[thelist] CAPTCHA

Chris Anderson Chris at activeide.com
Mon Jun 8 13:27:21 CDT 2009

> I've been using simple humanising questions: Is water wet or dry? Is
> fire hot or cold? Things like that, which are dead simple for a human,
> but just about impossible for a bot to deduce.
> joel

> Thanks Joel.  I was wondering about this too, as I've seen some bots
> beat simple CAPTCHA.

However if specifically targeted and the bots are primed with the
answers to just a few, they become easier to abuse than CAPTCHA.

You need to examine what it is that you need to stop and what it is you
need to allow.

Colour-based CAPTCHA can be difficult for the colour-blind; most forms
of CAPTCHA are not good for the visually impaired; form validation
looking for URLs and scripts is great - as long as your users shouldn't
be sending URLs or scripts; IP-based load validation is great if you do
not expect 100s of requests from the same IP; etc.

You might also find you use different techniques for account creation to
anonymous feedback submissions because they ask for different

But one important part of the process is to measure the level of spam
before, and measure it again after the change (logging all the "bot"
traffic so you can analyse it for future enhancements).

And some techniques do not require the user to do anything extra. Hidden
blank form fields are an example of that.
At one site, I've dropped 500+ emails to 0 over the last six months
simply by swapping the name of the email entry with the name of an
address line - then checking that only the addressline (which is the
email box visually) has an email address in it. 
Every now and again I'll check the "botlog" and even after 6 months,
even the intelligent bots that guess the expected data type by the name
of the textbox keep entering an email address into the address line ;-)
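
The field-name swap and hidden blank field described in the message above, as an added server-side sketch (not the poster's code). The hidden field name `website`, the `classify` helper and the sample submissions are constructed assumptions; `addressline` and `email` follow the naming in the message.

```python
import re
from urllib.parse import parse_qs

# Loose shape check: enough to tell "looks like an email" from "does not".
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Assumed form layout:
#   name="addressline" is the box labelled "Email" (humans type an email here)
#   name="email"       is the box labelled "Address" (humans type a street here)
#   name="website"     is hidden with CSS and must come back blank
REAL_EMAIL_FIELD = "addressline"
DECOY_EMAIL_FIELD = "email"
HIDDEN_FIELD = "website"

def classify(body, botlog):
    """Return (accepted, reason) for a urlencoded form body; log rejects."""
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {name: values[0].strip() for name, values in parsed.items()}
    real = fields.get(REAL_EMAIL_FIELD, "")
    decoy = fields.get(DECOY_EMAIL_FIELD, "")
    if fields.get(HIDDEN_FIELD, ""):
        reason = "hidden field filled"
    elif EMAIL_RE.search(decoy):
        reason = "email address in decoy field"
    elif not EMAIL_RE.fullmatch(real):
        reason = "no email address in real field"
    else:
        return True, "ok"
    # Keep the rejected submission so the "botlog" can be analysed later.
    botlog.append({"reason": reason, "fields": fields})
    return False, reason

# Constructed sample submissions (not captured traffic).
SAMPLES = {
    "human": "addressline=pat%40example.org&email=12+High+Street&website=&msg=hi",
    "name_guessing_bot": "addressline=1+Spam+Rd&email=bot%40example.net&website=&msg=buy",
    "fill_all_bot": "addressline=bot%40example.net&email=x&website=http%3A%2F%2Fexample.net",
}

def run_samples():
    botlog = []
    verdicts = {name: classify(body, botlog) for name, body in SAMPLES.items()}
    return verdicts, botlog

if __name__ == "__main__":
    for name, verdict in run_samples()[0].items():
        print(name, verdict)
```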

