Sigh. I guess it is a good sign that I’m researching CAPTCHAs at the moment. Spammers finally seem to have found our site and deemed it good enough to spam it. Surely a sign of success, but also a nuisance for the normal people using the site. Making the signup procedure a bit more difficult for computers seems the way to go, so some kind of CAPTCHA has to go in. The other approach would be to use a DNS-based blocking list, e.g. through an Apache module like mod-defensible, but in general I’m not a big fan of blocking lists due to false positives.

Besides, CAPTCHAs still seem to be working fine as a deterrent so I don’t have real doubts about the effectiveness. But putting up a crappy image and expecting people to parse it and retype it is an additional hurdle, so my attention got caught by the term ‘invisible captcha’, where some JavaScript is used to add a hidden field to a form with a secret. This should be trivial to work around if the spam robot actually executed the JavaScript, but that doesn’t seem to be the case for most of the robots.

Some examples: this method in .NET just uses a random GUID value for each form. This PHP example creates a simple sum to be done, which has the added benefit that the user can be asked this task as well, thus degrading gracefully for people without JavaScript. Things seem to have started with this article on a Lightweight Invisible CAPTCHA control, which also provides a simple sum to make.

I’ve ended up cobbling my own invisible captcha together based on the ideas put forward in the .NET article mentioned above, and so far it seems to work fine, keeping the spambots out while letting normal people in. I’d link to our signup page so you can see for yourself, except that it’s an invisible CAPTCHA. :-)
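
The server side of the invisible-CAPTCHA idea described above, as an added example that is not the author's code or any of the linked implementations: a signed sum challenge that a script answers and hides, with the question left visible for visitors without JavaScript. It assumes Node.js; every function and field name is hypothetical.

```javascript
// Added example for Node.js. Every name here (issueChallenge, captcha_token, ...) is hypothetical.
const nodeCrypto = require("node:crypto");

const KEY = nodeCrypto.randomBytes(32); // server-side secret, constructed per process for the demo
const MAX_AGE_MS = 30 * 60 * 1000;      // a rendered form is accepted for 30 minutes
const spent = new Map();                // accepted MAC -> issue time, so each token works once

const mac = (issued, nonce, answer) =>
  nodeCrypto.createHmac("sha256", KEY).update(`${issued}.${nonce}.${answer}`).digest("hex");

// On form render: pick a small sum. The token binds time, nonce and answer without revealing the answer.
function issueChallenge(now = Date.now()) {
  const a = nodeCrypto.randomInt(1, 10), b = nodeCrypto.randomInt(1, 10);
  const nonce = nodeCrypto.randomBytes(8).toString("hex"); // unique per rendered form
  return { a, b, token: `${now}.${nonce}.${mac(now, nonce, a + b)}` };
}

// The question is an ordinary visible field. Browsers that run the script get it
// answered and hidden; visitors without JavaScript answer it by hand.
function renderFields({ a, b, token }) {
  return `<input type="hidden" name="captcha_token" value="${token}">
<label id="captcha_row">What is ${a} + ${b}?
  <input name="captcha_answer" id="captcha_answer"></label>
<script>
  document.getElementById("captcha_answer").value = ${a} + ${b};
  document.getElementById("captcha_row").style.display = "none";
</script>`;
}

// On form submit: true only for a fresh, unused, untampered token with the right answer.
function verifySubmission(token, answer, now = Date.now()) {
  for (const [m, t] of spent) if (now - t > MAX_AGE_MS) spent.delete(m); // drop expired entries
  const [issued, nonce, given, ...rest] = String(token).split(".");
  const n = Number(String(answer).trim());
  if (rest.length || !/^\d+$/.test(issued) || !Number.isInteger(n)) return false;
  if (!/^[0-9a-f]{16}$/.test(String(nonce))) return false;
  const age = now - Number(issued);
  if (age < 0 || age > MAX_AGE_MS) return false;
  const wantHex = mac(issued, nonce, n); // canonical lower-case form, also the replay key
  const want = Buffer.from(wantHex, "hex");
  const got = Buffer.from(String(given), "hex");
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) return false;
  if (spent.has(wantHex)) return false; // same form submitted twice
  spent.set(wantHex, Number(issued));
  return true;
}
```

As the post says, a robot that executes the script passes this check, so it filters only clients that submit the form without running JavaScript.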

Published on 26/04/2007 at 16h48 by Hans de Graaff
