As a follow-up to my post back in mid-April: this CAPTCHA thing is incredible. For fellow WordPress users, the plugin I’m using is Peter’s Custom Anti-Spam Image Plugin for WordPress. As I said at the time, I used to get many hundreds of spam a day. Traffic here has jumped up since then, and I wouldn’t be at all surprised to find I’m getting a couple of thousand a day by this point. But all of them bounce off the CAPTCHA, and I never even see them. I only see a spam make it through about once every other week, and I’m betting the ones that do make it through are entered manually.
One more thing to note is that I’m not even sure those few spam are really spam. What I see is that every once in a while I’ll get a comment from someone that is something like, “That’s great!” or “I have always thought so too.” Their name is something harmless, but their URL links back to a page of ads. Are these people really spammers? It’s arguable. Since their name isn’t something like “get a free Wii!” it means they aren’t trying to game the Googlebot. In any case, I tend to can these comments since “me too”-ing doesn’t serve any real purpose, so other readers aren’t missing anything.
In any case, these are really impressive results for a CAPTCHA with only one short phrase that never changes. It really is amazing how well it works. This more or less proves that nearly all spam comes from automated scripts that don’t even attempt to cope with CAPTCHAs. I’m more convinced than ever that the CAPTCHAs of warped, mixed-case pink-on-purple letters with blue polka dots that are so difficult for humans are pretty much a waste of everyone’s time. An easy-to-read three-letter word is more than enough to defeat automated scripts.
That’s Great!!
I have always thought so too!!
btw: go to here http://www.@#$@#@.com to see how much I hate spam (and get a new Wii)
On a different note, you have to wonder what is going to be spammed at that guy who just got locked down once he hits jail.
I appreciated that the word is always the same, and agree, it’d take a human to notice the pattern and hard-code it to always type the right thing for it to make a real difference. The level of spam I’ve seen recently has been pretty much 0.
Personally I don’t think that spammers will bother beating captchas anytime soon, purely because not everyone is using them. Why bother putting a huge amount of processing power into posting somewhere like this when you can put a hundred comments on the blog down the road for the same effort?
That was great! Follow this link to my page of ads!
I’ve noticed the “that’s great” type posts on the forums I moderate. They’re typically first posts from someone with a spam URL in the profile. They’ll often wind up bumping threads that have been inactive for months.
On a more lively forum, they’d probably have a better chance of seeming to fit in. On a small, friend-only forum, though, it tends to be pretty obvious that it’s just a spam strategy.
Installed the same script on a WordPress blog I run after reading about it here – from 20+ spam comments a day (used moderation to stop them getting onto the ‘live’ site, which was a pain in itself), to a grand total of 1 spam comment that’s gotten through since. You’re right, it works a charm…
The beef I have with CAPTCHAs is that blind people who are dependent on screen readers can’t recognize them.
People with minor visual impairments, like color blindness (the minor variants are pretty common), fail on many elaborate CAPTCHAs, too.
There are better, more text-based ways to separate machines from humans, for example posing a random question (“What is 5+5?”, “Write the following word in reverse: banana”, “How many sides has a d20?”). These don’t discriminate against people with impaired vision.
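The random-question approach this comment proposes, as an added example (not code from the post, the plugin, or the commenter): a server side that generates one of the question styles above and checks the answer without session state, by binding the expected answer to an HMAC token with an expiry and a one-time nonce so a correct answer cannot simply be replayed. The secret, word list and time-to-live are constructed for this example.

```python
import hashlib
import hmac
import random
import secrets
import time

# Constructed secret for this example; a real site would load it from its config.
SERVER_SECRET = b"example-only-secret"
# Nonces already redeemed, so one correct answer cannot be reused on many forms.
USED_NONCES = set()
TTL_SECONDS = 600  # how long a posted question stays valid

def _norm(answer):
    """Lowercase and collapse whitespace so ' 10 ' and '10' compare equal."""
    return " ".join(answer.strip().lower().split())

def _mac(answer, expires, nonce):
    msg = f"{_norm(answer)}|{expires}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def build_token(answer, now=None, nonce=None):
    """Bind the expected answer to an expiry and a nonce. Only the MAC travels
    to the client; the answer itself never leaves the server."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    nonce = nonce or secrets.token_hex(8)
    return f"{expires}:{nonce}:{_mac(answer, expires, nonce)}"

def make_challenge(seed=None, now=None):
    """Return (question, token) using the arithmetic or reversed-word style."""
    rng = random.Random(seed)
    if rng.random() < 0.5:
        a, b = rng.randint(1, 9), rng.randint(1, 9)
        question, answer = f"What is {a}+{b}?", str(a + b)
    else:
        word = rng.choice(["banana", "pixel", "spam", "comment"])
        question, answer = f"Write the following word in reverse: {word}", word[::-1]
    return question, build_token(answer, now)

def verify(token, submitted, now=None):
    """True only for an unexpired, never-before-redeemed token whose MAC matches."""
    try:
        expires_s, nonce, mac = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed or tampered token
    if (now if now is not None else time.time()) > expires or nonce in USED_NONCES:
        return False
    if not hmac.compare_digest(mac, _mac(submitted, expires, nonce)):
        return False
    USED_NONCES.add(nonce)  # redeem only on success
    return True
```

The in-memory nonce set works for a single process; a multi-server deployment would keep it in shared storage with the same TTL as the token.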
“Wii-agara – play ALL night long!”
I ought to talk to one of the admins at the forum I help moderate (over at http://www.aspromos.com, if anyone cares) about this. Our spam rate has skyrocketed as of recently, and I’m usually the first one to catch it–which is really annoying when it’s the same exact post from last time. And the same exact post that I’ve seen on other forums and went “man, that’s annoying!”
Yeah. Good for you!
Amazing that such a basic anti-spam trick works so well.
Unfortunately, the more advanced captchas are necessary in some cases.
Specifically, there are spam scripts out there that target phpBB. They get past the phpBB basic captcha without breaking a sweat. But if you put a different captcha on there, they don’t even bother programming them how to crack it.
The likelihood of a captcha being bypassable is related to the prevalence of that captcha. The one you mention seems to not be too widespread yet, so it should work for a good long time.
Additionally, captchas that let you use your own fonts (like this one does) are rarely cracked, as the script is only good for the fonts that it gets programmed for. Use a rare or custom font, and you’re in the clear.
On a different note, you have to wonder what is going to be spammed at that guy who just got locked down once he hits jail.
The man should obviously also be flayed alive with a very sharp salt crystal, but I hope part of his punishment is that his email access be restricted to certain set addresses… which are regularly published to the world at large.
That’s a fine idea, talk about letting the punishment fit the crime!
Let that spammer spend his days wading through mountains of offensive spam just to find a message from a family member.
In fact, don’t let him use any filtering, make him have to scroll through all the incoming mail, every header, every single message, just to find the real stuff.
Right, and rapists should be raped? Murderers murdered?
Bah, that whole “eye for an eye” business is so uncivilized, IMHO…
“That's great!” or “I have always thought so too.” are definitely spam. I get dozens of them at a time (most are automatically moderated, but still). I’ll also get some that don’t appear to link anywhere bad. I think the idea is to make it harder for admins to determine what to delete or what not to delete.
Movable Type’s anti-spam measures were great, but have been getting worse as time goes on. Plus, I only allow comments within the last 60 days, so maybe it was never as good as I thought. I’ve always wanted to avoid CAPTCHAs because they are mildly annoying even to regular folks… your version is actually pretty nice, but as others have mentioned, when a particular CAPTCHA implementation becomes common, spammers will break it. It’s called security by obscurity, but hey, sometimes it works :)
When I found out that the captcha word is the same every time, I thought that couldn’t be at all secure.
Guess I overestimated the persistence of spammers.
Ain’t that the truth.
I have the Joomla! content management system installed alongside the SMF forum software on my site. I neglected to get the CAPTCHA working with the bridge registration module and ended up getting some spam. Considering how small and comparatively traffic-free my site was, I was kind of surprised I got as much as I did. Another thing that surprised me was the number of spam posts was far from the number of spam bots that had actually joined. I guess they couldn’t deal with the intricacies of SMF… :P
I ended up getting the CAPTCHA back in place and the amount of spam has tapered off to precisely nil. I love it.
It still kind of makes you wonder how much bandwidth spammers utilize, even if they can’t get in. You figure, each one of them, successful or not, has to download the entire HTML document.
Let’s take this page as an example. Right now, as I’m typing this, this page is just over 35KB. If a thousand spammers visit this page, they’re collectively pulling 35MB of data (assuming that there’s no server- and client-side compression, of course). Now assuming those same bots skim through the rest of this site (all of the other articles, etc), we’re talking about a TON of wasted bandwidth.
It’s kind of troubling when you think about it.
I’ve run across a few spambot entries that seemed pretty harmless at first. They even grabbed parts of the other posts or the forum titles leading to giveaway phrases like “I could talk about ‘Forum Dummy Title’ all day long!” so they looked legit at first. A few days later however they edited their posts to be clear p0rn and ad spam.
I guess that’s what the “That’s great” bots are trying to do as well – if someone new registers you look closer at him, but someone that has been posting halfway meaningful stuff might slip through.
Heh, I was chided by other posters for mentioning in a comment that the anti-spam word never changed.
If Shamus himself says it, it’s ok, so there. :p
;)
Oh yeah, I forgot to mention. Before I put my CAPTCHA back into place on my site, I found that banning *@mail.ru e-mail addresses took care of at least half of the spambots. :P
Thanks for the info! I was unaware of this, and have now added it to my own. Sweet!
Since I’ve installed this CAPTCHA my spam has dropped to almost none as well. Every other week I do get a flurry (and by a flurry, I mean, maybe 25) of comments with the same text and other formatting. I suspect that these aren’t hand-written spam comments, but as soon as I start flagging the message as spam with Akismet I don’t see them anymore anyway — Good enough for me.
You’re right, Shamus.
When my forum was running phpBB2, to prevent spambots from registering, I installed a simple mod which asked just one simple non-standard question. That blocked all the spam, because spambots are made to cope with standard forms, and don’t bother working around non-standard ones.
Sorry, I’m joining this conversation very late, but a few versions ago, I implemented an audio feature to this plugin so that visually impaired users can click on the image to hear an mp3 reading out the letters in the word. Hopefully this addresses the accessibility issue :D
It makes sense, if you think about it: spammers are fundamentally forced to do things in the mass drive-by bot way, so throwing what is essentially an AI-complete problem at the bot stops it in its tracks. It’s true that the necessity of the captcha can be coded around sometimes, but it should be noted that this doesn’t per se mean the captcha failed, just that the spammer worked his way completely around the impregnable defense. They’re sort of like the Maginot Line that way.
So why is it that, although my name and email address are already filled out when the page loads (I’m guessing they’re provided by a cookie?), I have to type the “d” of the anti-spam word (thereby triggering my browser’s autocomplete)?