In November 2007 I called these three CAPTCHA implementations "unbreakable":
* Google (unbreakable)
* Hotmail (unbreakable)
* Yahoo (unbreakable)
2008 is shaping up to be a very bad year indeed for CAPTCHAs:
Which means I am now 0 for 3. Understand that I am no fan of CAPTCHA. I view them as a necessary and important evil, one of precious few things separating average internet users from a torrential deluge of email, comment, and forum spam.
So reading that the three best CAPTCHA implementations have been defeated sort of breaks my heart. Even what I consider to be the strongest, Google's implementation, fell hard:
On average, only 1 in every 5 CAPTCHA breaking requests are successful, including both algorithms used by the bot, approximating a success rate of 20%.
A twenty percent success rate doesn't sound like much, but these spammers are harnessing networks of compromised PCs to send out thousands upon thousands of simultaneous sign-up requests to GMail, Hotmail, and Yahoo Mail from computers all over the world. Even a five percent success rate against a particular email service CAPTCHA would be cause for serious concern; with a twenty percent success rate you might as well put a fork in that thing-- it's done.
In the meantime, CAPTCHA still serves a useful purpose-- speed bumps that prevent evil bots and the nefarious people who run them from completely overrunning the internet, as Gunter Ollman notes:
CAPTCHAs were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHAs – instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHAs aren't the right tool for stopping today's commercially minded attackers.
There's simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever. How old is Google's CAPTCHA now? Two to three years old? In the short term, perhaps proliferation and evolution of many different CAPTCHA techniques is the most effective prevention. You should emulate the techniques from the most effective and human-readable industrial grade commercial CAPTCHA, but avoid copying them outright. Otherwise, when they're inevitably broken, you're broken too. CAPTCHA defeating tools are tailored to very specific inputs; if there's little to no monetary incentive, odds are nobody will bother to customize one for yours. My ridiculously simple "orange" comment form protection is ample evidence of that.
Beyond diversification, the deeper question remains: how do we tell automated bots from people-- without alienating our users in the process? How can we build a next generation CAPTCHA that's less vulnerable to attack?
Here's some food for thought:
At some point, unfortunately, CAPTCHA devolves from a simple human reading test into an intelligence test or an acuity test. Depending on how invasive you want to be, you'll eventually be forced to move to two-factor authentication, like sending a text message to someone's cell phone with a temporary key.
I don't have all the answers, but one thing is for sure: I hate spammers. As fellow spam-hating internet users we all have a vested interest in seeing CAPTCHA techniques evolve to defeat spammers.
In regard to Guillaume's comment.
Cute.. fluffy is nice.
The biggest issue with these types of captcha is that it is not too complicated to build a pretty thorough library of images used, quite quickly.
For instance, one can go to http://smokinn.com/blog/app/img/spam_pics/1.png
to get the first image (cool... public folder!)
and then iterate through the images to the end, gathering each.
A human with malicious intent can correlate the filenames to fluffy/not fluffy and then build automation. To make it even more robust (just in case you decided to use a renaming script to rotate the images around internally) the actual image could be correlated to fluffy/not fluffy. The program can then check the data in each image (rather than the filename itself) and 'sense' the matches and thus appropriate selections.
You would need a rather substantial library to make this captcha strong enough... and enough time to manually go through each one noting if it is fluffy or not.
Interested in hearing what improvements you have thought of...
Demi Raven on March 5, 2008 10:01 AM
Okay, it is used everywhere. Often it is very easy to see what letters and characters there are, BUT try this one: http://www.iis.se/domains/domainandcontactsearch?query=sunets0702-00001
Hkkathome on March 5, 2008 10:03 AM
Most captcha relies on you being able to see and speak English, so you have instantly alienated all your potential blind and non-English speaking users.
Most of the alternative systems mentioned above rely on a bot not knowing your captcha method; as soon as they do they can defeat it easily (at least often enough to be useful), or use subjective tests which humans regularly fail as well, or cost the user money ....
This last one is the best and worst: it would stop all the spammers (if it costs more than the return they will not spam), but it will also stop the majority of your potential users.
Universal ID is not an option. Universal ID is never universal; I for one will not have one and so will not pass, and it assumes that the ID system is perfect (cannot be cracked, cannot be faked), and every system can be and is if there is enough money involved.
Jaster on March 5, 2008 10:15 AM
Oh ...
Who transported Cleopatra's Needle to Central Park and shares a name with a firm of tailors in England?
Henry Honychurch Gorringe (Rhymes with ....)
Jaster on March 5, 2008 10:19 AM
I think that the actual problem is somehow, even with all of us telling our parents, friends and children NOT to click on spam links or buy from spammers, some "people" still do it.
If there was no money in spam, they wouldn't have any incentive, but you have to remember that in direct mail (snail mail) 1% is considered a good return; in email, costs are so much lower that .001% is still a good return.
So the real question is: how do we find that ignorant .001% of people and educate them???
Dave on March 5, 2008 10:34 AM
All this talk and not a single person suggested replacing the SMTP protocol with something more up to date with the real world?
Alex G on March 5, 2008 10:41 AM
I just say we make it legal to murder these bastards. Put out a bounty on their heads.
Where do I start?
dnm on March 5, 2008 10:45 AM
Check out the submission page on thoof.com - it uses a fairly novel approach where you must click on the kittens in a picture (it's a much more elegant implementation than the Microsoft proof of concept you link to above).
Ian Clarke on March 5, 2008 10:46 AM
Dave: With a claw hammer.
dnm on March 5, 2008 10:46 AM
@Alex G on March 5, 2008 10:41 AM
SMTP is slowly being replaced by web-based email.
KG on March 5, 2008 10:53 AM
We use reCaptcha - it works great so far :)
Lukas on March 5, 2008 11:40 AM
Captcha is good in theory, but I have come across many users who struggle to read the letters, including those who have lowered visual acuity. Some captcha themes are so obscure, though, as to make it difficult to read them in any circumstance. A new method is certainly needed!
BlackWasp on March 5, 2008 12:12 PM
I have a simple idea, and I think it is only breakable on a site-by-site basis. I don't think this could be broken by an automation except on a case-by-case basis.
The idea is simple, present the user with a paragraph of text describing something. Subsequently the user must answer a key question the solution to which was clearly presented in the paragraph previously. For example,
Fact: 20% of all dogs suffer from Fleas.
Question: In a selection of 25 dogs how many are likely to suffer from fleas? (One word) Five
Of course thousands of these could easily be created, and certainly more complicated ones with non numeric solutions. Basically solving these would require a certain level of intelligence. There are still I guess several hurdles such as the language barrier, the intelligence barrier and the requirement that these be created by a human in the first place and will probably require regular updating. Of course if this idea took on it would be possible for a company to create a server of these puzzles and then charge for site/content providers to use their regularly updated set of solutions.
The advantage of this approach is that the user must show real intelligence in order to solve these sorts of problems. This has never been solved by an automation, but before captcha was even invented there was already software which could solve handwritten character recognition, so it was only a small step to cracking captcha.
I guess the other problem with this approach is that lots of internet users don't want to invest the time to read a paragraph of text just to sign up to something.
Southern Chess Player on March 5, 2008 12:55 PM
Any new method will be attacked and broken too, not that that's necessarily a bad thing. It drives us forward, makes us find new ways of protecting ourselves. Often, the technology used by the bad dudes becomes useful too.
I always disliked CAPTCHA though. I've never been able to decipher them. Hopefully whatever is used to replace them is a lot more user friendly.
Naked Programmer on March 5, 2008 12:58 PM
@Thic Ric: no, Gmail spam can just be sent from Gmail's smtp server, or you can just spoof the From address. There are other protections (too many sent messages will cause your IP to be blocked) but it doesn't require solving captchas.
Paolo Bonzini on March 6, 2008 1:18 AM
LOL, the ASCII art captcha can be broken in a second... the only serious one to me seems recaptcha.
Paolo Bonzini on March 6, 2008 1:26 AM
To codemonkey:
validating identity does not mean that policy would not permit having more than one email address. But maybe those separate addresses can be managed under a single 'account'. So I do NOT propose that people should be limited to only one email address with a given provider, just like I have two cell phone numbers. I can turn off my work cell phone when at home, and vice versa. But it should be up to that identity provider (cell phone, email, whatever) if they want to allow a single person to have more than one. It may even prove to be another point of service for gmail to allow you to manage more than one email box under a single login.
Validation: That depends on the form of identity. As for the case with cell phones, a text message can be sent by an automated system. To activate the account, you reply to the text message with a certain message. I've actually seen this implemented on a site, and it worked for me. I don't recall where it was, since I only had to do it once and it was over a year ago.
I left my message with an open question: what other forms of ID are acceptable? I explicitly noted that users would NOT find it acceptable to use SSN.
Michael Lang on March 6, 2008 1:58 AM
Instead of captcha, why don't you ask a question?
And have a database full of questions like "what color is the sky"
or even harder questions like riddles, so the computer won't be able to break them but a normal human with basic understanding will.
Another idea is have a movie played and the answer to the question is inside the 10 second clip which could be a flash or real player.
boya on March 6, 2008 2:20 AM
I see where you're coming from, but what's your average Joe who needs a quick email for whichever benign reason going to think? The credo of the big sites is their accessibility - secure email providers exist for those users sufficiently paranoid, but for everyone else there's a quick gmail account and away you go. Are casual users going to remain if they have to jump through more hoops than 1 or 2 captchas?
I stand by my claim that the best solution is a dual system - captcha and administrative routines to back that captcha up. Captcha alone clearly isn't a solution, and any decent admin ought to be keeping tabs on this stuff anyhow even (or especially) on a site as huge as google. Stating that you should have to pay a micropayment or submit identity to gain a simple web-based email address seems kind of boggling, though maybe that's just the culture shock setting in.
codemonkey on March 6, 2008 2:57 AM
My missus liked the "cats and dogs" one but she would!!
I like what Ajaxian.com do, ask a question like "what does the X in AJAX stand for?" Of course this has the added bonus of weeding out any human that doesn't know what they're talking about as well.
Of course, as with all systems like this, it only takes time for people to hack it. This article could easily be posted after several years of any alternatives.
Are we just too reliant on computers to do things for us?
Matt Smith on March 6, 2008 3:00 AM
All of the replies above have a flaw in as much as they refer solely to the quality of the Captcha. If a spammer's machine fails a captcha four times then succeeds (and I realise this is not how probability works, but law of averages here) then clearly they're safe and can go on to make as many accounts as they like, right?
What's being forgotten is that it's very easy to shore up the captcha capability with automated or manual flagging of IP addresses and identities. Keep logs, alert admins. If IP address xxx.yyy.foo.bar just tried to send out x captcha requests in y minutes and got z% of them wrong, ban it - or, if you're feeling charitable, block it for a week. While we're at it, flag the email addresses they successfully made and either automatically block, disable or remove those or else drag them to the attention of an admin. You could argue that the wave of captcha requests can happen too fast for a human administrator to respond, that it'd be relentless and your poor admins would never get any sleep; what's to stop this process being totally automatic on the part of the server, and letting admins take a look at sufficiently borderline cases?
You could further argue that letting an automated system cancel and ban accounts is too heavy-handed, but these are free email accounts on privately owned servers: in return I'd point out we are very far into 'Access is a Privilege, Not A Right' territory here. If they were charged for I would expect a far more sophisticated and authenticated system, but on what is (no offence meant) the lowest common denominators of popular webmail sites I would rather the admins be heavy-handed than too soft.
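The "x captcha requests in y minutes with z% wrong, then ban and flag the accounts" logic proposed in the comment above, written out as an added example (this is not the commenter's code, nor anything a real webmail provider runs). The log format, the thresholds (10 attempts in 5 minutes with more than half failing) and the sample lines are all constructed for the example; a real deployment would persist the ban list and window state in a shared store rather than in process memory.

```python
"""Sliding-window monitor: ban an IP after too many CAPTCHA attempts with too
high a failure rate, and flag accounts it created in that window.
Added example; thresholds and log format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, client IP, event, optional account=...
# These lines are constructed for the example (203.0.113.7 is a bot, the other is a person).
SAMPLE_LOG = """\
2008-03-06T03:00:01 203.0.113.7 captcha_fail
2008-03-06T03:00:02 203.0.113.7 captcha_fail
2008-03-06T03:00:03 203.0.113.7 captcha_pass account=spam001
2008-03-06T03:00:04 203.0.113.7 captcha_fail
2008-03-06T03:00:05 203.0.113.7 captcha_fail
2008-03-06T03:00:06 203.0.113.7 captcha_fail
2008-03-06T03:00:07 203.0.113.7 captcha_pass account=spam002
2008-03-06T03:00:08 203.0.113.7 captcha_fail
2008-03-06T03:00:09 203.0.113.7 captcha_fail
2008-03-06T03:00:10 203.0.113.7 captcha_fail
2008-03-06T03:05:00 198.51.100.9 captcha_fail
2008-03-06T03:05:40 198.51.100.9 captcha_pass account=alice
"""


class CaptchaAbuseMonitor:
    def __init__(self, window=timedelta(minutes=5), max_attempts=10, max_fail_ratio=0.5):
        self.window = window                  # y minutes
        self.max_attempts = max_attempts      # x requests
        self.max_fail_ratio = max_fail_ratio  # z% wrong
        self._attempts = defaultdict(deque)   # ip -> deque of (ts, passed, account)
        self.banned = {}                      # ip -> time the ban was applied
        self.flagged_accounts = set()         # accounts created during abusive windows

    def record(self, ts, ip, passed, account=None):
        """Feed one CAPTCHA attempt; return True if this attempt triggered a ban."""
        if ip in self.banned:
            # Anything that still gets through from a banned IP is suspect.
            if account:
                self.flagged_accounts.add(account)
            return False
        q = self._attempts[ip]
        q.append((ts, passed, account))
        while q and ts - q[0][0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) < self.max_attempts:
            return False
        failures = sum(1 for _, ok, _ in q if not ok)
        if failures / len(q) <= self.max_fail_ratio:
            return False
        self.banned[ip] = ts
        # Retroactively flag the accounts this IP managed to create in the window.
        self.flagged_accounts.update(a for _, ok, a in q if ok and a)
        return True


def parse_line(line):
    ts_s, ip, event, *rest = line.split()
    account = None
    for tok in rest:
        if tok.startswith("account="):
            account = tok[len("account="):]
    return datetime.fromisoformat(ts_s), ip, event == "captcha_pass", account


def scan(log_text, **kwargs):
    """Replay a log through the monitor and return it for inspection."""
    mon = CaptchaAbuseMonitor(**kwargs)
    for line in log_text.splitlines():
        if line.strip():
            mon.record(*parse_line(line))
    return mon


if __name__ == "__main__":
    m = scan(SAMPLE_LOG)
    print("banned:", m.banned)
    print("flagged accounts:", sorted(m.flagged_accounts))
```

The ratio check matters: a human who mistypes a few challenges never reaches ten attempts in five minutes, while the bot in the sample trips the ban on its tenth request and loses both accounts it had already created.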
codemonkey on March 6, 2008 3:03 AM
* Distinguish pictures of dogs from cats
- what if you're a dumbass and can't manage that?
* Choose a word that relates to all the images
- what if you're a dumbass and can't manage that?
* ASCII art
- what if you're a dumbass and can't manage that?
* Solve failed OCR inputs
- what if you're a dumbass and can't manage that?
* Trivia questions
- what if you're a dumbass and can't manage that?
* Math and word problems
- what if you're a dumbass and can't manage that?
You have to remember that 50% of the world's population has a lower than average IQ (obviously). It's a bit cruel asking them to answer even the simplest of questions.
p.s.
***CLICK HERE*** For hot orange babes with MASSIVE oranges who want to suck your orange - these orange sluts will make your orange 5 INCHES LONGER in just ONE WEEK!!!
Get cheap orange MEDS online from OnlineOrangePharmacy etc...
RWW on March 6, 2008 3:55 AM
I suspect cat vs. dogs will give a 50% success rate :-)
Yuval Perlov on March 6, 2008 5:53 AM
For the sites that are concerned with signups - as opposed to say codinghorror where it's just a login - why not just have a minimum time set? Somewhere between 1-2 mins?
For a person entering all of their information and reading the whatnot on the page, they might not even notice at all that 1-2 mins have passed since the page loaded, whereas some algorithm (or paid person) that is able to crack the captcha can only do it from 1440 - 720 times a day. It's not a deal breaker but it definitely shifts the supply curve for the people who are in it for the money.
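One way to enforce the minimum time proposed above without trusting the client's clock, as an added example that is not the commenter's code: the server stamps the form with a token carrying the issue time and a random nonce, MACs it, and refuses submissions that arrive too soon, too late, or twice. The same check covers the "posted two seconds after generation" trick mentioned further down the thread. The secret, the 60 second floor, the 30 minute expiry and the in-memory replay cache are assumptions for this example.

```python
"""Signed form token enforcing a minimum (and maximum) time between rendering
the form and accepting the submission. Added example; limits are assumptions."""
import base64
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)      # assumption: per-process secret; persist and rotate it in practice
MIN_SECONDS = 60             # assumption: the 1-2 minute floor from the comment, lower bound
MAX_SECONDS = 30 * 60        # assumption: expiry so tokens cannot be stockpiled and replayed later
_used_nonces = set()         # assumption: in-memory replay cache; use a shared store in practice


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Embed issue time and a random nonce, then MAC them so the client cannot alter the time."""
    issued = int(now if now is not None else time.time())
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()   # no ':' in the alphabet
    payload = f"{issued}:{nonce}"
    return f"{payload}:{_mac(payload)}"


def check_token(token, now=None):
    """Return (ok, reason). Rejects malformed, forged, too-fast, expired and replayed tokens."""
    now = now if now is not None else time.time()
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(mac, _mac(f"{issued}:{nonce}")):
        return False, "bad_signature"        # timestamp or nonce was tampered with
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return False, "too_fast"             # no human fills the form that quickly
    if elapsed > MAX_SECONDS:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"             # the same rendered form submitted twice
    _used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    t = issue_token(now=1000)
    print(check_token(t, now=1001))   # too fast
    print(check_token(t, now=1090))   # ok
    print(check_token(t, now=1091))   # replayed
```

The MAC is what makes the delay real: without it a bot simply submits a token whose timestamp is already two minutes old. The expiry closes the other obvious hole, requesting thousands of forms up front and submitting them later at full speed.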
Steve-O on March 6, 2008 6:09 AM
Part of the protection inherent in schemes like Guillaume's fluffy/not-fluffy is that it's there on his site, and not very many else; same with the "who is this character you should know about?" scheme. Each individually might be easy to write a data-driven script for that gets a reasonable number of successes by chance. But to crack both of them, you need two sets of precomputed response data, at least.
Now you can get into a personal site and at most a smallish number of fan sites. Big deal.
If there are many flavours of site using these approaches, each with a different set of possible responses to subject-specialist challenges, the work required to overcome any arbitrary site increases. Yes, it would be possible to build up a site-to-plausible-vocabulary database, but it would at least incur a cost to build that up. It's just another instance of diversity vs monoculture.
The places that will always have the problem are the all-comers type site, like Google, and I don't have a solution for that, especially under the plausible assumption that the attacker is using a botnet to spread his signal.
Steve on March 6, 2008 6:20 AM
Research has noted that the best captcha has a combination of varying character size, character font type, character colour, character positioning, and background. Now, if you randomise these factors, i.e. each character of the captcha word is unique, you should theoretically get a very good captcha.
This is what we are trying to accomplish, and an example can be found here:
http://twiki.org/cgi-bin/view/Plugins/CaptchaPlugin
To follow up on my last comment... As for email or other 'identity' providers, why not require two forms of other 'identity'? That technique is used to get a new driver's license, a new bank account, a passport, and even a job. I think it is perfectly reasonable to expect one or more forms of identity to create another form.
Obviously the issue with this is that a majority of people are not going to be willing to give some forms of personal identification such as an SSN#, birth certificate, last utility bill, or last paycheck. Additionally, a number of these are culturally dependent. However, there are forms of ID that anyone can get where the identity provider has done some kind of validation of the identity.
The first that comes to mind is a cell phone number. Some cell phones do not require identity, such as ATT GoPhones. But they do cost some money. It is doubtful that it would be worth it to a spammer to buy 1000 phones, use them to get other online identities, and then take the time to sell those phones again. However, if that is a concern, you can require that the phone be from a subset of cell phone providers that do require billing information from the user.
Does anyone else have an idea for another identity a web site can reasonably request and VALIDATE that a user would be willing to supply? Ideally, there should be at least three different identity options, and let the user decide which two they have available to supply.
This comment does NOT apply to validation of an anonymous user when posting a blog comment or forum post. Those sites should either require login, or rely solely on statistical filtering to determine spam based on content.
Michael Lang on March 6, 2008 7:58 AM
To Michael Lang:
I've got four Gmail accounts - one that is my real name (joe.q.bloggs@, as a purely random example) for jobhunting and similarly official stuff, one that is historic and I've had for ages and that people I know casually use to contact me, one that is sufficiently extant I can use it for random purposes, and one that is used solely to sign up for forums and other such services to alleviate some of the spam. This isn't even a remotely unusual use of Gmail: part of the very draw of these services is that you can throw out multiple accounts for whatever purposes you need.
In the face of that:
1) How are you going to compare-validate? If someone gives you a document reference that's a duplicate to the one in your system, are you going to say 'no, no second email for you'? That's taken away half of the usability of the system in a stroke, and you'd better hope that your single address doesn't get hit by too many spammers that end up making it unusable - since you can't get a new address to 'start over' without destroying your old one. If you're not going to compare-validate what's the point in demanding ID that anyone could make up? (See: address+postcode fields in hotmail signup.)
2) How are you going to verify-validate? If someone gives you a cellphone number are you going to call them up and ask 'hey, did you just sign up an email address?' You have to, otherwise how do you know they didn't just pluck a number out of midair? Multiply that amount of bureaucratic hassle by the number of gmail accounts there are. Then multiply that exponentially to be able to validate on things that are truly unique and have heavy information restriction in place such as SSN#s or National Insurance numbers. I'm reasonably sure the Data Protection Act would not exactly consider your SSN critical for signing up for free email. Compare that hassle to Hitting The Big Red Ban Button for too many hits from one IP or for too many suspicious captcha fails.
(As a side note, together with my 4 Gmail accounts I own 0 mobile phones.)
3) Are you going to trust bank details, billing details, stringent sets of contact details, or SSN/NI details to sites that are favorite targets for iframe / phishing / spamvirus attacks?
codemonkey on March 6, 2008 8:30 AM
In response to Steve:
"Now you can get into a personal site and at most a smallish number of fan sites. Big deal."
Big Deal indeed for those who run those sites should it be compromised. Unless there is a suitable message throttling mechanism in place, it may lead to a DoS attack and perhaps significant overage charges from one's ISP.
You are absolutely correct in your comment that "all-comers" such as Google face the biggest issues.
The main point is that one should never be too self-assured of the security of one's CAPTCHA method. There are plenty of methods that spammers can use to break a CAPTCHA, and any CAPTCHA that can be seen and analyzed by a person can be similarly analyzed by a computer...
A big question is: if we still wish to proceed in using CAPTCHAs, how does one develop a CAPTCHA that is complicated - perhaps random - enough that a computer would have a difficult time with it, without making it so complicated that it becomes an obstacle for a human?
Demi Raven on March 6, 2008 8:59 AM
Hey Now Jeff,
It sure will be interesting to see how CAPTCHA evolves over time.
Coding Horror Fan,
Catto
Why not use better stalling/probationary techniques. 1 e-mail per day until enough long term users have not called your e-mail spam, then weed out the long term accounts that approve accounts later marked as spam senders.
x (probationary user) has sent you this e-mail is it spam? y/n
Sending the first 10 e-mails require captcha of various forms, failing any deletes the account. 20% success wouldn't be good enough.
Any mass mailing activity in the first 30 days = deletion.
Have people prove their nationality by finding the bad grammar in a story, then monitor how many e-mails are sent to countries not speaking that native language. (oh noes, you may needs grammar to sends males to the internets - wouldn't that be a bonus.)
But basically, just continue to imagine new tricks that computers haven't been programmed to defeat yet, and cycle through them randomly. Then when one technique is defeated, remove it from the rotation and add 2 more unsolved techniques. Eventually you'll have a collection of 100's or 1000's of tricks to be solved and solving any one of them will have a very low rate of return.
Berg on March 6, 2008 10:43 AM
Prompt the user with 2 captchas... 20% x 20% = 4% chance of success for bots.
Manu on March 6, 2008 11:07 AM
I am beginning to wonder if captchas are nothing more than Turing tests.
ralph on March 6, 2008 12:04 PM
"You must make a 30 cent payment using PayPal. Click on the "Pay Now" button."
How's that for a captcha or gotcha or whatever
John A Davis on March 6, 2008 12:18 PM
Ticketmaster recently won a lawsuit under the DMCA against a company that created bots that circumvented CAPTCHAs...
If companies can go after music file-sharers in the courts, why can't they go after spammers?
LS on March 6, 2008 12:32 PM
Most people know the difference between a man and a woman from looking at a picture - why not use that fact for a CAPTCHA?
Ulrik on March 7, 2008 5:49 AM
The "What's the common theme of the images" is intriguing, but might have cultural bias.
Also, as tagged pictures (Flickr, Zooomr, others) become more of a searchable database, such a system might become less effective.
Ike on March 7, 2008 9:00 AM
I see two keys below the F on mine... neither of which is the one key below the F on a Dvorak... also, it is not necessarily the case that everyone can receive cellphone texts...
RWW --
"You have to remember that 50% of the world's population has a lower than average IQ (obviously). It's a bit cruel asking them to answer even the simplest of questions."
Umm, you mean 50% of the world's population has a lower than *MEDIAN* IQ. Guess we know which half you're in.. wokka wokka.
Brian on March 8, 2008 12:00 PM
I'm reminded of XKCD's solution ( http://xkcd.com/233/ )
When Littlefoot's mother died in the original 'Land Before Time,' did you feel sad?
( ) Yes
( ) No
(Bots: No lying)
Joking aside, any solution should address human spamfarms. Like a, "What's the name of this site?" or "What color is this site's background? Yellow, white, or blue?" where multiple choice is not radio buttons, but a text field, and the question asks something about the context that'd be removed in a spamfarm.
The problem is that for something like Google or Hotmail, the site's too well known and the reward for cracking is too high for most captchas, including context-based questions, to be effective.
Also, what would we call a CAPTCHA that is meant to thwart human spammers?
Blain on March 9, 2008 4:47 AM
The hotmail captcha is one of the worst that I've seen.
Syahid A. on March 9, 2008 7:26 AM
Here's a nice idea about captcha cracking:
http://ardoino.com/41-online-social-and-unaware-captcha-cracking/
At an abstract level a CAPTCHA is attempting to perform a specific Turing test to determine if an unknown participant is a human or machine.
As the variety of CAPTCHA increase, the Turing tests change from specific to general.
A program capable of discriminating the difference between a human and another machine for these 'general' Turing tests would be capable of passing itself off as human to itself (and possibly humans too).
You end up with an infinite recursion, a CAPTCHA arms race. As a side effect SPAM solves a key problem of machine intelligence (who said it was useless!).
What if you showed a picture which the user had to describe in one word, but also randomly changed the pictures?
So you could have a few thousand of each (i.e. dog, cat, house, market, man, woman etc. pictures) and thousands of different words.
Then change all of the pictures every so often.
It sounds daft, I know.
JamesT on March 10, 2008 4:12 AM
Sorry, didn't read the above posts.
JamesT on March 10, 2008 4:13 AM
I use a modified captcha-type Turing test on my blog. Now, I don't get the traffic that some sites get, but I had a post make the front page of digg.com recently. That post garnered well over 100 comments, without a single spam comment.
How did I modify it? Well, I don't use reading or images. I use a form of an intelligence test with questions that should be easy for a human to answer, but not for anything automated to guess easily. Some answers are text, some are numbers. It's not perfect, and it could probably be broken pretty quickly and easily by anyone with a will to do so, but really, if we are honest with ourselves, all a captcha or any other Turing test is going to do is help eliminate the nuisances. This is like putting a lock on the front door of your house, it won't prevent a thief with intent, but it will stop the casual opportunist attempting to open the door.
matthew on March 10, 2008 5:55 AM
With CAPTCHA breached, do you think that Google system issues like the meltdown Google Groups group-owners are experiencing
http://groups.google.com/group/Google-Groups-Basics/browse_thread/thread/1427ec5996001762/
are the result of Google overreacting to this security threat?
I run a web site that has a registration form that was getting bombed by spammers. I threw in two very simple tests:
1. I scan every submission against a list of "unlikely words". This list includes words that were routinely showing up in the spam ads, like "mortgage" and names of sex drugs, including a few common "obfuscated spellings" like "\/iagra". (Obviously if you are running a web site for a bank, blocking anyone who asks about mortgages may not be a good plan. The list of prohibited words would have to be tailored to the site.) (I see from my first attempt to submit this post that you're blocking names of sex drugs also.)
2. The funny part: One field on the form asked the user to place himself in a category with a set of radio buttons to pick. I noticed that the spammers picked the first radio button well over 90% of the time. So I added a new first choice, "I am a spammer", and if they picked that, I rejected the entry.
Since making the above two changes several months ago, only a handful of irrelevant entries have made it through, and those look too coherent to be machine-generated spam, I think they're "manual spam".
The big caveat on this sort of strategy is that my site gets about 60,000 unique visitors a month and the only thing anyone has to gain by spamming my site is getting his ads or links to his site onto my pages. That is, I'm not a big target. I'm sure if Google or a big bank or somebody tried my tactics the spammers would see what they were up to and easily circumvent it.
But I think it stands to reason that "adequate security" for a small site with little to steal is much different from adequate security for a big site that could potentially give a successful hacker access to megabucks. Like, I lock my front door and I keep a gun handy for self-defense. I consider that adequate security. I certainly hope that First National Bank, not to mention nuclear weapons depots, have more stringent security than that. I have no illusions that the lock on my front door is going to keep a skilled team of terrorists from breaking into my house. But I also pretty much assume that no skilled team of terrorists is likely to target my house.
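The two checks described in the comment above, the "unlikely words" scan with obfuscated spellings and the "I am a spammer" honeypot radio button, as an added example that is not jay's actual code. The word list, the field names, the decoy option's value and the normalisation rules (leetspeak substitutions, the "\/" for "v" trick quoted in the comment, and dropping separators so "v.i.a.g.r.a" collapses) are assumptions; the submissions it runs over are constructed.

```python
"""Registration-form filter: honeypot choice plus a normalised unlikely-words scan.
Added example; word list, field names and normalisation rules are assumptions."""
import re

# Assumption: a small, site-specific list (a bank would not block "mortgage").
UNLIKELY_WORDS = {"mortgage", "viagra", "cialis", "casino"}
# Assumption: value of the decoy first radio button that no human picks.
HONEYPOT_CHOICE = "spammer"

# Single-character substitutes commonly used to dodge naive word filters.
_CHAR_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "@": "a", "$": "s", "!": "i", "|": "i",
})


def normalise(text):
    """Lowercase, undo common obfuscations, and drop everything but letters."""
    t = text.lower().replace("\\/", "v").translate(_CHAR_MAP)
    return re.sub(r"[^a-z]", "", t)


def find_unlikely_words(text):
    """Return the blocked words present after normalisation, sorted."""
    letters = normalise(text)
    return sorted(w for w in UNLIKELY_WORDS if w in letters)


def classify_submission(form):
    """Return (accepted, reason) for a dict of submitted form fields."""
    if form.get("category") == HONEYPOT_CHOICE:
        return False, "honeypot"
    free_text = " ".join(str(v) for k, v in form.items() if k != "category")
    hits = find_unlikely_words(free_text)
    if hits:
        return False, "unlikely_words:" + ",".join(hits)
    return True, "ok"


# Constructed submissions: one bot that picked the first radio button, one that
# obfuscated its ad copy, one real visitor.
SAMPLE_SUBMISSIONS = [
    {"category": "spammer", "comment": "great site", "url": "http://example.invalid"},
    {"category": "student", "comment": "Cheap \\/iagra and m0rtgage deals here"},
    {"category": "student", "comment": "Loved the article on chess openings"},
]


def filter_submissions(submissions):
    """Return the submissions that pass both checks."""
    return [s for s in submissions if classify_submission(s)[0]]


if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        print(classify_submission(s), s["comment"])
```

As the comment itself notes, this only works because nobody has tailored a bot to this one site; the substitution table is a guess at what the spam that showed up looked like, and every addition to it risks a false positive on a real visitor.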
jay on March 13, 2008 12:40 PM
On a totally different direction: How about if we just start compiling a big list of web sites and email addresses of spammers. It should be easy enough to collect this using spam filters on email programs. Then post many copies of this list, with hot links, all over the net. Then the spammers' robots will find it, and they'll start spamming each other! It may not do much to solve the problem but it would certainly be poetic justice.
Idea #2: Put together an organization dedicated to tracking down the home phone numbers of spammers. Post this on the net. Encourage hundreds of thousands of people to call them at all hours of the day and night. Maybe they'd sue for harassment, but it would make for a fun day in court.
jay on March 13, 2008 12:57 PM
Jay: because blacklists don't work. Enumerating badness is like trying to count grains of sand.
http://www.codinghorror.com/blog/archives/001009.html
Jeff Atwood on March 14, 2008 2:10 AM
There's a service that hires captcha typers from Bulgaria.
To Jay: most addresses are faked or are joe jobs.
Justin Goldberg on March 14, 2008 3:30 AM
graylist
calcnerd256 on March 16, 2008 1:15 PM
Captcha is a hurdle for visitors. Why should visitors have to jump thru hoops b/c of spammers? (And still, it's not 100%).
Blacklists / greylists / whitelists are a PITA to maintain, distribute and make errors.
Moderation puts the onus on the blogger and a delay in the comment posting - who wants either?
Bots make oodles of assumptions and can be tested for, just need to think like a bot. :D
No hurdles, open commenting, no maintenance, no delay ... simple. ;)
stk on March 29, 2008 10:03 AM
Interesting ideas, but most won't work
1) ASCII art
- take a png from the webpage and OCR it (piece of cake, 1 hour work)
2) Javascript
- comments are made by HTTP requests (GET or POST). No JavaScript is involved, and if it's in the browser, you can look at what it does, simulate it and POST it. Robots don't use a webpage, they use a socket to send the HTTP request
3) dogs/cats/ugly people
- 9 pictures, 3 choices, that would be 1/1000 ?
could work, but I saw some guys that I wouldn't call ugly that were labeled ugly. Can't work for google/hotmail, spammers would just harvest the images and create 1 big database with the results ugly/not ugly. Homeusers can't use it either, they don't have an ugly-people database.
4) jane has 4 oranges, take away one, how many does she have left?
- useless, you can't say this question in 20 different ways, so hackers will be able to calculate this very easily.
5) math
- if there is something a computer can do, it's solving math... so useless
Actually, no system will work. People in China get 30$ a month (!) to make my NIKE running shoes. Give 50$ to some friends from India and they'll solve captchas all day long... Defying all captchas
Tricks:
- no human can enter a captcha within 1 second, so if the message is posted 2 second after generation - delete
- no one is supposed to post more messages than 1 per minute
- limit the regeneration of the captcha: 1 minute for the 2nd chance, 2 for the 3rd, 5 for the 4th, 10 for the 5th...
- if the captcha isn't solved within 10 seconds after generation (let them first solve the captcha before entering userdetails/comments) it fails - solves the farming/sending to p*rnsites
- internet police: log IP's, IP + time = user
that user's internet access is blocked for 7 days. countries not cooperating: cut-off of the internet
Also:
use a captcha to inform the user if the registration/comment was successful
- that way, a bot doesn't know if he solved the captcha correctly ;) since knowing that would require solving a captcha :P
Tim on April 7, 2008 6:38 AM
I don't mean to spam :)
But for forums/blogs: registered users should be able to flag something spam. Make use of the "web 2.0 social" techniques to fight spammers
http://www.theregister.co.uk/2008/04/14/msn_captcha_breaking/
MSN is truly broken...and definitely by script, not cheap labor.
Jeff on April 14, 2008 3:08 AM
First, judging by Poker's comment above, your captcha is broken ;)
Second, your captcha has made the news: http://www.news.com/8301-10784_3-9929073-7.html
Caleb on April 29, 2008 4:07 AM
How about ReCaptcha? Anybody heard it broken?
It is the Captcha 2.0 green technology (recycling human computer interaction power)!
Hi Jeff
Why didn't your captcha control work, when reject user from the default page ?
Ken on May 26, 2008 4:53 AM
a
a on May 26, 2008 1:23 PM
ya cool article. thanks a lot.
dvdsfv on July 12, 2008 8:51 AM
Dear Sir,
Thanking you again and have a nice day. I am very interested to join
online captcha entry project. So i need your help. I promise you that
always i give you support as your requirement. Pls give me a chance to
join with your job.
I am waiting your nice confirmation.
Regards
Ahsan
e-mail:ahsan_0115@yahoo.com
ahsan011@gmail.com
captchas are a thing of a past no offense... youclash.com
youclash.com on January 10, 2009 7:28 AM
To kill the spam you must kill the benefactor (the advertiser) why not post heavy fines and penalties on these guy. I get junk every day from legitimate mortgage, manufacturing, medical, etc... HELLO these are the guys paying to send the spam. Kind of like the king pins in the Drug industry placing their name and address label on every drug they sell. They broadcast themselves every day. Why don't they get stung. In the event we signed up for their junk make them prove it. Am I missing something here because it seems like a no-brainer to me. Sign in Visa,MC,AMEX,DISCOVER,PAYPAL and all other big time payment systems into the legislation and require them to firewall any payments made to blacklisted offenders. No sales stops the advertising payments real fast. That's how you kill the spam business short of shutting down the internet all together. Want to know how to kill the drug industry - poison the drugs and let them go to the streets only the biggest junky of junkies will continue to roll the dice. Leave the pot alone because I kinda like that one sometimes - helps kill the frustration of all the spam I need to filter through every other day.
Michael on April 16, 2009 4:29 AM
guiar
trova on April 16, 2009 7:33 AM
hotcapcha is a little subjective - I wasn't sure there was a third hot one :)
I have an online savings account that has a terrible system though. You have to put in about twenty secret questions. I'll never remember all the answers, or I'll have changed my mind, or something by the time I have to access it again.
As well as putting together multi-factor authentication for stuff like online banking, there also needs to be a culture-change. Governments need to get tough and prosecute and also religions/moralists/parents/whoever need to educate the next generation that it is wrong to steal.
John Ferguson on February 6, 2010 10:20 PM
When making a comment on the Wolfram or MathWorld site, they ask you: 3 + 4 = ?
The math is even in plain text on the page.
Not sure what their success rate is, but it is probably pretty good. For email providers, this would obviously be overrun quickly. Word problems would be even better. They could even be simple and take a lot of different forms: "What is 4 from seven?", "Jill gives Johnny two apples plus three oranges. How many apples does Johnny have?"
Jason B on February 6, 2010 10:20 PM
I think it's time to add some intelligence in the process, what about 'questions' like these:
a banana cost $1. three bananas will cost $_____
I had a $3 discount on a $15 product. I paid $____
and the text could come as a standard captcha.
( I am Brazilian, so my writing might have some mistakes ).
A surprising number of the suggestions above are culturally dependent. For example:
Not everyone has a Social Security Number. In New Zealand for example, there is no universal personal identifier (and long may that freedom continue).
Not everyone has a driver's license. I was 42 before I felt the need to get one.
Not everyone will recognise an athlete dribbling a round ball as related to the word "basket", as http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix just asked me.
Any trivia questions (no matter how simple) will be foreign to some people. ("What's the second world war?" asks someone in Chad.)
Spam is a tax we pay for having email. Use spam filters - all you can.
ISPs should have better spam filters than most do: Gmail does well. Learn not to let spam annoy you.
What is the button below F on your keyboard?
:D
captchas are a fake
erectile dysfunction causes on February 6, 2010 10:20 PM