views: 225
answers: 9

Spammers aren't being stopped by my CAPTCHA. What else can I use?

+2  A: 

You could try requiring e-mail confirmation, if you haven't already. If they're using humans to break the CAPTCHA there isn't a lot you can do -- there's no difference from your site's point of view between users signing up because they want to and users signing up because they're being paid to.

If they're posting spam, you should probably look into detecting that instead of trying to lock them out at the login level -- Blogabond did an article a little while ago about how they detect and deal with spam posts.

Michael Mrozek
+1 for e-mail confirmation.
Yann Ramin
@the I actually loathe e-mail confirmation, but it is a legitimate strategy :-\
Michael Mrozek
Technically, requiring real email isn't going to stop them either. I used to run a moderately successful forum and we used to get spam as well, even though it required email confirmation, CAPTCHA and everything. At the end of the day, you still need moderators to catch that sort of thing.
Dean Harding
@codeka Exactly, I would expect automating e-mail confirmation to be really easy, but it seems to stop most spammers, so sites continue to do it. I expect it to die out eventually.
Michael Mrozek
+1  A: 

If they are humans, they will always be able to break the CAPTCHA. Try to detect the spam messages themselves.

Of course, the only real defense against human services is human services - someone will have to monitor the single posts.

BlueRaja - Danny Pflughoeft
+1  A: 

Not a direct CAPTCHA alternative, but what I did was to rename and add a bunch of form elements named suggestively to fool the bots,

e.g.

subject, name, URL. That way it was really easy to spot the fake users and remove them. We ended up redirecting the bots to a fake "confirmed" message.

This cut down bots by roughly 90%.

Good luck!

Webby
http://www.rustylime.com/show_article.php?id=338 and http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx: the honeypot "CAPTCHA alternative", though not really a guarantee or a human service, can work very well, is simple to implement, and is unbiased. It can work for non-JS, non-CSS, and even screen reader users.
Tom
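A server-side version of the honeypot described above, as an added example (not Webby's code or the code from the linked articles): the decoy inputs carry the suggestive names a form-filling bot looks for, the real inputs get opaque names (the `f_q7x`/`f_m2k` values are assumed), and any submission that fills a decoy is classified as a bot. Decoys are hidden with CSS and marked so keyboard and screen-reader users never reach them, with a "leave empty" label as the fallback when CSS is off.

```python
import html

# Decoy field names chosen to look attractive to an autofill bot.
DECOY_FIELDS = ("name", "email", "url", "subject")
# Logical field -> opaque name actually used in the HTML (assumed values).
REAL_FIELDS = {"author": "f_q7x", "body": "f_m2k"}


def render_form(action: str = "/comment") -> str:
    """Render the form. Decoys are moved off-screen by CSS and skipped by
    assistive tech and the tab order via aria-hidden and tabindex=-1."""
    parts = [f'<form method="post" action="{html.escape(action)}">']
    for decoy in DECOY_FIELDS:
        parts.append(
            '<div style="position:absolute;left:-9999px" aria-hidden="true">'
            '<label>Leave this field empty: '
            f'<input type="text" name="{decoy}" tabindex="-1" autocomplete="off">'
            '</label></div>'
        )
    parts.append(f'<input type="text" name="{REAL_FIELDS["author"]}">')
    parts.append(f'<textarea name="{REAL_FIELDS["body"]}"></textarea>')
    parts.append('<input type="submit" value="Post"></form>')
    return "\n".join(parts)


def classify_submission(post: dict) -> tuple:
    """Return ("bot", filled_decoys), ("invalid", None) or ("human", data)."""
    filled = [f for f in DECOY_FIELDS if post.get(f, "").strip()]
    if filled:
        # Webby's trick: answer with a fake "confirmed" page rather than an
        # error, so the bot believes the post went through.
        return ("bot", filled)
    data = {k: post.get(v, "").strip() for k, v in REAL_FIELDS.items()}
    if not data["body"]:
        return ("invalid", None)
    return ("human", data)


# Constructed sample submissions for demonstration.
HUMAN_POST = {"f_q7x": "alice", "f_m2k": "Nice article, thanks."}
BOT_POST = {"name": "Buy now", "url": "http://example.invalid/", "f_m2k": "spam"}

if __name__ == "__main__":
    print(classify_submission(HUMAN_POST))
    print(classify_submission(BOT_POST))
```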
A: 

Is your spam in comments? You may get some headway using Mollom's spam and CAPTCHA service.

http://mollom.com/

I haven't used this yet, however I have the perception it's quite effective.

Rasputin Jones
+1  A: 

Could you try posing random simple questions that normal users can enter?

Such as a simple math question, "What is 2 plus 2 divided by 2?" or maybe something as easy as "What are the first 3 letters in the word: CARRIAGE?"

I have never seen such approaches widely used, but they should be straightforward enough to be easily answered.

Anthony Forloney
That's a decent idea, as long as there's a variety of questions. I've seen just the first method on sites before ("Solve this problem: 2 + 3 = ___"). Because if there's one thing computers suck at, it's single-digit addition -- I wrote a Greasemonkey script to break the one on Linux Journal in about 5 minutes.
Michael Mrozek
@Michael: Agreed, more variety is crucial. How about the second approach? Would something along those lines seem plausible? I am only asking since it seems as if you have more experience than I?
Anthony Forloney
Well, any one method is easily handled by a custom bot; it would only work if you had a large number of question formats, rather than randomly generated questions in a single easily parsed format. It's probably pretty hard to come up with lots of different formats though.
Michael Mrozek
The good thing about asking text-based questions like this is it's pretty easy to change the questions once a bot breaks it. You could have "what colour is the sky?" (answer: blue) and when they break it change to "what colour is grass?" (answer: green).
Dean Harding
A: 

You could have 5 different images shown.

You could ask the user which one is a cat, a ladder, a car...

You could have 100 images in your bank and display 5 of them dynamically.

Luc M
That won't do anything to stop humans registering accounts, and even a bot could easily be modified to account for a data set as small as 100 pictures.
PatrickJ
+1  A: 

Some methods to stop spam:

  1. Ask a question only a human would be able to answer
  2. Limit signups/posts to a certain amount per IP address
  3. Use a better CAPTCHA, for example reCAPTCHA.
  4. Use email confirmation
  5. Make your forms more dynamic (i.e. the variables change each time)
Alex
These really are good. If you are using Zend Framework, just extend `Zend_Form` (e.g. `MyLib_Form_Abstract extends Zend_Form`), and override the `addElements()` and overwrite each form element name with an md5 rand and store the array info in an encrypted session token. Don't forget to call the parent. Then either "check" or "renew".
John Nall
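The "make your forms more dynamic" item and John Nall's field-renaming comment, as an added example written in plain Python rather than against `Zend_Form` (not John Nall's code): each time the form is issued, every logical field gets a fresh random name, the mapping is stored in a server-side session (assumed here, a plain dict, in place of an encrypted token) and is consumed on first use, so names a bot scraped from an earlier fetch or a different session no longer match. `secrets.token_hex` stands in for the md5-of-rand naming, and the 30 minute lifetime is an assumption.

```python
import secrets
import time

LOGICAL_FIELDS = ("author", "body")
FORM_TTL_SECONDS = 30 * 60   # assumed lifetime of an issued form


def issue_form(session: dict, now: float = None) -> dict:
    """Store a fresh logical->opaque field-name mapping in the session
    ("renew") and return it for rendering the form."""
    now = time.time() if now is None else now
    mapping = {f: "f_" + secrets.token_hex(8) for f in LOGICAL_FIELDS}
    session["form"] = {"fields": mapping, "issued": now}
    return mapping


def check_submission(session: dict, post: dict, now: float = None) -> tuple:
    """Map posted opaque names back to logical fields ("check").
    Returns (ok, data_or_reason). The mapping is discarded after one use,
    so a second submit must go through a freshly rendered form."""
    now = time.time() if now is None else now
    issued = session.pop("form", None)
    if issued is None:
        return False, "no form issued for this session"
    if now - issued["issued"] > FORM_TTL_SECONDS:
        return False, "form expired"
    mapping = issued["fields"]
    expected = set(mapping.values())
    if not expected <= set(post):
        return False, "expected field names missing"
    if set(post) - expected:
        # Names we never issued (e.g. "url", "subject") mean the client is
        # filling a form it did not fetch through this session.
        return False, "unexpected field names"
    return True, {logical: post[opaque] for logical, opaque in mapping.items()}


if __name__ == "__main__":
    sess = {}
    names = issue_form(sess)
    print(check_submission(sess, {names["author"]: "alice", names["body"]: "hi"}))
    print(check_submission(sess, {"author": "bot", "body": "spam"}))
```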
A: 

I'm willing to bet that it's not the CAPTCHA but rather your implementation of it that needs to be reconsidered. Have you...

  • ... tried to post/spam without entering the CAPTCHA?
  • ... really tried to break this? Can I go to your site, enter a CAPTCHA, get to the posting page, do a post, bookmark that URL... then mail said URL to a complete stranger (so far as your site is concerned) and have them post without entering the CAPTCHA?
  • ... considered that it might be a human posting spam?
  • ... when you whitelist after the user successfully enters the CAPTCHA, do you whitelist the session (right!) or the IP address (wrong!)?
Bob Kaufman
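The session-versus-IP point and the bookmarked-URL scenario above, as an added example (not Bob Kaufman's code): passing the CAPTCHA marks the session rather than the client IP, and the mark is a single-use token embedded in the posting form, so a stranger who is mailed the posting URL (or even the token) gets nowhere because their own session never solved anything. Sessions are plain dicts and the 10 minute validity window is an assumption.

```python
import secrets
import time

CLEARANCE_TTL = 10 * 60   # assumed: a solved CAPTCHA is good for 10 minutes


def grant_clearance(session: dict, now: float = None) -> str:
    """Call only after the CAPTCHA answer has been verified for this session.
    The returned token goes into a hidden field of the posting form."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    session["captcha"] = {"token": token, "granted": now}
    return token


def authorize_post(session: dict, posted_token: str, now: float = None) -> tuple:
    """Accept the post only if this session holds a fresh, matching clearance.
    The clearance is consumed on every attempt, so one solve covers one post
    and a failed attempt forces a new solve."""
    now = time.time() if now is None else now
    clearance = session.pop("captcha", None)
    if clearance is None:
        # Also what a forwarded URL yields: the recipient's session is empty.
        return False, "session never passed the CAPTCHA"
    if now - clearance["granted"] > CLEARANCE_TTL:
        return False, "clearance expired, solve again"
    if not secrets.compare_digest(clearance["token"], posted_token or ""):
        return False, "token does not belong to this session"
    return True, "ok"


# Note the contrast with an IP whitelist: every client behind the same NAT or
# proxy would share one clearance, and it would follow nobody across networks.

if __name__ == "__main__":
    alice, stranger = {}, {}
    tok = grant_clearance(alice)
    print(authorize_post(stranger, tok))   # stranger received the URL and token by mail
    print(authorize_post(alice, tok))
```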
A: 

Most CAPTCHAs have been broken (see PWNtcha). You can use an API like the one at www.atlbl.com that should catch web spammers etc.