Can CAPTCHA be saved?

[ktinkel]

The New York Times had an article on CAPTCHA (the odd bits of scanned text people must decipher to register here and elsewhere, or to post comments on a blog, etc.)

“A Dog or a Cat — New Tests to Fool Automated Spammers” (June 11; available free for one week) pointed out that robots can read CAPTCHA images. (No fooling — they get past ours regularly.) In response, developers have been making the images more complex — using color, layering, distorting angles or widths, adding background noise, and other tricks — until now some of these images cannot be read by human beings, yet still fail to foil the spammers.

One solution is to use abstract images (dogs, cats, etc.) that people can decipher though, presumably (or so far) the ’bots cannot. Another approach is to apply 3D effects, change the plane, and otherwise distort the characters mechanically without making them indecipherable to humans.

Poking around, I found one company that is working on the CAPTCHA problem (and selling the results): OCR Research. Programmers and others can license their technology (or it can be free in exchange for a link next to the CAPTCHA image). Not sure individuals can make direct use of their technology, but there some interesting things to see at their web site:

In order to prove the point, they “break” existing CAPTCHAs and show them on their “List of Weakness” (pages and pages of images that can be read by spiders and robots, complete with attribution). Interesting to see what doesn’t work, and why.

They also show examples of one of their improved CAPTCHAs (click on “tEAPAD_3D” in the menu bar at their site).

And they have an article, “Thinking of CAPTCHAs,” which is worth reading.

Interesting topic.

[iamback]

Quote:

Originally Posted by ktinkel

The New York Times had an article on CAPTCHA (the odd bits of scanned text people must decipher to register here and elsewhere, or to post comments on a blog, etc.)

The "scanned text" bit only comes at the end of the article as one new technique being used as a source of CAPTCHA images - but the huge majority of CAPTCHA images are computer-generated - which makes it easier for the computer to verify the result since it knows already what text it turned into an image.

Also, the article naively states "there is only one problem" which unfortunately not true. A major problem with all graphical CAPTCHAS (including cat-or-vegetable or scanned text images) is that they not only (more and more unsuccessfully) are keeping robots out, but are also quite successful at keeping humans out: those that can't see images in the first place. Only very, very few offer an alternative option for the blind, which often comes in the form of spoken (preferably also distorted) spoken text - which of course is quite successful in keeping those humans out that are not only blind but also deaf. The companies that offer them an option are extremely rare.

The major problem with these captchas is that they are not testing human capabilities, but are testing human senses. The article fails to mention that there are many alternatives that do not use how-good-are-your-senses techniques but instead are more like little intelligence tests, and they can be completely textual. It's as if they don't even know what the fundamental problem with visual tests are. Of course the W3C has something to say about that: Inaccessibility of CAPTCHA. It's a classic article and it amazes me that the NYT's BRAD STONE has apparently not surfaced this article in his research.

Alternatives do exist, and are being used, too. For instance, the test mentioned of showing an image of a tree, a head of lettuce and a whale and asking "which of these is a vegetable" has no need for images: just show the the words (text), and ask the same question. Another quite simple one I recently came across shows three words and asks: which of these is spelled correctly? The challenge in devising these textual tests is in coming up with questions that do not rely on local or cultural knowledge ("who won the last open?" would have me go "huh?").

Of course robots can learn to solve these riddles as well; on the other hand, they are relatively easy to create, and thus easier to replace if you find that the bots are getting through. But at least they won't keep deaf or blind people out by design.

Quote:

And they have an article, “Thinking of CAPTCHAs,” which is worth reading.

Interesting read, but hard going as a result of the Ukrainian accent... They say: "How can you be sure that your CAPTCHA is clear and kind to really ALL humans?" - and then equally fail to recognize that any form of image is not kind at all to "really ALL" humans... Besides, with most of their images I had a lot of problem deciphering the text - and while there are things not right with my eyes, I can still see.

[Richard Waller]

Not having such a device is worse. I am getting a growing amount of stuff from the forms on my websites and what is more agravating is that when I occasionally do look at these entries it is always garbage - or at least in a format I cannot read.

[iamback]

Quote:

Originally Posted by Richard Waller

Not having such a device is worse. I am getting a growing amount of stuff from the forms on my websites and what is more agravating is that when I occasionally do look at these entries it is always garbage - or at least in a format I cannot read.

No, you can "not have such a device" and still keep spammers away - there are other methods that are completely transparent to the users but quite successful. But one must keep in mind that no antispam measure is ever going to be 100% successful.

Two things to look at for alternatives:

• Akismet
• Bad Behavior

Both are PHP-based, and free.

(I've personally implemented Akismet on my (still to be made public) Travel Forum, while for the Wikka project a team member is busy implementing Bad Behavior. Wikis have recently become more and more targets of spammers, and we're feeling the crush on our own project website, too (where I implemented a few simple but reasonably effective anti-spam measures as well).

[ktinkel]

Quote:

Originally Posted by iamback

Two things to look at for alternatives:

• Akismet
• Bad Behavior

Both are PHP-based, and free.

WordPress arrives with an Akismet plugin. In my case it has been sitting there, disabled. I do not allow comments; will it be of any use?

Meanwhile, I will go see if it has been implemented for vB. Thanks.

[iamback]

Quote:

Originally Posted by ktinkel

WordPress arrives with an Akismet plugin. In my case it has been sitting there, disabled. I do not allow comments; will it be of any use?

If you don't allow comments on your site then how can you get spam? So no, it's not of any use to you - or not until you enable comments.

BTW, Akismet is actually a WordPress service, but while you need a key, you are not required to have a WordPress blog; on the contrary, they encourage others to use it. The service is theirs alone, but the API is open and they provide sample code. My implementation for my forum is based on a plugin by a Phorum user which was based on their sample code. But any programming language that is able to make HTTP requests and receive responses can be used to implement an Akismet client. (I wrote "PHP based" but that is basically because of the sample code they provide!)

Quote:

Meanwhile, I will go see if it has been implemented for vB.

Good idea! Do they have a concept of / mechanism for plugins? If not, it might require some hacking - I don't know if that is allowed. I'm interested in hearing what you find out.

[ktinkel]

Quote:

Originally Posted by iamback

Do they [vBulletin] have a concept of / mechanism for plugins?

Yep. And we have a plug-in that helps stop spam (combination of key words and posting threshold). That is, it doesn’t prevent a spammer from posting but throws suspect messages into moderation, so they never appear in public view. If the plugin makes an error (which it does on occasion), a staff member can simply approve it.

I just looked, and Akismet is available for vB. However, I think it may do more work (running off to compare each message against a remote database) without necessarily working any better. It would help if it too had a number-of-posts threshhold. (That assumes I really understand it from the descriptions!)

What I really think we could use is Bad Behavio[u]r, but there is no sign that it works on any forums, and a search on vB or vBulletin at the Bad Behavior site got no returns. Too bad — that plus one of these other things would probably do a good job.

[iamback]

Quote:

Originally Posted by ktinkel

Yep. And we have a plug-in that helps stop spam (combination of key words and posting threshold). That is, it doesn’t prevent a spammer from posting but throws suspect messages into moderation, so they never appear in public view. If the plugin makes an error (which it does on occasion), a staff member can simply approve it.

I just looked, and Akismet is available for vB. However, I think it may do more work (running off to compare each message against a remote database) without necessarily working any better. It would help if it too had a number-of-posts threshhold. (That assumes I really understand it from the descriptions!)

In the plugin as I have it in Phorum, there is a threshold of sorts: anonymous posts (if allowed of course) are always checked; for newly-signed up users the first so many posts are checked - default 5 I think. Is that what you mean? Probably a function of the plugin itself, not of Akismet per se.

Quote:

What I really think we could use is Bad Behavio[u]r, but there is no sign that it works on any forums, and a search on vB or vBulletin at the Bad Behavior site got no returns. Too bad — that plus one of these other things would probably do a good job.

I haven't tried this myself but I think it's not as easy to implement as Akismet (who say by the way that their service works best if you don't combine it with other filters although combination is possible). There's a BB plugin for Phorum, too, I think, so it might be worth having a look at that.

[ktinkel]

Quote:

Originally Posted by iamback

In the plugin as I have it in Phorum, there is a threshold of sorts: anonymous posts (if allowed of course) are always checked; for newly-signed up users the first so many posts are checked - default 5 I think. Is that what you mean? Probably a function of the plugin itself, not of Akismet per se.

Yes, that is what I mean. I will download the vB version of Akismet and check it out. I do think it would be Prevent Spam plug OR Akismet — not both.

Quote:

Originally Posted by iamback

Ihaven't tried this myself but I think it's not as easy to implement as Akismet (who say by the way that their service works best if you don't combine it with other filters although combination is possible). There's a BB plugin for Phorum, too, I think, so it might be worth having a look at that.

Thanks. We once looked at Phorum, in fact, before finding vBulletin. But maybe there is a possibility there (though probably not by the likes of me!) I will check it out.

All this spam is tedious, I must say.