I agree with Tijnema on the fact that visual positioning doesn't really matter to the bots. They don't really "see" the page the way we see it. Most tricks you're going to try using HTML and JS are going to be readable by a bot. You could take your example and replace the alert() with a window.location (think that's the JS command for redirecting to another page), but a bot could just look for an onclick or form submit stuff. Since there's always some kind of variation in CAPTCHA systems (layout of the HTML, form names, etc), I'm guessing that most spam bots are pre-programmed to handle specific well known CAPTCHA systems, that there's not much intelligence built into them. So really, all this isn't so much about "can a bot figure it out" is "can a human figure it out enough to program a bot to handle it easily". I'm guessing the majority of the spam bots out there work like this: 1. Crawl the internet, maybe using search engines to identify potential targets (ie. Searching for forums running phpBB or something) 2. Create an account on the system (or if accounts aren't required, head straight to where you post public messages) and use pre-programmed methods for performing the proper CAPTCHA response. If a bot programmer really wants to get into your site, they may create a new bot (or modify an old one) to work against your site. If it's better to handle the multi-thousand sites running a standard install of a known exploitable CAPTCHA system rather than a single site running a non-standard one, then my guess is they'll go for the most and easiest to exploit. That doesn't let us, as programmers, off the hook for running a single site using a non-standard CAPTCHA system. We still have an obligation to try to make it as secure as possible (again, balancing ease of use as well, for our users). -TG = = = Original message = = = On 3/30/07, John Comerford <johnc@xxxxxxxxxxxxxxxxxxxx> wrote: > I was reading the current tread on CAPTCHA and possible cracks and I > thought maybe I'd throw this out to the group to see what you think. > Recently I saw a forum where in order to post you first had to click on > a div that was placed at a random location on the page, it read > something like, "Click here if you are human". I was thinking that > maybe you could put together a system that looks something like this: > > http://people.aapt.net.au/JComerford/ClickMe.htm > > I was thinking you could use it in a couple of ways: > > 1) As a replacement to a CAPTCHA image > 2) When you click the image a CAPTCHA image is loaded into the 'Click > Me' container > > The main problem is how to tell the server that the div has been > clicked, in a way that can't be simulated. I am not an expect with > either JS or PHP, but maybe some of the bigger brains out there could > throw in their 2 cents...... > > JC This looks maybe hard to crack, but actually it isn't very hard. All the clicking does is calling a javascript function. You still could submit the page without clicking the box. Tijnema ___________________________________________________________ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
