Alternatives to CAPTCHAing users

CAPTCHA is a method designed to prevent automated programs from submitting information to a website.  It can help prevent these malicious programs from registering with sites, posting spam comments or getting up to other undesirable activity.  CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.  It works by requiring the user to enter a code displayed within an image.  Images are usually distorted to prevent programs from using image recognition software to recognise the codes.  This can also make it difficult for users to accurately work out what characters are displayed.  For example, the following completely illegible CAPTCHA image appeared on Flickr.


These images are becoming more and more difficult to decipher because the programs used to place spam become more sophisticated in order to overcome the obstacles placed in their way.  Gmail, Yahoo and Hotmail have all had their CAPTCHA images broken by spammers, and although it is fairly easy to present an image in a different way, it does mean the images have to be fairly obscure.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers

This method is fairly widely used on the internet but places the emphasis on the user to prove they are not a computer program.  There are alternatives to this approach.  For instance, Akismet looks at content submitted to a web site and assesses it against various criteria to determine whether it is likely to be spam.  Flagged content can then be reviewed by the administrator.  Similarly, anti-spam programs can be used to filter out spam sent from contact forms rather than making it more difficult for customers to contact you.

Honey pots are another method that can be used on forms to help prevent submissions from malicious programs.  This involves placing extra fields within a form that will be invisible to your users.  As the programs do not view pages in the same way as users, they tend to complete these fields, meaning you can reject these submissions.  Ned Batchelder’s article Stopping spambots with hashes and honeypots covers the use of honey pots to prevent spam in more detail.  It also indicates how to make things even more difficult for automated spam programs by randomising field names and using the submitter’s IP address to prevent automatic submissions from groups of machines.
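The sketch below is an added example, not code from this post or from Ned Batchelder's article. It shows one way to combine a hidden honey pot field with per-request randomised field names tied to the submitter's IP address; the secret, the field names, the one-hour lifetime and the sample addresses are all constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: per-site secret, server-side only
MAX_AGE = 3600                        # assumption: a rendered form is valid for one hour
FIELDS = ("name", "comment", "website")
HONEYPOT = "website"                  # rendered in the page but hidden from people with CSS

def _mac(*parts):
    """Keyed hash over the given strings, shortened for use as a field name."""
    msg = "|".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def _field_names(spinner):
    """Map each real field name to its randomised name for this form instance."""
    return {f: _mac("field", f, spinner) for f in FIELDS}

def render_form(client_ip, now=None):
    """Return (hidden inputs, real name -> randomised name) for one page view."""
    ts = str(int(time.time() if now is None else now))
    spinner = _mac("spinner", ts, client_ip)
    return {"ts": ts, "spinner": spinner}, _field_names(spinner)

def check_submission(post, client_ip, now=None):
    """Return (True, cleaned data) or (False, reason) for a posted form."""
    now = time.time() if now is None else now
    ts, spinner = post.get("ts", ""), post.get("spinner", "")
    expected = _mac("spinner", ts, client_ip)
    # Fails if the values were forged or the form is replayed from another address.
    if not hmac.compare_digest(spinner.encode(), expected.encode()):
        return False, "spinner mismatch"
    # ts is trustworthy here because the keyed hash above covered it.
    if not 0 <= now - int(ts) <= MAX_AGE:
        return False, "form expired"
    names = _field_names(spinner)
    # People never see this field, so any content in it came from a program.
    if post.get(names[HONEYPOT], "").strip():
        return False, "honeypot filled"
    return True, {f: post.get(names[f], "") for f in FIELDS if f != HONEYPOT}
```

Because the field names change with every page view, a program cannot learn once which input is the honey pot and skip it on later submissions.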

These methods can do a lot to help minimise misuse of your site by malicious programs.  However, to some extent it will depend on the value of your site to spammers.  Gmail, Yahoo and Hotmail have seen their CAPTCHA images broken as it is worth the effort in order to get large numbers of programs automatically registering email accounts and sending spam.  Honey pots on their own will be easier to overcome if there is good reason to do so, although Ned Batchelder’s full method is likely to be more difficult.  You can reduce the value of overcoming your defences by doing things such as using nofollow links in comments on your site so they will not improve search engine rating.

The main thing is not to use CAPTCHA indiscriminately on forms.  There may be some situations where it is useful, particularly if the returns for beating your defences are significant.  However, in the majority of cases you are creating a barrier for the people using your site.
