Captcha is useless
Tuesday, April 14th, 2009

Everyone with a blog knows about comment spam. WordPress ships with Akismet, which does a good job of filtering spam out of your comments. But wouldn't you rather have no spam comments at all? That would save the time spent checking for false positives. The most widely used method for keeping spam out is a CAPTCHA: a distorted image that is supposed to be unreadable by computer programs.

CAPTCHA
I read that reCAPTCHA is a good implementation, and there is a WordPress plugin available. Before downloading and activating reCAPTCHA I had about 10 to 15 spam comments a day; after activating it I had about 7 to 10 spam comments a day…
Apparently it isn't that great; you could even say it's (almost) useless. It annoys users (some CAPTCHAs are hard to read even for humans) and it doesn't do what it should do. Inspired by Jeff Atwood's 'orange' CAPTCHA, I decided to implement my own system. Without doing any research I assumed the spambots search for the CAPTCHA image on the page. It is easy to find in reCAPTCHA's markup:
<div style="width: 300px; height: 57px;" id="recaptcha_image"><img style="display: block;" src="http://api.recaptcha.net/image?c=reallyReallyLongCode" height="57" width="300"></div>
One of the easiest improvements would be to use an image that is not that easy for a bot to find, maybe even multiple images. In fact anything that differs from the popular CAPTCHA implementations makes your own implementation harder for spambots to beat, because mass-market bots are written against the markup of the widely deployed plugins; this is obscurity rather than strength, and it only holds until someone writes a bot for your specific page.
My Implementation
I decided to go for multiple images, with images in between that are hidden using CSS, and an input field with the non-standard ID 'mycap'. As I wanted to test the implementation as soon as possible I hardcoded the CAPTCHA answer, which also made the responses easy to check. I used no distortion in the images, as I figured the spambots would already be confused by the multiple images and the hidden ones in between.
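As an added illustration (this is not code from the original post or from its WordPress plugin), the following Python sketch models the structure described above: a row of single-character images, decoy images in between that a stylesheet hides, an input field named mycap, and a server-side check. It deliberately goes beyond the post's hardcoded answer by generating a fresh answer per challenge, because a fixed answer only has to be solved once by a human before a bot can replay it. The image server is simulated by an in-memory dict of opaque tokens to characters (a real deployment would render a PNG per token), and the two bot functions stand in for scrapers with perfect OCR that either ignore or honour CSS. The class names, the token format, the alphabet and the function names are all assumptions made for the example.

```python
import hmac
import random
import re

# Alphabet without 0/O and 1/I so humans don't confuse glyphs (assumption, not from the post)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
FIELD_NAME = "mycap"          # the non-standard input ID/name from the post
HIDDEN_CLASS = "cap-x"        # class the stylesheet hides with display:none (assumed name)


class ImageCaptcha:
    """Issues challenges made of single-character images, some of them hidden decoys."""

    def __init__(self, n_visible=4, n_decoys=3, rng=None):
        self.n_visible = n_visible
        self.n_decoys = n_decoys
        self.rng = rng or random.SystemRandom()
        # Simulated image server: opaque token -> character the rendered image shows.
        self.images = {}

    def _token(self):
        return "%016x" % self.rng.getrandbits(64)

    def issue(self):
        """Build the challenge markup. Returns (html, expected_answer).

        The caller must keep expected_answer server-side (e.g. in the session);
        it never goes into the page.
        """
        slots = [True] * self.n_visible + [False] * self.n_decoys
        self.rng.shuffle(slots)              # decoys land at random positions
        tags, answer = [], []
        for visible in slots:
            ch = self.rng.choice(ALPHABET)
            tok = self._token()
            self.images[tok] = ch
            cls = "cap" if visible else f"cap {HIDDEN_CLASS}"
            tags.append(f'<img class="{cls}" src="/cap/{tok}.png" alt="">')
            if visible:                      # answer = visible characters in document order
                answer.append(ch)
        html = (
            f"<style>.{HIDDEN_CLASS}{{display:none}}</style>\n"
            f"<p>{''.join(tags)}</p>\n"
            f'<input type="text" name="{FIELD_NAME}" id="{FIELD_NAME}" autocomplete="off">'
        )
        return html, "".join(answer)

    def ocr(self, token):
        """Stand-in for a bot with perfect OCR: the character an image token renders."""
        return self.images[token]


def check_answer(expected, form):
    """Server-side check of a submitted form dict: constant-time, case- and space-tolerant."""
    submitted = form.get(FIELD_NAME, "")
    return hmac.compare_digest(expected.upper().encode(),
                               submitted.strip().upper().encode())


IMG_RE = re.compile(r'<img class="([^"]*)" src="/cap/([0-9a-f]{16})\.png"')


def naive_bot(captcha, html):
    """Bot that OCRs every <img> it finds, ignoring CSS (what the post assumes bots do)."""
    return "".join(captcha.ocr(tok) for _, tok in IMG_RE.findall(html))


def css_aware_bot(captcha, html):
    """Bot written for this page: skips images carrying the hidden class."""
    return "".join(captcha.ocr(tok) for cls, tok in IMG_RE.findall(html)
                   if HIDDEN_CLASS not in cls.split())


def demo(seed=2009):
    """Run one challenge against three kinds of submitter; seeded so the outcome is reproducible."""
    cap = ImageCaptcha(rng=random.Random(seed))
    html, answer = cap.issue()
    return {
        "answer_len": len(answer),
        "naive_bot_passes": check_answer(answer, {FIELD_NAME: naive_bot(cap, html)}),
        "css_aware_bot_passes": check_answer(answer, {FIELD_NAME: css_aware_bot(cap, html)}),
        "sloppy_human_passes": check_answer(answer, {FIELD_NAME: " " + answer.lower() + " "}),
        "wrong_field_passes": check_answer(answer, {"captcha": answer}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

demo() shows the point the post makes and its limit in one run: the CSS-blind bot reads all seven images and fails, a human typing the answer in lower case with stray spaces passes, a bot that parses the class attribute passes as well, and a submission under the standard field name instead of mycap fails. The expected answer has to live server-side between issue() and check_answer(); putting it in a hidden form field would hand it to the bot.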

Screenshot of CAPTCHA
Up until today: zero spam messages.
Update April 15th 8:12 AM:
Ben Maurer pointed me to the reCAPTCHA FAQ (I should have checked that earlier?), which indicates that comments the reCAPTCHA plugin rejects as spam will end up in the Akismet spam queue. After activating reCAPTCHA the Akismet plugin should be disabled. Other options are to ignore the spam queue, or to clean it regularly.
I chose to disable it; let's see what happens.
Update April 15th 6:26 PM:
10 hours later, 12 new spam comments. It seems the spambots are able to complete the reCAPTCHA tests, or someone has too much time on their hands. I'm not the only one who has noticed this. All spam comments were detected and moved to the spam queue. I'll switch back to the 'CAPTCHA' I developed last weekend.
Update May 13th:
I just had the first spam message pass my incredibly difficult CAPTCHA; it was still caught by Akismet, so it didn't appear on the site. As there were no URLs in the message (and only a little text) I suspect it was a person and not a bot.