CAPTCHA is Dead, Long Live CAPTCHA!

I wonder if the ever-increasing battle between spammers and their victims (us) will result in the first true AI systems? Will they unintentionally end up making a computer that thinks like a human?

There has to be a way using Flash or some sort of randomly generated animated field that a human can distinguish that a bot can’t.

The simple ability to use ActionScript to randomly create a timeline for the flashed letter forms, and the ability to use the same scripting to create an endless combination of noise or disfigurement, would have to at least set the absolute bots back a bit.

Of course the real-deal spam houses forcing actual people to do their dirty work may never be stopped, but the macro/bot programmers would have a hell of a time with a CAPTCHA that had its own timeline and actually moved.

If you were really clever you could also have the algorithms get MORE strict each time the person pressed the “show me a new one” button based on their session ID or cookies.

Perhaps also getting away from letterforms entirely, using a gradient slice of colors with a corresponding universal sound on mouseover; by universal I mean things anyone would recognize: flowing water, a cheering crowd. For the backend, have hundreds of dummy sounds, use a scripted backend to randomize the filename of the embedded sound clip, and always make sure its position is as random as you can get it.

I think any system can be broken, and perhaps none of my ideas would work since the obvious weakness is it must be executed client side and would therefore be susceptible to reverse engineering.

I find this topic particularly interesting, even the first time you brought it up, because it’s a callback to the most simple rule in our electronic age:

Anything that can be made, can be unmade.

And frankly, there’s something almost comforting about that, as crazy as that sounds.

Quote (Matt Gibson on March 5, 2008 01:51 AM):
So what if the CAPTCHA turns into an intelligence test? Let’s not have dumb people make comments either :slight_smile:

Oh, damn. I can’t spell "orange."

Better yet, let them enter a word that rhymes with orange.

I can’t help but wonder if adding a second captcha will significantly reduce the success rate. Currently, if an automated process gets 20% correct, adding a second captcha will cut that by an additional 80%, leaving it at just around 5% success. Or at least that’s my thought on it. I hate captchas, by the way, but they do keep tons and tons of spam from getting to our inboxes.

Thinking aloud: how about a CAPTCHA that depends on -errors- that humans will make (reliably!)?

I really don’t understand how spammers get so much money to make spamming worth the effort…

The “distinguish pictures of dogs from cats” page just informed me that I am a bot.

It asked me to choose all of the pictures of cats.

I did so, including one that contained both a dog and a cat.

I guess that was supposedly a picture of a dog.

I had read a while back about a way to make spamming prohibitively expensive.
It was Cringely, IIRC, who proposed making the sender of an email perform a small calculation sent to it by the email server. A small enough calculation not to be noticed by the average email user, but large enough that when a spammer tries to send huge amounts of mail at once, the computation becomes too time-consuming to be worth it.
This was over two years ago. Has anyone heard of this concept being used?
Now, I understand that this would unjustly penalize businesses that legitimately send bulk emails. But, do any legitimate bulk emailers send as much as a spammer?
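The cost asymmetry described in that comment can be shown with a small proof-of-work stamp. This is an added example, not code from the post or from Cringely's proposal: the server hands out a random challenge, the sender searches for a counter whose SHA-256 hash has a chosen number of leading zero bits, and the server verifies with a single hash. All names and the 16-bit difficulty are assumptions for the demo.

```python
import hashlib
import os
import time

DIFFICULTY_BITS = 16   # leading zero bits required; each extra bit doubles the sender's work

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count

def new_challenge() -> str:
    """Receiving server: a fresh random challenge, bound to one delivery attempt."""
    return os.urandom(16).hex()

def stamp_digest(challenge: str, counter: int) -> bytes:
    """The hash both sides compute over (challenge, counter)."""
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()

def mint_stamp(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Sender: search for a counter whose hash carries `bits` leading zeros.
    Expected cost is about 2**bits hashes per message, so bulk sending scales linearly."""
    counter = 0
    while leading_zero_bits(stamp_digest(challenge, counter)) < bits:
        counter += 1
    return counter

def verify_stamp(challenge: str, counter: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Receiver: one hash to check, however many the sender needed to mint."""
    return leading_zero_bits(stamp_digest(challenge, counter)) >= bits

def time_batch(n_messages: int, bits: int = DIFFICULTY_BITS) -> float:
    """Seconds a sender needs to stamp n_messages, each with its own challenge."""
    start = time.perf_counter()
    for _ in range(n_messages):
        mint_stamp(new_challenge(), bits)
    return time.perf_counter() - start

if __name__ == "__main__":
    c = new_challenge()
    s = mint_stamp(c)
    print("stamp", s, "valid:", verify_stamp(c, s))
    print("one message: %.3fs  ten messages: %.3fs" % (time_batch(1), time_batch(10)))
```

Raising the difficulty by a few bits keeps a single message unnoticeable while making a batch of millions impractical; the comment's objection about legitimate bulk senders is exactly this linear scaling.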

I prefer technical solutions.

For web form spam, you can easily filter keywords and links (spammers can’t obfuscate them, they want links to be machine-readable - google-readable to be exact).

For other kinds of abuse it’s more tricky, but it might be possible to use trending, i.e. don’t check individual requests; observe how the “user” behaves, how many registrations he makes, how soon and how many e-mails he sends, etc. This should reliably pick up bots until spammers learn to emulate human behaviour better.

Why bother with Captcha? Just let them spam all they want and ignore them silently. This is what services like Akismet and Defensio are for. They will take care of watching over the evolution of spam messages and adjust the filtering techniques.

Defensio advertises an efficiency of 99.77%. Considering Akismet (no numbers) is at least 99.5%, you can combine both and get 99.9999% accuracy. Who needs a CAPTCHA?

Actually, I believe dynamically generated CAPTCHA fields would do the job. Your Server sends you a session ID and retains the properties of the generated CAPTCHA field.

A bot will not be able to find the CAPTCHA field, so it won’t be able to insert text. Human CAPTCHA solving is no option, as the field name will be different every time.

Also, you should map the other fields as well, so the whole page changes in an unpredictable way for each session.

This could also be done with the Javascripts within each page, changing function names throughout to make it even more difficult for Bots to analyze it.
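The per-session field mapping from the comments above, as an added example rather than anything from the thread: the server keeps the mapping between logical fields and opaque per-session names, the page only shows the opaque names, and a submission is accepted once, only if it uses exactly that session's names. The session store, field list and helper names are assumptions for the demo.

```python
import secrets
from typing import Dict, Optional, Tuple

# Server-side session store: session id -> form layout. Constructed for this demo;
# in a deployment this lives in the session backend and is never sent to the client.
SESSIONS: Dict[str, dict] = {}

LOGICAL_FIELDS = ("name", "email", "comment", "captcha")

def issue_form() -> Tuple[str, Dict[str, str]]:
    """Create a session whose form uses fresh, opaque field names."""
    sid = secrets.token_hex(16)
    mapping = {logical: "f_" + secrets.token_hex(8) for logical in LOGICAL_FIELDS}
    SESSIONS[sid] = {
        "fields": mapping,
        "captcha_answer": secrets.token_hex(3),   # stands in for the rendered CAPTCHA text
        "used": False,
    }
    return sid, mapping

def render_form(sid: str) -> str:
    """Emit the inputs with the per-session names (hypothetical templating helper)."""
    fields = SESSIONS[sid]["fields"]
    inputs = "\n".join(f'<input name="{fields[k]}">' for k in LOGICAL_FIELDS)
    return f'<form method="post" action="/submit?sid={sid}">\n{inputs}\n</form>'

def handle_submission(sid: str, posted: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map opaque names back to logical ones; reject anything that does not fit.
    Note: this only stops clients posting fixed field names; a bot that fetches the
    page first sees the same mapping a browser does."""
    state = SESSIONS.get(sid)
    if state is None or state["used"]:
        return None                      # unknown session or replay of a used layout
    reverse = {opaque: logical for logical, opaque in state["fields"].items()}
    if set(posted) != set(reverse):
        return None                      # missing or extra names: hard-coded bot post
    data = {reverse[k]: v for k, v in posted.items()}
    if data["captcha"] != state["captcha_answer"]:
        return None                      # wrong CAPTCHA text for this session
    state["used"] = True                 # each layout is accepted exactly once
    return {k: data[k] for k in ("name", "email", "comment")}
```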

Why don’t we skip the CAPTCHA and move to a pay per email type system? Just like we do with stamps. No gmail account for you until you provide a credit card number.

I read it that humans were being used (either wittingly or unwittingly) to read Google’s CAPTCHAs. Either way, it’s a bit over the top to suggest CAPTCHA implementations are broken for everyone. Google/Yahoo/MS need to do something new because the monetary reward for breaking their CAPTCHAs is high enough to make it worth paying people to do it. This is not so for the average blog or even small web application.

Wouldn’t it be much easier for Google/Yahoo/Hotmail/etc. to limit outgoing emails for new accounts? Instead of a single Turing Test, CAPTCHA, these services could pose a series of tests for the new users to complete over the course of weeks and months before email restrictions were lifted.

This sounds like the Matrix - Human farms of unknowing subjects breaking the CAPTCHA algorithm for the machines.

Mandatory 1-year prison sentences for all convicted spammers. 6-figure fines for all ISPs who knowingly distribute spam. Nincompoops who attempt to respond to spam should be warned once, then have their internet connections disabled for 30 days if they do it again.

All internet advertising must be PAID advertising and belongs on commercial web pages and pop-up ads only. Everything else should be punishable by law.

Desperate measures for desperate times.

I like the JavaScript solution that was suggested earlier. You could just have JavaScript populate a hidden field with a value that will be read when the form is submitted. If a bot is visiting the page the JS won’t be executed and the bot will be defeated. That would unburden the user also.

Some of the options that you offer as alternatives are no better. If they offer a multiple choice, then the probability of breaking the captcha becomes 1 in the number of options offered. The number of choices needs to approach a really, really big number (I originally wrote infinity) to make the approach effective.

I’m just saying, is all…

To me the long term solution is to figure out and define exactly what spamming is, and automatically detect that behavior.

Maybe this requires some kind of machine learning. It may require shared databases of information about current spammers too – that has the capability to stay ahead of the spammers.

This would have to be combined also with some more sophisticated and fine-grained access control. (E.g. to beat the case where a spammer takes your captcha image and uses it to give other users access to a fake porn site, only serve captcha images to clients that you can be sure have already visited your site in the past N ms.)

A combination of countermeasures that are not uniform from site to site, or even request to request, would also be best. I.e. imagine your captcha incorporated all kinds of variation [note how similar the example captchas above are to each other for each of Google, Hotmail, Yahoo]. If, in order to beat your captcha, a spammer had to run several recognition passes tuned for different kinds of captcha distortions, it makes it that much more expensive and time-consuming.

We can also come up with more sophisticated ways of defining exactly what some of the characteristics of a “high quality” blog comment are, score comments accordingly, and send lower ones into human moderation.

The community of people who don’t like spam is much larger than spammers and people who don’t care. We also have the advantage that the characteristic that unites us is that we hate spam, and want to fight it. Our disadvantage is that most of us who hate spam are just average users, and have a certain threshold of what hoops they’re willing to jump through to get their actual work done.

So to me the best thing to do is to make our websites smarter, rather than forcing users to do too much work; and when we do have a task for the user to do (log in, captcha, whatever), make sure it’s as streamlined and easy to deal with as possible.

I write some bots myself (though not spam bots!). Just some bots to simplify certain internet tasks and I use WebKit which actually loads javascript. So to the people who are saying that using an invisible div with a javascript math problem solves CAPTCHA… it does not…