The Anti-CAPTCHA

Given the amount of comment spam that I’ve been having to moderate, I’m thinking I’m going to try something a little different.

I’ve added an anti-CAPTCHA to the site.  “What exactly is an anti-CAPTCHA?” you might ask.  To make a short answer short: it’s sort of like a CAPTCHA, with the small difference that you’re supposed to get it wrong.  Which means that all the script-based spam-bots out there that blindly enter the CAPTCHA string will get rejected, as well as bots that aren’t designed to handle CAPTCHA strings (you still have to enter a string, just not the one presented).

I’ve used TrencaSpammers as the basis, since I wanted something that was already out there and relatively easy for a machine to bypass (i.e.: rather than creating a custom script, I want something that bots will recognize).  I’ve further modified it to make the image less obscured and altered the validation check to reject the correct number rather than require it (a string of the same length is still required, though, to ensure that at least something is typed in).

Some of the advantages to this method:

  • It doesn’t present the same accessibility problems a regular CAPTCHA does (since any text can be entered)
  • It doesn’t present as much burden to users (since it’s purposefully easy to read)

We’ll see if this has a practical effect in cutting down on the spam I have to moderate.
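
The inverted validation described above, sketched in PHP next to a conventional check. This is an added example, not the TrencaSpammers source or the modified plugin running on this site; the function names, the six-digit code and the sample submissions are constructed for illustration.

```php
<?php
// Added illustration; names and sample data are hypothetical,
// not taken from TrencaSpammers.

/** Conventional CAPTCHA: accept only the code shown in the image. */
function captcha_accepts(string $shown, string $typed): bool
{
    return $typed === $shown;
}

/**
 * Anti-CAPTCHA as described in the post: the field must hold a string of
 * the same length as the code shown, and it must NOT be that code.
 */
function anti_captcha_accepts(string $shown, string $typed): bool
{
    $typed = trim($typed);          // assumption: surrounding whitespace is ignored
    if (strlen($typed) !== strlen($shown)) {
        return false;               // empty or wrong length: nothing real was typed
    }
    return $typed !== $shown;       // inverted check: the "right" answer is rejected
}

// Constructed submissions against a displayed code of "483920".
$shown = '483920';
$cases = [
    'bot that reads and submits the code' => '483920',
    'bot that ignores the extra field'    => '',
    'visitor following the instruction'   => '111111',
    'visitor typing the code from habit'  => '483920',
    'visitor typing a short word'         => 'no',
];

foreach ($cases as $who => $typed) {
    printf(
        "%-38s captcha=%-6s anti=%s\n",
        $who,
        captcha_accepts($shown, $typed) ? 'accept' : 'reject',
        anti_captcha_accepts($shown, $typed) ? 'accept' : 'reject'
    );
}
```

The two validators disagree on every same-length input, so a visitor who types the displayed code out of habit is rejected exactly as the bot is; the rejection message needs to repeat the instruction.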

10 Responses to “The Anti-CAPTCHA”

  1. Tim Says:

    The Anti-CAPTCHA works!

  2. Kevin Makice Says:

    This is an interesting take on spam - make the user follow instructions no machine could parse. Although, what about this isn’t, ultimately, parsable? Spammers adapt, so popularity of this approach may render it ineffective.

    By far, the best approach to spam protection for me has been collective intelligence. Specifically, in the form of Akismet (a WordPress plug-in). Spam is registered in a central place and then filtered automatically for those blogs subscribing to it. You have the ability to pull it back, but my spam all but disappeared once that was enabled.

    I just got back from a WikiSym conference where vandalism and spamming were some of the topics of concern. I think that building some kind of central monitoring would definitely help against the latter, given that most spam is automated (and therefore mass produced).

  3. TimTucker Says:

    There are already other solutions out there that try to ask more difficult questions that may or may not be easily parsable by machines (i.e.: “2 + 2 = ?” or other basic math problems). I was more interested in the idea of having a system that relied on answering questions wrong. Even if it ultimately doesn’t work out, it at least gave me a few minutes of amusement tonight coming up with and implementing it.

    There’s nothing about the solution that is inherently unparsable — the key is that the HTML for the solution looks exactly the same as the thousands of other WordPress installs using the exact same CAPTCHA plugin. Hence, a script meant to bypass that particular CAPTCHA would fail.

    I do realize, though, that this continuing to work does depend on this technique not becoming popular.

  4. Eric Schoneveld Says:

    Spam Karma seems to work pretty good and it’s a wp plugin. Though your solution seems very interesting :).

  5. Anonymous Coward Says:

    While you may see a “practical effect”, this is no solution at all. The only achievement is that you moved from:
    - the big group of sites using captchas that can be broken in the same way
    to
    - the small group of sites that use a different method which nobody so far bothered to break automatically

    As soon as enough sites use these “Anti-Captchas”, it will become viable to defeat them - and they *will* be defeated, since that’s not even a 30-minute-task for any skilled programmer.

  6. Alex Says:

    Hmm, interesting idea, but as someone has pointed out earlier in the comments - they will learn how to get over this as soon as your mechanism gains popularity.

    Moreover, what about those who miss what you wrote in the brackets? Some people may fill in the value ‘automatically’, just because CAPTCHAs are now everywhere.

  7. ha.ckers.org web application security lab - Archive » CAPTCHA Curiosity Says:

    […] Tim Tucker posted an interesting solution to some of the CAPTCHA solving stuff going around. He posted that to comment on his blog you must enter any data, as long as it’s incorrect. So as long as you don’t type in whatever you see and it is six characters long, it will be solved. […]

  8. jupi Says:

    free viagra at! viagra.com.org.us! try now and have fun in bed!

    just kidding haha!

    nice system by the way but i almost forgot to enter a number other than the given haha!

  9. Brandy Norwood Says:

    Hello…I Googled for form protection, but found your page about The Anti-CAPTCHA…and have to say thanks. nice read.

  10. Brandy Norwood Says:

    Hello…Man i love reading your blog, interesting posts ! it was a great Tuesday
