North American Network Operators Group
Re: Captchas was Re: ISP wants to stop outgoing web based spam
On Wednesday 16 Aug 2006 01:13, Paul Jakma wrote:
> On Thu, 10 Aug 2006, Simon Waters wrote:
> > I've no doubt some captcha can be invented in ASCII, but this isn't
> > it.
>
> 'tis. It works for at least one blog platform, where I've never once
> had comment spam.

You snipped the bit where I said "It would work for a minority use."

I'm sure it works fine for just you, but it doesn't scale, so the folks at Nanog probably don't care.

The reason people use image recognition is it is something (most) humans find very easy, but requires considerable investment of effort (or resource for self training) to teach computers, and readily permits of variations ('click the kitten' being a good example).

For a demonstration of bashing at ASCII captchas try any good chat bot.

I asked the online bot at ellaz.com your question:

"What is 2 added to 23?"

Ellaz replied;

"I can tell you that 2, plus 23, is equal to 25"

I hope your parser can recognise that as a valid answer, otherwise you'll have trouble with humans failing the test. Although for blog comments, excluding stupid, or overly verbose humans may not be a bad idea, I just get the feeling some days I'd never get to comment on anyone's blog.

I thought maybe spice it up a little;

Simon: "What is the square root of -1?"

Ellaz: "Hey Hey! You cannot take the square root of a negative number. That gives an imaginary number, and I don't go there."

(Spot the canned response). Shucks.

Unfortunately Ellaz bot isn't terribly good at non-maths questions, but I think it makes the point well enough. The reason no one defeated your text captcha was probably because no one tried, but that won't remain the case if it gets popular.

We are locked in another arms race here. At the moment greylisting kills most of your email spam, and any captcha (even ones for which programs exist, and which score better than humans) will kill most of your blog spam, but don't expect them to last as a defence, just as greylisting is slowly crumbling.

The real solution is to break the monoculture, and have more security at the leaf nodes, but someone already started that thread (again).

Although possibly the mistake is to assume you can distinguish between humans, and computers on the basis of intelligence. It isn't reliably possible to do this yet, but give it a few years and you'll know that if a site asks for all the integer solutions of a given quintic equation, it is probably not that interested in comments from apes, except perhaps the most exceptional apes.
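
The answer-parsing problem raised in the message above, as an added example that is not part of the original post: a Python checker for an arithmetic text captcha that accepts verbose replies such as the quoted Ellaz one, and rejects replies that simply list several numbers. The function names, the number-word table and the sample replies other than the two quoted strings are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Number words up to 99: enough for the small sums a text captcha asks (assumed scope).
_UNITS = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
_TENS = {w: 10 * i for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)}


def numbers_in(text):
    """Return every non-negative integer in text, written as digits or words."""
    found, tens = [], None  # tens: a tens word waiting for an optional unit
    for tok in re.findall(r"\d+|[a-z]+", text.lower()):
        if tens is not None:
            if 1 <= _UNITS.get(tok, 0) <= 9:
                found.append(tens + _UNITS[tok])  # "twenty-five" -> 25
                tens = None
                continue
            found.append(tens)
            tens = None
        if tok.isdigit():
            found.append(int(tok))
        elif tok in _TENS:
            tens = _TENS[tok]
        elif tok in _UNITS:
            found.append(_UNITS[tok])
    if tens is not None:
        found.append(tens)
    return found


def check_answer(question, reply, expected):
    """Accept a reply that commits to exactly one number beyond the operands
    it echoes back from the question, and that number is the expected one."""
    nums = numbers_in(reply)
    if nums == [expected]:  # bare answer, even if it equals an operand
        return True
    leftover = Counter(nums) - Counter(numbers_in(question))
    return sum(leftover.values()) == 1 and leftover[expected] == 1


QUESTION = "What is 2 added to 23?"  # question quoted in the message
ELLAZ = "I can tell you that 2, plus 23, is equal to 25"  # reply quoted there

if __name__ == "__main__":
    for reply in (ELLAZ, "25", "twenty-five", "23", "24 25 26"):  # rest constructed
        print(repr(reply), check_answer(QUESTION, reply, 25))
```

The checker accepts the Ellaz reply, so it solves the verbose-human problem but says nothing about whether a person typed the answer.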