captcha to defeat form spammers

let

I wish to use a CAPTCHA to defeat form spammers... currently I am
using NMS FormMail Version 3.14c1 ... is there a simple solution for
NMS FormMail perhaps using a CAPTCHA (I know it's been mentioned
before)?

Alternatively there is http://www.freecontactform.com/

I would like to hire someone to customise that freecontactform for me.
It is written in PHP and I do not understand PHP. I need two contact
forms and could pay $40 by paypal to a developer for the minor changes
needed to the form.

Please reply to (e-mail address removed)

This is a service which the form developer claims to provide but they
have not answered my emails.
 
Tina Peters

I wish to use a CAPTCHA to defeat form spammers... currently I am
using NMS FormMail Version 3.14c1 ... is there a simple solution for
NMS FormMail perhaps using a CAPTCHA (I know it's been mentioned
before)?

Alternatively there is http://www.freecontactform.com/

I would like to hire someone to customise that freecontactform for me.
It is written in PHP and I do not understand PHP. I need two contact
forms and could pay $40 by paypal to a developer for the minor changes
needed to the form.

Please reply to (e-mail address removed)

This is a service which the form developer claims to provide but they
have not answered my emails.


I have a really simple form that may work for you here:

www.formmailscript.com

You don't need to know any coding at all, you just copy/paste the form bit
into your webpage.

--Tina
 
Leif K-Brooks

Tina said:
I have a really simple form that may work for you here:

www.formmailscript.com

You don't need to know any coding at all, you just copy/paste the form bit
into your webpage.

Your fake CAPTCHA is just as useless as the last time you advertised it
here. The security characters are printed _in_the_clear_ in the HTML
source of the page. It would be completely trivial to write a script to
break your 'CAPTCHA', as seen here:
<http://groups.google.com/group/alt.html/msg/8a280131cf52deb1>.

Please stop selling snake oil. Your code isn't worth the hard drive
space used to store it, and it _certainly_ isn't worth $10.
 
Tina Peters

Leif K-Brooks said:
Your fake CAPTCHA is just as useless as the last time you advertised it
here. The security characters are printed _in_the_clear_ in the HTML
source of the page. It would be completely trivial to write a script to
break your 'CAPTCHA', as seen here:
<http://groups.google.com/group/alt.html/msg/8a280131cf52deb1>.

Please stop selling snake oil. Your code isn't worth the hard drive
space used to store it, and it _certainly_ isn't worth $10.


and yet, I've been using it for close to a year with ZERO spam issues.

Further, I've sold it close to 60 times with not one complaint. I'm fairly
certain that some of those sales came from people here at alt.html, because
there was a spike in sales last time you went on your tirade about how
worthless it was. Yet, I don't see anyone here complaining about it ;-)

--Tina
 
Leif K-Brooks

Tina said:
and yet, I've been using it for close to a year with ZERO spam issues.

That's because spammers typically go for the very low-hanging fruit and
ignore everything else; it has nothing to do with the merits of your
'CAPTCHA'.

When one of your 'close to 60' customers finally wakes up and realizes
how they've been scammed, I would suggest you give them a link to a real
CAPTCHA, with real security. Luckily, quite a few of them are available
for free; for example, QuickCaptcha:
<http://www.web1marketing.com/resources/tools/quickcaptcha/>.
 
Tina Peters

Leif K-Brooks said:
That's because spammers typically go for the very low-hanging fruit and
ignore everything else; it has nothing to do with the merits of your
'CAPTCHA'.


Thank you for making the argument for my form (which I never said was
CAPTCHA). ;-)

I never said my form couldn't be cracked. I'm saying that spam bots have no
reason to try to get around it and it will probably be a very long time before
they even try. In the almost year that I've been using it, we went from
about 99% bot generated spam to 1% legitimate email ratio from our
form....to 100% legit. That's ZERO bot generated spams for almost a year.
For $10, it's more than worth it.

Also, as you so rightly suggested, guess which method spammers are going to
try to get around first? CAPTCHA, which millions of sites currently
use...or my form, which *maybe* 200 people use. Do you honestly think
CAPTCHA is 100% spam proof? I'm sure that's not what you're trying to
imply.

--Tina
 
Jonathan N. Little

Tina said:
Thank you for making the argument for my form (which I never said was
CAPTCHA). ;-)


No, you allude to it by offering it as a solution to posters looking for
CAPTCHA. You make your bogus "security" code look like a CAPTCHA
*image* by randomizing the color and font faces but it still is just
plain old character data.

The principle behind the *security* in CAPTCHA is that the characters
are represented as distorted binary data images of the characters which
can neither be recognized as characters nor OCR converted! Your form is
*no more effective* than adding an input field with an unexpected name,
say "monkey":

<label for="monkey">Enter 'monkey' in this box</label>
<input name="monkey" id="monkey" type="text">

Spammers would not be expecting a required "monkey" field.
I never said my form couldn't be cracked. I'm saying that spam bots have no
reason to try to get around it and it will probably be a very long time before
they even try. In the almost year that I've been using it, we went from
about 99% bot generated spam to 1% legitimate email ratio from our
form....to 100% legit. That's ZERO bot generated spams for almost a year.
For $10, it's more than worth it.

Also, as you so rightly suggested, guess which method spammers are going to
try to get around first? CAPTCHA, which millions of sites currently
use...or my form, which *maybe* 200 people use. Do you honestly think
CAPTCHA is 100% spam proof? I'm sure that's not what you're trying to
imply.

As long as your "security" script remains obscure no one will bother to
hack it but that is no excuse to sell it under the pretext of what it is
not! You are just scamming the ignorant.
 
Chris Morris

Jonathan N. Little said:
The principle behind the *security* in CAPTCHA is that the characters
are represented as distorted binary data images of the characters
which can neither be recognized as characters
....by people. I mentioned CAPTCHAs at a talk on web application
security I was giving earlier today, and the audience found them very
annoying from a user perspective...

The reason the majority of spam-bots don't break CAPTCHAs is not
because it's especially difficult (several well-documented methods
exist) but because there are enough sites out there that don't have
any anti-spam defences of any sort it's not worth their time to try.

That being the case, I'd take a custom-written plain text challenge
over a standard CAPTCHA library any time. If I wasn't capable of
coding my own, I might even consider paying someone $10 to add a
unique one to my application.
<label for="monkey">Enter 'monkey' in this box</label>
<input name="monkey" id="monkey" type="text">

I did this for an installation of a popular bulletin board, except
that the field was hidden and prefilled with the correct value. I
already had a decent keyword-based spam filter in place, I was just
curious as to how much I would catch by using this first. 20-25%, as
it happens, which gives an idea of the spammers' methodology and
cost-benefit calculations here.

The most effective one is to drop messages containing URLs (or too
many URLs, if there might be legitimate reasons to include any at all)
and there's nothing the spammers can do about it because they need
those URLs to be present to get any benefit from the spam.
 
dorayme

Leif K-Brooks said:
That's because spammers typically go for the very low-hanging fruit and
ignore everything else; it has nothing to do with the merits of your
'CAPTCHA'.

When one of your 'close to 60' customers finally wakes up and realizes
how they've been scammed, I would suggest you give them a link to a real
CAPTCHA, with real security. Luckily, quite a few of them are available
for free; for example, QuickCaptcha:
<http://www.web1marketing.com/resources/tools/quickcaptcha/>.

I have been waiting for a link like this for ages. Always meaning
to investigate it. Thanks for posting this, Leif.
 
Jonathan N. Little

Chris said:
...by people. I mentioned CAPTCHAs at a talk on web application
security I was giving earlier today, and the audience found them very
annoying from a user perspective...

I totally agree...I was not advocating the use of CAPTCHAs just that
TP's script is masquerading as one...which it is not.
The reason the majority of spam-bots don't break CAPTCHAs is not
because it's especially difficult (several well-documented methods
exist) but because there are enough sites out there that don't have
any anti-spam defences of any sort it's not worth their time to try.

Proper server-side validation of data and simple measures to prevent
relaying is your best defense.
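
Added example, not part of any post in this thread: a server-side check combining the measures discussed above (Jonathan's plain-text "monkey" challenge field, Chris's URL limit, and rejecting CR/LF in header values to prevent relaying). The other field names, the URL limit of 1 and the sample submissions are assumptions made for illustration.

```python
import re

# Assumed names for this sketch: the "monkey" field from the thread, plus
# hypothetical "email", "subject" and "message" fields and a URL limit of 1.
CHALLENGE_FIELD = "monkey"
CHALLENGE_VALUE = "monkey"
MAX_URLS = 1
HEADER_FIELDS = ("email", "subject")   # values that end up in mail headers
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


def check_submission(form):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    # 1. Site-specific plain-text challenge, checked on the server.
    if form.get(CHALLENGE_FIELD, "").strip().lower() != CHALLENGE_VALUE:
        reasons.append("challenge")
    # 2. Anti-relay: CR/LF in a header value lets a client append its own
    #    headers (extra recipients), so reject instead of trying to clean it.
    for name in HEADER_FIELDS:
        if re.search(r"[\r\n]", form.get(name, "")):
            reasons.append("header-injection:" + name)
    # 3. The sender address must be exactly one address.
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        reasons.append("email")
    # 4. Drop messages carrying more URLs than the form has a use for.
    if len(URL_RE.findall(form.get("message", ""))) > MAX_URLS:
        reasons.append("too-many-urls")
    return reasons


# Constructed sample submissions, not taken from any real log.
SAMPLES = {
    "legit": {"monkey": "Monkey", "email": "ann@example.org",
              "subject": "Opening hours", "message": "Are you open Sunday?"},
    "bot_no_challenge": {"email": "x@example.com", "subject": "hi",
                         "message": "see http://a.example http://b.example"},
    "relay_attempt": {"monkey": "monkey",
                      "email": "x@example.com\r\nBcc: list@example.net",
                      "subject": "hi", "message": "hello"},
}

if __name__ == "__main__":
    for label, form in SAMPLES.items():
        print(label, check_submission(form) or "accept")
```

Returning every reason instead of stopping at the first makes it possible to log which check caught a submission, the kind of measurement Chris describes with his 20-25% figure.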
 
Beauregard T. Shagnasty

I have been waiting for a link like this for ages. Always meaning
to investigate it. Thanks for posting this, Leif.

Is the sample on that page supposed to work? I tried at least a dozen
different 'Submits', after refreshing the page each time and getting a
new image. Always the answer, "You entered an incorrect code." ..and my
eyes are pretty good.

They are extremely hard to read; I'd never use it on my sites.
 
Tina Peters

Jonathan N. Little said:
I totally agree...I was not advocating the use of CAPTCHAs just that
TP's script is masquerading as one...which it is not.

Is that the best argument you can come up with against my form? That it
pretends to be CAPTCHA when it isn't? It's NOT CAPTCHA and is so obviously
NOT CAPTCHA - it's a simple script that thwarts spam bots and IT WORKS.
Will it work 12 months from now? Who knows? Will CAPTCHA? It probably
has a better chance of being beaten, since more people use it...hence,
spammers have more motivation to get around it.

--Tina
 
Tina Peters

Tina Peters said:
Is that the best argument you can come up with against my form? That it
pretends to be CAPTCHA when it isn't? It's NOT CAPTCHA and is so obviously
NOT CAPTCHA - it's a simple script that thwarts spam bots and IT WORKS.
Will it work 12 months from now? Who knows? Will CAPTCHA? It probably
has a better chance of being beaten, since more people use it...hence,
spammers have more motivation to get around it.

--Tina


PS: Four more people purchased it today and I can only assume that it was
from these postings, since traffic to the site
(http://www.formmailscript.com) is almost negligible. Soooooo, whoever
purchased it, please be sure to post about how useless it is, how it didn't
completely eliminate your form spam and how it wasn't worth your $10. ;-)

--Tina
 
dorayme

Beauregard T. Shagnasty said:
Is the sample on that page supposed to work? I tried at least a dozen
different 'Submits', after refreshing the page each time and getting a
new image. Always the answer, "You entered an incorrect code." ..and my
eyes are pretty good.

They are extremely hard to read; I'd never use it on my sites.

mmm... it is a point! Some of them _are_ hard to read, I agree.
Most I have little trouble.

My guess for

<http://members.optushome.com.au/droovies/test/pics/captcha.gif>

is:

1. 7C2CR

2. 9NSW1

3. J7B4D

4. PJ9FK (this one is really too hard!)

So more care is needed I guess in the construction of these
things, but the idea is pretty good as far as I can see?
 
Jonathan N. Little

Then why do you bother to change the fonts and colors of the "security"
code?


- it's a simple script that thwarts spam bots and IT WORKS.
PS: Four more people purchased it today and I can only assume that it was
from these postings, since traffic to the site
(http://www.formmailscript.com) is almost negligible. Soooooo, whoever
purchased it, please be sure to post about how useless it is, how it didn't
completely eliminate your form spam and how it wasn't worth your $10. ;-)

Hey, some folks also give away their money to folks that promise them
some sort of afterlife, does not mean that they shall receive!
 
Tina Peters

Jonathan N. Little said:
Then why do you bother to change the fonts and colors of the "security"
code?

What a dumb question. Who cares what color the font is? It can be changed
to whatever anyone wants it to be.

;-)

Hey, some folks also give away their money to folks that promise them
some sort of afterlife, does not mean that they shall receive!


Some folks also try to make completely unrelated analogies seem relevant.
;-)

--Tina
 
Leif K-Brooks

Tina said:
What a dumb question. Who cares what color the font is? It can be changed
to whatever anyone wants it to be.

So you made every character in your 'CAPTCHA' a different color and font
just because you felt like it? I find that hard to believe.
 
Beauregard T. Shagnasty

mmm... it is a point! Some of them _are_ hard to read, I agree.
Most I have little trouble.

My guess for

<http://members.optushome.com.au/droovies/test/pics/captcha.gif>

Good samples. My point, which I might expound on a bit, was that I
*studied* the graphics - up close and personal - to be sure I had the
right characters, and every time I typed one, the site told me it was
incorrect. If I couldn't read it fairly easily, I refreshed and got
another. So either I'm colorblind, or the sample page fails.

I'm not colorblind, but just now thinking about that, how would a
colorblind person ever get one of these QuickCaptcha things to work?
So more care is needed I guess in the construction of these
things, but the idea is pretty good as far as I can see?

Pardon my French, but the idea sucks. :)
 
dorayme

Beauregard T. Shagnasty said:
Good samples. My point, which I might expound on a bit, was that I
*studied* the graphics - up close and personal - to be sure I had the
right characters, and every time I typed one, the site told me it was
incorrect. If I couldn't read it fairly easily, I refreshed and got
another. So either I'm colorblind, or the sample page fails.

I'm not colorblind, but just now thinking about that, how would a
colorblind person ever get one of these QuickCaptcha things to work?


Pardon my French, but the idea sucks. :)

I like this kind of French. <g>

It is, indeed, a point about the color-blind. But I don't really
see that the basic idea depends on colour:

<http://members.optushome.com.au/droovies/test/pics/captchaGreyscale.gif>

And I am not at all sure why you think the idea itself sucks? As
for it not working on some page, that may be due to other faults
(surely on the link you used it would not be meant to work, but
just showing an example? But I don't know this for sure.). I very
much like the idea that a pattern recognition being can see
things that clunky old robots can't.

True, this would still leave the blind without help and this may
be something you are concerned about and fair enough too.
 
