
CAPTCHAs, who needs them?

Posted on December 5th, 2006 in Blogging Essays, General. 31 responses.

Comments

  1. Bob says:

    What would be your solution to sign-up form spam? i.e. on a web forum.

    Akismet is fantastic, I use it on my blog and integrated into the comments system on my site. But for forums, I’d like to catch the spam bot *before* they have a chance to post spam… the captcha is effective for this use (although as with every anti spam tool, including Akismet), but still lets a few ‘smarter’ bots through…

    I’d love to stop using captcha and make it easier for real people to sign up but in the current climate of spam it’s impossible to not have something.

    The ban filter on the forum I run is massive and still doesn’t help, it’s not even a busy board! The new captcha on the latest version has been great, cutting new registrations from 20 per day to 1 in almost 2 months.

  2. Ajay (39 comments.) says:

    I believe you are talking about alternatives to CAPTCHA. If so, you forgot about Spam Karma 2!

  3. lambic (5 comments.) says:

    Bob, I’m not a forum user so I can’t really comment on that aspect, my essay is targeted more at bloggers. There are alternatives to image based CAPTCHAs that are more accessible though, for example asking a question that a spambot would not be able to answer, like a simple math question (but then you’re excluding people who can’t do math ;))

    Ajay, I didn’t forget about SK2, I believe it fits into the comment analysis category where I used Bad Behaviour as the example. SK2 is listed on the Codex page I linked to so I didn’t bother including it explicitly.

  4. Darren (1 comments.) says:

    @Bob
    It may be time to consider changing your forum solution. Akismet integrates beautifully with bbPress which was developed by the makers of WordPress. Although I understand the difficulty that presents if you run a forum with a lot of users.

  5. Quix0r (2 comments.) says:

    I have already removed a graphical CAPTCHA from my blog – except the one from SK2 which is already beaten – and switched over to a combination of all the plugins you told us:

    – Akismet for SK2
    – Spam Karma 2 itself (unknowngenius.com)
    – Bad Behavior 2 (homelandstupidity.us)
    – Comments Post Rewriter Plugin (my own one)

    And a less anti-spam but more user-validation plugin, Skippy’s Comment Authorization plugin. :)

    Have fun downloading and installing them… ;-)

  6. Kristin K. W. (5 comments.) says:

    This was a great article, and I hope everyone who swears by CAPTCHA will read it and reconsider. It is, as you write, “at worst discriminatory”.

  7. Bob says:

    @Bob
    It may be time to consider changing your forum solution. Akismet integrates beautifully with bbPress which was developed by the makers of WordPress. Although I understand the difficulty that presents if you run a forum with a lot of users.

    bbPress is not the kind of forum solution I’m looking for, as nice as it is :)

    It still wouldn’t stop users registering, just posting! I don’t like having loads of inactive accounts accumulating in my forum DB which take up a lot of names ‘real’ users would want to register…

    I’ve had a think about this and am going to try using a feature of the forum system I use (IPB) in which you can create ‘custom’ registration forms; a good example of this is the Sci Fi UK forums, which do this. Using a custom form and not using standard names for the fields (i.e. using blargh instead of email in the HTML, and setting a hidden input with the name email which, if filled in, will block the user registering) will hopefully cause the bots to ignore it.

    There are, as yet, no easy to do alternatives to CAPTCHA, the best is probably the math question one, but does rely on numeracy skills.
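The hidden-field check described in comment 7, as an added example that is not part of the original thread and not IPB's own code. The field names `blargh` and `email` come from the comment; the form markup, the `/register` path, the function names and the sample submissions are assumptions made for illustration.

```python
import re

# Field names follow the comment: the real e-mail input is renamed
# ("blargh"), and the input actually called "email" is a hidden decoy.
REAL_EMAIL_FIELD = "blargh"
DECOY_FIELD = "email"

def render_form():
    """Build the sign-up form; the decoy is in the HTML but not shown to people."""
    return "\n".join([
        '<form method="post" action="/register">',
        '  <label>Username <input name="username"></label>',
        f'  <label>E-mail <input name="{REAL_EMAIL_FIELD}"></label>',
        '  <div style="display:none" aria-hidden="true">',
        f'    <input name="{DECOY_FIELD}" tabindex="-1" autocomplete="off">',
        '  </div>',
        '  <button type="submit">Register</button>',
        '</form>',
    ])

def check_registration(fields):
    """Return (accepted, reason) for one submission, given as {field name: value}."""
    if DECOY_FIELD not in fields:
        # Browsers still submit inputs hidden with CSS, so a real visitor
        # always sends the decoy (empty); its absence means the form was not used.
        return False, "decoy missing"
    if fields[DECOY_FIELD].strip():
        return False, "decoy filled"
    address = fields.get(REAL_EMAIL_FIELD, "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", address):
        return False, "bad e-mail"
    return True, "ok"

# Constructed sample submissions, not real traffic.
SAMPLES = {
    "browser user": {"username": "alice", "blargh": "alice@example.org", "email": ""},
    "form-filling bot": {"username": "bot1", "blargh": "", "email": "x@spam.example"},
    "fills every field": {"username": "bot2", "blargh": "y@spam.example", "email": "y@spam.example"},
    "hand-built POST, no decoy": {"username": "bot3", "blargh": "z@spam.example"},
}

if __name__ == "__main__":
    print(render_form())
    for label, fields in SAMPLES.items():
        print(f"{label:26} -> {check_registration(fields)}")
```

Browser autofill or an assistive tool that ignores the hiding can occasionally fill the decoy, so a rejected sign-up is better answered with a retry message than dropped silently.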

  8. Soccer Dad (6 comments.) says:

    I believe captchas as a primary spam prevention method are very bad. However I do believe they have some use as a backup prevention method (à la SK2). There definitely are issues with visually impaired users, but Akismet alone won’t stop spam. You need a blended approach. Here’s an interesting captcha I’ve used with phpBB until Akismet and other methods get more widely used (and thus useful):

    http://www.kessels.com/captcha/

    Probably will induce a seizure or two, but makes it harder for the bots to decipher.

  9. Chris says:

    Interesting article, but couldn’t disagree more. Here’s why:

    Well formed captchas are easy for all but the seriously visually impaired. Sound based captchas are also available.

    Umm, I’m signed up to a spam database for email. But as you point out spammers aren’t stupid, they soon create workarounds. I’d be interested to see how labour intensive Akismet really is? Going by some accounts – very!

    Comment analysis programs are all very well but they have plenty of weaknesses that bots can exploit. Trust me, you can get yourself into a real lather trying to plug all the holes.

    Whitelisting and blacklisting can be very helpful in resolving minor spam issues and very handy for blocking malicious or persistent offenders.

    In summary, I struggle to see why you would put yourself to all this extra effort when a captcha very efficiently takes care of all but the most sophisticated and persistent spammers.

    By the way – if you’re highlighting time as an issue then really anybody who has anything worth saying will not begrudge a few seconds tapping out a captcha.

    Interesting debate.

  10. George (1 comments.) says:

    I hate captchas. I have slight vision problems from retinopathy and I have the hardest time reading captchas when they are distorted at all. It’s so much of a pain, that I don’t spend as much time reading blogs that use them anymore. I would like to be able to comment without having to take a vision test!

    As for forums, I think they are OK for sign-up forms. That’s a one-time thing, as opposed to posting on forums, which is a more frequent thing, like commenting on blogs. So CAPTCHAs for forum sign-ups are OK, just not for every forum post.

  11. lambic (5 comments.) says:

    Chris, I’m not sure why you think Akismet is labour intensive. It took me five minutes to install. For the first little while after it was installed I checked the comments it marked as spam for false positives but now I don’t even do that, I just hit the Delete All button every now and then.

    Obviously if you’re worried about false positives then it will take a bit longer to scan the marked comments but even then you can scroll through them pretty quickly. I don’t bother, and it’s only bitten me once, thanks to a reader whose username was a common online card game.

  12. john t unger (1 comments.) says:

    I use CAPTCHAs on my blogs and it does bum me out… I’d rather that there was a less labor intensive way for readers to be distinguished from bots. Even with the CAPTCHAs, some spam gets through, but it’s much better than it was when I turned them off.

    I also aggressively monitor my comments, and use blacklisting, word banning etc. There are some words common to spam comments which I don’t want to blacklist, because they might also have legit uses.

    I used to hold comments for approval, but I don’t care for the delay that this forces on the conversation. Plus, although it’s a good way to make sure that you reply to comments, it’s ultimately too time consuming.

    Readers can sign in to my blog with TypeKey to avoid the CAPTCHAs, but I regard that as only a partial solution. Even though the service has improved, I don’t like that it doesn’t allow the URL link to be specified on a comment post, and it’s still an extra step.

    I think the best solution will come from 3rd party identity verifiers eventually. You’ll sign in when you get online, and your verified ID will be used to mark you as a person. Sure, that system can be gamed also, but I think it shows promise.

    Two points in favor of CAPTCHAs:

    1. Since I have a comments feed, I feel very strongly that I need to do everything I can to save my readers from spam comments.

    2. Sometimes, that extra step before posting a comment gives a reader just an extra moment to think about whether they really want to go on record with their comment. Also, it provides a moment to think about whether you’ve said all you need to say. I never use the “preview” feature of comments, but I have edited comments I was leaving to either include or delete part of the comment when I noticed something in the preview that usually comes up along with a CAPTCHA.

    One point against:

    I hate having to fill out the CAPTCHA myself when I leave a comment in response on my own blogs! I try to respond to most comments, so I end up having to fill out a lot more CAPTCHAs than I would if I were just commenting elsewhere!

  13. Chris says:

    I’m up for trying anything to combat this scourge, but false positives tend to seriously antagonise your readership in my experience – therefore labour intensive checking it has to be. Plus it hinders the spontaneity of discussion.

    Also, just by looking at the comments on this post you could say that the average commenter of any worth will take a minimum of 3 – 4 minutes thoughtfully constructing his text. How long does it take to fill out a good captcha system? 5 seconds… if that… Not a great deal of time in the scheme of things.

    John – good CMS software will enable the webmaster to comment without filling out captchas.

    There are undoubtedly good and bad captcha systems hence my careful use of the term “good captcha system”. The poorer cousins are a menace – of that I can heartily agree. However, get it right and captchas can be very effective.

  14. Xial (3 comments.) says:

    To Chris:
    I hate filling out CAPTCHA, and I’ll generally not comment on something if forced to fill out a CAPTCHA.

    Many of them are annoying to read, at best, and impossible to read, at worst.

    I hate being forced to fill them out while trying to log in somewhere. I know my username, I know my password, just LET ME LOG IN, right?

    Case in point: I had to log in on a specific website I visit. I’ve already told them of my displeasure with the CAPTCHA they added to the login. I knew my name, and my password, but it took me three tries to get the bloody CAPTCHA right! At 14 seconds a pop, that’s three quarters of a minute wasted on a stupid log in form.
    (I also have a hateboner with requiring javascript to even log in.)

  15. rightwingprof (2 comments.) says:

    After using just about everything to control spam, I installed the auto-shutoff plugin and set it to shut off comments for all posts over 14 days old. It’s worked better than anything else.

  16. lambic (5 comments.) says:

    I considered the auto-shutoff route, but I actually quite like it when someone comes across an old post of mine and decides to comment on it, so I didn’t want to lose that.

  17. evelyn says:

    The problem is, for your average blogger, captcha is actually the simplest and most effective anti-spam tool available. Most blogging softwares have it installed, or as an installable option, and it doesn’t require the person who runs it to do anything.

    I was deleting hundreds of spam each day on my personal blog – personal blog, nothing that draws traffic from anyone but my circle of family and friends. I had several modules that blocked based on known blacklists, but still I was getting hundreds of automated spam. Installed captcha and now I get something spammy through about once a month.

    In a personal situation things are a bit different – no one I know has problems seeing the captcha screen or reading the letters/numbers. And I don’t want to have to worry about needing to approve posts. So it is simple – a couple of seconds for a visitor to decipher the screen and neither of us are bothered by unwanted spam.



Trackbacks/Pingbacks

  1. […] Update: This essay is now up at WLTC, if you like it, go vote for it! […]

  2. […] First off, here’s an interesting article that was linked from the dashboard of my admin panel here. Basically, it explains the way that a lot of spam blockers/catchers work with various blogging systems, and why the premise behind them isn’t such a good thing. Of course you still might say “But (insert spam catcher of choice here) is awesome! It works great!” and it probably does, but this explains why the premise that it works on isn’t so good. […]

  3. […]   CAPTCHAs, who needs them?, this is an article arguing against CAPTCHAs; CAPTCHA refers to those image verifications used to stop spam. […]

  4. […] Now, after reading a post by Mark from Weblog Tools Collection that is mostly disapproving of the image Frankensteins, I am totally convinced that CAPTCHAs actually hinder commenting (or registration, if your site happens to be using it). […]

  5. […] I’ve just come across this article over at web log tools collection and it raises a few interesting points. […]

  6. […] Update: Mark from Weblog Tools Collection has explained in this post that CAPTCHAs are not the ultimate solution for fighting comment spam. His most important points are: […]

  7. […] There is nothing worse than having your email inbox fill up with spam just after you set it up. You need to post your email address on your blog/webpage so that readers/customers can contact you. How can you prevent the spammers from getting it while allowing legitimate users access? WordPress plugins and scripts that use CAPTCHAs are one way. However, they are not so easy to implement on non-PHP pages. And, some CAPTCHA critics claim they deter legitimate users. […]

  8. […] In an earlier post I said that the spread of feed readers was hurting comments on blogs. At Weblog Tools Collection they analyse how harmful the use of CAPTCHAs on blogs is when it comes to generating comments. […]

  9. […] Adding CAPTCHAs also puts an additional barrier in place that could stop a reader posting.  If you really want to check that your poster is human then check out the Math Challenge Plugin that asks a ‘simple’ maths question before a comment is posted.  You can see a similar solution in action at SEOpedia. More: WeblogTools […]

  10. […] point the author of this anti-CAPTCHA essay is that CAPTCHAs aren’t really necessary given the back-end anti-spam solutions for […]

  11. […] this blog the author gives arguments as to why the system of protection against […]

  12. […] this blog author leads arguments as to why the system of protection against bots, called CAPTCHA is not the […]

  13. […] CAPTCHAs, who needs them? […]
