Posted by Chris Morris on 05/01/07 22:18
"Jonathan N. Little" <lws4art@centralva.net> writes:
> The principle behind the *security* in CAPTCHA is that the characters
> are represented as distorted binary data images of the characters
> which can neither be recognized as characters
....by people. I mentioned CAPTCHAs at a talk on web application
security I was giving earlier today, and the audience found them very
annoying from a user perspective...
The reason the majority of spam-bots don't break CAPTCHAs is not
because it's especially difficult (several well-documented methods
exist) but because there are enough sites out there that don't have
any anti-spam defences of any sort that it's not worth their time to try.
That being the case, I'd take a custom-written plain text challenge
over a standard CAPTCHA library any time. If I wasn't capable of
coding my own, I might even consider paying someone $10 to add a
unique one to my application.
> <label for="monkey">Enter 'monkey' in this box</label>
> <input name="monkey" id="monkey" type="text">
I did this for an installation of a popular bulletin board, except
that the field was hidden and prefilled with the correct value. I
already had a decent keyword-based spam filter in place, I was just
curious as to how much I would catch by using this first. 20-25%, as
it happens, which gives an idea of the spammers' methodology and
cost-benefit calculations here.
The most effective one is to drop messages containing URLs (or too
many URLs, if there might be legitimate reasons to include any at all)
and there's nothing the spammers can do about it because they need
those URLs to be present to get any benefit from the spam.
--
Chris
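An added example (not code from the post or from the bulletin board it mentions) that combines the two checks described above: the prefilled field from the quoted HTML, which a form-posting bot tends to omit or overwrite, and a cutoff on the number of URLs in the body. The field name, the expected value and the sample submissions are assumptions.

```python
import re
from typing import Mapping

# Hypothetical field name and expected value, taken from the quoted HTML;
# in the real form the input would be hidden and prefilled server-side.
HONEYPOT_FIELD = "monkey"
HONEYPOT_VALUE = "monkey"

# Matches http(s) URLs and bare "www." hosts, the payload a spam post needs.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def count_urls(text: str) -> int:
    """Number of URL-looking tokens in the message body."""
    return len(URL_RE.findall(text))


def classify_post(form: Mapping[str, str], max_urls: int = 0) -> str:
    """Return 'ok', 'honeypot' or 'urls'.

    'honeypot': the prefilled field is missing or altered, so the client did
                not submit the form as rendered (typical of posting bots).
    'urls':     the body carries more URLs than the board allows
                (max_urls=0 drops any post containing a URL).
    """
    if form.get(HONEYPOT_FIELD) != HONEYPOT_VALUE:
        return "honeypot"
    if count_urls(form.get("body", "")) > max_urls:
        return "urls"
    return "ok"


# Constructed sample submissions, not real traffic.
SAMPLES = [
    {"body": "Thanks, that fixed my problem.", "monkey": "monkey"},
    {"body": "cheap pills at http://example.invalid/buy", "monkey": "monkey"},
    {"body": "great site!", "monkey": "great site!"},  # bot stuffed every field
    {"body": "hello"},                                 # bot dropped the field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_post(sample), "<-", sample["body"])
```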