captcha to defeat form spammers

[Jonathan N. Little]

What a dumb question. Who cares what color the font is? It can be changed
to whatever anyone wants it to be.

What is dumb is that you would believe that anyone with technical could
not see though the ruse. If it is not important then why change the
color and font for each character, we all know why.

Some folks also try to make completely unrelated analogies seem relevant.

Maybe you don't see the correlation, but then again you may truly
believe that your script adds security. Here I will explain the
relevance of the analogy, just because some folks buy it does not prove
that it is does what you purport...

 

[Jonathan N. Little]

Jonathan N. Little wrote:

Okay now I see the typos! Why I connot see them before I hit send! Now
in English

What is dumb is that you would believe that anyone with technical could
not see though the ruse. If it is not important then why change the
color and font for each character, we all know why.

What is dumb is that you would believe that anyone technical could not
see through the ruse. If it is not important then why change the color
and font for each character? We all know why.

 

[dorayme]

Jonathan N. Little wrote:

Okay now I see the typos! Why I connot see them before I hit send! Now
in English

What is dumb is that you would believe that anyone technical could not
see through the ruse.

I liked the first version, it was more interesting, "with
technical" and the reader fills in, is not so bad at all. Play to
your strengths and have more confidence in your dyslexic typing...

 

[Jonathan N. Little]

I liked the first version, it was more interesting, "with
technical" and the reader fills in, is not so bad at all. Play to
your strengths and have more confidence in your dyslexic typing...

You're just toying with me aren't 'cha!

 

[dorayme]

You're just toying with me aren't 'cha!

Maybe just a little teensy weensy bit... but that I liked that
first sentence better is a fact. It may be a Martian fact. <g>

 

[Andy Dingley]

I'm saying that spam bots have no reason to try to get around it

Spam bots have no reason to get onto my site, so I have no need for a
CAPTCHA form at all - real or fake..

If I build the next YouTube/LiveJournal, then I'll immediately become
interesting to them. Exactly at this point, fake captchas like yours
become useless.

So just _when_ is your fake form actually useful to me? And why
should I pay $10 for it?

 

[Tina Peters]

Spam bots have no reason to get onto my site, so I have no need for a
CAPTCHA form at all - real or fake..

If I build the next YouTube/LiveJournal, then I'll immediately become
interesting to them. Exactly at this point, fake captchas like yours
become useless.

So just _when_ is your fake form actually useful to me? And why
should I pay $10 for it?

You don't have to be the next YouTube to become a target of spam bots. One
of my little sites was seeing maybe 1000 visitors per month and the form was
being spammed to death. I think a lot of people with sites that aren't on
the level of YouTube can relate.

Its useful to you when the spam bots find your unprotected form and you
become beyond frustrated with the spam that comes through. You won't find a
solution that is easier to use (except maybe taking your form offline). You
just copy/paste the form bit into your webpage and upload it and one other
file to your site.

Again, I never said this can't be worked around by spam bots. What I've
always said is that its not likely to be for a very long time and many
people are using it with excellent results. Logic dictates that with the
popularity of Captcha, its going to be figured out by spambots wayyy before
my script will be. If you want to do the whole Captcha thing...more power
to you. For those who can't easily figure that out, formmailscript.com
offers a quick/easy/cheap solution.

--Tina

 

[mbstevens]

Spam bots have no reason to get onto my site, so I have no need for a
CAPTCHA form at all - real or fake..

If I build the next YouTube/LiveJournal, then I'll immediately become
interesting to them. Exactly at this point, fake captchas like yours
become useless.

I think the easiest way to kill it, if you have access to the server
mailer program's source, is just to watch the spam that actually comes in
and filter for particular strings that they use which normal posters would
seldom if ever use, dying with an error if one is found. You have to
update the code occasionally, but it only takes a few minutes.
Spam on my forms has gone from about twenty a day to zero, but YMMV.

 

[wayne]

I think the easiest way to kill it, if you have access to the server
mailer program's source, is just to watch the spam that actually comes in
and filter for particular strings that they use which normal posters would
seldom if ever use, dying with an error if one is found. You have to
update the code occasionally, but it only takes a few minutes.
Spam on my forms has gone from about twenty a day to zero, but YMMV.

Perhaps you should look at the free form here: www.tectite.com

There is a setting to defeat multiple urls from being inserted anywhere
in the form. I use it with a setting og "1" for the number of urls to
allow and it has virtually stopped this kind of postings. The forms are
used here:
bayareabluegrass.org on the "Fire on the Strings" page mostly. The
organization was getting 10 or more spams a day, from a relatively low
traffic site.


--
Wayne
www.glenmeadows.us
"I cannot imagine a God who rewards and punishes the objects of his
creation, whose purposes are modeled after our own -- a God, in short,
who is but a reflection of human frailty. Neither can I believe that the
individual survives the death of his body, although feeble souls harbor
such thoughts through fear or ridiculous egotism." [Einstein]

 

[mbstevens]

Perhaps you should look at the free form here: www.tectite.com

It looks like a good system for those who need the really need the big
guns, but I just look at the actual spams that are coming in and add a
function to the mail program (mine is in Perl) like:

if (
($msg =~ m/asvfdv/)
|| ($msg =~ m/guests:/ )
|| ($msg =~ m|info/index.html|)
|| ($msg =~ m/-report/)
|| ($msg =~ m/-credit/)
|| ($msg =~ m/-loans/)
|| ($msg =~ m/-airline/)
)
{
die "Error: Spam strings detected. Please remove common words used in spam.";
}

You just look at the spams that are coming in and choose some part that
would be unlikely for a real poster to use. I don't really need 9700
lines of PHP for my small problems, but I can imagine there are those that
do.

 

[Bergamot]

You just look at the spams that are coming in and choose some part that
would be unlikely for a real poster to use. I don't really need 9700
lines of PHP for my small problems, but I can imagine there are those that
do.

All of the prefab mail form scripts I've seen seem to be designed to be
all things to all people, thus they have a lot of extra stuff I'll never
use. I, too, ended up writing my own, doing similar filtering that
you're doing, in about 200 lines of code. Once in a while I'll get a few
spam messages through it, but a tweak of the filtering stops it.

 

[wayne]

> It looks like a good system for those who need the really need the big
guns, but I just look at the actual spams that are coming in and add a
function to the mail program (mine is in Perl) like:

if (
($msg =~ m/asvfdv/)
|| ($msg =~ m/guests:/ )
|| ($msg =~ m|info/index.html|)
|| ($msg =~ m/-report/)
|| ($msg =~ m/-credit/)
|| ($msg =~ m/-loans/)
|| ($msg =~ m/-airline/)
)
{
die "Error: Spam strings detected. Please remove common words used in spam.";
}

You just look at the spams that are coming in and choose some part that
would be unlikely for a real poster to use. I don't really need 9700
lines of PHP for my small problems, but I can imagine there are those that
do.

Yes, 9700 lines, but how many are actual code? I believe all of the
documentation is included in those 9700 lines, along with all of the
changes and revisions. Perhaps the documentation is a useful learning
tool for those so inclined.

I'm happy that your solution works for you, but wonder how much time is
needed to monitor the results. The site I had listed gets quite a few
spam attempts every day (I get an email each time there is an attempt to
send multiple urls or any errors, perhaps missing or duplicate
information in the fields) even though the site does not do major
business. I am not the recipient of the forms, I only set the site up
and make changes to the structure, troubleshoot problems - like spammed
forms. It only took three forms with multiple urls for the board of
directors for the organization to complain about receiving them. Luckily
the functionality to stop them was already in the script, just not
activated.

I believe this thread started with an op that wasn't prepared to write
php programs but wanted to eliminate spam. This seems to be a good
option to me.

YMMV.

Regards,
--
Wayne
www.glenmeadows.us
"I cannot imagine a God who rewards and punishes the objects of his
creation, whose purposes are modeled after our own -- a God, in short,
who is but a reflection of human frailty. Neither can I believe that the
individual survives the death of his body, although feeble souls harbor
such thoughts through fear or ridiculous egotism." [Einstein]

 

[mbstevens]

All of the prefab mail form scripts I've seen seem to be designed to be
all things to all people, thus they have a lot of extra stuff I'll never
use. I, too, ended up writing my own, doing similar filtering that
you're doing, in about 200 lines of code. Once in a while I'll get a few
spam messages through it, but a tweak of the filtering stops it.

Yes, and I think if you have a script that filters for everything, it
slows things down when you might really only need to search
for strings from the 10-20 spammers that happen to
have found you.

 

[dorayme]

Pardon my French, but the idea sucks.

I have been looking into it a bit and the business of letters on
backgrounds does suck more than I thought! And a test should
really not depend on just vision. I came across one view that
they are easy to robot crack by getting humans to solve them on a
high vol site and relaying the info back! Now I guess, if this is
right, this puts paid to all such "Turing" tests for such
purposes.

 

[let]

I have been waiting for a link like this for ages. Always meaning
to investigate it. Thanks for posting this, Leif.

Can someone help me integrate this Quickcaptcha with my two contact
forms? This should be a really easy job and I'm willing to pay US$ 50
by PayPal for the work. I'm not a PHP coder so I'd be unable to do the
job myself.

Please respond to (e-mail address removed)

 

[dorayme]

Can someone help me integrate this Quickcaptcha with my two contact
forms? This should be a really easy job and I'm willing to pay US$ 50
by PayPal for the work. I'm not a PHP coder so I'd be unable to do the
job myself.

Alternatively, you could post a question at alt.php, there are
many helpful people there.

One thing to note about this particular "Turing" test technique
is the difficulty not a few people will face in reading the
correct numbers even though well sighted. As discussed in this
thread.

I think there must be better implementations. One simple thing
better would be for the whole image to be about 5 times bigger!
That would solve many of the difficulties. And the idea of
confusing backgrounds can be taken too far. If the images were to
be bigger and the background plain white, you could turing away
on the distortion to the letters and it all would be easier for
humans, but I doubt easier for robots.

Letters are a very limited idea for this sort of thing. What
humans are good at is pattern recognition and background
knowledge of the world. Better to have things like "Was Marilyn
Monroe an actor, an athlete, a prime minister etc out of a big
field. A few human slam dunkers and the punter has to get over
90% score or whatever, a robot not having a chance. There are
many other things that would give crisper results.