captcha to defeat form spammers

let

I wish to use a CAPTCHA to defeat form spammers. Please can someone
point me to an easily installable one. Currently I am using NMS
FormMail Version 3.14c1 which for some reason is newer than the
version on the SourceForge website which is 3.12. I am getting spammed
and want to defeat the spammers.

Is there something wrong with the 3.14 release, why have they gone
back to 3.12 on SourceForge?
 
Jukka K. Korpela

Scripsit (e-mail address removed):
I wish to use a CAPTCHA to defeat form spammers.

Don't. Google for captcha (perhaps with w3c as extra keyword) to get
enlightened.

If you can't cope with spam without creating problems and obstacles to other
people, like your visitors, stay out of the Internet. TIA.

Not an HTML issue; f'ups narrowed.
 
Tina Peters

I wish to use a CAPTCHA to defeat form spammers. Please can someone
point me to an easily installable one. Currently I am using NMS
FormMail Version 3.14c1 which for some reason is newer than the
version on the SourceForge website which is 3.12. I am getting spammed
and want to defeat the spammers.

Is there something wrong with the 3.14 release, why have they gone
back to 3.12 on SourceForge?


http://www.formmailscript.com We went from about 10 to 1 spam/legit
email to zero spam when we started using it.

--Tina
 
David E. Ross

I wish to use a CAPTCHA to defeat form spammers. Please can someone
point me to an easily installable one. Currently I am using NMS
FormMail Version 3.14c1 which for some reason is newer than the
version on the SourceForge website which is 3.12. I am getting spammed
and want to defeat the spammers.

Is there something wrong with the 3.14 release, why have they gone
back to 3.12 on SourceForge?

If you use a CAPTCHA, be sure to provide for the visually handicapped
who might be using an audio browser. CAPTCHAs even create problems for
the dyslexic and colorblind.

--
David E. Ross
<http://www.rossde.com/>

Natural foods can be harmful: Look at all the
people who die of natural causes.
 
Stan Brown

http://www.formmailscript.com We went from about 10 to 1 spam/legit
email to zero spam when we started using it.

"Simply edit a few bits if information" -- that creates a real sense
of confidence.

The site asks me to spend $10 for the product with no chance to try
it. No thanks.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
HTML 4.01 spec: http://www.w3.org/TR/html401/
validator: http://validator.w3.org/
CSS 2.1 spec: http://www.w3.org/TR/CSS21/
validator: http://jigsaw.w3.org/css-validator/
Why We Won't Help You:
http://diveintomark.org/archives/2003/05/05/why_we_wont_help_you
 
Tina Peters

Stan Brown said:
"Simply edit a few bits if information" -- that creates a real sense
of confidence.

If you aren't able to fill in your email address and what you want for the
subject of your email, so the form knows where to send the results
to...then you have more problems than form spam. ;-)

The site asks me to spend $10 for the product with no chance to try
it. No thanks.

It's 2 small unencoded php files. Don't be silly.

--Tina
 
Sherm Pendley

Tina Peters said:
If you aren't able to fill in your email address and what you want for the
subject of your email, so the form knows where to send the results
to...then you have more problems than form spam. ;-)

That's not what Stan was referring to. Gross misspellings like "bits if
information" are not confidence-builders.

It's 2 small unencoded php files. Don't be silly.

For one thing, charging $10 for "2 small unencoded php files" is beyond
silly, and verging on dishonest. It's like charging for "hello world".

For another, they don't even work. That isn't an effective CAPTCHA. The
verification letters are in the clear in the HTML, not embedded in an image;
it would take the stupidest script kiddie spammer about five minutes to
automate a form submission for this form.

sherm--
 
Harlan Messinger

David said:
If you use a CAPTCHA, be sure to provide for the visually handicapped
who might be using an audio browser. CAPTCHAs even create problems for
the dyslexic and colorblind.

They can even create problems for normally sighted people without
perceptual disabilities. Oftentimes I have been unable to tell whether a
particular stroke was part of a letter or part of the obfuscation.
 
Chris Morris

Harlan Messinger said:
They can even create problems for normally sighted people without
perceptual disabilities. Oftentimes I have been unable to tell whether
a particular stroke was part of a letter or part of the obfuscation.

Unfortunately for CAPTCHAs, image processing software is able to
defeat any CAPTCHA that might be easy for a person to read... The
eventual consequence will be CAPTCHAs that no-one can read.

Of course, the reason they're a bad idea is encoded into their name. A
Turing test is where a human tries to distinguish between a human and
a computer. Since no computer program has passed the test, no computer
program is qualified to administer the test by definition... (and even
then it'd be the wrong test - automatic isn't necessarily spam, manual
isn't necessarily not spam)

Conversely, a very simply written spamfilter will catch >99.9% of
spam. It's nowhere near as complex a problem as email spam. The big
giveaway is unexpected URL markup in the content, but adding a few
other regex-based tests helps.
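
A sketch of the kind of filter described in the post above, added here as an illustration and not taken from the thread or from any poster's code. The post names only "unexpected URL markup"; the other patterns, the field names and the thresholds are assumptions for a plain-text contact form.

```python
import re

# Patterns are assumptions for a plain-text contact form; the post names only
# "unexpected URL markup" and leaves the other tests unspecified.
HTML_LINK = re.compile(r"<\s*a\b[^>]*\bhref\s*=", re.I)
BBCODE_LINK = re.compile(r"\[\s*(?:url|link)\s*[=\]]", re.I)
BARE_URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)

NO_URL_FIELDS = ("name", "subject")   # fields where any URL is unexpected
MAX_URLS_IN_MESSAGE = 2               # assumed tolerance for legitimate links


def spam_reasons(fields):
    """Return the list of rules a submission trips; empty means accept."""
    reasons = []
    for key, value in fields.items():
        if HTML_LINK.search(value):
            reasons.append(f"{key}: HTML link markup")
        if BBCODE_LINK.search(value):
            reasons.append(f"{key}: BBCode link markup")
        urls = BARE_URL.findall(value)
        if key in NO_URL_FIELDS and urls:
            reasons.append(f"{key}: URL in a field that never needs one")
        elif len(urls) > MAX_URLS_IN_MESSAGE:
            reasons.append(f"{key}: {len(urls)} URLs")
    return reasons


# Constructed sample submissions (not taken from the thread).
LEGIT = {
    "name": "A. Visitor",
    "subject": "Opening hours",
    "message": "Your page at http://example.org/hours says closed Sundays. Still true?",
}
SPAM = {
    "name": "www.pills.example",
    "subject": "hello",
    "message": 'Nice site <a href="http://pills.example/">buy</a> '
               "[url=http://pills.example/]buy[/url]",
}

if __name__ == "__main__":
    for label, sub in (("legit", LEGIT), ("spam", SPAM)):
        print(label, spam_reasons(sub) or "accepted")
```

Returning the reasons rather than a bare yes/no lets rejected submissions be logged and the rules tuned against real traffic.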
 
Tina Peters

Sherm Pendley said:
For one thing, charging $10 for "2 small unencoded php files" is beyond
silly, and verging on dishonest. It's like charging for "hello world".

If someone needed "hello world" written with instructions, I'd do it for $10
because I need the money. I'm a single mom currently putting 2 kids through
college and a third coming up in 2 years. If I can package and market the
simplest thing, and someone can use it, I will and I make no apologies for
it.

For another, they don't even work. That isn't an effective CAPTCHA. The
verification letters are in the clear in the HTML, not embedded in an image;
it would take the stupidest script kiddie spammer about five minutes to
automate a form submission for this form.

Yes, it does work. I'm not doubting that it can't be outsmarted and maybe
eventually it will. That said, I'm sure some wise alec is going to
purposely spam me...but we've gone from 10 spams to 1 legitimate email to
ZERO form spams since we started using it. We've been using it for several
months now and NOT ONE spam has made it through. Further, it doesn't have
the same usability issues that true CAPTCHA does.

Is it a perfect solution? No...it's a $10 solution that works and is
incredibly easy for almost anyone to set up and get working.

--Tina
 
Jonathan N. Little

Tina Peters wrote:
Yes, it does work. I'm not doubting that it can't be outsmarted and maybe
eventually it will. That said, I'm sure some wise alec is going to
purposely spam me...but we've gone from 10 spams to 1 legitimate email to
ZERO form spams since we started using it. We've been using it for several
months now and NOT ONE spam has made it through. Further, it doesn't have
the same usability issues that true CAPTCHA does.

No it does *not* work! The whole point about CAPTCHA images is that they
are images of characters that a "human" must view and interpret as the
passcode and not trappable text. The font color and style means nothing
to a script!

Not too hard at all to devise a regular expression to extract "9f2bf"
from your script's generated table...

<table border="1" cellpadding="2" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td align="center"><font color="#0000ff" size="3">9</font></td>
<td align="center"><font color="#006633" face="Arial, Helvetica,
sans-serif">f</font></td>
<td align="center"><font color="#330033" face="Times New Roman, Times,
serif" size="3">2</font></td>
<td align="center"><font color="#ff0000">b</font></td>
<td align="center"><font face="Times New Roman, Times, serif"
size="4">f</font></td>
</tr>
</tbody></table>


Your CAPTCHA script is like putting a combination lock on a door with
the combination clearly printed on the lock!
 
Sherm Pendley

Jonathan N. Little said:
Tina Peters wrote:


No it does *not* work! The whole point about CAPTCHA images is that
they are images of characters that a "human" must view and interpret
as the passcode and not trappable text. The font color and style means
nothing to a script!

Not too hard at all to devise a regular expression to extract "9f2bf"
from your script's generated table...

<table border="1" cellpadding="2" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td align="center"><font color="#0000ff" size="3">9</font></td>
<td align="center"><font color="#006633" face="Arial, Helvetica,
sans-serif">f</font></td>
<td align="center"><font color="#330033" face="Times New Roman, Times,
serif" size="3">2</font></td>
<td align="center"><font color="#ff0000">b</font></td>
<td align="center"><font face="Times New Roman, Times, serif"
size="4">f</font></td>
</tr>
</tbody></table>

Just for grins...

#!/usr/bin/perl

use strict;
use warnings;

while(<DATA>) {
/">(.)<\/font/ && print $1;
}

__DATA__
<table border="1" cellpadding="2" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td align="center"><font color="#0000ff" size="3">9</font></td>
<td align="center"><font color="#006633" face="Arial, Helvetica,
sans-serif">f</font></td>
<td align="center"><font color="#330033" face="Times New Roman, Times,
serif" size="3">2</font></td>
<td align="center"><font color="#ff0000">b</font></td>
<td align="center"><font face="Times New Roman, Times, serif"
size="4">f</font></td>
</tr>
</tbody></table>

It took less than a minute to come up with that, and I'm no genius when it
comes to regexen. I wasn't guessing when I said it would take even the
stupidest script kiddie less than five minutes.

Tina, you've convinced yourself this is secure because otherwise you'd have
to admit you were suckered out of $10. Either that or you'd have to admit
you're selling snake oil; It's not clear to me whether you're the crook or
the sucker here.

The *only* reason you haven't gotten any spam yet is that no one has bothered
to try yet. You're not secure, you're just lucky.

sherm--
 
Sherm Pendley

Sherm Pendley said:
Tina, you've convinced yourself this is secure because otherwise you'd have
to admit you were suckered out of $10. Either that or you'd have to admit
you're selling snake oil; It's not clear to me whether you're the crook or
the sucker here.

Okay, cleared that up. Tina's company axishost.com owns the domain where the
snake oil is being sold.

Tina, do you realize that by advertising this as effective spam prevention,
you're opening yourself to liability when (not if) it fails someone, their
server gets swamped, and they get blacklisted as a spammer? At $10 a pop,
how many copies of your snake oil will you need to sell to settle that claim,
and to pay the lawyers?

sherm--
 
Darin McGrew

Sherm Pendley said:
The *only* reason you haven't gotten any spam yet is that no one has bothered
to try yet.

Bingo. The effectiveness of such trivial tests depends on each site using a
different test, so it isn't worth the spammers' time to update their
spambots. Encouraging others to use the same trivial test that you use will
ultimately make your test less effective.
 
Chris Morris

Sherm Pendley said:
Just for grins...
while(<DATA>) {
/">(.)<\/font/ && print $1;
}

It took less than a minute to come up with that, and I'm no genius when it
comes to regexen. I wasn't guessing when I said it would take even the
stupidest script kiddie less than five minutes.

Of course not. On the other hand, proof-of-concept code for the "Make
internet users solve image CAPTCHAs for you in exchange for porn" spam tool
was posted years ago and people still use image CAPTCHAs...

The *only* reason you haven't gotten any spam yet is that no one has bothered
to try yet. You're not secure, you're just lucky.

Don't knock the "no-one has bothered to try" defence too much. One of
the various spam filters I've written onto a phpBB install does
nothing more than add an extra hidden variable to a form and check
it's submitted. It blocks about a third of spam account registration
attempts and about a fifth of spam posting attempts, and that's from
such a poor defence that most of the attackers bypass it without
realising it's there... Naturally it'd be no good on its own and there
are far more effective ones behind it that block the rest, but it's
interesting how many spammers currently get sufficient
return-on-investment with easily defeatable spam tools that they still
use them!

My point is that a defence of this sort is actually really good *if*
you're the only site that uses it and you're not in the top league of
sites where it's worth working around it solely to break your site's
defences. It's yet another reason why standard CAPTCHAs built into
popular applications are silly - there is a massive benefit to a
spammer from breaking the phpBB CAPTCHA, which is why I assume they
have already and don't even bother activating it myself.

If everyone coded their own test vaguely like the advertised one (but
with different markup, patterns, etc.) it would take them about five
minutes to code and the spammer five minutes to analyse and break. The
problem for the spammer is that this multiplies up to 5
minutes*[number of sites they want to spam] = several months which
makes it rapidly uneconomical for them. When there's thousands of
sites using standardised or no protection, breaking the odd ones out
is uneconomical for them too.

Now, charging $10 for said script is at the very best optimistic and
misguided, since its effectiveness decreases in proportion to the
number of people who buy it, and there are plenty of free alternatives
anyway... $10 for a well-written guide that teaches exactly the
*techniques* needed to write your own unique filters and tests in the
web language of your choice, on the other hand, would probably be
worth paying for.
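
The hidden-variable check described in the post above, as an added example that is not the poster's phpBB code. It goes one step beyond "check it's submitted": the hidden value is an HMAC-signed timestamp, so it cannot be hard-coded into a bot, and it is rejected when it comes back too quickly or too late. The key, form names and time limits are assumptions; a bot that fetches the page and waits still passes, so this remains one layer in front of other tests.

```python
import hashlib
import hmac
import time

SECRET = b"placeholder-per-site-random-key"  # assumption: loaded from config
MIN_FILL_SECONDS = 3     # assumed: quicker than a person fills the form
MAX_AGE_SECONDS = 3600   # assumed: older form pages are treated as stale


def _mac(form_id, issued_text):
    msg = f"{form_id}:{issued_text}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Value for the hidden field, generated when the form page is rendered."""
    issued_text = str(int(time.time() if now is None else now))
    return f"{issued_text}:{_mac(form_id, issued_text)}"


def check_token(form_id, token, now=None):
    """Return (accepted, reason) for the hidden field of a submitted form."""
    now = time.time() if now is None else now
    if not token:
        return False, "hidden field missing"
    issued_text, _, mac_hex = token.partition(":")
    if not (issued_text.isascii() and issued_text.isdigit()):
        return False, "malformed token"
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(_mac(form_id, issued_text).encode(), mac_hex.encode()):
        return False, "bad signature"
    age = now - int(issued_text)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too quickly"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value so the demo is repeatable
    token = issue_token("contact", now=t0)
    print(check_token("contact", token, now=t0 + 30))    # normal human pace
    print(check_token("contact", None, now=t0 + 30))     # field stripped by a bot
    print(check_token("contact", token, now=t0 + 1))     # instant replay
    print(check_token("register", token, now=t0 + 30))   # token from another form
```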
 
Stan Brown

Fri, 23 Feb 2007 18:33:05 -0500 from Sherm Pendley <spamtrap@dot-app.org>:
Okay, cleared that up. Tina's company axishost.com owns the domain where the
snake oil is being sold.

Hah -- I didn't pick up on that. Thanks for posting.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
HTML 4.01 spec: http://www.w3.org/TR/html401/
validator: http://validator.w3.org/
CSS 2.1 spec: http://www.w3.org/TR/CSS21/
validator: http://jigsaw.w3.org/css-validator/
Why We Won't Help You:
http://diveintomark.org/archives/2003/05/05/why_we_wont_help_you
 
Tina Peters

--
Tina Peters
AxisHOST.com, Inc.
Serving the web since 1997

Sherm Pendley said:
Tina, you've convinced yourself this is secure....

Read above statement.

--Tina
 
Tina Peters

Stan Brown said:
Fri, 23 Feb 2007 18:33:05 -0500 from Sherm Pendley <spamtrap@dot-app.org>:

Hah -- I didn't pick up on that. Thanks for posting.


No, it's not a perfect solution and Yes, someone may come along someday and
write a script to get around it. However, isn't that how it goes with just
about everything on the internet?

To anyone dealing with form mail spam, like I was, $10 is a very, very small
price to pay for relief. You can get around *anything* that combats form
mail spam. There is no perfect solution. I've offered something that's been
working for me for several months. Apparently, despite your "snake oil"
witch hunt...several people have put down $10 today for some relief, as
temporary as it may be.

I've made absolutely no attempt to hide the fact that this was MY website.
I've posted several times, with the URL in my sig...and my own ads appear on
the website and, of course, anyone with 1/2 a brain can do a WHOIS on the
domain.

Anyway, I'm going to step out of this thread now. I know how the usenet
mentality works and I prefer to deal with people who enjoy non-combative
conversation. I like the script, so do many others...and I stand by it.

--Tina

http://formmailscript.com
 
let

If you use a CAPTCHA, be sure to provide for the visually handicapped
who might be using an audio browser. CAPTCHAs even create problems for
the dyslexic and colorblind.

Can anyone give me a URL for a reputable CAPTCHA which I can use on my
webpage? That would be helpful, rather than sparking some sort of
meaningless argument. Is there anything on SourceForge for example?
 
