As a webmaster, I see why this is bad. As a surfer, it's great. I can't stand anything to do with CAPTCHA codes. We need a new solution to the spam problem that doesn't involve harassing visitors to repeatedly attempt to enter some hard-to-read code.

The modern OCR most likely beats average user in character recognition. As long as they want people to be able to read the CAPTCHA, unlikely a bot success rate will drop.

I know that I am finding CAPTCHAs increasingly difficult to read. I just wish I knew what the solution was.

I don't use captchas on any of my website. Instead I create random field names. So instead of:

username
password
email

the fieldnames are
<input type="text" name="434k35h7s9d79753535">
<input type="text" name="37849sgd7g7573576tg">
<input type="text" name="353bdfgrgtdfgdfgdfg">

and if you reload, the fieldname will change again:

dfe3553535ddfsdsfsd
jfkldsjfkdjsdfjfsdf
fddfgdfgdf464646666

So far I don't have any problems with bots. However I guess this only works because nobody else is using this solution. Of course password managers don't work either, because the fieldnames change everytime the website is loaded. Personally I find Captchas annoying, and nowadays I have to request a new captcha two or three times before one appears that I can read.

[edited by: jecasc at 10:36 am (utc) on Jan 11, 2011]

Among other techniques, I use random (well... encrypted with a random salt) field names as well. Makes it more difficult to tell which fields are the dummies that shouldn't be filled in by dummies :>

Be aware that there is a trade-off however. It breaks auto form filling.

Span is bad but recaptcha is a greater nuisance. Just wish that a spam prevention technique that is lesser evil than recaptcha existed.

[edited by: iThink at 11:09 am (utc) on Jan 11, 2011]

and if you reload, the fieldname will change again

Add those fields to DOM Via External JS and there will be no need to CHAPTCHA anything.

I suggest looking mods which make use of the StopForumSpam blacklists or writting your own to use their API. They're pretty effective. Plain English questions and the picture captcha developed by Microsoft also work well...

i've found that stopping people posting links (or anything containing http, www, url) in their first couple of posts works well.

if a member is new, and they include a phrase like that, then just block it at source -- and don't up their post count either. that way even if the bot comes back and posts again, every subsequent post will be rejected too.

Googles response to this story:

Google counters that Wilkins test targeted an old form of reCAPTCHA from 2008 that’s been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

link frontpage?

Wilkins acknowledged that his initial tests were on an older version of reCAPTCHA, but since that time, he has conducted tests on the new images produced by the system and found them to be even weaker than the older ones. In one of his original tests on the system, his success rate was five in 200. When that test was run on the new reCAPTCHA, the rate was 23 in 100.

One weakness of CAPTCHA schemes, though is that they use words that can be found in a dictionary. This makes it easier for machines to crack the phrases because they have something to compare them to for errors.

In addition, reCAPTCHA uses a “one-off” system. That means a letter in a word can be incorrect, and it will still be accepted by the system.
So if the reCAPTCHA phrase contains the word “meat” and a Webster enters “peat,” his or her response will still be interpreted as a valid one.

So far I don't have any problems with bots. However I guess this only works because nobody else is using this solution.

I'm inclined to agree, and I think that's always going to be the problem. For most websites, a mass solution is what's going to be used: either a solution for a single website with a large audience, or something that the vast majority of non-technical webmasters are going to want to adopt.

I haven't had trouble with bots for years, since I implemented my system. It's only slightly unusual. Once you make the effort to create something that other people aren't using you're no longer worth the spammers' time to crack. But people are fundamentally lazy, so we'll never reach an ideal situation where all webmasters use a slightly different bot-beating system that they've thought up themselves.

I have a popular VBulletin forum using recaptcha. It has worked great for a longtime but for about a week I've been manually approving accounts and getting hundreds of spam registrations a day from xrumer bots(they have 'man' entered in the Biography field).
I waited to see if Google had a quick fix but today, I am switching it over to something else at least for now.

Not trying to toot my own horn or anything like that (and since this is an internal link I hope the admins don't mind), but this may be legitimately useful to any of you exploring alternatives to CAPTCHAs. I posted the CAPTCHA-less solution I use fairly recently on this very forum. While not perfect, it does a pretty darned good job wherever I've used it in the past, mostly in low-traffic or moderate-traffic sites that got a large number of spam submissions.

Spamblocking without a CAPTCHA [webmasterworld.com]

I suggest looking mods which make use of the StopForumSpam blacklists or writting your own to use their API. They're pretty effective.

Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".

This whole thing is so annoying, really. Such a waste of our time. I wonder if anyone has been able to estimate the payoff these guys are getting with their infiltration into forums. Logically the payoff has to be high enough for them to keep it up; but I just wonder how worth it it is.

It really was only a matter of time until ReCaptcha was cracked.

I've noticed an increase in spam in the last week or so. I'm not using ReCaptcha at the moment (because Google bought them out), I was using a similar "code" antispam mod.

I now do the Q&A and that seems to have helped immensely. I put a question or two in there and it rotates between them, which is great.

I think ultimately a solution similar to how Askimet works on blocking comment spam in WordPress would be ideal. I guess StopForumSpam is supposed to work in a similar fashion. Having one authority that manages spam registrations all over the web in theory should be accurate and help. Between a solution like that and a Q&A question, that should cover 99.99% of spam sign-ups.

I'm new to running a forum, and recently I saw an increase in spammy registrations. I switched from reCAPTCHA to question/answer. I'm not sure how well will this hold them back.

One size does not fit all. When google bought recaptcha I was forced to write my own captcha code to get rid of their spyware, never looked back and could not be happier, zero automated spam so far.

I run a popular vbulletin forum, and reCaptcha definitely stopped working months ago. We switched over to Vbulletin's questions and answers and created our own custom questions, and that improved things significantly.

We also added the akismet check to the first one or two posts by a user, and that has helped catch a good bit of spam as well. So far we've only had one or two false positives, and their posts got approved within a day or two.

We've gone from deleting 5-10 spammers per day to less than five per week, and because of the akismet plugin, most of the time the spam never gets seen publicly.

Even if they created an "unbeatable" captcha... I could "beat" it by hiring some foreign labor for a tenth of a penny per correct captcha. Literally.

Not recently. I had to disable a StopForumSpam mod on my forum

It's not your forum. It's Brett's.

Just sayin'.

:)

Link?

[theregister.co.uk...]

Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".

A mix of plain english questions, StopForumSpam, Akismet and human moderation works very well for me...

The problem with "plain English questions" is that it is fairly easy to create a database of them, with automated handling for variations. Similar to CAPTCHAs, the questions would then have to become complex enough so that Joe User will have difficuly answering them. The whole thing is like an arms race.

When a word in a book scan can’t be recognized by Google’s OCR software, it’s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn’t, without having to hire human editors to review scanning results.

Hey, if Google's OCR software cant read it, and we type it in during the verification process, how can the challange be compared to the response?

The more difficult it is to register, the fewer registrations you'll get.

On our forum with 1.3 million posts, we don't use captchas, or even email verification upon registration. Just a simple Q&A.

When we uncover organized corporate stealth marketing campaigns (as opposed to random viagra spammers), we find photos of the executives on the board of directors of the parent company behind the campaign, and, with a simple software tool, we allow people to make comics of them, and then email the comics to the executives, in a sort of "reverse" marketing campaign. They love that.

As rollinj mentioned, paid crowdsourcing makes captchas almost irrelevant, and there is plenty of spammer-for-hire work on Mechanical Turk. See: [behind-the-enemy-lines.blogspot.com...]

youfoundjake, each suspect word is run against multiple human users. I guess the first few will get through with any nonsense they type :)

there has to be a clever and inexpensive way to resolve this silly cat/mouse style arms-race!

very useful:

[webmasterworld.com...]

Well this is rather disconcerting. What should a vBulletin user do about it - what can we do about it?