North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Captchas was Re: ISP wants to stop outgoing web based spam

  • From: Simon Waters
  • Date: Wed Aug 16 04:23:29 2006

On Wednesday 16 Aug 2006 01:13, Paul Jakma wrote:
> On Thu, 10 Aug 2006, Simon Waters wrote:
> > I've no doubt some captcha can be invented in ASCII, but this isn't
> > it.
> 'tis. It works for at least one blog platform, where I've never once
> had comment spam.

You snipped the bit where I said "It would work for a minority use."

I'm sure it works fine for just you, but it doesn't scale, so the folks at 
Nanog probably don't care.

The reason people use image recognition is it is something (most) humans find  
very easy, but requires considerable investment of effort (or resource for 
self training) to teach computers, and readily permits of variations ('click 
the kitten' being a good example).

For a demonstration of bashing at ASCII captchas try any good chat bot.

I asked the online bot at your question:

"What is 2 added to 23?"

Ellaz replied;

"I can tell you that 2, plus 23, is equal to 25"

I hope your parser can recognise that as a valid answer, otherwise you'll have 
trouble with humans failing the test. Although for blog comments, excluding 
stupid, or overly verbose humans may not be a bad idea, I just get the 
feeling some days I'd never get to comment on anyones blog.

I thought maybe spice it up a little;

Simon: "What is the square root of -1?"
Ellaz: "Hey Hey!  You cannot take the square root of a negative number.  That 
gives an imaginary number, and I don't go there."

(Spot the canned response).

Shucks. Unfortunately Ellaz bot isn't terribly good at non-maths questions, 
but I think it makes the point well enough. 

The reason no one defeated your text captcha was probably because no one 
tried, but that won't remain the case if it gets popular. We are locked in 
another arms race here. At the moment greylisting kills most of your email 
spam, and any captcha (even ones for which programs exists for, and which 
score better than humans) will kill most of your blog spam, but don't expect 
them to last as a defence, just as greylisting is slowly crumbling. The real 
solution is to break the monoculture, and have more security at the leaf 
nodes, but someone already started that thread (again).

Although possibly the mistake is to assume you can distinguish between humans, 
and computers on the basis of intelligence. It isn't reliably possible to do 
this yet, but give it a few years and you'll know that if a site asks for all 
the integer solutions of a given quintic equation, it is probably not that 
interested in comments from apes, except perhaps the most exceptional apes.