Spam-Links (Captcha Alternatives)

R_J Ex-Fanboy Munich Admin
edited August 2013 in General Banter

There's a lot of talk about spam here, so I've just looked around for captcha alternatives. Even with all the effort that is put in here, there are some spambots coming through and they are opening discussions.

I don't like captchas. They are hard to read and I'm convinced that every spammer's favorite tool finds them easier to pass than it is for me. But I have seen some more graphical captchas and I've found the below, and they all look more promising to me than recaptcha:

Yes, the last one is my favorite.

While thinking that all of them are better than recaptcha, I've found that list of services: http://extract-web-data.com/8-best-captcha-solving-services-and-tools/ 70 Cent for one thousand captchas!

I think we've lost. You will not find an admin who wants to kill 1000 registrations for 70 Cent. That company should offer such a service in parallel...

Just wanted to show what I've looked at and found out on that topic.

Comments

  • Todd Chief Product Officer Vanilla Staff

    This is excellent stuff. I think we can stand to make the captcha system more pluggable.

  • whu606 I'm not a SuperHero; I just like wearing tights... MVP

    I think it is also worth bearing in mind what we already have that works.

    Until recently, BotStop (with modified registration approval) on its own was doing a sterling job of stopping bots for me.

    Then it was breached by bots, so @peregrine came up with the registration logger addition.

    The two in combination have, for me, sent bot applicants back to zero.

  • @whu606 yes but these are only based on not changing the approach.

    These are not hard to breach. No offence to the developers, but the odds are better with a well tested captcha with huge variation.

    grep is your friend.

  • I did the Ironclad CAPTCHA deciding I would enter 1,1,1 each time regardless of what I saw; on the 10th time I passed. Of course it depends how it is implemented, however if the answers don't have enough variations it can be beaten even if not technically cracked.

    grep is your friend.

  • x00 MVP
    edited August 2013

    Of all of them ASIRRA seems the strongest, because there is variation of answers and a massive pool of data, which is pulled off a site which is constantly being added to with public contributions.

    I also attempted reverse image search and it was not effective.

    grep is your friend.

  • Todd Chief Product Officer Vanilla Staff

    I think @x00 touches on a key point about captchas. There are really two things at play with any captcha system:

    1. How good is the captcha technology. This would include stuff like the sophistication of their rendering engine and how many variations they have.

    2. The popularity of the captcha system. The more popular a captcha system is the more hackers there'll be.

    I've done a lot of reading and usually re-captcha comes out on top with regards to technology. What we see now is that since it's the king of the hill there is just a lot more effort out there attacking it and its reputation has become a little blemished because of it.

    In a way we're starting to see more spam in Vanilla because our popularity is rising too. What I want to make sure though is that we stop spam with good technology, not just obscure technology that hasn't been cracked yet.

  • x00 MVP
    edited August 2013

    Those two points are why I suggest two solutions, one recaptcha type solution, and an alternative one.

    However it is better if every site doesn't do the same thing.

    grep is your friend.

  • R_J Ex-Fanboy Munich Admin

    @x00: have you taken a look at the gaming approach (are you human)? I'm really loving that approach, for it makes passing a captcha something enjoyable while all those text captchas are really annoying, and I'd like to hear your opinion on that. I can not judge the quality and if it is really capable of stopping bots. I can just say "nice" or "ugly"... :-/

    Great that you took the time to test them!

  • the gaming one doesn't have a big enough pool of data or variation, and you can refresh as much as you like.

    grep is your friend.

  • vrijvlinder Papillon-Sauvage MVP

    The best captcha is a hidden field which, if filled, means it is a bot and the reg is rejected. The value of the hidden field is always TRUE unless it is filled in.

    There is no fool proof way to stop human spammers unless you block their IP.

    The drawback of the hidden field is that it usually uses js or css and either could be disabled and the user would see the field and try to fill it and then get rejected. One way to get past this is to put a label "If you can see this please do not fill it in".
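The hidden-field check described in the comment above, sketched as an added example that is not part of the thread and not Vanilla's own code. The field name `website_url`, the function names and the sample submissions are assumptions made for illustration.

```python
from html import escape

HONEYPOT_NAME = "website_url"  # hypothetical decoy field name (assumption)
HONEYPOT_LABEL = "If you can see this please do not fill it in"


def render_honeypot():
    """HTML for the decoy input: moved off-screen by CSS, but labelled
    for users whose browser ignores the styling and shows it anyway."""
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{HONEYPOT_NAME}">{escape(HONEYPOT_LABEL)}</label>'
        f'<input type="text" id="{HONEYPOT_NAME}" name="{HONEYPOT_NAME}" '
        'value="" tabindex="-1" autocomplete="off">'
        "</div>"
    )


def check_registration(form):
    """Return (accepted, reason) for a submitted form given as a dict of strings."""
    if HONEYPOT_NAME not in form:
        # A browser always submits a text input, even when empty, so a
        # missing field means the POST was not built from our form.
        return False, "honeypot field missing"
    if form[HONEYPOT_NAME] != "":
        return False, "honeypot field filled"
    return True, "ok"


# Constructed sample submissions, not real traffic.
SAMPLES = [
    {"username": "alice", "email": "alice@example.org", HONEYPOT_NAME: ""},
    {"username": "bot1", "email": "x@example.net",
     HONEYPOT_NAME: "http://spam.example"},
    {"username": "bot2", "email": "y@example.net"},
]


def triage(samples):
    """Run the check over a batch and keep the reason for the registration log."""
    return [(s["username"],) + check_registration(s) for s in samples]


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```
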

  • Anything you know how to do a good spammer will get round; the best solutions are those where you can know how it works but it is still mathematically improbable to beat it.

    grep is your friend.
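The point made in the thread about answer variation and unlimited refreshes can be put in numbers. This is an added example, not code from the thread; the two challenge layouts are constructed parameters and do not describe any named captcha product.

```python
from math import comb, floor, log


def p_select(n_images, n_correct):
    """Blind-guess success for 'pick the n_correct matching images out of n_images'."""
    return 1 / comb(n_images, n_correct)


def p_binary(n_images):
    """Blind-guess success when each of n_images needs its own yes/no label."""
    return 1 / 2 ** n_images


def pass_within(p, attempts):
    """Probability that at least one of `attempts` independent guesses passes."""
    return 1 - (1 - p) ** attempts


def max_attempts(p, target):
    """Largest per-client attempt budget that keeps pass_within() <= target.
    A result of 0 means even a single guess already exceeds the target."""
    return floor(log(1 - target) / log(1 - p))


SCHEMES = {  # constructed parameters (assumptions)
    "pick 3 of 9": p_select(9, 3),
    "label 12 images": p_binary(12),
}


def report(schemes, attempts=10, target=0.01):
    """One row per scheme: (name, P(pass within attempts), attempt budget for target)."""
    return [
        (name, round(pass_within(p, attempts), 4), max_attempts(p, target))
        for name, p in schemes.items()
    ]


if __name__ == "__main__":
    for row in report(SCHEMES):
        print(row)
```

With the small answer space no attempt limit keeps a blind guesser under 1%, while the larger one tolerates a few dozen refreshes per client before reaching the same risk.
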

  • vrijvlinder Papillon-Sauvage MVP
    edited August 2013

    Yes, maybe something like :

        **define M_PI ** 
    
        and the answers could be multiple checkboxes 
    
        3.14159265358979323846
    
        or 
    
        3.14159265358979323846264338327950288
    
        or 
    
        3.15
    
        or
    
       None of the above
    

    That way they can learn something while they are at it ..... ;)

    The point is to make it easy for real users, who likely do not know the answer and would guess; all answers are correct enough except the last one.

    Bots don't read and can't check boxes, at least from what I read about auto-form-submitter-bots.
