On 9 Mar 2008, at 12:47, Per Jessen wrote:
Richard Heyes wrote:
How about this one -
http://jessen.ch/articles/captcha
Well, of course it can be broken too - it's only a matter of money
and time, both of which are critical to spammers.
Interesting. How well does this work?
Well - it's an idea I've had for a while, but I only just implemented it
this morning.
The key thing is that in order to read the question, you need to render
the HTML in an engine or browser with javascript support. Just parsing
the page won't help you.
Like I said, it can be broken too (given sufficient effort).
It's not much effort - you just need to request a second URL after
you've got the form. It's not hard and really doesn't put
anything more in the way of a bot than an image-based captcha. In fact
I'd argue that parsing the text in your questions is significantly
easier than doing OCR on an image.
I'm interested because I wrote a number to text converter which could
be used as a CAPTCHA and it was eventually broken, so I resorted to
the more traditional image based CAPTCHA. For example:
Enter the following in numbers:
Four thousand and twenty two.
And of course the answer is 4022.
Did you use javascript to do that too? Seems to me it should work just
as well as what I proposed.
Text-based captchas will never be a big hurdle for bots. Anything you
can convert from a number or numbers into text can also be parsed back
to the numbers. Fact.
The key thing to remember when securing a form is that if you do
something that's never been seen before it's unlikely that the generic
bots will be able to get past it. If someone decides to target your
site then a text-based captcha will never be good enough, and chances
are nothing you do will work. If someone is willing to put in the
effort you've got no chance.
As an example I used to have a simple text-based captcha on the
comment form on my blog. It was pitifully simple to get past because
all it asked you to do was type 'human' into a text box, but since my
blog is not very popular it's not worth the bad guys investing time to
mod their bots to get past it. I had zero spam comments while that was
in place. I've since switched to Wordpress and I have to say that
Akismet kicks the crap out of any captcha in terms of effectiveness.
-Stut
--
http://stut.net/
--
PHP General Mailing List (http://www.php.net/)
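
The point made in the thread, that a number rendered as words can be parsed back, can be checked before relying on such a challenge. The following is an added example, not code from any poster in this thread; the function names and the 0..9999 range are assumptions made for illustration.

```php
<?php
// Added illustration; all names below are hypothetical.
const ONES = ['zero','one','two','three','four','five','six','seven','eight','nine','ten',
    'eleven','twelve','thirteen','fourteen','fifteen','sixteen','seventeen','eighteen','nineteen'];
const TENS = [2=>'twenty',3=>'thirty',4=>'forty',5=>'fifty',6=>'sixty',7=>'seventy',8=>'eighty',9=>'ninety'];

// Challenge side: render 0..9999 in the wording style quoted in the thread.
function numberToWords(int $n): string {
    if ($n < 20) return ONES[$n];
    if ($n < 100) return TENS[intdiv($n, 10)] . ($n % 10 ? ' ' . ONES[$n % 10] : '');
    if ($n < 1000) {
        return ONES[intdiv($n, 100)] . ' hundred' . ($n % 100 ? ' and ' . numberToWords($n % 100) : '');
    }
    $rest = $n % 1000;
    $join = $rest === 0 ? '' : ($rest < 100 ? ' and ' : ' ') . numberToWords($rest);
    return ONES[intdiv($n, 1000)] . ' thousand' . $join;
}

// Reader side: a lookup table and a running total are enough to invert it.
function wordsToNumber(string $text): ?int {
    $value = array_flip(ONES);
    foreach (TENS as $digit => $word) $value[$word] = $digit * 10;
    $total = 0;
    $group = 0;
    foreach (preg_split('/[^a-z]+/', strtolower($text), -1, PREG_SPLIT_NO_EMPTY) as $w) {
        if ($w === 'and') continue;                 // filler word, carries no value
        if ($w === 'hundred') { $group *= 100; }
        elseif ($w === 'thousand') { $total += $group * 1000; $group = 0; }
        elseif (isset($value[$w])) { $group += $value[$w]; }
        else return null;                           // token outside the vocabulary
    }
    return $total + $group;
}

// Design check: count values whose wording the parser fails to recover.
function roundTripFailures(int $max = 9999): int {
    $bad = 0;
    for ($n = 0; $n <= $max; $n++) {
        if (wordsToNumber(numberToWords($n)) !== $n) $bad++;
    }
    return $bad;
}

// Constructed sample input: the challenge text quoted earlier in the thread.
echo wordsToNumber('Four thousand and twenty two.'), "\n";
echo roundTripFailures(), " round-trip failures\n";
```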