoteMstr (ID 55051) posts this nonsense he probably stole somewhere.
Look at this nonsense: if machines can't describe the picture, how the hell is the CAPTCHA server supposed to verify that the client gave the correct answer?
This is the dumbest sentence ever written by a 5 digit ID on /.
Please mod the troll down, it shows complete lack of understanding on how a computer works.
I've pointed out here that if you have a 3D model of a cat, and generate a million pictures of that cat differently rendered, all the "CAPTCHA server" [sic] needs to know is that the generated file captcha0938914696.jpg was generated using the "cat model". The computer has no understanding of what a cat is; the computer does not need to be capable of recognizing the cat by analyzing the picture.
Please, stop stupidly modding QuoteMstr +5 insightful because what he's cut/pasting really makes zero sense.
Mod QuoteMstr troll down.
I used to help out with a chess organization's website. We had a bulletin board; however, I modified the verification code to ignore the input from the captcha. I added a paragraph instructing the potential user to search the site for the answer to a question. We went from 3 - 5 malicious accounts per day down to 0 since that was implemented.
I'm liking the magic eye captchas at http://hidden-3d.com/index.php?id=gallery&pk=237&comment_show=1#comments
Sure not everyone can see them, but are their comments worth listening to if they can't cross their eyes? They probably have a one-eyed view of life anyway.
Any of them that are not trivial for bots to parse are way too difficult to read, sometimes taking 2-3 tries before I get it right.
I like the ones better where there is a sentence on the page like "Click on the picture with a baby in it". Then you have a bunch of pictures of animals, with one of them being a baby.
It would read out a 4 or 5 digit number and then you would type it in. Not sure what the best audio format would be but Flash is everywhere so maybe that.
Make these pictures automatically from a very big (and slowly changing in time) alphabet so that bots will have a hard time adapting to it.
Then you'll get two goals: CAPTCHA and high IQ audience.
LOL. You're right.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
It's always the same story. "Technology X is no longer able to stop spammers/bots. Technology Y will solve everything though."
As long as it's an arms race of technology, it will be...an arms race. Better tech means more effort on the part of the spammers to break it. The rewards for the spammer stay constant, but the costs for the defender constantly increase.
There are only two ways to stop spam: Make it financially unsustainable, or murder everyone on this list, and repeat every six months. Note that I'm NOT advocating this behaviour, but unless you can change the price model of spam, it's the only solution.
Everything else is damage control.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Actually, in the same vein as ASCII art, other approaches that rely on human perception might work very well too. While the bots are capable of optical character recognition and even some limited pattern recognition, would they ever be able to handle some of the more bizarre elements of biological perception such as optical illusions? The sort of thing I'm thinking about here are usually found in psychology textbooks, like the one where you stare at a green, yellow, and black American flag for several seconds and then stare at a blank page and see a "ghost" of the flag in the correct colors. That particular one relies on the way photoreceptors become fatigued so as to produce an afterimage. There's also a good deal of processing the biological brain does with the visual information it receives; it seems like finding a method of exploiting that would be the surest way to separate the fleshies from the bots.
As long as scammers can put up sites where humans solve captchas for porn, I think using captchas as a protection mechanism is pretty much busted.
Luke uses a compass to navigate, Lisa is wearing a black shirt, Simon is wearing an orange shirt, Steve is wearing a red shirt, Christine is a couch potato, Lindsay is wearing a brown shirt.
1.) Which woman is wearing a shirt the color of snow?
2.) Which man is wearing a shirt the color of grass?
What? :-)
Harald
The ultimate trump card for CAPTCHA always seems to be that it will always be worked around by some third-world worker.
What I really never understood is why we're putting the CAPTCHA on the registration of new e-mail accounts. Why don't we put it on the part that's actually being abused: sending e-mail?
-Every hundred-or-so e-mails (or whatever pattern best fits spammers), request a CAPTCHA in some passive way ("please fill in this CAPTCHA sometime in your next 10 emails").
-Increase the CAPTCHA frequency on that account based on the number of failures to stem brute-force solutions.
-Also increase the frequency if the mail being sent triggers spam-filter red-flags. Ramp the inconvenience gradually, and you won't have to use the nuclear option on legitimate users.
The third-world worker can still enter the CAPTCHA for every 100 e-mails, but by then you're getting near the point where that worker is manually and semi-legitimately sending you spam.
Isn't that enough?
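Added example (editor's, not code from anyone in the thread): the send-time policy described in the post above, reduced to a state machine. A clean sender is asked passively for a CAPTCHA every `base_interval` mails and may keep sending for `grace` more mails; each spam-filter hit shortens the interval, and each failed attempt halves the interval and shrinks the grace window, so only a sender who ignores or keeps failing the challenge ever hits the hard block. All thresholds (100, 10, 20, 5) are illustrative assumptions, as is the `AccountState` layout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccountState:
    """Per-sender counters; everything resets when a challenge is solved."""
    sent: int = 0                        # mails sent since the last solved challenge
    failures: int = 0                    # failed challenge attempts since then
    flagged: int = 0                     # mails the spam filter red-flagged since then
    pending_since: Optional[int] = None  # `sent` at which a passive challenge was issued


class SendChallengePolicy:
    """Challenge at send time, not at sign-up. Parameters are assumed defaults, not
    numbers from the thread: base_interval mails between challenges for a clean sender,
    grace mails allowed while a challenge is pending, flag_penalty subtracted from the
    interval per spam-filter hit, min_interval as a floor."""

    def __init__(self, base_interval=100, grace=10, flag_penalty=20, min_interval=5):
        self.base_interval = base_interval
        self.grace = grace
        self.flag_penalty = flag_penalty
        self.min_interval = min_interval

    def interval(self, st: AccountState) -> int:
        # Each failed attempt halves the interval; each flagged mail knocks a fixed amount off.
        iv = self.base_interval >> min(st.failures, 5)
        iv -= self.flag_penalty * st.flagged
        return max(self.min_interval, iv)

    def current_grace(self, st: AccountState) -> int:
        # Failed attempts shrink the grace window: this is what stems brute-force solving.
        return max(1, self.grace // (1 + st.failures))

    def on_send(self, st: AccountState, spam_flagged: bool) -> str:
        """'allow' = send; 'challenge' = send but show the passive request;
        'block' = grace exhausted, nothing leaves until the challenge is solved."""
        if st.pending_since is not None and st.sent + 1 - st.pending_since >= self.current_grace(st):
            return "block"               # blocked mail is not counted as sent
        st.sent += 1
        if spam_flagged:
            st.flagged += 1
        if st.pending_since is not None:
            return "challenge"
        if st.sent >= self.interval(st):
            st.pending_since = st.sent   # issue the passive request
            return "challenge"
        return "allow"

    def on_challenge_result(self, st: AccountState, solved: bool) -> None:
        if solved:
            st.sent = st.failures = st.flagged = 0
            st.pending_since = None
        else:
            st.failures += 1             # stays pending, with a shorter grace window


if __name__ == "__main__":
    policy = SendChallengePolicy()
    st = AccountState()
    # Constructed traffic: four spam-flagged mails, then clean mail, then a failed solve.
    log = [policy.on_send(st, True) for _ in range(4)]
    log += [policy.on_send(st, False) for _ in range(16)]
    policy.on_challenge_result(st, solved=False)
    log += [policy.on_send(st, False) for _ in range(6)]
    print(" ".join(log))
```

The first decision in `on_send` is evaluated before the counters move, so a blocked attempt neither counts as a sent mail nor feeds the flag counter; a legitimate user who solves the pending challenge goes straight back to a full interval.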
That's what I was thinking... but maybe there could be some way to use random names for the fields, and also place them in the page via Javascript so that the layout always looks the same while the order in which the fields are laid out in the code is also random; that way you don't know if the first field is the email, password, username, etc. unless you analyze the js code to see where the field is placed.
Go hug some trees.
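Added example (editor's, not code from the poster above): a server-side version of the idea in the post just above. Each render gets fresh random `name` attributes and a shuffled DOM order; CSS `order` puts the fields back in the fixed visual position, and the mapping travels in an HMAC-signed, time-limited token so the server can decode the submission statelessly and reject posts that use the canonical names. The field list, token format, TTL and the `_sign`/`issue_form`/`decode_submission` names are all assumptions of this example. Caveat a practitioner would raise: the visible labels still tell a bot which field is which, and a bot can run the JavaScript or read the token's position in the page, so this raises the cost of a scraper, it is not an access control.

```python
import base64
import binascii
import hashlib
import hmac
import html
import json
import secrets
import time

LOGICAL_FIELDS = ("username", "email", "password")  # fixed visual order
TOKEN_TTL = 600  # seconds a rendered form stays valid (assumed)


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_form(secret: bytes, now=None):
    """Return (token, names, order): random names per logical field and a shuffled DOM order."""
    now = int(time.time()) if now is None else now
    names = {f: "f_" + secrets.token_hex(6) for f in LOGICAL_FIELDS}
    order = list(LOGICAL_FIELDS)
    secrets.SystemRandom().shuffle(order)
    payload = json.dumps({"iat": now, "names": names, "order": order}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(secret, payload)
    return token, names, order


def render(token: str, names: dict, order: list) -> str:
    """HTML whose DOM order is random but whose visual order is fixed via CSS `order`."""
    rows = []
    for logical in order:                       # DOM order: shuffled
        visual_pos = LOGICAL_FIELDS.index(logical)  # CSS order: always the same
        kind = "password" if logical == "password" else "text"
        rows.append(
            f'<div style="order:{visual_pos}"><label>{html.escape(logical)}</label> '
            f'<input type="{kind}" name="{html.escape(names[logical])}"></div>'
        )
    return (
        '<form method="post" style="display:flex;flex-direction:column">'
        + "".join(rows)
        + f'<input type="hidden" name="form_token" value="{html.escape(token)}">'
        + "</form>"
    )


def decode_submission(secret: bytes, token: str, posted: dict, now=None) -> dict:
    """Map posted random names back to logical names; raise ValueError on anything suspicious."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    if not hmac.compare_digest(_sign(secret, payload), sig):
        raise ValueError("bad token signature")
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL:
        raise ValueError("token expired")
    names = data["names"]
    unexpected = set(posted) - set(names.values())
    if unexpected:
        # A bot replaying canonical names ("email", "password") or another render's names lands here.
        raise ValueError("unexpected fields: " + ", ".join(sorted(unexpected)))
    return {logical: posted.get(rand, "") for logical, rand in names.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok, nm, od = issue_form(key)
    print(render(tok, nm, od))
    # Constructed submission using the random names, as a browser would post them.
    print(decode_submission(key, tok, {nm["username"]: "alice", nm["email"]: "a@example.org", nm["password"]: "hunter2"}))
```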
You can display different instructions for the users. One time you see "please type the blue letters only" and the next time you see "please ignore the red letters and type the black letters", or "please type the green letters and ignore the blue letters" or even use Yoda-speak "the green letters you ignore, but the blue letters you type" so that besides all the image parsing, the bots have to parse the instructions.
Eventually they might get it right but it gives you more time to come up with something else.
Go hug some trees.