Image Based CAPTCHA Is Fast Losing It's Appeal

I read an article recently that talked about how ticket scalpers have a 10% success rate against TicketMaster's CAPTCHA controls. That might not seem like a very good rate, but when you have an automated process attacking it, 10% is plenty good.

CAPTCHA, for the uninitiated, stands for Computer Aided Program to Tell Humans and Computers Apart. It's a method or program used to distinguish between a computer and a human. The most popular type out there is the letter- or word-warping kind you often see when signing up for a web-based email account.

It turns out that character recognition programs are getting better by the second. As cool as these types of controls are, I think a simple text-based semantic approach might prove stronger. For example, asking a simple question such as "RGB Stands for Red Green and what color?". If you can't answer that question, I probably don't mind the fact that you're not commenting on my blog. ;)

The one problem with this question approach is that you can't generate these questions automatically. You'd have to create a decently sized database of questions. However, the benefit is that language recognition is still very difficult for a computer, especially when dealing with misspellings.

What is the nomber after foure?
Waht is the nmuber aeftr fuor?
You can probably answer that easily. A computer is going to have a much more difficult time.
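A sketch of the question approach described above, added here as an example rather than code from this blog: it picks a question from a hand-written bank, scrambles the interior letters of each word, and checks the answer against an HMAC-signed token carried in a hidden form field. The function names, the two-entry bank and the 10-minute lifetime are assumptions.

```python
import hashlib
import hmac
import random
import secrets
import time

# Constructed sample bank; a real one has to be hand-written and much larger.
QUESTIONS = [
    ("What is the number after four?", "five"),
    ("RGB stands for red, green and what color?", "blue"),
]
SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, kept server-side
MAX_AGE = 600                     # assumption: challenge lifetime in seconds

def scramble(word, rng):
    """Shuffle the interior letters of a word; first, last and punctuation stay put."""
    core = word.rstrip("?,.")
    tail = word[len(core):]
    if len(core) < 4:
        return word
    middle = list(core[1:-1])
    rng.shuffle(middle)
    return core[0] + "".join(middle) + core[-1] + tail

def _sign(index, issued):
    msg = f"{index}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(rng=None, now=None):
    """Return (question text as shown, opaque token for a hidden form field)."""
    rng = rng or random.SystemRandom()
    issued = int(now if now is not None else time.time())
    index = rng.randrange(len(QUESTIONS))
    shown = " ".join(scramble(w, rng) for w in QUESTIONS[index][0].split())
    return shown, f"{index}:{issued}:{_sign(index, issued)}"

def verify(token, answer, now=None):
    """True only for an untampered, unexpired token and the matching answer."""
    try:
        index_s, issued_s, mac = token.split(":")
        index, issued = int(index_s), int(issued_s)
    except ValueError:
        return False
    if not hmac.compare_digest(mac.encode(), _sign(index, issued).encode()):
        return False
    now = now if now is not None else time.time()
    if not 0 <= now - issued <= MAX_AGE:
        return False
    return answer.strip().lower() == QUESTIONS[index][1]
```

The token can be replayed until it expires, and a bank this small can be enumerated by hand once, which is why the size of the question database matters.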

 

In any case, rel="nofollow" and CAPTCHA aren't going to be the final solution. At some point, our blog engines will have to learn to tell the difference like a human would. One approach is to enlist the concept of trust. If you've been subscribed to my blog a while or I'm subscribed to yours, I'll let your comments in no problem. Otherwise your comment will have to pass a series of heuristics to get in the door.

Humans, feel free to comment...

UPDATE: It's worth noting that Bayesian Spam Filtering is not a silver bullet. Spammers have gotten smart and are now employing a tactic called Bayesian Filter Poisoning. By including random legitimate words along with their message, they either get their message through, or cause you to teach your filter to regard legitimate words as suspect.

I've seen a particularly tricky approach via email where they used a font in the same color as the background. Check out the following quote. Highlight it with your mouse and see what it says.

This looks does like Spam to the human naked eye. BuyecheapodrugssandtimprovesyourasexOlife. But it doesn't to the computer
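What a filter sees versus what a reader sees in the hidden-text trick above, as an added example (not code from this post): it walks inline colour styles and replaces text whose colour equals its background with a gap, so the filter can score the text a human actually reads. The class and function names and the sample markup are constructed; only inline `style`, `color` and `bgcolor` attributes with exactly matching colours in well-nested markup are handled.

```python
import re
from html.parser import HTMLParser

COLOR_RE = re.compile(r"(?<![-\w])color\s*:\s*([^;\s]+)", re.I)
BG_RE = re.compile(r"background(?:-color)?\s*:\s*([^;\s]+)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no closing tag
NAMED = {"white": "#ffffff", "black": "#000000"}

# Constructed markup: filler letters in the background colour, as in the post's quote.
SAMPLE = ('<div style="background-color:#fff">Buy<font color="white">e</font>'
          'cheap<span style="color:#FFFFFF">o</span>drugs</div>')

def norm(colour):
    # Normalise to #rrggbb for the few forms this sketch knows; otherwise lowercase.
    c = NAMED.get(colour.strip().lower(), colour.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c

class VisibleText(HTMLParser):
    """Collect text twice: as a tokenizer sees it and as a reader sees it."""
    def __init__(self):
        super().__init__()
        self.stack = [("#000000", "#ffffff")]  # assumed default: black on white
        self.raw, self.seen = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        fg, bg = self.stack[-1]
        a = dict(attrs)
        style = a.get("style") or ""
        m = COLOR_RE.search(style)
        fg = norm(m.group(1) if m else a.get("color") or fg)
        m = BG_RE.search(style)
        bg = norm(m.group(1) if m else a.get("bgcolor") or bg)
        self.stack.append((fg, bg))
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        fg, bg = self.stack[-1]
        self.raw.append(data)
        self.seen.append(data if fg != bg else " ")  # hidden run shows as a gap

def split_views(html):
    """Return (text a naive filter tokenizes, text a human actually reads)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return "".join(parser.raw), "".join(parser.seen)
```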

What others have said

Scott Jan 20, 2005 10:39 PM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
There's a theory going around that this arms race will provide the economic incentive to make AI a real thing.
Here are some more thoughts on the subject:
http://thresholdstate.com/threshold/3730/comment-spam-and-a-disheartening-realisation
Pat Jan 21, 2005 10:00 AM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
It seems like you could use a Baysian (sp?) spam filter. No?
Haacked Jan 21, 2005 10:41 AM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
Bayesian filtering is no silver bullet. See my update to this post.
you've been HAACKED Jan 31, 2005 6:10 AM
# Beating CAPTCHA With A Neural Network
Giddy Up! Feb 03, 2005 8:15 AM
# re: Fighting Comment SPAM with CAPTCHA
Paul Whitaker's E-Commerce Blog Apr 23, 2005 5:50 PM
# Beating CAPTCHA With A Neural Network
Let's hope the blog comment spammers don't get a hold of this one. I've recently had problems with Trackback spam, so hopefully at least my captchas are still viable to stop comment spam for a while. As if to punctuate my post entitled "Image Based CA
Community Blogs Aug 31, 2006 3:14 AM
# What About CAPTCHA?
I mentioned several heuristic approaches to blocking spam in my recent post on blocking comment spam,
claire rand Oct 19, 2007 11:58 AM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
Of course playing with text colours won't fool an email program that has learnt to hate HTML, and the email will be gibberish to anyone who's viewing it as plain text anyway.
Anthony Jan 29, 2008 11:11 AM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
I have been reading up on several ways to prevent spambots from spamming your form. I came up with a simple technique that doesn't use image validation but simple number validation. Each time a user enters my form, I generate a unique ID and a 5-7 digit number code. I save this unique ID to a database and its associated number code. When the form is submitted, if the hidden field unique ID is the same and the number code you typed is correct, it submits the info and deletes the record; otherwise it will assume spam and not submit the info. Again, it can be broken, but that comes into how complex I display the 5-7 digit code. ATK Contact Form is an example. So far it has worked!
ATK Solutions
Ilya May 12, 2008 8:47 AM
# re: Image Based CAPTCHA Is Fast Losing It's Appeal
Anthony, that still can be easily broken by using Mozilla engine server-side so that it calculates w/ JS the value you require.
