CAPTCHA is Dead, Long Live CAPTCHA!

Okay, it is used everywhere. Often it is very easy to see what letters and characters there are, BUT try this one: http://www.iis.se/domains/domainandcontactsearch?query=sunets0702-00001

Most captcha relies on you being able to see and speak English, so you have instantly alienated all your potential blind and non-English speaking users.

Most of the alternative systems mentioned above rely on a bot not knowing your captcha method, as soon as they do they can defeat it easily (at least often enough to be useful), or use subjective tests which humans regularly fail as well, or cost the user money …

This last one is the best and worst: it would stop all the spammers (if it costs more than the return they will not spam), but it will also stop the majority of your potential users.

Universal ID is not an option, universal ID is never universal, I for one will not have one and so will not pass, and it assumes that the ID system is perfect (cannot be cracked, cannot be faked) and every system can be and is, if there is enough money involved.

Oh …

Who transported Cleopatra’s Needle to Central Park and shares a name with a firm of tailors in England?

Henry Honychurch Gorringe (Rhymes with …)

I think that the actual problem is somehow, even with all of us telling our parents, friends and children NOT to click on spam links or buy from spammers some “people” still do it.

If there was no money in spam, they wouldn’t have any incentive, but you have to remember that in direct mail (snail mail) 1% is considered a good return; in email, costs are so much lower that .001% is still a good return.

So the real question is: how do we find that ignorant .001% of people and educate them???

All this talk and not a single person suggested replacing the SMTP protocol with something more up to date with the real world?

I just say we make it legal to murder these bastards. Put out a bounty on their heads.

Where do I start?

Check out the submission page on thoof.com - it uses a fairly novel approach where you must click on the kittens in a picture (it’s a much more elegant implementation than the Microsoft proof of concept you link to above).

Dave: With a claw hammer.

@Alex G on March 5, 2008 10:41 AM

SMTP is slowly being replaced by web-based email.

We use reCaptcha - it works great so far :)

Captcha is good in theory but I have come across many users who struggle to read the letters, including those who have lowered visual acuity. Some captcha themes are so obscure though as to make it difficult to read them in any circumstance. A new method is certainly needed!

I have a simple and I think only breakable on a site by site basis. I don’t think this could be broken by an automation except on a case by case basis.

The idea is simple, present the user with a paragraph of text describing something. Subsequently the user must answer a key question the solution to which was clearly presented in the paragraph previously. For example,

Fact: 20% of all dogs suffer from Fleas.
Question: In a selection of 25 dogs how many are likely to suffer from fleas? (One word) Five

Of course thousands of these could easily be created, and certainly more complicated ones with non numeric solutions. Basically solving these would require a certain level of intelligence. There are still I guess several hurdles such as the language barrier, the intelligence barrier and the requirement that these be created by a human in the first place and will probably require regular updating. Of course if this idea took on it would be possible for a company to create a server of these puzzles and then charge for site/content providers to use their regularly updated set of solutions.

The advantage of this approach is that the user must show real intelligence in order to solve these sorts of problems. This has never been solved by an automation, but before captcha was even invented there was already software which could solve handwritten character recognition, so it was only a small step to cracking captcha.

I guess the other problem with this approach is that lots of internet users don’t want to invest the time to read a paragraph of text just to sign up to something.

Any new method will be attacked and broken too, not that that’s necessarily a bad thing. It drives us forward, makes us find new ways of protecting ourselves. Often, the technology used by the bad dudes becomes useful too.

I always disliked CAPTCHA though. I’ve never been able to decipher them. Hopefully whatever is used to replace them is a lot more user friendly.

@Thic Ric: no, Gmail spam can just be sent from Gmail’s smtp server, or you can just spoof the From address. There are other protections (too many sent messages will cause your IP to be blocked) but it doesn’t require solving captchas.


LOL, the ASCII art captcha can be broken in a second… the only serious one to me seems recaptcha.

To codemonkey:

validating identity does not mean that policy would not permit having more than one email address. But maybe those separate addresses can be managed under a single ‘account’. So I do NOT propose that people should be limited to only one email address with a given provider, just like I have two cell phone numbers. I can turn off my work cell phone when at home, and vice versa. But it should be up to that identity provider (cell phone, email, whatever) if they want to allow a single person to have more than one. It may even prove to be another point of service for gmail to allow you to manage more than one email box under a single login.

Validation: That depends on the form of identity. As for the case with cell phones, a text message can be sent by an automated system. To activate the account, you reply to the text message with a certain message. I’ve actually seen this implemented on a site, and it worked for me. I don’t recall where it was, since I only had to do it once and it was over a year ago.

I left my message with an open question: what other forms of ID are acceptable. I explicitly noted that users would NOT find it acceptable to use SSN.

Instead of captcha why don’t you ask a question.

And have a database full of questions like "what color is the sky" or even harder questions like riddles, so the computer won’t be able to break them but a normal human with basic understanding will.

Another idea is have a movie played and the answer to the question is inside the 10 second clip which could be a flash or real player.

I see where you’re coming from, but what’s your average Joe who needs a quick email for whichever benign reason going to think? The credo of the big sites is their accessibility - secure email providers exist for those users sufficiently paranoid, but for everyone else there’s a quick gmail account and away you go. Are casual users going to remain if they have to jump through more hoops than 1 or 2 captchas?

I stand by my claim that the best solution is a dual system - captcha and administrative routines to back that captcha up. Captcha alone clearly isn’t a solution, and any decent admin ought to be keeping tabs on this stuff anyhow even (or especially) on a site as huge as google. Stating that you should have to pay a micropayment or submit identity to gain a simple web-based email address seems kind of boggling, though maybe that’s just the culture shock setting in.

My missus liked the “cats and dogs” one but she would!!

I like what Ajaxian.com do, ask a question like “what does the X in AJAX stand for?” Of course this has the added bonus of weeding out any human that doesn’t know what they’re talking about as well.

Of course, as with all systems like this, it only takes time for people to hack it. This article could easily be posted after several years of any alternatives.

Are we just too reliant on computers to do things for us?

All of the replies above have a flaw in as much as they refer solely to the quality of the Captcha. If a spammer’s machine fails a captcha four times then succeeds (and I realise this is not how probability works, but law of averages here) then clearly they’re safe and can go on to make as many accounts as they like, right?

What’s being forgotten is that it’s very easy to shore up the captcha capability with automated or manual flagging of IP addresses and identities. Keep logs, alert admins. If IP address xxx.yyy.foo.bar just tried to send out x captcha requests in y minutes and got z% of them wrong, ban it - or, if you’re feeling charitable, block it for a week. While we’re at it, flag the email addresses they successfully made and either automatically block, disable or remove those, or else drag them to the attention of an admin. You could argue that the wave of captcha requests can happen too fast for a human administrator to respond, that it’d be relentless and your poor admins would never get any sleep; what’s to stop this process being totally automatic on the part of the server, and letting admins take a look at sufficiently borderline cases?

You could further argue that letting an automated system cancel and ban accounts is too heavy-handed, but these are free email accounts on privately owned servers: in return I’d point out we are very far into ‘Access is a Privilege, Not A Right’ territory here. If they were charged for I would expect a far more sophisticated and authenticated system, but on what is (no offence meant) the lowest common denominator of popular webmail sites I would rather the admins be heavy-handed than too soft.
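The automated "x requests in y minutes, z% wrong, ban it and flag the accounts it made" routine proposed above, as an added example that is not code from this thread. It assumes a constructed log format (timestamp, client IP, captcha outcome, optional account name) and a per-IP sliding window; the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real log format): one captcha attempt
# per line with timestamp, client IP, outcome, and the account created on success.
SAMPLE_LOG = """\
2008-03-05T10:40:01 203.0.113.7 captcha=fail
2008-03-05T10:40:02 203.0.113.7 captcha=fail
2008-03-05T10:40:03 203.0.113.7 captcha=fail
2008-03-05T10:40:04 203.0.113.7 captcha=fail
2008-03-05T10:40:05 203.0.113.7 captcha=ok account=throwaway17
2008-03-05T10:40:06 203.0.113.7 captcha=fail
2008-03-05T10:40:07 203.0.113.7 captcha=fail
2008-03-05T10:40:08 203.0.113.7 captcha=fail
2008-03-05T10:40:09 203.0.113.7 captcha=fail
2008-03-05T10:40:10 203.0.113.7 captcha=ok account=throwaway18
2008-03-05T10:41:00 198.51.100.9 captcha=fail
2008-03-05T10:42:30 198.51.100.9 captcha=ok account=alice
2008-03-05T09:00:00 203.0.113.7 captcha=ok account=oldone
"""

def parse(line):
    """Split one log line into (timestamp, ip, {key: value})."""
    ts, ip, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), ip, fields

def review_captcha_log(log, window=timedelta(minutes=5), min_attempts=8, fail_ratio=0.5):
    """Per IP, keep the attempts inside a sliding time window. Once an IP has at
    least min_attempts in the window and failed at least fail_ratio of them, mark
    it for banning and list the accounts it created inside that window so an
    admin (or an automatic job) can disable them. Returns {ip: verdict}."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(list)   # ip -> [(ts, succeeded, account)] in window
    verdicts = {}
    for ts, ip, f in events:
        win = recent[ip]
        win.append((ts, f["captcha"] == "ok", f.get("account")))
        while win and ts - win[0][0] > window:   # expire old attempts
            win.pop(0)
        fails = sum(1 for _, ok, _ in win if not ok)
        if len(win) >= min_attempts and fails / len(win) >= fail_ratio:
            accounts = sorted(a for _, ok, a in win if ok and a)
            verdicts[ip] = {"action": "ban", "accounts_to_flag": accounts}
    return verdicts
```

The account made at 09:00 from the same IP is outside the window and is left alone, which is the "borderline case" the post leaves for a human to look at.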