Coding Horror: CAPTCHA Effectiveness

CAPTCHA Effectiveness

October 25, 2006

If you've used the internet at all in the last few years, I'm sure you've seen your share of CAPTCHAs:

The Blogger Captcha

Of course, nobody wants to use CAPTCHAs. They're a necessary evil, just like the locks on the doors to your home and your car.

CAPTCHAs are designed to discriminate between computer scripts from spammers and real human beings. There's a popular misconception in technical circles that CAPTCHA has been "broken":

CAPTCHA, which stands for (C)ompletely (A)utomated (P)ublic (T)uring test to tell (C)omputers and (H)umans (A)part, works well for small sites but larger 'community' sites where there are multiple SPAM targets CAPTCHA only provides a false sense of security - it can be broken fairly easily and serious spammers are getting more sophisticated all the time.

Some people actually believe that spammers can now "fairly easily" write scripts which use advanced optical character recognition to automatically defeat any online CAPTCHA form.

Although there have been a number of CAPTCHA-defeating proof of concepts published, there is no practical evidence that these exploits are actually working in the real world. And if CAPTCHA is so thoroughly defeated, why is it still in use on virtually every major website on the internet? Google, Yahoo, Hotmail, you name it, if the site is even remotely popular, their new account forms are protected by CAPTCHAs.

The comment form of my blog is protected by what I refer to as "naive CAPTCHA", where the CAPTCHA term is the same every single time. This has to be the most ineffective CAPTCHA of all time, and yet it stops 99.9% of comment spam. I can count on two hands the number of manually entered comment spams I've gotten since I implemented it. Granted, Yahoo is more popular than my blog by many orders of magnitude. But it's still strong evidence that moving the difficulty bar up even one tiny notch can be quite effective in reducing spam. I went from cleaning up comment spam every day to cleaning one per month. Big difference.

I've been experimenting with improving the rendering algorithms in my CAPTCHA server control, and it's interesting how fragile typical computer OCR really is. SimpleOCR has an online form that allows you to upload and OCR small greyscale TIF images. Here are the results of submitting a few standard 180x50 CAPTCHAs from my reworked rendering algorithm. Note that these CAPTCHAs all use the same font, Courier New.

OCR result
	Standard	CQXKN	5/5
	Low perturbation	KxT*2	3/5
	Medium perturbation	acNx4	2/5
	High perturbation	Kc	0/5
	Extreme perturbation	(blank)	0/5
	Standard, low noise	(blank)	0/5

I didn't expect it to do well, but I was frankly surprised how poorly the SimpleOCR engine actually performed. Adding a tiny bit of noise or perturbation to the CAPTCHA text was all it took to break the OCR. I'm sure there are more advanced OCR engines out there that might be able to do somewhat better than the free SimpleOCR engine. Still, it's unlikely that any OCR engine could beat high perturbation – where the characters are physically overlapping each other – plus a little background noise. And that level of CAPTCHA security is absolute overkill unless you happen to run one of the top 100 most popular sites on the internet. Furthermore, none of these are particularly difficult CAPTCHAs. The most extreme perturbation sample shown above is eminently "human solvable", at least in my opinion.

The default settings for my new and improved CAPTCHA server control, a combination of …

high contrast for human readability
medium, per-character perturbation
random fonts per character
low background noise

… should be far more protection than most websites need.

Captcha image, low noise, medium perturbation, varied fonts

Remember, I use "naive CAPTCHA" with 99.9% effectiveness. The "low" settings will be even easier to read than the defaults and may be more appropriate for your user base.

Of course, OCR isn't the only way to attack CAPTCHA. But the other scenarios for spammers "beating" CAPTCHA are even more far-fetched. The Petmail documentation explains:

1. The Turing Farm

Let's say spammers set up a sweatshop to employ people to look at computer screens and answer CAPTCHA challenges. They get to send one message for each challenge passed. Assuming 10 seconds per challenge, and paying roughly $5 per hour, that represents $14 per thousand messages. A typical spam run of 1 million messages per day would cost $14,000 per day and require 116 people working 24/7.
This would break the economic model used by most current spammers. A recent Wired article showed one spammer earning $10 for each successful sale. At that rate, the cost of $14,000 for 1,000,000 spam emails requires a 1 in 1000 success rate just to break even, whereas current spammers are managing a 1 in 100,000 or even 1 in 1,000,000 sucess rate.

2. The Turing Porn Farm

A recent slashdot article described a trick in which spammers run a porn site that is gated by CAPTCHA challenges, which are actually ripped directly from Yahoo's new account creation page. The humans unwittingly solve the challenge on behalf of the spammers, who can therefore automate a process that was meant to be rate-limited to humans. This attack is simply another way of paying the workers of a Turing Farm. The economics may be infeasible because porn hosting costs money too.

If you're not using CAPTCHAs because you think they're compromised, then you're too gullible for your own good. There's absolutely no concrete data supporting any of these attack scenarios happening outside laboratory (read: infinite money and time) conditions. Just ask Google:

Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy.
But several Internet companies say their captchas appeared to be highly effective at thwarting spammers. "Researchers are really good, and the attackers really are not," says Mr. Jeske of Google, based in Mountain View, Calif. "Having these methods in place we find extremely effective against automated malicious attackers."

The real secret to CAPTCHA is that it hits spammers where they are most vulnerable: in the pocketbook. The minute you put up a computational barrier, the entire economic model of spam comes crashing down.

Now if you'd prefer not to use CAPTCHA because it's an inconvenience for the user, I can respect that. CAPTCHA isn't the only way to block spammers. But give CAPTCHA its due: it was one of the original spam blocking measures used way back in 1997 by AltaVista. And, even more impressively, it's still one of the most effective ways to block spam at its source today.

Posted by Jeff Atwood

« Swiss Army Knife or Generalizing Specialist

The Build Server: Your Project's Heart Monitor »

111 Comments

I work with some of the more clever OCR technologies as part of my day job, and can tell you now - if the spammers are using anything like the technology we throw at scanning business documents, virtually all of your examples could be read.

Jonathan on October 29, 2006 1:58 AM

Technical measures like captchas are useless for blocking spam. Sure, they can block spam on a particular website, but that's only because spammers go against the easiest targets.

Just like they adapted to every other anti-spam feature, including bayesian networks, which were claimed to be a so great that "a href="http://paulgraham.com/spam.html"there is no way they can get around that/a".

If almost everyone was using captchas, spammers would use programs that break simpler ones. If everyone used complex captchas, spammers would find some other tricks. Spam is not technology-bound at all. It's not even the slightiest bit lower now that it was 10 years ago, in spite of all technical changes that were supposed to limit it.

And while the spammers can adapt, users cannot, and will suffer consequences of the anti-spam technology. Do you really want captchas everywhere if they won't limit spam even a little bit, only move it from one places to others ?

Tomasz Wegrzanowski on October 29, 2006 1:58 AM

That pwntcha site is a goatse in disguise, please don't post it.

name on October 29, 2006 2:00 AM

Jeff another problem with CAPTCHA's is users with visual disabilities. The Windows MSN-Live use one system where the user can listen and typing the words to continue. What you think about this?

Fabio Alves on October 29, 2006 2:12 AM

I don't know where this idea that they can "easily" beat it comes from, sure, theoretically they can but as long as there aren't any good free OCR library out there I don't think we have much to worry about.

Captchas are very effective against most spam like Jeff pointed out with his own example.

GH on October 29, 2006 2:57 AM

Besides, you could use something like SVG to create and image on the fly (unfortunately still not supported by IE7), or even use javascript and create a word using overlapping divs, how would they ever be able to catch that ?

GH on October 29, 2006 3:06 AM

I was recently a target of a spam-based DoS attack. My hosting provider recently disabled my blog due to excessive CPU and database use, all of which was due to an avalanche of comment spam. Fortunately I was able to get back on the air using an IP based block, with the promise of implementing CAPTCHA at a later date. So your post is very timely.

Your claim about "naive CAPTCHA" being effective makes me wonder: what about text-based CAPTCHAs? eg "please enter the name of a curved yellow fruit". This would seem to be just as difficult to parse automatically but not require users to view an image.

(BTW CAPTCHAs don't just affect users with visual disabilities. They affect all users who for whatever reason are unable to see images. Example: text-based browser users.)

Alastair Rankine on October 29, 2006 3:10 AM

Some issues with your captcha post.

A general purpose OCR engine is not the best way to defeat a captcha. Much simpler approaches with greater accuracy is possible.

A captcha image is highly constrained. It typically uses a small image with a single font with a fixed number of letter. Each letter is distributed roughly evenly and sequentially across the box.

* The spammer may actually rely on simple statistics like density analysis to determine the likely character. The spammer only needs to know what letter the value of a particular statistic(s)
correlates best to.

* A relatively simple neural network to do character recognition is also not so hard. Brain-n-brawns wrote in a day a captcha defeater. http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha

A naive captcha may be best for your site, since your site does not provide the best value (no offense) for a spammer, since it creates work and is only one site. It's not Yahoo or Google. A spammer could put more effort on targeting many other defenseless sites which in aggregate may have more traffic than you.

Wesner Moise on October 29, 2006 4:09 AM

Wes, I think that's a big point of Jeff's post. For his target audience, other bloggers etc..., CAPTCHA is still a very effective means for blocking spam.

For example, my Invisible CAPTCHA is trivially easy to beat. A comment spam bot would simply need to execute javascript.

In practice though, it is tremendously effective!

The REAL weakness of CAPTCHA is that it does nothing against trackbacks and pingbacks. This makes total sence since CAPTCHA is about filtering out non-humans, but trackbacks are by definition left by other computers.

That's where other solutions are necessary. I use Akismet for my comment filtering. Invisible CAPTCHA pretty much blocks all comment spam, and Akismet catches all the trackback spam.

Haacked on October 29, 2006 4:24 AM

I have a phpbb2 message board that I run and I was getting boatloads of spam. Adding in the default captcha did *not* reduce the spam in the slightest. That is, it was *completely*, 100% broken, contrary to your assertion that it isn't being used in the wild.

I ended up adding a single extra required field and that blocks out 99.99% of the spam. I've gotten maybe 2 or 3 spams since implementing it. It's not even a question. And it's not even a picture. It's just a field in the form that says "please type 1234 here".

I think the key isn't captcha, per se, but just being different. Security through obscurity in a sense. There's no benefit for some spammer to fix his script to handle my dorky custom web forum. But there's a huge benefit to cracking the default phpbb2 captcha algorithms because most users are going to just use the defaults.

-David

David on October 29, 2006 4:47 AM

Brain-n-brawns wrote in a day a captcha defeater.

For a very weak captcha-- none of the characters overlapped, and there was no background noise or lines overwriting the characters.

It's not Yahoo or Google. A spammer could put more effort on targeting many other defenseless sites which in aggregate may have more traffic than you.

And yet spammers are unable to defeat the more advanced captchas on Yahoo, Google, and Hotmail. Otherwise, why would Yahoo, Google and Hotmail continue to use them? To torture their poor users? Did you read the quote from the Google employee in the Wall Street Journal article?

--
Researchers are really good, and the attackers really are not," says Mr. Jeske of Google, based in Mountain View, Calif. "Having [CAPTCHA] in place we find extremely effective against automated malicious attackers."
--

Ahem. *extremely effective*.

The proof is in the pudding, and the pudding contains.. CAPTCHA. Good ones, using the rules I outlined.

* per-character perturbation
* characters that overlap
* noise or lines that overlay and touch the characters

If you look closely at the chinese Captcha defeating page linked in the first comment, you'll see that all the "unbroken" captchas have these three things in common.

Jeff Atwood on October 29, 2006 6:18 AM

and can tell you now - if the spammers are using anything like the technology we throw at scanning business documents, virtually all of your examples could be read.

Then prove it. Use the sample images provided and post the results from your OCR engine.

Jeff Atwood on October 29, 2006 6:19 AM

This makes total sence since CAPTCHA is about filtering out non-humans, but trackbacks are by definition left by other computers.

Well, kinda, but not really. Trackbacks/pingbacks are left on behalf of an author who just made a blog post. Making the author pass a CAPTCHA before leaving the pingback/trackback would be totally reasonable.. of course the technology doesn't exist to enforce this, so it's really a moot point.

Jeff Atwood on October 29, 2006 6:30 AM

Jeff, if your orange captcha is so effective, why do you need to filter out bee-el-oh-gee-ess-pee=oh-tee website adddresses?

Carl Manaster on October 29, 2006 7:31 AM

if the spammers are using anything like the technology we throw at scanning business documents, virtually all of your examples could be read.
-- Jonathan

Then prove it. Use the sample images provided and post the results from your OCR engine.
-- Jeff

But even if Jonathan's company's developed OCR IP can break difficult CAPTCHA's, their IP is probably proprietary developed research NOT available to or easily developed by the average hacker. Which re-emphasizes the "researchers are really good, and the attackers really are not" quote.

Ian Johns on October 29, 2006 7:39 AM

At wordpress.com we have Akismet instead of Captcha. Instead of putting up any barrier, everything goes through and Akismet learns what is spam. Once something is marked as spam for one person, it is marked as spam for everyone. Instead of preventing spammers, it's 1000s of eyes cleaning up the results.

It's been pretty effective, but there's been a few interesting cases:

- compliment spam ("great post!" with website field linking to their p-rn/adsense splog site)
- only attacking blogs that appear to still have the default post as the first post -- less likely to monitor spam.
- one p-rn spammer who finds political/pop culture keywords in a post and inserts a human crafted messages. Like: "Some people say Matt Damon isn't that good of an actor, I really liked him in Talented Mr. Ripley" whenever it finds a post with "Matt Damon"

The one thing it has absolutely sucked is spammers-to-be. People who are just testing out spam generation algorithms that have no payload. So you'll get random gibberish from an IP address and it will take a few days for Akismet to learn.

engtech on October 29, 2006 8:46 AM

What I dont get is why we haven't moved past text for CAPTCHAs. I expect in very short order for the massive amount of information google is storing with their Image Labeler: a href="http://images.google.com/imagelabeler/"http://images.google.com/imagelabeler//a to be used to determine if a human is at the keyboard. Its going to take some near impossible computing for attackers to determine that what they're looking at is a "bird" whereas a human can do it in seconds.

Jeff Jacobs on October 29, 2006 8:51 AM

why do you need to filter out bee-el-oh-gee-ess-pee=oh-tee website adddresses

Because of trackbacks. Blogsp0t is spam central.

Instead of putting up any barrier, everything goes through and Akismet learns what is spam.

This is a bad idea.

I am all for akismet testing a comment *after* validating it with CAPTCHA, but letting all the comments go directly through to askimet without any local CAPTCHA verification is asking for trouble. Every comment example you've given would have been stopped cold in its tracks by CAPTCHA.

Plus, you could reduce the comment load on the akismet servers by a thousand percent with a simple CAPTCHA in the host comments. Security starts at home.

Of course for trackbacks, which are machine entered, it's a different issue. I get 75 spam trackbacks per *hour* on this blog. Multiply that by the number of blogs, and.. well.. like I was saying, security starts at home. ;)

Jeff Atwood on October 29, 2006 10:05 AM

Here's an interesting alternative: the ASCII art CAPTCHA. ;)

http://www.thephppro.com/products/captcha/

Jeff Atwood on October 29, 2006 10:10 AM

How about CAPTCHA with random images instead of characters?

I heard about the KittenAuth a few months ago and it seems a great idea. Grid with random images of fluffy animals - click on 3 kittens to get through to the web site:

http://arstechnica.com/news.ars/post/20060407-6554.html

SimonTeW on October 29, 2006 10:25 AM

There is a program used to download files from different file-share-sites. It includes OCR engine that, in particular, works with rapidshare.de. And it usually works better than me. Could it be I am robot??? :)
Rapidshare uses low-contrast captchas, and it surely gives benefit to OCR against eye. Overlapping semitransparent symbols with colored line/dot/curve/character noise are also used there. OCR handles this. And seems it is open source.

Iggi on October 29, 2006 11:19 AM

Here's a Chinese site that offers Captcha-defeating software, for a price.

http://www.lafdc.com/captcha/

(warning VERY slow to load)

This site considers the CAPTCHAs used by Yahoo, Google, and Hotmail "Very Difficult" and cannot actually solve them. I used it, along with the results on this site..

http://sam.zoy.org/pwntcha/

.. as my template for what a *good* CAPTCHA should be:

1. low contrast only hurts humans, and doesn't affect OCR results at all. So high contrast.
2. per-character perturbation
3. characters that overlap
4. Some noise or lines that touch the characters

I haven't seen any software that can deal with #3 and #4, which is what Yahoo, Google, and Hotmail use. Note the disclaimer at the second link:

--
PWNtcha does not work [on any CAPTCHA]. It is not an intelligent program that tries to decode a random CAPTCHA. Such a program would be nearly impossible to do. PWNtcha is simply a toolkit of image manipulation functions, and a list of known CAPTCHAs with the associated list of image operations to apply in order to decode each of them. If I have never seen your CAPTCHA, then PWNtcha does not know about it, and there is absolutely no way it could decode it.
--

Jeff Atwood on October 29, 2006 11:27 AM

On my blog, I tried an "accessible captcha" who ask very simple questions instead of words. For exemple, "in 656486473, what number come before 3 ?" or "what's the result of twenty two plus nineteen ?" (it also use sometimes a visual captcha). It's available for dotclear (but it's in French) at http://www.atelierphp5.com/un-captcha-accessible.html

Anyway, the idea behind it is quite simple (and free) to make.

Bishop on October 29, 2006 11:40 AM

To the people still saying captcha is broken, like Jeff says, prove it instead of saying it. Of course someone spending lots of time on it can "break" most captchas but that's not what we are talking about, we are talking about building a good enough OCR engine into a spambot that can effectively spam people using capcthas.

If it takes them five minutes per blog to find the text, post the spam, check if it's posted, read the next image or test the next match it's no worth it, that would effetively stop their spamming.

One thing that people seem to miss is that there is no obvious way to automatically determine what image is the captcha image, you would need to test every image on the page.

Lets say you create five captchas on the server and then printout a javascript that creates and organizes a set of divs so that the correct combination appears, tell me how any ocr software could catch this ?

I suppose you could make something that takes a screenshot of the page and tries to find the text but then again, where is the captcha located among all the rest of the text ?

Captchas are far from broken and as jeff pointed out even simple captchas are effective.

At least in this world there are real solutions, it hasnt gotten as bad as email where we have to have blocklists and kinds of stupid checks to block spam.

GH on October 29, 2006 11:56 AM

A user wrote...

"That pwntcha site is a goatse in disguise, please don't post it."

and it is in fact not. There is an unfortunate use of a distorted goatse image in one of the captcha examples, but the site itself is valid and worthy of being posted.

Phillip on October 30, 2006 1:13 AM

I'd think the world would be inured to goatse by now. *ahem* Anyway, captchas are good, for sure, and I've been poking a site I off and on moderate to implement them for anonymous comments for some time now.

To everyone who says do stuff with javascript, well, that's the fast track to leaving out in the cold disabled users and the occasional people with javascript off or unavailable. You can also make an unbreakable image captcha, and the spammer will move to dragon naturally speaking if you provide an audio version. (I hear that used to work pretty well, until hotmail started distorting the heck out of them.)

In general, what's going to save you is the sheer heterogenity of captchas. There are a number of libraries available, which can each be tweaked in various ways. If spammers break through, just swap the library out with another. Lazy admins get spammed because they're too lazy to do maintenance like that, not just because their captcha is weak. (In which case their laziness will generally manifest in many other ways that endanger their server.)

Foxyshadis on October 30, 2006 2:30 AM

Come on Jeff, explain why you're happy to discriminate against people with visual disabilities, contrary to legislation.

Captchas are an effective tool in the war on spammers, but unless implemented like MSN with alternative mechanisms, it discriminates and excludes people, exactly what the internet was not supposed to do.

I don't believe weighing spam against a significant percentage of internet users is fair.

Doug on October 30, 2006 3:19 AM

Wow, I called this article months ago :)

foobar on October 30, 2006 4:18 AM

Trackbacks/pingbacks are left on behalf of an
author who just made a blog post. Making the
author pass a CAPTCHA before leaving the
pingback/trackback would be totally reasonable..
of course the technology doesn't exist to enforce
this, so it's really a moot point.

Well that would require a modification of the Trackback API and the Pingback API. The same issue applies to the Comment API. None of these APIs even consider the idea of SPAM.

I've tried to get in contact with the authors of the Comment API to no avail. I think it's time we updated these APIs.

Who's with me?

Haacked on October 30, 2006 4:57 AM

Accessibility is an issue. As mentioned before, some implementations provide an audio version so visually impaired people can get access. As the Wikipedia article (linked in the original post) mentions, people who are both visually and hearing impaired are left out.

Also mentioned in the Wikipedia article is the possibility of using a challenge that requires thinking, such as solving a simple math equation or answering a trivia question. While this inevitably isn't totally safe from compromise, it seems at least as good as using the images, and it's nice that it could include virtually eveyrone.

John on October 30, 2006 5:11 AM

Another thing to do to block bots and improve accessibility is to have them input the same text they put in a previous part of the form (chosen randomly, preferably a required element, i.e. name (on this blog)). And to keep bots even more confused, have the captcha image, except hide it (turn off it's display, move it out of page, size it to 0, etc) so bots pick up on it and enter wring info into the captcha box. This method maintains accessibility for all users (since they don't need to read an image or hear a sound byte).

jaxad0127 on October 30, 2006 5:43 AM

My only problem with captchas is when I can't read them. I don't have any real vision problems, but there are fonts that don't seem to make it into my brain (some cursive fonts that are used in logos get mis-parsed). When I get a captcha that is is too bent or twisted, I often have to do it twice.

More than that and I just leave, and give up on the site.

JoeTortuga on October 30, 2006 6:53 AM

At my company, we deal with OCR on a daily basis. Based on that experience, your findings are absolutely not suprising at all to me, Jeff. Even though we use very advanced OCR engines here, the data that comes out isn't the best.

I have no problem with CAPTCHAs or filling them out. The ones I do have a problem with would be example #5 you give: Extreme perturbation. That one is kind of hard for me to read because the 7 is getting overwritten by the A (though I still can read it obviously).

Jeremy on October 30, 2006 7:18 AM

But why is my "Enter the word" the same word, every day? If I have to enter a word, at least give me a new one every so often. Why not put up an image and have a person answer what it is. "Circle" "Triangle" "Bill Gates in jail" (oh I just chuckle every time I see that mug shot)

Tim on October 30, 2006 8:33 AM

Ticketmaster is the worst CAPTCHA I have experienced. Sometimes it takes me two or three tries to figure out the words they are spewing forth. Eventually it gives me an easy one, but then again, wouldn't the software eventually get in if the sites eventually give it an easy one?

Tim on October 30, 2006 8:36 AM

Phil Haack (is that his real name?) has blogged about 'invisible CAPTCHAs' that use embedded javascript to solve the CAPTCHAs, so the user never actually sees the CAPTCHA (unless the browser doesn't support javascript).

It's an interesting idea based on the fact that spambots don't interpret javascript:

http://haacked.com/archive/2006/09/26/Lightweight_Invisible_CAPTCHA_Validator_Control.aspx

mikeb on October 30, 2006 9:09 AM

CAPTCHA, 99.9% effective in blocking the visually impared.

steveth45 on October 30, 2006 9:21 AM

What about just making it hard for spammers to actually submit the comments? Like use different names and order for HTML form elements on every blog?

The key enabler for spam is software monoculture.

In the case of email, we have no choice, you need a standard protocol for mail. But for a human activity, like commenting on a blog, all that's required is that the user understand how to operate the interface-- what it looks like.

I don't use Movable Type anymore, but when I did, I used a nonstandard installation and renamed some of the directories. By looking at the server logs, I saw that this stopped at least some spambots. The next step would have been to hack the MT code to change the names of the form elements, and maybe even add some "honeypot" form elements (invisible fake post buttons and comment boxes maybe?).

Reed on October 30, 2006 10:24 AM

Doug, I think everyone would be happy to not "discriminate" as you call it if it was easy, unfortunately it is not very easy for a private person to make his site fully available for people with disabilities.

These laws that exists in some countries requiring all sites to be available for people with disabilities are absurd, who's going to provide that technology and pick up the costs ? Where does it stop ? There is always something more that could be done for a particular group with disabilities isn't there ?

Granted all government sites should be fully accessable but other than that these laws just proves how out of touch politicans are and how easily they can be persuaded by interest groups.

GH on October 30, 2006 10:25 AM

mikeb, the MS Ajax Tookit has something similar named the NoBot component, however hwo hard would it eally be to create a spambot built ontop of IE or Gecko that would easily pass the javascript tests ? It wouldn't be hard at all.

GH on October 30, 2006 11:31 AM

I can't spell, I'm tired :-(

GH on October 30, 2006 11:32 AM

Here's an interesting alternative: the ASCII art CAPTCHA. ;)

a href="http://www.thephppro.com/products/captcha/"http://www.thephppro.com/products/captcha//a

This seems pretty ingenious, if you implement it correctly. You could either output tricky HTML/CSS (or even more advanced, javascript), so now the spammer needs to render HTML, CSS, and possibly Javascript, and THEN needs to use good AI to convert the ASCII image to a phrase.

pdq on October 30, 2006 11:40 AM

Last week I've got 200 spam comments on my blog.
And all coming from the website, and not from the comment API.
So I imagine that the type of captcha used on my blog sw has been broken :-)

Simone on October 30, 2006 12:59 PM

BTW, the captcha used here is not sufficiently difficult. even MS software could read it!

Vinnie on October 31, 2006 2:29 AM

Yellow, no... blue. Wait, red... No orange. Help! I'm color-blind!

Me on October 31, 2006 10:41 AM

Come on Jeff, explain why you're happy to discriminate against people with visual disabilities, contrary to legislation.

Probably for the same reason as he filters out all of us who linked him from Blogspot.

why do you need to filter out bee-el-oh-gee-ess-pee=oh-tee website adddresses
Because of trackbacks. Blogsp0t is spam central.

Nice to know how much you respect your readers.

Leigh Simpson on November 1, 2006 1:57 AM

Nice to know how much you respect your readers.

Don't complain to me, complain to blogsp0t! It's really profoundly bad. See here:

a href="http://www.lockergnome.com/nexus/web/2005/06/30/the-strange-world-of-blogspot-spam-blogs/"http://www.lockergnome.com/nexus/web/2005/06/30/the-strange-world-of-blogspot-spam-blogs//a

--
What I've found, though, is that a large percentage (maybe up to a third) of all Blogspot blogs are spam-logs - sites created to increase the Google ranking of some other site (which is itself usually a Google-spamming site). The ultimate purpose of these spamlogs is usually to drive traffic to a commission-paying ph4rmacy, pr0n, or c4sino site.
--

That's from 2005, but I assure you the flow of blogsp0t trackback spam continued unabated through at least last month.

Jeff Atwood on November 1, 2006 6:57 AM

There are other simple ideas too ... think out of the box of "text recognition".
Something I used on my guestbook ...
http://bhansalimail.com/guestbook.php

It just asks people to add two numbers (they are a mix of random number/Swatch time).

Dozens of better ideas out there, but the problem is getting something popular enough to replace/expand on captcha's!

Vinit on November 2, 2006 11:40 AM

personally I'm loving the look of Geoff Appleby's Gaptcha... Captcha with photos instead.
http://blogs.crankygoblin.com/blogs/geoff.appleby/archive/tags/GAPTCHA/default.aspx

I'm also wondering if captcha is the best thing - because who needs comments from the visually impaired anyway?

andrew/crucible on November 5, 2006 7:05 AM

I admit to not having read everything on the page properly, but the thought occurs to me - and my apologies if this is way out dated - would a captcha made from either 1. a fading in and out set of letter (each fading from background colour to a different colour at different rates)..an animated gif or 2. a flash animation with moving characters be a lot more difficult to break?

Robert on November 18, 2006 1:09 AM

Hi,

I'm just entering the wonderful world of captcha's, but am wondering about another approach. I don't exactly know how spambots work, but would it work if everytime a page with a form is visited, the formfields have a different (randomised) name?

Another thought I had about visual captchas, would a small flash-movie displaying text/something (maybe some interactivity in it?) work? Only trick here would be to pass the right information backforth between the movie and the page...

cheers,
Job

Job on November 19, 2006 8:21 AM

orange

Dean Edwards on February 2, 2007 5:05 AM

I was getting wiki spam on a low-volume specialized wiki. I simply required users to use a password to edit, and put it right on the front page spaced out. Real naive, and instantly effective. Again, I wasn't a high-value target.

Michael on February 6, 2007 5:22 AM

Hi,

I am getting ready to launch an assembly for ASP.NET called HTMLCaptcha. I thought the readers of this article and blog might be interested in what it does.

HTMLCaptcha outputs a small icon-sized image -- a real picture, not skewed text -- created entirely in HTML/CSS, and then offers a random selection of choices that best describe the image. The user must select the correct descriptor in order to validate.

The idea is similar to that described in the paper "CAPTCHA: Using Hard AI Problems For Security".

There are several advantages to this method --

-- Hard A.I. problem. There is a much higher probability that a human will associate a random, arbitrary image with its correct descriptor than computer software.

-- Text scanning techniques do not apply.

-- Every developer can create their own CAPTCHA images for their site with the included utility. Uniqueness does provide a deterrent, and makes the A.I. problem harder:

I think the key isn't captcha, per se, but just being different. Security through obscurity in a sense.

An image can be anything. In the image cache that is included with the download, I use standard icons, plus simple bars of different colors (with descriptors like "vertical bars - black RED black BLACK"). You could also use sequences of geometrical shapes, e.g. two circles and a triangle, dots and slashes, or another set of icons, or mix and match.

You can download the demo (in beta), or read more at

http://www.htmlcaptcha.com

JA on February 15, 2007 10:42 AM

Hi,

I have a solution to cut 100% of guest book spam:

You ask the visitor for a $1.00 pre-authorization through PayPal before he can submit his form.
You then check the form submission, if he is a genuine visitor, you cancel the authorization, if he is a spammer, you withdraw his money.
You will be either lonely or rich!

Marc on February 21, 2007 4:59 AM

what about www.captchasolver.com ? it's an automated captcha solving web service and it's able to solve any type of captcha.

csharpp on March 27, 2007 1:13 PM

Well a turning test would be better if you have something like

A1B2C3 and the instructions are. Please enter all the Numbers from the string above. Or if they were colours something like. Enter all Red and Blue Letters from above. Or ever Second Red Letter. Soemthing that needs a little more smarts then just OCR.

Brian on May 4, 2007 1:59 PM

I wonder how different the results would be if instead of "enter the word image", it would just be "copypaste the word orange below". I would hypothesize that it would not affect comment spam that much, and would make things easier for (some of) the users. (Especially the sight-impared)

Roie on May 19, 2007 7:58 AM

I also have observed CAPTCHAs being easily violated in the wild. If the site has a high enough payoff, its worth it. In our case, reducing the incentive helped most. How? Timer. Normal users don't need to hit the page (not a registration app) more than once every few minutes. For the bots to make their money, they were hitting multiple times per minute, or as fast as the server would accept calls. A timer made it too slow to get their message out, so aside from preventing access, attacks dropped off almost immediately because we were not a good target.

shoobe01 on May 31, 2007 4:20 AM

Very interesting article, I've myself coded a simple CAPTCHA breaker in PHP (you can see it at http://www.alixaxel.com/wordpress/2007/06/15/php-captcha-decoder/) however this article reminded me of a way in which other more complex CAPTCHAS could be broken.

Alix Axel on July 1, 2007 8:17 AM

How about reCAPTCHA?

http://recaptcha.net/

It's a centralized solution where the images come from unOCRable words of old books' scanned pages.
With this CAPTCHA solving farms are turned into volunteer old book digitizing farms.

I gave it a try, you can see it in action at www.e4ec.org when posting a new notice. Spammers started to abuse the pages, now I'll see what they can do with recaptcha.

GalosA on July 22, 2007 3:15 AM

The problem is that all these puzzle and roadblocks are killers to the website traffic.

htt://www.mediaplanetaria.com

Juan on July 29, 2007 8:50 AM

CAPTCHA Turing farms *do* exist. They have been spotted in the wild:

http://www.getafreelancer.com/projects/142555.html

$3 per 1000 captchas, with 10,000 expected per person per day. 14 people offered to do the job.

There are literally hundreds more of these:

http://www.google.com/search?q=captcha+data+entry+site%3Agetafreelancer.com

They're typically for account creation on sites that will be used to send other spam. (Google and Yahoo Mail, MySpace.) They're not going to do a one-off solution just for your little blog, but the major sites are a big target and they will keep getting hit.

a/c on September 28, 2007 9:05 AM

And yet Yahoo's chat forums (captcha-protected) are full of bots.

Anonymous on September 29, 2007 5:01 AM

Check how Ticketmaster was defeated and sued...

'But RMG's software, according to Mr. Kovach, can also "figure out the randomly generated characters and retype them automatically."'

Andy on October 8, 2007 10:25 AM

I have translated the captcha plugin for dotclear into English. If anyone is interested, I'm using it now on my site and I have posted a link to the translated files in the first comment of this post where I describe what I did: http://www.matthewhelmke.net/index.php/2007/10/30/14-i-have-installed-an-accessible-turing-test

matthew on October 30, 2007 4:52 AM

Now social engineering and sex are being used to beat CAPTCHAs:

http://www.theregister.co.uk/2007/10/31/captcha-busting_trojan/

The trojan offers to show progressively more naked pix of a stripper as the user solves CAPTCHAs.

jeff on November 2, 2007 9:19 AM

Im all very new to this kind of thing?

could anyone help me find something that could easily break simple captcha's like this?

http://img219.imageshack.us/img219/2710/capvl8.png

DannyH on November 5, 2007 1:36 AM

In most cases no need to use cheap work force or OCR, more effective to use vulnerabilities in captchas. In my new project I'm describing vulnerable captchas and there are a lot of them in Interent.

No need to use troyans when there is my Month of Bugs in Captchas: http://websecurity.com.ua/category/moseb/

Besides, captcha at codinghorror.com is vulnerable for constant values bypass method (I wrote about this method at my site). You need more reliable captcha.

MustLive on November 13, 2007 8:08 AM

Whats wrong with you commenters?! You completely missed the point of this post. Captcha is not effective because it is unbreakable, it is effective because breaking it requires knowledge and/or computing power. Breaking captcha will increase costs of spamming, thus making spamming unprofitable.

Uncle J on November 17, 2007 8:47 AM

You have a fairly negative bias towards captcha-farms.

I'm not saying they are effective, but:

1) You don't pay 5$ hour for braking captchas. You get people from the poorest countries in the world.

2) Keeping up a porn site costs money? You know what, you can even make extra money with that porn site! In addition to breaking captchas.

I agree computers can not solve captchas until they really can reason - AI is not here yet.

doni on December 3, 2007 4:42 AM

No idea what OCR software you used, but Abbyy FineReader doesn't have any problem with most of them (especially the low noise one). However, your "combined" image was indeed unbreakable for it.

Indy on December 6, 2007 4:08 AM

i was wondering if i cant see the image of the captcha instead i see in the place of the image a red X as in the image seems to be broken what can i do

Afra on March 25, 2008 10:26 AM

On my blog, I tried an "accessible captcha" who ask very simple questions instead of words. For exemple, "in 656486473, what number come before 3 ?" or "what's the result of twenty two plus nineteen ?" (it also use sometimes a visual captcha). It's available for dotclear (but it's in a href="http://nurmagomedov.blogspot.com"dagestan/a ) at http://www.atelierphp5.com/un-captcha-accessible.html

good way ...

Geor on May 22, 2008 6:50 AM

charlie capindo on May 29, 2008 10:41 AM

Well I guess most everyone has already told you this, but I'll say it again. Captcha recognition using visual methods is MUCH more effective than you give credit. I can easily write algorithms to break any of your posted examples. And what's more, I can do it in a language as simple as AutoHotKey.

Just be aware that there ARE many real-world, working bots that can read captchas without brute-forcing or web hacking of any kind.

Thanks for the article.

Josh on July 16, 2008 1:15 PM

Truely speaking eailier i really dont know about CAPTCHA, i encounterd with it some time on the portal's but through this topic i came to know what the actually CAPTCHA is about, its very informative an di am really thankful of you for that information.

Shawn
-----------------------------------------------
http://www.clickidentify.com

Shawn on July 29, 2008 4:02 AM

http://www.laizjj.cn

fjdfe on August 20, 2008 7:19 AM

ALEX21 on August 26, 2008 8:15 AM

#21271;#20140;#19987;#19994;#25968;#25454;#24674;#22797;#20844;#21496;#65292;#20849;#21516;#25968;#25454;#24674;#22797;#20986;#23436;#32654;#25968;#25454;#12290;#30828;#30424;#25968;#25454;#24674;#22797;#25216;#26415;#22826;#23436;#32654;#20102;#12290;#20013;#22269;#30041;#23398;#34892;#19994;#65292;#25552;#20379;#25968;#25454;#24674;#22797;#26381;#21153;#65292;#29616;#22312;#24456;#22810;RAID#25968;#25454;#24674;#22797;#37117;#22810;#12290;#32780;#19988;#30828;#30424;#20462;#22797;#20844;#21496;#20063;#22810;#12290;#20294;#26159;#19978;#28023;#25968;#25454;#24674;#22797;#24456;#23569;#12290;#26477;#24030;#25968;#25454;#24674;#22797;#21364;#24456;#22810;#12290;#23567;#36137;#23637;#31034;#36135;#26550;#65292;#28909;#29233;#30828;#30424;#25968;#25454;#24674;#22797;#12290;#25105;#20204;#30340;#30828;#30424;#20462;#22797;#22797;#31532;#19968;#12290;#25105;#20204;#30340;#26376;#39292;#32654;#21619;#12290;#32500;#25252;#30828;#30424;#25968;#25454;#24674;#22797;#27704;#36828;#31532;#19968;#12290;RAID#25968;#25454;#24674;#22797;#21407;#26469;#20063;#36825;#20040;#23481;#26131;#12290;

DDD on August 30, 2008 1:32 PM

Here is an idea for a captcha that's actually unbreakable, and if limited to a specific language, even difficult to break by outsourcing to China/Russia/etc.

http://www.yuniti.com/BetterCaptcha

Marcos on October 14, 2008 11:45 AM

What I don't understand about it, is why you need captchas to protect forms. You only make your website unfriendly to your customers, human visitors in general.
Also using some javascripts to hide form elements not only is bypassed by bots but at the same time you cannot service humans who do not want to have active content enabled.
Spam is typically submitted by bots or other automated scripts. There're far superior solutions by using just plain HTML to protect the forms against automated scripts and bots and without visible overhead to the forms.

Mark S on October 31, 2008 5:12 AM

I' looking for any java script beside of catpcha which can detect human like typing speed, mouse movement if not will rederect to other url instead of posting

vietnamtin on November 3, 2008 1:01 AM

hello i want captcha entry work can anyne help me

venketlakshmi on November 5, 2008 10:55 AM

online_lakshmi@yahoo.com

venketlakshmi on November 5, 2008 10:56 AM

Thanks for the reply, I get it now!

miles on December 5, 2008 2:05 AM

Hi,

We need Good captcha Entry work. Could you please any one to help me?
:) gopi2i@hotmail.com

Gopinath.R on January 26, 2009 9:17 AM

captcha is dying.
http://slsecurity.blogspot.com
with
http://winguard.blogspot.com/

winguard on February 3, 2009 11:04 AM

Does your website need CAPTCHA?

http://www.webdigi.co.uk/blog/2009/does-your-website-really-need-a-captcha/

Web development on February 9, 2009 11:55 AM

Why Captcha,
Hackers can break them all.
http://dexzone.blogspot.com/
DexZone

http://crackzsl.blogspot.com/
Cyber Realm

Find some hack here

winguard on February 14, 2009 8:20 AM

[quote]Some people actually believe that spammers can now fairly easily write scripts which use advanced optical character recognition to automatically defeat any online CAPTCHA form. [/quote]

Ever heard of USDownloader? It was created to beat Rapidshare websites captcha.

Mein on February 14, 2009 11:03 AM

Bet nobody can solve this captcha:

http://chimptron.com/?p=122

Simian Antics on February 22, 2009 11:05 AM

fgfgfgf

gfgf on March 30, 2009 9:40 AM

Thanks for demonstrating that capthas don't have to be unreadable!

web design norwich on April 27, 2009 1:59 PM

Cool, Thanks for the great tip!
http://www.mpos.net/s/p3.asp
http://www.mpos.net/s/p4.asp

COOL on June 23, 2009 1:56 PM

http://www.mpos.net/s/p3.asp
Cool, Thanks for the great tip!
http://www.mpos.net/s/p4.asp

COOL on June 23, 2009 1:59 PM

i need a data capatche work can any one help me by mail me the website name pls my email is shak775@gmail.com

shakeel on June 24, 2009 2:29 AM

Thanks for assembling this. I would love a 8.5 x 11 2-page version for my aging eyes. I know, I know, people over 50 aren’t supposed to be scripting. Got to find an 11 x 17 printer…

grow taller 4 idiots on July 21, 2009 2:32 AM

Thanks for your post.
However people knows how to bypass captha and spam as they want.
http://winguard.blogspot.com/

I have recently setup an email form at my web site.
http://colombo77.com/offers/demonoid/index.htm

However I have noticed that some are spam this email form.
It uses basic captcha technique.
I think I need to go for a more advanced php cpatcha forms.
http://slsecurity.blogspot.com

Slsecuriy on August 11, 2009 3:56 AM

Thnx for thise details. This article was really informative for me. Thnx for those details

Pravin on August 18, 2009 7:05 AM

More comments»

The comments to this entry are closed.