Scott on Writing

Musings on technical writing...

I've Noticed My CAPTCHAs Effectiveness is Decreasing

About six months ago I implemented CAPTCHAs here on ScottOnWriting.NET and immediately saw comment spams drop from dozens a day to virtually zero. Sure, I occassionally found a comment spam or two every week, but the tide of spams had been abated. That's not the case anymore. I know get about 5-10 comment spams per day now.

I take it this uptike in comment spams despite the CAPTCHA means one of two things:

There's some security hole in my blog comment system where spammers can post comments without needing to use the CAPTCHA, or
Brute force is in effect here. There are folks out there who are taking the time to type in the CAPTCHA to propagate their spam.

I'm inclined to believe the latter explanation is what's happening because if there were a hole I'd expect to comment spam to ratchet back up to its previous, pre-CAPTCHA level. Assuming that spammers are taking the time to enter the CAPTCHA, it makes an interesting (albeit somewhat depressing) economic commentary: either that spam pays well enough to justify this behavior or it doesn't pay that well, but the people recruited to continue this spamming are “selling” their time for so little that the actions are still profitable. It's a bit of both, I'm sure, but it's sad because I would wager these people taking the time to surf to sites, paste in their spam, and enter the CAPTCHA, could be benefiting humanity moreso by producing a good or service.

The only real guard against comment spam is moderation or simply turning off comments. I've actually taken the latter approach with some of my other blogs because the hassle of periodically removing the comment spam or proactively moderating outweighed the value the contributors' comments.

posted on Tuesday, February 20, 2007 5:05 PM

Feedback

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/20/2007 8:02 PM Rick Strahl

Scott, I'm seeing the same thing and I've been wondering the same thing. I've reviewed my code and have started logging requests from comment posts and noticed that these entries are spaced out a bit, so they seem to be of the 'manual' variety...

Not sure what the solution is but I suspect if these are really manual entries, that they will fall off again because it's really inefficient. I've bumped the minimum time required in my CAPTCHA code so that it essentially makes the process too slow to be effective for SPAM although it will cause some potential issues for some legitimate entries.

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/20/2007 10:01 PM spammer

I am a spammer and do you guys wnat to get laid tonight.
I have ladies who can make your small willies enjoy

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 7:02 AM Kyle

Scott,

Digg just adopted the Open-ID platform (http://www.techcrunch.com/2007/02/20/kevin-rose-at-fowa-digg-adopts-openid/). I realize this is not a trust system, but appears to be a step in the direction of at least identifying people. Might be something interesting to adopt here as well.

- Kyle

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 12:44 PM Rachit

How about implementing something like this? Instead of using CAPTCHA, you ask a random question e.g What is the multiply/divide/addition/substraction of number X and number Y? These questions\answers should come randomly. I think that might be effective.

What do you think?

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 3:15 PM Abdu

Look at the ip addresses of these posts from your logs and search for repeating ones. There is cheap labor in third world countries who get paid for manual posting.

Block these ip addresses on a continuous manner and your spam should decrease.

If you have few minutes a day, moderate and approve each comment that passes CAPTCHA and you should be ok.

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 3:49 PM Jeff Atwood

I get some, too, but nowhere near five per day. That's a lot!

Definitely manually entered. Nobody is "cracking" CAPTCHA, because as you point out, the spam volume would be much higher than the handful/trickle we have now.

I think the next step beyond CAPTCHA is something like OpenID. Or disabling comments, I suppose, depending on how much you dislike your readers ;)

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/22/2007 5:49 AM kbr

What do you think about that?

http://sam.zoy.org/pwntcha/

there is a lot similar project, just look at wikipedia (keyword: captcha) to read about OCR and non-OCR captcah breaking techniques...

this is explanation, how to "crack" CAPTCHA

# Attack of the Spam 3/21/2007 5:15 AM Wiennat's Blog

Attack of the Spam

# Removing Comment Support for the Summer 5/20/2007 5:50 AM Community Blogs

As noted earlier , I am going to be taking an extended sabbatical this summer and won't be as actively

# Removing Comment Support for the Summer 5/20/2007 5:56 AM BusinessRx Reading List

As noted earlier , I am going to be taking an extended sabbatical this summer and won't be as actively

# Attack of the Spam 8/6/2007 8:19 PM oneddtest

Attack of the Spam

# Removing Comment Support for the Summer 10/3/2007 8:03 PM ASPInsiders

As noted earlier , I am going to be taking an extended sabbatical this summer and won't be as actively

Title:

Name:

Url:

Enter the code you see:

Comments

Remember Me?

Add To Your Reader

My Links

Post Categories

May 2008

Comment Stats

Day	Total	% of Total
Sunday	186	6.8%
Monday	379	13.9%
Tuesday	453	16.7%
Wednesday	504	18.5%
Thursday	535	19.7%
Friday	494	18.2%
Saturday	166	6.1%
Total	2717	100.0%

Hour¹	Total	% of Total
12:00 AM	65	2.4%
1:00 AM	68	2.5%
2:00 AM	62	2.3%
3:00 AM	74	2.7%
4:00 AM	57	2.1%
5:00 AM	103	3.8%
6:00 AM	108	4.0%
7:00 AM	158	5.8%
8:00 AM	171	6.3%
9:00 AM	147	5.4%
10:00 AM	171	6.3%
11:00 AM	181	6.7%
12:00 PM	188	6.9%
1:00 PM	169	6.2%
2:00 PM	160	5.9%
3:00 PM	132	4.9%
4:00 PM	107	3.9%
5:00 PM	92	3.4%
6:00 PM	91	3.3%
7:00 PM	96	3.5%
8:00 PM	83	3.1%
9:00 PM	78	2.9%
10:00 PM	79	2.9%
11:00 PM	77	2.8%
Total	2717	100.0%

Comments by Blog Entry Date/Time

Day Entry Made	Avg.	Total
Sunday	5.54	144
Monday	5.22	339
Tuesday	4.28	419
Wednesday	7.67	637
Thursday	6.90	607
Friday	5.48	411
Saturday	5.33	160
Total	5.84	2717

Hour¹ Entry Made	Avg.	Total
12:00 AM	5.00	35
1:00 AM	1.00	2
5:00 AM	0.00	0
7:00 AM	7.00	35
8:00 AM	5.35	107
9:00 AM	6.32	278
10:00 AM	6.47	246
11:00 AM	4.41	181
12:00 PM	6.88	330
1:00 PM	3.00	111
2:00 PM	5.41	222
3:00 PM	8.64	285
4:00 PM	4.05	89
5:00 PM	5.92	154
6:00 PM	4.52	113
7:00 PM	9.67	174
8:00 PM	9.80	147
9:00 PM	5.05	111
10:00 PM	5.42	65
11:00 PM	4.57	32
Total	5.84	2717

Learn More About Comment Stats
¹ - All times GMT -8...

Blog Stats

Posts - 465
Stories - 0
Comments - 2717
Trackbacks - 568

Favorite Web Sites

My Books

My MSDN Articles

Scott on Writing

I've Noticed My CAPTCHAs Effectiveness is Decreasing

Feedback

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/20/2007 8:02 PM Rick Strahl

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/20/2007 10:01 PM spammer

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 7:02 AM Kyle

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 12:44 PM Rachit

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 3:15 PM Abdu

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/21/2007 3:49 PM Jeff Atwood

# re: I've Noticed My CAPTCHAs Effectiveness is Decreasing 2/22/2007 5:49 AM kbr

# Attack of the Spam 3/21/2007 5:15 AM Wiennat's Blog

# Removing Comment Support for the Summer 5/20/2007 5:50 AM Community Blogs

# Removing Comment Support for the Summer 5/20/2007 5:56 AM BusinessRx Reading List

# Attack of the Spam 8/6/2007 8:19 PM oneddtest

# Removing Comment Support for the Summer 10/3/2007 8:03 PM ASPInsiders

Add To Your Reader

My Links

Archives

Post Categories

Comment Stats

Comments by Blog Entry Date/Time

Blog Stats

Favorite Web Sites

My Books

My MSDN Articles