CAPTCHA is Dead, Long Live CAPTCHA!

I had to receive a text message in order to sign up for gmail. Don’t they still do that?

The economics are heavily in favour of the spammers, aren’t they? The spammers have an ongoing financial incentive to break big systems so they’ll keep working on it. Which basically means entering into an arms race with spammers.

Better would be to hit the opposite side and prosecute anyone who uses spam to sell something. If they aren’t legally accessible, just block name/IP of the mail/web server that does the trade until fixed. I imagine that would reduce spam by an order of magnitude more-or-less instantly.

The anti-bot method I like requires no script and no effort from the real user. A text input styled for display:none within the submission form, possibly with a name of “zipcode” or something similar. Most bots will attempt to populate it with “convincing” data.

When you process the form, reject any submission with data in that box.

I didn’t come up with this, but it seems to work pretty well.

I think the ASCII-art captchas are as weak as image-based captchas. It’s a kind of security by obscurity if you ask me. If Google decided to use them, it’d take a day and they’d be solved :)

@monsur reCAPTCHA has an audio-based captcha.

Please enter your Social Security number, mother’s maiden name, date of birth and driver’s license ID.

(It works for the bank…)

I am starting to think that some kind of global internet ID system that relates back to real world credentials is the only way to go. I know, it removes our anonymity, but it solves the problem.

The ID could be constructed in such a way that websites could not access the private information, just the fact that this ID is from a real person. Of course, regulating whoever has that information would be the challenge.

Almost all the great suggestions on this “thread” are security by obscurity. Putting in JavaScript ? Invisible fields named “zipcode” ? Those things will be circumvented 30 seconds after they have been implemented. Remember, we are talking about Google and Hotmail here, not some private blog. On a private blog, even something as silly as Jeff’s “orange” is enough.

Brother Erryn, that’s rather easy to break - naturally it will only stop bots that are not expecting your mechanism, but any sophisticated attacker of Google/Yahoo/Microsoft is going to spend some time studying the page to determine minor obstacles such as those.

Javascript/css tricks are easily broken.

Jeff,

From a recent post on the Joel on Software forums:

“Chenette said organized attackers are using automated tools to sign up for Gmail and other Web-mail accounts. When the CAPTCHA image appears, it’s automatically sent off to a large and low-paid workforce, typically in another country, where a worker enters the code and sends it back so the account can be created.”

http://www.theregister.co.uk/2008/02/08/microsoft_captcha_buster/

http://www.enterprise-security-today.com/story.xhtml?story_id=58602

How do you stop spammers from using low-paid humans to beat CAPTCHAs? Are the CAPTCHA’s days numbered?

So it appears that the Google CAPTCHA algo hasn’t been broken at all, but simply circumvented by those willing to pay people to get them through.

Oops! Forgot the link to the post at JOS:

http://discuss.joelonsoftware.com/default.asp?joel.3.600679.21

I think the next step in CAPTCHA is to require a valid answer, not just repeating the letters.

Here are some ideas. To be successful, you would have to have a bank of X000 simple, first-grade questions/answers:

What color is this?
What is 1+3?
What is this year?
What is the first?
What is 10/2?
What day is after Monday?
How many hours are in the day?

How exactly are spammers any different than traditional marketing houses that send bulk mail advertising to your mailbox? Guess what… the difference is strictly due to the public’s perception.

If you really want to stem the tide, it needs to be legitimized and regulated. Once that is done, the various governments would have a financial incentive to really punish rogue spammers. After all, a rogue spammer would be cutting into their own profit. Further, the traditional marketing companies would push the smaller guys out of the market.

Here’s how I see it: all ISPs pool their email address list into a giant database. A spammer would buy the right to send x number of messages to x number of addresses on that list. Say 40% goes to the government of the country of the ISP of the recipient, the rest goes to the ISP. If the spammer sends a message to someone on the Do Not Email list they are fined something like $100 per instance, lack of paying the fine = jail time for whoever the government can capture. Maybe it costs something like $0.05 per address per message, which is pretty close to bulk mailing rates.

There’s financial incentive for: 1. ISPs to join the list; 2. Pretty much any government to enforce regulation, which is something they like doing anyway; and, 3. Spammers to register and follow the rules.

After all, from a spammer’s perspective it’s much more cost-effective to broadcast a message to a known good list of recipients than it is to try and harvest those addresses in the first place.

One solution I’ve seen (and only in one place - in a free 2chan-esque image board software package) is a ‘spam trap’ - basically invisible form fields that are only filled out by spambots. These fields are then tested and if they have any value, the input is discounted as spam.
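The hidden “zipcode” field and the “spam trap” described in the two comments above, as an added Python example (not code from any commenter): the markup that hides the decoy from real users and the server-side check that rejects anything posted into it. The field name, sample submissions and the `is_bot_submission` helper are constructed for this illustration.

```python
"""Honeypot ("spam trap") form field: a text input real users never see and
therefore never fill in. Any submission carrying a value in it came from a
client that populated a field a human could not see. Field name and sample
submissions are constructed for this example.
"""
from html import escape

HONEYPOT_FIELD = "zipcode"  # decoy name, as suggested in the thread


def honeypot_markup(field_name=HONEYPOT_FIELD):
    """Return the decoy input. It is hidden via CSS rather than type=hidden
    (which bots tend to skip), and kept out of the tab order and out of
    browser autofill so genuine users are not misclassified by accident."""
    name = escape(field_name)
    return (
        f'<div style="display:none" aria-hidden="true">'
        f'<label for="{name}">Leave this field empty</label>'
        f'<input type="text" id="{name}" name="{name}" '
        f'tabindex="-1" autocomplete="off"></div>'
    )


def is_bot_submission(form, field_name=HONEYPOT_FIELD):
    """Server-side check: non-whitespace content in the decoy field means the
    submission is rejected, as the comments describe. A missing field counts
    as empty, so a stripped-down client is not penalised by this check alone."""
    return form.get(field_name, "").strip() != ""


def process_submissions(submissions):
    """Split a batch of posted forms into accepted and rejected lists."""
    accepted, rejected = [], []
    for form in submissions:
        (rejected if is_bot_submission(form) else accepted).append(form)
    return accepted, rejected


SAMPLE_SUBMISSIONS = [  # constructed sample posts
    {"email": "alice@example.com", "comment": "Nice post", "zipcode": ""},
    {"email": "bot@example.net", "comment": "cheap pills", "zipcode": "90210"},
    {"email": "curl@example.org", "comment": "hi"},  # decoy field absent
]

if __name__ == "__main__":
    ok, bad = process_submissions(SAMPLE_SUBMISSIONS)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
```

As later comments in the thread point out, this only catches bots that have not inspected the page, so it is a cheap first filter rather than a substitute for a real challenge.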

I’m a fan of the reCAPTCHA project. But lately I’ve hit a lot of words on reCAPTCHA that I can’t decipher! I love the idea of CAPTCHA using a picture instead of words; it’d be easier to internationalize such a system.

How about this:
Once your CAPTCHA algorithm is broken, you obtain the solution and incorporate it into your own CAPTCHA generator:

  1. Generate the image.
  2. Use the solution.
  3. See if the “solution” matches the actual answer.
  4. If it does, discard it and do steps 2-4 again. If it doesn’t match, then your CAPTCHA is safe!

The only problem would be obtaining the solution. $$$ :P

Here’s a question: could improvements in CAPTCHA-defeating technology be used to make super-reliable OCR?

As http://en.wikipedia.org/wiki/Captcha clearly states:

This point seems to be missed by just about everyone, and it’s something worth considering. Just think “what would Bruce Schneier say?” and you’ll get it right ;)

They just need Flash-based animated + audio captchas.

An intelligence test like:

“You have a bucket that holds two gallons and one that holds three gallons. How many buckets do you have?” (smirk)

BTW, I’ve expanded my comment into a post: http://taint.org/2008/03/05/122732a.html