Peter’s Custom Anti-Spam

  By Shamus   Jun 2, 2007   26 comments

As a follow-up to my post back in mid-April: this CAPTCHA thing is incredible. For fellow WordPress users, the plugin I’m using is Peter’s Custom Anti-Spam Image Plugin for WordPress. As I said at the time, I used to get many hundreds of spam comments a day. Traffic here has jumped since then, and I wouldn’t be at all surprised to find I’m getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam comment make it through about once every other week, and I’m betting the ones that do make it through are entered by hand.

One more thing to note is that I’m not even sure those few spam comments are really spam. What I see is that every once in a while I’ll get a comment from someone that says something like, “That’s great!” or “I have always thought so too.” Their name is something harmless, but their URL links back to a page of ads. Are these people really spammers? It’s arguable. Since their name isn’t something like “get a free Wii!”, they aren’t stuffing keywords into the link text, though the link itself still counts in their page’s favor as far as the Googlebot is concerned. In any case, I tend to can these comments, since “me too”-ing doesn’t serve any real purpose, so other readers aren’t missing anything.

In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes. It really is amazing how well it works. This more or less proves that nearly all of the spam hitting this site comes from automated scripts that don’t even attempt to cope with a CAPTCHA. The catch is that the word works because nobody has bothered to target it: the moment a spammer looks at this one form, a fixed answer is trivial to hard-code, so what is really doing the work is that the check is site-specific, not that it is hard. I’m more convinced than ever that the CAPTCHAs of warped, mixed-case pink-on-purple letters with blue polka dots that are so difficult for humans are pretty much a waste of everyone’s time. An easy-to-read three-letter word is more than enough to defeat automated scripts.
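To show what a site-specific check like this amounts to, and where the fixed word falls down, here is an added example. It is not Peter’s plugin (his code isn’t on this page), just a small stateless challenge in the same spirit: the server hands out a prompt plus a token of the form expiry.HMAC(expiry:answer), so it never stores the answer and the token doesn’t leak it. Both the fixed-word style the plugin uses and the rotating text question a few commenters suggest are shown. The word “twenty”, the secret, the field names and the three visitors are all constructed for the demo.

```python
"""Stateless, site-specific comment challenge (added example, not the plugin's code)."""
import hashlib
import hmac
import random
import time

SECRET = b"demo-only-secret-rotate-me"  # assumption: per-site secret, server-side only
TOKEN_TTL = 15 * 60                      # seconds a challenge stays answerable
FIXED_WORD = "twenty"                    # assumed stand-in for the plugin's one word


def _normalise(answer: str) -> str:
    return answer.strip().lower()


def _sign(exp: int, answer: str) -> str:
    """HMAC over expiry and normalised answer; the token carries this, not the answer."""
    return hmac.new(SECRET, f"{exp}:{answer}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(style: str, rng=random, now=None):
    """Return (prompt, token). 'fixed' mimics the plugin; 'question' rotates per request."""
    now = time.time() if now is None else now
    if style == "fixed":
        prompt, answer = "Type the word in the image:", FIXED_WORD
    elif style == "question":
        a, b = rng.randint(1, 9), rng.randint(1, 9)
        prompt, answer = f"What is {a}+{b}?", str(a + b)
    else:
        raise ValueError(f"unknown challenge style {style!r}")
    exp = int(now) + TOKEN_TTL
    return prompt, f"{exp}.{_sign(exp, _normalise(answer))}"


def verify(form: dict, now=None) -> bool:
    """Accept only if the token is well-formed, unexpired and matches the submitted answer."""
    now = time.time() if now is None else now
    exp_str, _, sig = form.get("challenge_token", "").partition(".")
    if not exp_str.isdigit() or not sig:
        return False                                   # missing or malformed token
    exp = int(exp_str)
    if exp < now:
        return False                                   # stale challenge
    expected = _sign(exp, _normalise(form.get("challenge", "")))
    return hmac.compare_digest(expected, sig)          # constant-time compare


# --- constructed visitors ---------------------------------------------------
FIELDS = ["author", "email", "url", "comment", "challenge", "challenge_token"]


def generic_bot(token: str) -> dict:
    """The script the post describes: fills every field with its URL, never reads the prompt."""
    form = {name: "http://ads.example/" for name in FIELDS}
    form["challenge_token"] = token
    return form


def hardcoded_bot(token: str) -> dict:
    """A spammer who looked at this one site and hard-coded the fixed word."""
    form = generic_bot(token)
    form["challenge"] = FIXED_WORD
    return form


def human(token: str, prompt: str) -> dict:
    """A reader who answers the prompt, with sloppy case and whitespace."""
    form = generic_bot(token)
    if prompt.startswith("What is"):
        a, b = prompt.split()[2].rstrip("?").split("+")
        form["challenge"] = f" {int(a) + int(b)} "
    else:
        form["challenge"] = f" {FIXED_WORD.title()} "
    return form


def demo(now: float = 1_000_000.0) -> dict:
    """Run each visitor against each challenge style; return who gets through."""
    rng = random.Random(7)
    results = {}
    prompt, tok = issue_challenge("fixed", now=now)
    results["human_fixed"] = verify(human(tok, prompt), now)
    results["generic_bot_fixed"] = verify(generic_bot(tok), now)
    results["hardcoded_bot_fixed"] = verify(hardcoded_bot(tok), now)   # the caveat
    results["expired"] = verify(human(tok, prompt), now + TOKEN_TTL + 1)
    exp, sig = tok.split(".")
    results["tampered_expiry"] = verify(
        {**human(tok, prompt), "challenge_token": f"{int(exp) + 3600}.{sig}"}, now)
    prompt, tok = issue_challenge("question", rng=rng, now=now)
    results["human_question"] = verify(human(tok, prompt), now)
    results["hardcoded_bot_question"] = verify(hardcoded_bot(tok), now)
    results["no_token"] = verify({"challenge": FIXED_WORD}, now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The generic bot is rejected either way, which is the whole effect the post reports; the spammer who bothered to hard-code the word sails through the fixed style and is stopped only by the rotating question, which is also the style that works with a screen reader. One thing the example deliberately leaves out: a valid token and answer can be resubmitted until the expiry passes, so a real deployment would also remember tokens it has already accepted.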




  1. Adam says:

    That’s Great!!

    I have always thought so too!!

    btw: go to here http://www.@#$@#@.com to see how much I hate spam (and get a new Wii)

    On a different note, you have to wonder what is going to be spammed at that guy who just got locked down once he hits jail.

  2. mark says:

    I appreciated that the word is always the same, and agree, it’d take a human to notice the pattern and hard code it to always type the right thing for it to make a real difference. The level of spam I’ve seen recently has been pretty much 0.

  3. John says:

    Personally I don’t think that spammers will bother beating captchas anytime soon, purely because not everyone is using them. Why bother putting a huge amount of processing power into posting somewhere like this when you can put a hundred comments on the blog down the road for the same effort?

  4. Rebecca says:

    That was great! Follow this link to my page of ads!

  5. Stephen says:

    I’ve noticed the “that’s great” type posts on the forums I moderate. They’re typically first posts from someone with a spam URL in the profile. They’ll often wind up bumping threads that have been inactive for months.

    On a more lively forum, they’d probably have a better chance of seeming to fit in. On a small, friend-only forum, though, it tends to be pretty obvious that it’s just a spam strategy.

  6. Bryan says:

    Installed the same script on a WordPress blog I run after reading about it here – from 20+ spam comments a day (used moderation to stop them getting onto the ‘live’ site, which was a pain in itself), to a grand total of 1 spam comment that’s gotten through since. You’re right, it works a charm…

  7. Anonymous Coward says:

    The beef I have with CAPTCHAs is that blind people who are dependent on screen readers can’t recognize them.
    People with minor visual impairments, like color blindness (the minor variants are pretty common), fail on many elaborate CAPTCHAs, too.
    There are better, more text-based ways to separate machines from humans, for example posing a random question (“What is 5+5?”, “Write the following word in reverse: banana”, “How many sides has a d20?”). These don’t discriminate against people with impaired vision.

  8. Rustybadger says:

    “Wii-agara – play ALL night long!”

  9. Flexstyle says:

    I ought to talk to one of the admins at the forum I help moderate (over at http://www.aspromos.com, if anyone cares) about this. Our spam rate has skyrocketed as of recently, and I’m usually the first one to catch it–which is really annoying when it’s the same exact post from last time. And the same exact post that I’ve seen on other forums and went “man, that’s annoying!”

    Yeah. Good for you!

  10. brashieel says:

    Amazing that such a basic anti-spam trick works so well.

  11. ShadoStahker says:

    Unfortunately, the more advanced captchas are necessary in some cases.

    Specifically, there are spam scripts out there that target phpBB. They get past the phpBB basic captcha without breaking a sweat. But if you put a different captcha on there, they don’t even bother programming them how to crack it.

    The likelihood of a captcha being bypassable is related to the prevalence of that captcha. The one you mention seems to not be too widespread yet, so it should work for a good long time.

    Additionally, captchas that let you use your own fonts (like this one does) are rarely cracked, as the script is only good for the fonts that it gets programmed for. Use a rare or custom font, and you’re in the clear.

  12. Dev Null says:

    On a different note, you have to wonder what is going to be spammed at that guy who just got locked down once he hits jail.

    The man should obviously also be flayed alive with a very sharp salt crystal, but I hope part of his punishment is that his email access be restricted to certain set addresses… which are regularly published to the world at large.

  13. Dreamy McSleepland says:

    That’s a fine idea, talk about letting the punishment fit the crime!

    Let that spammer spend his days wading through mountains of offensive spam just to find a message from a family member.

    In fact, don’t let him use any filtering, make him have to scroll through all the incoming mail, every header, every single message, just to find the real stuff.

  14. Anonymous Coward says:

    Right, and rapists should be raped? Murderers murdered?
    Bah, that whole “eye for an eye” business is so uncivilized, IMHO…

  15. Mark says:

    “That’s great!” or “I have always thought so too.” are definitely spam. I get dozens of them at a time (most are automatically moderated, but still). I’ll also get some that don’t appear to link anywhere bad. I think the idea is to make it harder for admins to determine what to delete or what not to delete.

    Movable Type’s anti spam measures were great, but have been getting worse as time goes on. Plus, I only allow comments within the last 60 days, so maybe it was never as good as I thought. I’ve always wanted to avoid CAPTCHAs because they are mildly annoying even to regular folks… your version is actually pretty nice, but as others have mentioned, when a particular CAPTCHA implementation becomes common, spammers will break it. It’s called security by obscurity, but hey, sometimes it works :)

  16. Shandrunn says:

    When I found out that the captcha word is the same every time, I thought that couldn’t be secure at all.
    Guess I overestimated the persistence of spammers.

  17. Ian says:

    Ain’t that the truth.

    I have the Joomla! content management system installed alongside the SMF forum software on my site. I neglected to get the CAPTCHA working with the bridge registration module and ended up getting some spam. Considering how small and comparatively traffic-free my site was, I was kind of surprised I got as much as I did. Another thing that surprised me was the number of spam posts was far from the number of spam bots that had actually joined. I guess they couldn’t deal with the intricacies of SMF… :P

    I ended up getting the CAPTCHA back in place and the amount of spam has tapered off to precisely nil. I love it.

    It still kind of makes you wonder how much bandwidth spammers utilize, even if they can’t get in. You figure, each one of them, successful or not, has to download the entire HTML document.

    Let’s take this page as an example. Right now, as I’m typing this, this page is just over 35KB. If a thousand spammers visit this page, they’re collectively pulling 35MB of data (assuming that there’s no server- and client-side compression, of course). Now assuming those same bots skim through the rest of this site (all of the other articles, etc), we’re talking about a TON of wasted bandwidth.

    It’s kind of troubling when you think about it.

  18. CASchoeps says:

    I’ve run across a few spambot entries that seemed pretty harmless at first. They even grabbed parts of the other posts or the forum titles leading to giveaway phrases like “I could talk about ‘Forum Dummy Title’ all day long!” so they looked legit at first. A few days later however they edited their posts to be clear p0rn and ad spam.

    I guess that’s what the “That’s great” bots are trying to do as well – if someone new registers you look closer at him, but someone that has been posting halfway meaningful stuff might slip through.

  19. Rolld20 says:

    Heh, I was chided by other posters for mentioning in a comment that the anti-spam word never changed.
    If Shamus himself says it, it’s ok, so there. :p
    ;)

  20. Ian says:

    Oh yeah, I forgot to mention. Before I put my CAPTCHA back into place on my site, I found that banning *@mail.ru e-mail addresses took care of at least half of the spambots. :P

  21. Nathanael says:

    Thanks for the info! I was unaware of this, and have now added it to my own. Sweet!

  22. Cineris says:

    Since I’ve installed this CAPTCHA my spam has dropped to almost none as well. Every other week I do get a flurry (and by a flurry, I mean, maybe 25) of comments with the same text and other formatting. I suspect that these aren’t hand-written spam comments, but as soon as I start flagging the message as spam with Akismet I don’t see them anymore anyway — Good enough for me.

  23. Lo'oris says:

    You’re right, Shamus.

    When my forum was running phpBB2, to prevent spambots from registering, I installed a simple mod which asked just one simple non-standard question: that blocked all the spam, because spambots are made to cope with standard forms, and don’t bother working around non-standard ones.

  24. Peter says:

    Sorry, I’m joining this conversation very late, but a few versions ago, I implemented an audio feature to this plugin so that visually impaired users can click on the image to hear an mp3 reading out the letters in the word. Hopefully this addresses the accessibility issue :D

  25. Chilango2 says:

    It makes sense, if you think about it: spammers are fundamentally forced to do things in the mass drive-by bot way, so throwing what is essentially an AI-complete problem at the bot stops it in its tracks. It’s true that the necessity of the captcha can be coded around sometimes, but it should be noted that this doesn’t per se mean the captcha failed, just that the spammer worked his way completely around the impregnable defense. They’re sort of like the Maginot Line that way.

  26. Sam says:

    So why is it that, although my name and email address are already filled out when the page loads (I’m guessing they’re provided by a cookie?), I have to type the “d” of the anti-spam word (thereby triggering my browser’s autocomplete)?
