The Tuks Linux User Group has had an excellent track record in the past. We had some problems on the Wiki with SPAM just after the Wiki got put up, and then some problems with spam bots on the forums. The general solution to these problems is CAPTCHAs. Those of you familiar with phpbb will know it’s useless.
Whilst CAPTCHAs may provide protection at a glance, they are in fact so easy to circumvent it’s not even funny. Consider for example an OCR mechanism (which is how phpbb’s captcha got sunk afaik) that can pull text out of an image. There exist outline algorithms, so even making use of colours doesn’t help; once you’ve got an outline, there are only 62 (26 + 26 + 10) characters for each position, and generally less than 8 characters, so even if you need to guess that’s like less than 500 iterations … find the best match, and take a whack – if you’re wrong, so what?
Now, let’s say we have an insanely hard CAPTCHA – a mere mortal has to be able to solve it, right? Ok, so instead of trying to be smart, why not let other people be smart? Take the captcha you want solved, present it to a human, and let him solve it! Where do you get these people? Easy, give the promise of free porn and I can promise you half the male population will sit there and solve a few captchas before realizing they’ve been had. Ok, perhaps not quite, but you get the picture: “captcha protect” something of your own and let humans solve it for you. It’s called a man-in-the-middle. Not as quick as a fully automated crack, but it can be quite sufficient if you can pull sufficient traffic.
So, how did TLUG manage to go more than a year without a single bot slipping through the nets on the forums? Well, actually, it turns out to be quite simple: we disabled the captcha (yes, you read that correctly, we TURNED IT OFF), we changed the type of the username field upon registration to hidden, and we added a usrname field which was to carry the actual username. Now, as it turns out, the bots kept on filling in the username field in addition to usrname … so a simple check that username was actually submitted, but with an empty value, caught them 100 % accurately. Until a few days back.
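The check described above, written out as an added example in Python rather than as TLUG’s or phpbb’s own PHP code. The form markup and the sample submissions are constructed for illustration; the only thing taken from the post is the idea: the hidden decoy field named username must arrive empty, and the visible usrname field carries the real value.

```python
# Added example (not TLUG's or phpBB's code): server-side check for the
# honeypot registration form described in the post.
#
# The form (constructed here, not the real TLUG markup) contains:
#   - a hidden input named "username" that real browsers submit empty
#   - a visible input named "usrname" that carries the real username
# Form-filling bots tend to populate every named field they find, so a
# non-empty "username" marks the submission as not coming from a person.

from typing import Mapping

HONEYPOT_FIELD = "username"   # hidden decoy; must be submitted, and empty
REAL_FIELD = "usrname"        # visible field that carries the real username


def render_registration_form(action: str = "/register") -> str:
    """Return the (constructed) HTML the browser renders for registration."""
    return (
        f'<form method="post" action="{action}">\n'
        f'  <input type="hidden" name="{HONEYPOT_FIELD}" value="">\n'
        f'  <label>Username <input type="text" name="{REAL_FIELD}"></label>\n'
        '  <label>E-mail <input type="text" name="email"></label>\n'
        '  <input type="submit" value="Register">\n'
        '</form>'
    )


def classify_registration(form: Mapping[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one submitted registration form.

    Accept only when the decoy field was submitted with an empty value and the
    real field carries a non-empty username. Anything else is treated as a bot
    (or a broken client) and rejected with a reason suitable for logging.
    """
    if HONEYPOT_FIELD not in form:
        # The hidden field is part of the rendered form, so a client that never
        # sent it did not submit our form; likely a hand-built POST request.
        return False, "decoy field missing"
    if form[HONEYPOT_FIELD].strip() != "":
        # A person cannot see or type into a hidden input; only a filler that
        # populates every named field would put something here.
        return False, "decoy field filled"
    real = form.get(REAL_FIELD, "").strip()
    if not real:
        return False, "no username supplied"
    return True, "ok"


# Constructed sample submissions (not real traffic).
SAMPLES = {
    "browser": {"username": "", "usrname": "alice", "email": "a@example.test"},
    "bot_fills_everything": {"username": "alice", "usrname": "alice",
                             "email": "a@example.test"},
    "bot_posts_directly": {"usrname": "alice", "email": "a@example.test"},
    "empty_form": {"username": "", "usrname": ""},
}


def classify_samples() -> dict[str, tuple[bool, str]]:
    """Run the check over every constructed sample; keyed by sample name."""
    return {name: classify_registration(form) for name, form in SAMPLES.items()}


if __name__ == "__main__":
    print(render_registration_form())
    for name, (accepted, reason) in classify_samples().items():
        print(f"{name:22s} -> {'accept' if accepted else 'reject'} ({reason})")
```

Two practical notes on this shape of check: a client that omits the decoy field entirely is rejected as well as one that fills it, since the rendered form always sends it; and, as the post’s “until a few days back” already shows, the decoy’s name and the way it is hidden are the only secrets, so the check has to be treated as a tripwire to rotate rather than a fixed defence.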
Now I don’t want to go into too much detail of how we’ve now modified the hack, but let’s just say that what we’ve got lined up should keep them guessing for a while, and once they’ve figured it out, we can just rely on the myriad of ways provided by HTML to hide things, and CSS, and javascript, and cascaded styles, and external sheets, etc etc … and even a few browser identification hacks to pick up on them, and to fool them into filling in fields they’re not supposed to be touching, or preventing them from filling in fields that are required. Bliss.
And the best of it all? Unless you actually go and dig beneath the surface it looks like we’re running without any spam control at all. There is absolutely no intrusion on the end user, unlike the ineffective captcha mechanisms.
And for once, and only once that I’m aware of, we are one ahead of the spammers, and for once, it’s them playing the catchup game, and not the “good guys”.
…do you think spammers will Google for a fix for their bots?
or just eat ham for inspiration…
hehe, eat ham, hopefully.