The Anti-CAPTCHA
Given the amount of comment spam that I’ve been having to moderate, I’m thinking I’m going to try something a little different.
I’ve added an anti-CAPTCHA to the site. “What exactly is an anti-CAPTCHA?” you might ask. To make a short answer short: it’s sort of like a CAPTCHA, with the small difference that you’re supposed to get it wrong. Which means that all the script-based spam-bots out there that blindly enter the CAPTCHA string will get rejected, as will bots that aren’t designed to handle CAPTCHA strings (you still have to enter a string, just not the one presented).
I’ve used TrencaSpammers as the basis, since I wanted something that was already out there and relatively easy for a machine to bypass (i.e.: rather than creating a custom script, I want something that bots will recognize). I’ve further modified it to make the image less obscured and altered the validation check to reject the correct number rather than require it (a string of the same length is still required, though, to ensure that at least something is typed in).
Some of the advantages to this method:
- It doesn’t present the same accessibility problems a regular CAPTCHA does (since any text can be entered)
- It doesn’t present as much burden to users (since it’s purposefully easy to read)
We’ll see if this has a practical effect in cutting down on the spam I have to moderate.
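The inverted check described above, as an added sketch (not TrencaSpammers code or this site's plugin). The in-memory challenge store, the function names, the six-digit length and the Unicode/whitespace normalization are assumptions made for the example.

```python
import hmac
import secrets
import unicodedata

CODE_LEN = 6    # assumed: six digits, matching the length quoted in the comments
_pending = {}   # challenge id -> displayed code; stands in for session storage (assumption)

def new_challenge():
    """Create a challenge: the code is drawn in the image, the id goes in a hidden field."""
    cid = secrets.token_urlsafe(16)
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
    _pending[cid] = code
    return cid, code

def _normalize(text):
    # Fold full-width digits and strip padding, so " 123456 " still counts as the displayed code.
    return unicodedata.normalize("NFKC", text or "").strip()

def check_anti_captcha(cid, answer):
    """Return (accepted, reason): accept only a same-length string that is NOT the displayed code."""
    code = _pending.pop(cid, None)   # single use: a replayed form finds no challenge
    if code is None:
        return False, "unknown or reused challenge"
    answer = _normalize(answer)
    if len(answer) != len(code):
        # Blank field, or a bot that does not handle the CAPTCHA field at all.
        return False, "wrong length"
    if hmac.compare_digest(answer.encode(), code.encode()):
        # A script that typed exactly what the image shows.
        return False, "matches displayed code"
    return True, "ok"
```

Normalizing before the comparison matters here more than in an ordinary CAPTCHA: without it, the displayed code with a trailing space would fail the length check by accident rather than being recognized as the "correct" answer.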
August 27th, 2006 at 8:32 pm
The Anti-CAPTCHA works!
August 27th, 2006 at 11:31 pm
This is an interesting take on spam - make the user follow instructions no machine could parse. Although, what about this isn’t, ultimately, parsable? Spammers adapt, so popularity of this approach may render it ineffective.
By far, the best approach to spam protection for me has been collective intelligence. Specifically, in the form of Akismet (a WordPress plug-in). Spam is registered in a central place and then filtered automatically for those blogs subscribing to it. You have the ability to pull it back, but my spam all but disappeared once that was enabled.
I just got back from a WikiSym conference where vandalism and spamming were some of the topics of concern. I think that building some kind of central monitoring would definitely help against the latter, given that most spam is automated (and therefore mass produced).
August 27th, 2006 at 11:57 pm
There are already other solutions out there that try to ask more difficult questions that may or may not be easily parsable by machines (i.e.: “2 + 2 = ?” or other basic math problems). I was more interested in the idea of having a system that relied on answering questions wrong. Even if it ultimately doesn’t work out, it at least gave me a few minutes of amusement tonight coming up with and implementing it.
There’s nothing about the solution that is inherently unparsable — the key is that the HTML for the solution looks exactly the same as the thousands of other WordPress installs using the exact same CAPTCHA plugin. Hence, a script meant to bypass that particular CAPTCHA would fail.
I do realize, though, that this continuing to work does depend on this technique not becoming popular.
August 31st, 2006 at 4:16 pm
Spam Karma seems to work pretty well and it’s a WP plugin. Though your solution seems very interesting :).
September 6th, 2006 at 2:04 pm
While you may see a “practical effect”, this is no solution at all. The only achievement is that you moved from:
- the big group of sites using captchas that can be broken in the same way
to
- the small group of sites that use a different method which nobody so far bothered to break automatically
As soon as enough sites use these “Anti-Captchas”, it will become viable to defeat them - and they *will* be defeated, since that’s not even a 30-minute task for any skilled programmer.
September 6th, 2006 at 2:08 pm
Hmm, interesting idea, but as someone has pointed out earlier in the comments - they will learn how to get over this as soon as your mechanism gains popularity.
Moreover, what about those who miss what you wrote in the brackets? Some people may fill in the value ‘automatically’, just because CAPTCHAs are now everywhere.
September 6th, 2006 at 4:06 pm
[…] Tim Tucker posted an interesting solution to some of the CAPTCHA solving stuff going around. He posted that to comment on his blog you must enter any data, as long as it’s incorrect. So as long as you don’t type in whatever you see and it is six characters long, it will be solved. […]
July 29th, 2007 at 5:37 am
free viagra at! viagra.com.org.us! try now and have fun in bed!
just kidding haha!
Nice system by the way, but I almost forgot to enter a number other than the given one, haha!
January 15th, 2008 at 7:03 am
Hello…I Googled for form protection, but found your page about The Anti-CAPTCHA…and have to say thanks. Nice read.
February 5th, 2008 at 11:03 am
Hello…Man, I love reading your blog, interesting posts! It was a great Tuesday