 

Captcha fails to prevent spam submission

I have added a CAPTCHA to my comment form and it's working, but I still keep getting spam. Are there any other methods I can use? Thanks for the help.

asked Aug 06 '12 21:08 by Vikrant Shitole


3 Answers

DISCLAIMER: I own SpamCaptcher but will still try to be impartial here

The results you will see with your CAPTCHA depend heavily on 3 main factors:

  1. How you implemented the CAPTCHA
  2. The type of CAPTCHA you use
  3. The return on investment a spammer gets from spamming your site

CAPTCHA Implementation

Before we discuss whether the type of CAPTCHA you are using is the right one for your needs (or whether you should be using one at all), first check to see if it is implemented correctly. If it isn't being validated server side, can be bypassed by turning off JavaScript or disabling Flash (or changing any other client-side configuration), or the answer is stored client-side then the implementation needs to be fixed. Of course, whoever makes the CAPTCHA you use should make it so you don't have to worry about this. Note: I highly recommend against you rolling your own CAPTCHA solution.

CAPTCHA Type

Most people think of CAPTCHAs as a picture of distorted text that they have to decipher. While this is certainly one implementation of a CAPTCHA (and currently the most "popular") it is not the only one. While this distorted text based CAPTCHA was successful for a little while, the improvement of OCR made it so that spammers could solve these with automated tools. In an effort to combat this, the people who made the CAPTCHAs made them harder to read and now we are stuck in a situation where computers keep getting better at solving them while humans struggle more and more. Recently there has been a boom in CAPTCHA providers providing a range of different types of CAPTCHAs:

  • Image recognition
  • Image orientation (my personal favorite)
  • Games
  • Video comprehension
  • Audio comprehension
  • etc.

Also, people have moved away from the strict definition of a CAPTCHA and have come up with some other solutions that may work for you depending on your site (more about this in the next section).

Something to keep in mind when you are selecting a CAPTCHA type is that certain people may struggle with certain types. It is good practice to make sure that people with visual impairments and people with hearing impairments can still solve the CAPTCHA. It is also important to note that the CAPTCHA is only as strong as its weakest point. So, for example, if the visual portion of a CAPTCHA were rock solid but the audio component was weak, then security would be weak. In fact, in this case you would only be bothering most of your legitimate users with the CAPTCHA while providing the spammers an easy way to get around it.

Spam ROI

Depending on the nature of your site, spammers may have a big or small incentive to spam you. If the incentive is small then chances are that they will not write custom solutions to spam you. However, if the incentive is big then there is a good chance that they will write custom solutions for your site.

Let's start with the small incentive case. If you fall into this category then I recommend picking a CAPTCHA that doesn't have widespread adoption yet (but is still secure) and is extremely easy, if not transparent, for your users. Honeypots and Hashcash are examples of transparent solutions. At SpamCaptcher we provide such a solution called Proof-of-Work.

If, on the other hand, you have a site that has a high ROI for the spammers then you will need more security. In this case you obviously want to pick a solution that has strong security and still provides a good user experience. However, if the ROI of your site is high enough then you may be faced with Human CAPTCHA Solvers. A CAPTCHA alone will not protect you from them. However, (another shameless plug), SpamCaptcher has its TrustMe Account solution for that.

Conclusion

You really need to pick the CAPTCHA that is right for your needs which means you need to find the right balance between security and user friendliness. I obviously recommend SpamCaptcher and think our Rotational Image CAPTCHA would be a great solution for you but you obviously need to decide what is best for your site. Here are a couple CAPTCHA providers you may want to consider:

  • SpamCaptcher
  • Confident Technologies
  • ReCaptcha

Hope that helps!

answered Sep 25 '22 14:09 by Hmmmmm
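The answer's implementation checklist (validate on the server, never let the client carry the answer, never let one solution be reused) and its mention of Hashcash / proof-of-work as a transparent check can be shown together. The following Python is an added example, not code from the answer or from SpamCaptcher: the server signs a challenge with a secret it alone holds, the browser burns CPU to find a counter whose hash meets a difficulty target, and the server verifies that cheaply, rejects stale or forged challenges, and accepts each solved challenge exactly once. `SERVER_KEY`, `DIFFICULTY_BITS`, the five-minute `CHALLENGE_TTL` and the in-memory `_redeemed` set are assumptions chosen for this example; a real deployment would keep the ledger in a cache or database.

```python
"""Hashcash-style proof-of-work as a transparent anti-spam check (added example).

Flow: server issues a signed challenge -> browser finds a counter whose
SHA-256 has DIFFICULTY_BITS leading zero bits -> server verifies and marks
the challenge as used so a single solution cannot unlock unlimited posts.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

SERVER_KEY = os.urandom(32)      # assumption: per-deployment secret, server-side only
DIFFICULTY_BITS = 16             # ~65k hashes on average; invisible to a human, costly at scale
CHALLENGE_TTL = 300              # seconds a challenge stays valid
_redeemed = set()                # single-use ledger (assumption: in-memory for the example)


def _sign(payload: str) -> str:
    """HMAC over the challenge so the client cannot mint or alter one."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(form_id: str, now: Optional[float] = None) -> str:
    """Server side: return 'form_id:issued_at:nonce:mac' to embed in the form."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{form_id}:{issued_at}:{nonce}"
    return f"{payload}:{_sign(payload)}"


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_challenge(challenge: str, difficulty: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a counter (the browser would do this in JavaScript)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def verify_submission(challenge: str, counter: int, now: Optional[float] = None,
                      difficulty: int = DIFFICULTY_BITS) -> Tuple[bool, str]:
    """Server side: every decision uses the server's own key and clock."""
    now = now if now is not None else time.time()
    parts = challenge.split(":")
    if len(parts) != 4:
        return False, "malformed"
    form_id, issued_at, nonce, mac = parts
    payload = f"{form_id}:{issued_at}:{nonce}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return False, "bad signature"        # forged or tampered challenge
    if not issued_at.isdigit() or now - int(issued_at) > CHALLENGE_TTL:
        return False, "expired"
    if challenge in _redeemed:
        return False, "replayed"             # one solution must buy exactly one post
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < difficulty:
        return False, "insufficient work"
    _redeemed.add(challenge)
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge("comment-form")
    c = solve_challenge(ch)
    print(verify_submission(ch, c))   # first use is accepted
    print(verify_submission(ch, c))   # second use of the same solution is rejected
```

The browser submits the counter alongside the comment; if JavaScript is off, no counter arrives and the post is simply rejected, which is the opposite of the "bypass by disabling JavaScript" failure the answer warns about. Raising `DIFFICULTY_BITS` by one doubles the spammer's cost per post without changing anything the human sees.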


Captcha has been broken for some time.

There is no perfect solution to preventing spam comments.

You can require users to register before posting a comment. While spambots can also break that, it's a harder problem for them to solve. This solution also discourages participation by real people.

You can automatically flag comments from non-registered users as requiring review before they are posted, and either review them yourself or through the community (much as Stack Overflow does with certain content such as edits). You might also want to flag comments by "new" users that have not established much credibility yet.

You should not create an IP block list. Most of your spam will come from compromised computers that are also used by legitimate people. If you block one IP, another zombie computer will most likely try to connect and resume work. On the other hand, you may well block the human user of a zombie computer from using your site.

answered Sep 23 '22 14:09 by Eric J.


I suggest adding extra measures in addition to Captcha.

In my case I experimented with adding a hidden field:

<form action="/submit.php" method="post">
    <p>Your name: <input type="text" name="name" /></p>
    <p>Your email: <input type="text" name="email" /></p>
    <p class="antispam">Leave this empty: <input type="text" name="url" /></p>
    <p><textarea name="message"></textarea></p>
    <p><input type="submit" value="Send" /></p>
</form>

.antispam { display:none;}

and then validate it on the server side:

<?php
// Honeypot check: the "url" field is hidden by CSS, so a real visitor never
// sees it and leaves it empty, while a bot that fills in every field it finds
// will populate it.
if (isset($_POST['url']) && $_POST['url'] === '') {
    // Genuine submission: send the form to your email here
} else {
    // Honeypot filled (or missing): silently drop the message but respond
    // exactly as on success, so the spammer thinks it got through
}
?>

The above code example was extracted from this useful article by Nathan Friedly: http://www.nfriedly.com/techblog/2009/11/how-to-build-a-spam-free-contact-forms-without-captchas/

On my site I'm implementing both the above approach and Google's reCAPTCHA.

So far it's working OK.

answered Sep 25 '22 14:09 by Pablo
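Pablo's PHP checks a honeypot with a fixed field name. As an added example (not from the answer or from the linked article, and in Python rather than PHP), the following keeps the same idea but closes the gaps a practitioner would want closed: the field name is derived per render from a server-side HMAC, so a bot that has learned which field to leave blank cannot carry that knowledge from one fetch to the next; a missing honeypot field is treated like a filled one, since a form we rendered always contains it; the hidden input carries `tabindex="-1"` and `autocomplete="off"` so keyboard navigation and browser autofill do not trip real users; and the HTTP response is identical whether the message was delivered or dropped. `SERVER_KEY`, `render_form`, `classify`, `handle` and the `DELIVERED` list are names chosen for this example, and the `.antispam { display:none; }` rule from the post is still what hides the field visually.

```python
"""Honeypot form with a per-render field name and silent drop (added example)."""
import hashlib
import hmac
import os
import secrets
from html import escape
from typing import Dict, List, Tuple

SERVER_KEY = os.urandom(32)          # assumption: server-side secret, never sent to the client
DELIVERED: List[Dict[str, str]] = []  # stands in for "send the form to your email"


def honeypot_name(form_token: str) -> str:
    """Derive an innocuous-looking field name bound to this render's token."""
    mac = hmac.new(SERVER_KEY, form_token.encode(), hashlib.sha256).hexdigest()
    return "field_" + mac[:12]


def render_form(action: str = "/submit") -> Tuple[str, str]:
    """Return (html, form_token). The token travels with the form; the name is recomputed server-side."""
    token = secrets.token_hex(8)
    hp = honeypot_name(token)
    html = (
        f'<form action="{escape(action)}" method="post">\n'
        f'  <input type="hidden" name="form_token" value="{token}">\n'
        f'  <p>Your name: <input type="text" name="name"></p>\n'
        f'  <p>Your email: <input type="text" name="email"></p>\n'
        f'  <p class="antispam" aria-hidden="true">Leave this empty:\n'
        f'     <input type="text" name="{hp}" tabindex="-1" autocomplete="off"></p>\n'
        f'  <p><textarea name="message"></textarea></p>\n'
        f'  <p><input type="submit" value="Send"></p>\n'
        f'</form>'
    )
    return html, token


def classify(post: Dict[str, str]) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason). The reason is for logs, never for the client."""
    token = post.get("form_token", "")
    if not token:
        return "drop", "no form token"            # not a form we rendered
    hp = honeypot_name(token)
    if hp not in post:
        return "drop", "honeypot field missing"   # bot stripped or never loaded the field
    if post[hp] != "":
        return "drop", "honeypot filled"          # bot filled every input it found
    return "accept", "ok"


def deliver(post: Dict[str, str]) -> None:
    DELIVERED.append(post)


def handle(post: Dict[str, str]) -> str:
    """Request handler: same visible outcome for accepted and dropped submissions."""
    verdict, _reason = classify(post)
    if verdict == "accept":
        deliver(post)
    return "Thanks, your message was sent."


if __name__ == "__main__":
    html, token = render_form()
    print(html)
    hp = honeypot_name(token)
    print(classify({"form_token": token, hp: "", "message": "hello"}))
    print(classify({"form_token": token, hp: "http://spam.example", "message": "buy"}))
```

Logging the reason server-side (without echoing it) is worth keeping: a run of "honeypot field missing" verdicts means a bot is replaying a captured form rather than fetching it, which is the signal that the answer's reCAPTCHA layer should see.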