I guess I should add to this, that of course if people are replying, then the CAPTCHAs only stop bots from doing anything automatically (either posting, for example, or registering to post).

So of course it won't stop spamming when people are replying, which, however it is implemented, is widely done by URL spammers.

The other part of this is to use the CAPTCHA for registering users, to not display that registration as is widely done by forum software and is part of the problem, and to ascertain through either a question or two during registration or afterwards via the email address supplied during registration if this is someone you want to approve as a user of your site.

Once approved, they would enter via user name/email address and their supplied password, so CAPTCHAs are only involved in new user registration, if in fact you are soliciting user membership from the public.

rd


Ralph Daugherty wrote:
There was a Slashdot thread or two on CAPTCHAs a few weeks ago, but no one really offered anything very helpful about what is going on out there.

Lots of quibbling over how certain MSFT entities practice it in a substandard way, but for the most part that's just /. being /. However, when I looked at the example CAPTCHA images, they were trivially straightforward letters for OCR'ing, relatively lined up and well separated.

Displaying in different colors including pastels really screws OCR up, but it's not necessary. The key is to overlap the characters somewhat with characters tossed and turned.

I agree with the suggestion to just generate these images with random number of characters (from three to five, for example) generated at positions that overlap at least two of the characters and store a set of them on IFS with answers in a file keyed by the file name as suggested (by Nathan I think).

My vague understanding from lots of /. references is an implication that CAPTCHAs are forwarded to very, very low paid people assisting URL spammers (not necessarily worded that way elsewhere, my description) to reply to the CAPTCHAs. Given that most spamming attempts come from bot networks of random owned PCs, and that responses are fairly quick, it is inconceivable to me that OCR software algorithms have been downloaded to owned bot PCs or that the CAPTCHA images are forwarded and OCR'd elsewhere.

In any event, as I suggest here to do, most CAPTCHAs are not OCR'able anyway due to overlapping and/or very difficult to separate from background characters.

Nathan's suggestion is really quite simple and the way to go.

rd


Nathan Andelin wrote:
Quoting from the Wikipedia article on CAPTCHA:

"Breaking a CAPTCHA generally requires some effort specific to that
particular CAPTCHA implementation, and an abuser may decide that the
benefit granted by automated bypass is negated by the effort required
to engage in abuse of that system in the first place."

With that quote in mind, a hacker might be more willing to spend the time to break a CAPTCHA algorithm offered via a popular web service, thinking that it would automatically compromise all the sites that relied on that particular web service. If that matters.

Nathan.
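
The pre-generated image set with answers in a file keyed by file name, as suggested in the thread above, sketched as an added example that is not part of any poster's message. The file names, answers, class name and five-minute lifetime are assumptions made for illustration; each challenge is handed out under an opaque single-use token so a solved challenge cannot be replayed.

```python
import hmac
import secrets
import time

# Constructed sample answer file: image file name -> expected text
# (three to five characters, as in the thread). In the thread's scheme
# this would be a file stored on the IFS beside the generated images.
ANSWERS = {"c0001.png": "k7wq", "c0002.png": "m3x", "c0003.png": "hp9ad"}
TTL_SECONDS = 300  # assumed lifetime of an issued challenge


class CaptchaStore:
    """Hands out stored images under opaque, single-use tokens."""

    def __init__(self, answers, ttl=TTL_SECONDS, clock=time.monotonic):
        self._answers = dict(answers)
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # token -> (file name, expiry time)

    def issue(self):
        """Pick a random image; return (token, file name to serve)."""
        name = secrets.choice(sorted(self._answers))
        token = secrets.token_urlsafe(16)
        self._pending[token] = (name, self._clock() + self._ttl)
        return token, name

    def verify(self, token, response):
        """One attempt per token: it is consumed whether or not it passes."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown, already used, or never issued
        name, expiry = entry
        if self._clock() > expiry:
            return False  # challenge expired
        expected = self._answers[name].encode()
        given = response.strip().lower().encode()
        # Constant-time comparison of the stored answer and the reply.
        return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    store = CaptchaStore(ANSWERS)
    token, image = store.issue()
    print("serve", image, "with hidden form field", token)
    print("accepted:", store.verify(token, ANSWERS[image]))
    print("replay accepted:", store.verify(token, ANSWERS[image]))
```

Because the stored set is finite, the token only prevents reuse of one solved challenge; the image set itself still needs to be regenerated periodically.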




