Captcha is useless
Everyone with a blog knows about spam in comments. WordPress ships with Akismet as standard, which does a good job of filtering spam in your comments. But wouldn’t you rather have no spam comments at all? That would save the time spent checking for false positives. The most used method for filtering spam is a CAPTCHA: a distorted image that should be unreadable for computer programs.

CAPTCHA
I read that reCAPTCHA is a good implementation, and there is a WordPress plugin available. Before downloading and activating reCAPTCHA I had about 10 to 15 spam comments a day; after activating it I had about 7 to 10 spam comments a day…
Apparently it isn’t that great; you could even say it’s (almost) useless. It annoys users (some CAPTCHAs are hard to read even for humans) and it doesn’t do what it should do. Inspired by Jeff Atwood’s ‘orange’ CAPTCHA, I decided to implement my own system. Without doing any research I assumed the spambots search for the image on the page. It is easy to find for reCAPTCHA:
<div style="width: 300px; height: 57px;" id="recaptcha_image"><img style="display: block;" src="http://api.recaptcha.net/image?c=reallyReallyLongCode" height="57" width="300"></div>
One of the easiest improvements could be to use an image that’s not that easy to find for the bot, maybe even multiple images. Actually everything you do that differs from the popular CAPTCHA implementations will make it harder for spambots to beat your own implementation.
My Implementation
I decided to go for multiple images, with images in between that are hidden using CSS. The input field has a non-standard ID, ‘mycap’. As I wanted to test my implementation as soon as possible I hardcoded the CAPTCHA, which also made it easy to read the response. No distortion is used in the images, as I figured the spambots would already be confused by the multiple images and the hidden images in between.

Screenshot of CAPTCHA
Up until today zero spam messages.
Update April 15th 8:12 AM:
Ben Maurer pointed me to the reCAPTCHA FAQ (I should have checked that earlier?), which indicates that comments flagged as spam by the reCAPTCHA plugin will end up in the Akismet spam queue. After activating reCAPTCHA the Akismet plugin should be disabled. Other options are to ignore the spam queue, or to clean it regularly.
I chose to disable it; let’s see what happens.
Update April 15th 6:26 PM:
10 hours later, 12 new spam comments. It seems the spambots are able to complete the reCAPTCHA tests, or someone has too much time on their hands. It seems I’m not the only one that noticed this. All spam comments were detected and moved to the spam queue. I’ll switch back to the ‘CAPTCHA’ I developed last weekend.
Update May 13th
I just had the first spam message pass my incredibly difficult CAPTCHA. It was still caught by Akismet, so it didn’t appear on the site. As there were no URLs in the message (and only a little text), I suspect it was a person and not a bot.
April 15th, 2009 at 2:16 am
Hi,
Please keep in mind that some spam bots cause a moderation email to get sent out when they fail the reCAPTCHA — http://wordpress.org/extend/plugins/wp-recaptcha/faq/ has more documentation about this.
- Ben
April 15th, 2009 at 7:39 am
Hi Ben,
I wasn’t aware that failed captchas turn up in the spam queue; it would make more sense to me that they aren’t stored at all.
As I just read the WordPress reCAPTCHA FAQ, it would make sense to disable Akismet when installing reCAPTCHA. I will try that and update my post.
Thanks for your comment.
Mark
May 19th, 2009 at 11:53 am
testing.
August 7th, 2010 at 11:26 pm
This method is completely useless, although it is easy to read… bots can easily read off the images. You changed it and it went to 0, because nobody has seen this method before. Most bots read off the internet cache; if anyone was to take a screenshot of the captcha, they would easily defeat it.
You cannot defeat the bots, as computer languages evolve.
August 9th, 2010 at 8:39 am
I’m not claiming I defeated bots. Bots can of course easily read off the images, that’s why I put some extra images in between. Hidden via CSS. If bots scan the code they will come across a lot more images than just the letters users see. If they use some kind of screenshot mechanism then my ‘captcha’ is indeed completely useless.
If people want to spam your site they will find a way to do it, whether you use a custom captcha or a generic one. I certainly do not advise my ‘captcha’ for a very popular, heavily visited website. Someone will write some custom code to post spam.
For me this implementation works great.