Captchas was Re: ISP wants to stop outgoing web based spam
Simon Waters
simonw at zynet.net
Wed Aug 16 08:21:06 UTC 2006
On Wednesday 16 Aug 2006 01:13, Paul Jakma wrote:
> On Thu, 10 Aug 2006, Simon Waters wrote:
> > I've no doubt some captcha can be invented in ASCII, but this isn't
> > it.
>
> 'tis. It works for at least one blog platform, where I've never once
> had comment spam.
You snipped the bit where I said "It would work for a minority use."
I'm sure it works fine for just you, but it doesn't scale, so the folks at
Nanog probably don't care.
The reason people use image recognition is it is something (most) humans find
very easy, but requires considerable investment of effort (or resource for
self training) to teach computers, and readily permits of variations ('click
the kitten' being a good example).
For a demonstration of bashing at ASCII captchas try any good chat bot.
I asked the online bot at ellaz.com your question:
"What is 2 added to 23?"
Ellaz replied;
"I can tell you that 2, plus 23, is equal to 25"
I hope your parser can recognise that as a valid answer, otherwise you'll have
trouble with humans failing the test. Although for blog comments, excluding
stupid, or overly verbose humans may not be a bad idea, I just get the
feeling some days I'd never get to comment on anyone's blog.
I thought maybe spice it up a little;
Simon: "What is the square root of -1?"
Ellaz: "Hey Hey! You cannot take the square root of a negative number. That
gives an imaginary number, and I don't go there."
(Spot the canned response).
Shucks. Unfortunately Ellaz bot isn't terribly good at non-maths questions,
but I think it makes the point well enough.
The reason no one defeated your text captcha was probably because no one
tried, but that won't remain the case if it gets popular. We are locked in
another arms race here. At the moment greylisting kills most of your email
spam, and any captcha (even ones for which programs exist, and which
score better than humans) will kill most of your blog spam, but don't expect
them to last as a defence, just as greylisting is slowly crumbling. The real
solution is to break the monoculture, and have more security at the leaf
nodes, but someone already started that thread (again).
Although possibly the mistake is to assume you can distinguish between humans,
and computers on the basis of intelligence. It isn't reliably possible to do
this yet, but give it a few years and you'll know that if a site asks for all
the integer solutions of a given quintic equation, it is probably not that
interested in comments from apes, except perhaps the most exceptional apes.
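
An added example, not part of the original message: a sketch of the answer parser the message worries about, comparing a strict check with a lenient one on the question quoted above. All function names are hypothetical, and every reply except the quoted Ellaz sentence is constructed; the lenient check that lets verbose humans through also accepts the bot's sentence unchanged.

```python
import re

# Small vocabulary so spelled-out answers such as "twenty-five" are understood.
_UNITS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
_TENS = {w: 10 * i for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)}


def make_challenge(a, b):
    """Build the question in the wording quoted in the message, plus its answer."""
    return f"What is {a} added to {b}?", a + b


def numbers_in(reply):
    """Return every non-negative integer mentioned in a free-text reply, in order."""
    found, after_tens = [], False
    for tok in re.findall(r"[0-9]+|[a-z]+", reply.lower()):
        if tok[0].isdigit():
            found.append(int(tok))
        elif tok in _TENS:
            found.append(_TENS[tok])
        elif tok in _UNITS and after_tens and 1 <= _UNITS[tok] <= 9:
            found[-1] += _UNITS[tok]      # "twenty" + "five" -> 25
        elif tok in _UNITS:
            found.append(_UNITS[tok])
        after_tens = tok in _TENS
    return found


def strict_check(reply, expected):
    """Accept only the bare number, as a naive form handler would."""
    return reply.strip() == str(expected)


def lenient_check(reply, expected):
    """Accept a verbose reply when the last number it mentions is the answer."""
    nums = numbers_in(reply)
    return bool(nums) and nums[-1] == expected


if __name__ == "__main__":
    question, answer = make_challenge(2, 23)
    replies = ["25", "twenty-five", "no idea",             # constructed replies
               "I can tell you that 2, plus 23, is equal to 25"]  # quoted above
    for r in replies:
        print(f"{r!r}: strict={strict_check(r, answer)} lenient={lenient_check(r, answer)}")
```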