Re: captcha to defeat form spammers


Jukka K. Korpela

Feb 22, 2007, 1:20:45 PM
Scripsit l...@it.snow:

> I wish to use a CAPTCHA to defeat form spammers.

Don't. Google for captcha (perhaps with w3c as extra keyword) to get
enlightened.

If you can't cope with spam without creating problems and obstacles to other
people, like your visitors, stay out of the Internet. TIA.

Not an HTML issue; f'ups narrowed.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/

Tina Peters

Feb 22, 2007, 1:31:09 PM

<l...@it.snow> wrote in message
news:9aert2dp8c8b8svej...@4ax.com...
> I wish to use a CAPTCHA to defeat form spammers. Please can someone
> point me to an easily installable one. Currently I am using NMS
> FormMail Version 3.14c1 which for some reason is newer than the
> version on the SourceForge website which is 3.12. I am getting spammed
> and want to defeat the spammers.
>
> Is there something wrong with the 3.14 release, why have they gone
> back to 3.12 on SourceForge?


http://www.formmailscript.com We went from about 10 to 1 spam/legit
email to zero spam when we started using it.

--Tina


David E. Ross

Feb 22, 2007, 8:36:34 PM
l...@it.snow wrote:
> I wish to use a CAPTCHA to defeat form spammers. Please can someone
> point me to an easily installable one. Currently I am using NMS
> FormMail Version 3.14c1 which for some reason is newer than the
> version on the SourceForge website which is 3.12. I am getting spammed
> and want to defeat the spammers.
>
> Is there something wrong with the 3.14 release, why have they gone
> back to 3.12 on SourceForge?

If you use a CAPTCHA, be sure to provide for the visually handicapped
who might be using an audio browser. CAPTCHAs even create problems for
the dyslexic and colorblind.

--
David E. Ross
<http://www.rossde.com/>

Natural foods can be harmful: Look at all the
people who die of natural causes.

Stan Brown

Feb 23, 2007, 3:40:56 AM
Thu, 22 Feb 2007 13:31:09 -0500 from Tina Peters <ti...@axishost.com>:

> http://www.formmailscript.com We went from about 10 to 1 spam/legit
> email to zero spam when we started using it.

"Simply edit a few bits if information" -- that creates a real sense
of confidence.

The site asks me to spend $10 for the product with no chance to try
it. No thanks.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com/
HTML 4.01 spec: http://www.w3.org/TR/html401/
validator: http://validator.w3.org/
CSS 2.1 spec: http://www.w3.org/TR/CSS21/
validator: http://jigsaw.w3.org/css-validator/
Why We Won't Help You:
http://diveintomark.org/archives/2003/05/05/why_we_wont_help_you

Tina Peters

Feb 23, 2007, 6:20:30 AM

"Stan Brown" <the_sta...@fastmail.fm> wrote in message
news:MPG.2048729f1...@news.individual.net...


> Thu, 22 Feb 2007 13:31:09 -0500 from Tina Peters <ti...@axishost.com>:
> > http://www.formmailscript.com We went from about 10 to 1 spam/legit
> > email to zero spam when we started using it.
>
> "Simply edit a few bits if information" -- that creates a real sense
> of confidence.

If you aren't able to fill in your email address and what you want for the
subject of your email, so the form knows where to send the results
to...then you have more problems than form spam. ;-)


> The site asks me to spend $10 for the product with no chance to try
> it. No thanks.

It's 2 small unencoded php files. Don't be silly.

--Tina


Travis Newbury

Feb 23, 2007, 6:34:44 AM
On Feb 23, 3:40 am, Stan Brown <the_stan_br...@fastmail.fm> wrote:
> Stan Brown, Oak Road Systems, Tompkins County, New York, USA

Ah, another fingerlakeite

Sherm Pendley

Feb 23, 2007, 7:58:43 AM
"Tina Peters" <ti...@axishost.com> writes:

> "Stan Brown" <the_sta...@fastmail.fm> wrote in message
> news:MPG.2048729f1...@news.individual.net...
>> Thu, 22 Feb 2007 13:31:09 -0500 from Tina Peters <ti...@axishost.com>:
>> > http://www.formmailscript.com We went from about 10 to 1 spam/legit
>> > email to zero spam when we started using it.
>>
>> "Simply edit a few bits if information" -- that creates a real sense
>> of confidence.
>
> If you aren't able to fill in your email address and what you want for the
> subject of your email, so the form knows where to send the results
> to...then you have more problems than form spam. ;-)

That's not what Stan was referring to. Gross misspellings like "bits if
information" are not confidence-builders.

>> The site asks me to spend $10 for the product with no chance to try
>> it. No thanks.
>
> It's 2 small unencoded php files. Don't be silly.

For one thing, charging $10 for "2 small unencoded php files" is beyond
silly, and verging on dishonest. It's like charging for "hello world".

For another, they don't even work. That isn't an effective CAPTCHA. The
verification letters are in the clear in the HTML, not embedded in an image;
it would take the stupidest script kiddie spammer about five minutes to
automate a form submission for this form.

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net

Harlan Messinger

Feb 23, 2007, 11:14:43 AM
David E. Ross wrote:
> l...@it.snow wrote:
>> I wish to use a CAPTCHA to defeat form spammers. Please can someone
>> point me to an easily installable one. Currently I am using NMS
>> FormMail Version 3.14c1 which for some reason is newer than the
>> version on the SourceForge website which is 3.12. I am getting spammed
>> and want to defeat the spammers.
>>
>> Is there something wrong with the 3.14 release, why have they gone
>> back to 3.12 on SourceForge?
>
> If you use a CAPTCHA, be sure to provide for the visually handicapped
> who might be using an audio browser. CAPTCHAs even create problems for
> the dyslexic and colorblind.

They can even create problems for normally sighted people without
perceptual disabilities. Oftentimes I have been unable to tell whether a
particular stroke was part of a letter or part of the obfuscation.

Chris Morris

Feb 23, 2007, 11:34:08 AM
Harlan Messinger <hmessinger...@comcast.net> writes:

> David E. Ross wrote:
> > If you use a CAPTCHA, be sure to provide for the visually handicapped
> > who might be using an audio browser. CAPTCHAs even create problems for
> > the dyslexic and colorblind.
>
> They can even create problems for normally sighted people without
> perceptual disabilities. Oftentimes I have been unable to tell whether
> a particular stroke was part of a letter or part of the obfuscation.

Unfortunately for CAPTCHAs, image processing software is able to
defeat any CAPTCHA that might be easy for a person to read... The
eventual consequence will be CAPTCHAs that no-one can read.

Of course, the reason they're a bad idea is encoded into their name. A
Turing test is where a human tries to distinguish between a human and
a computer. Since no computer program has passed the test, no computer
program is qualified to administer the test by definition... (and even
then it'd be the wrong test - automatic isn't necessarily spam, manual
isn't necessarily not spam)

Conversely, a very simply written spamfilter will catch >99.9% of
spam. It's nowhere near as complex a problem as email spam. The big
giveaway is unexpected URL markup in the content, but adding a few
other regex-based tests helps.

--
Chris

Tina Peters

Feb 23, 2007, 5:40:26 PM
"Sherm Pendley" <spam...@dot-app.org> wrote in message
news:m2k5y9v...@local.wv-www.com...

> "Tina Peters" <ti...@axishost.com> writes:
>
> > It's 2 small unencoded php files. Don't be silly.
>
> For one thing, charging $10 for "2 small unencoded php files" is beyond
> silly, and verging on dishonest. It's like charging for "hello world".

If someone needed "hello world" written with instructions, I'd do it for $10
because I need the money. I'm a single mom currently putting 2 kids through
college and a third coming up in 2 years. If I can package and market the
simplest thing, and someone can use it, I will and I make no apologies for
it.


> For another, they don't even work. That isn't an effective CAPTCHA. The
> verification letters are in the clear in the HTML, not embedded in an image;
> it would take the stupidest script kiddie spammer about five minutes to
> automate a form submission for this form.

Yes, it does work. I'm not doubting that it can't be outsmarted and maybe
eventually it will. That said, I'm sure some wise alec is going to
purposely spam me...but we've gone from 10 spams to 1 legitimate email to
ZERO form spams since we started using it. We've been using it for several
months now and NOT ONE spam has made it through. Further, it doesn't have
the same usability issues that true CAPTCHA does.

Is it a perfect solution? No...it's a $10 solution that works and is
incredibly easy for almost anyone to set up and get working.

--Tina


Jonathan N. Little

Feb 23, 2007, 6:10:47 PM
Tina Peters wrote:
<snip>

> Yes, it does work. I'm not doubting that it can't be outsmarted and maybe
> eventually it will. That said, I'm sure some wise alec is going to
> purposely spam me...but we've gone from 10 spams to 1 legitimate email to
> ZERO form spams since we started using it. We've been using it for several
> months now and NOT ONE spam has made it through. Further, it doesn't have
> the same usability issues that true CAPTCHA does.

No it does *not* work! The whole point about CAPTCHA images is that they
are images of characters that a "human" must view and interpret as the
passcode and not trappable text. The font color and style means nothing
to a script!

Not too hard at all to devise a regular expression to extract "9f2bf"
from your script's generated table...

<table border="1" cellpadding="2" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td align="center"><font color="#0000ff" size="3">9</font></td>
<td align="center"><font color="#006633" face="Arial, Helvetica,
sans-serif">f</font></td>
<td align="center"><font color="#330033" face="Times New Roman, Times,
serif" size="3">2</font></td>
<td align="center"><font color="#ff0000">b</font></td>
<td align="center"><font face="Times New Roman, Times, serif"
size="4">f</font></td>
</tr>
</tbody></table>


Your CAPTCHA script is like putting a combination lock on a door with
the combination clearly printed on the lock!

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Sherm Pendley

Feb 23, 2007, 6:27:40 PM

Just for grins...

#!/usr/bin/perl

use strict;
use warnings;

while(<DATA>) {
/">(.)<\/font/ && print $1;
}

__DATA__


<table border="1" cellpadding="2" cellspacing="0" width="100%">
<tbody><tr bgcolor="#ffffff">
<td align="center"><font color="#0000ff" size="3">9</font></td>
<td align="center"><font color="#006633" face="Arial, Helvetica,
sans-serif">f</font></td>
<td align="center"><font color="#330033" face="Times New Roman, Times,
serif" size="3">2</font></td>
<td align="center"><font color="#ff0000">b</font></td>
<td align="center"><font face="Times New Roman, Times, serif"
size="4">f</font></td>
</tr>
</tbody></table>

It took less than a minute to come up with that, and I'm no genius when it
comes to regexen. I wasn't guessing when I said it would take even the
stupidest script kiddie less than five minutes.

Tina, you've convinced yourself this is secure because otherwise you'd have
to admit you were suckered out of $10. Either that or you'd have to admit
you're selling snake oil; It's not clear to me whether you're the crook or
the sucker here.

The *only* reason you haven't gotten any spam yet is that no one has bothered
to try yet. You're not secure, you're just lucky.

Sherm Pendley

Feb 23, 2007, 6:33:05 PM
Sherm Pendley <spam...@dot-app.org> writes:

> Tina, you've convinced yourself this is secure because otherwise you'd have
> to admit you were suckered out of $10. Either that or you'd have to admit
> you're selling snake oil; It's not clear to me whether you're the crook or
> the sucker here.

Okay, cleared that up. Tina's company axishost.com owns the domain where the
snake oil is being sold.

Tina, do you realize that by advertising this as effective spam prevention,
you're opening yourself to liability when (not if) it fails someone, their
server gets swamped, and they get blacklisted as a spammer? At $10 a pop,
how many copies of your snake oil will you need to sell to settle that claim,
and to pay the lawyers?

Darin McGrew

Feb 23, 2007, 6:49:19 PM
Sherm Pendley <spam...@dot-app.org> wrote:
> The *only* reason you haven't gotten any spam yet is that no one has bothered
> to try yet.

Bingo. The effectiveness of such trivial tests depends on each site using a
different test, so it isn't worth the spammers' time to update their
spambots. Encouraging others to use the same trivial test that you use will
ultimately make your test less effective.
--
Darin McGrew, mcg...@stanfordalumni.org, http://www.rahul.net/mcgrew/
Web Design Group, da...@htmlhelp.com, http://www.HTMLHelp.com/

"You can't strengthen the weak by weakening the strong."

Chris Morris

Feb 23, 2007, 7:11:28 PM
Sherm Pendley <spam...@dot-app.org> writes:
> "Jonathan N. Little" <lws...@centralva.net> writes:
> > Not too hard at all to devise a regular expression to extract "9f2bf"
> > from your script's generated table...
>
> Just for grins...

> while(<DATA>) {
> /">(.)<\/font/ && print $1;
> }
>
> It took less than a minute to come up with that, and I'm no genius when it
> comes to regexen. I wasn't guessing when I said it would take even the
> stupidest script kiddie less than five minutes.

Of course not. On the other hand, proof-of-concept code for the "Make
internet users solve image CAPTCHAs for you in exchange for porn" spam tool
was posted years ago and people still use image CAPTCHAs...

> The *only* reason you haven't gotten any spam yet is that no one has bothered
> to try yet. You're not secure, you're just lucky.

Don't knock the "no-one has bothered to try" defence too much. One of
the various spam filters I've written onto a phpBB install does
nothing more than add an extra hidden variable to a form and check
it's submitted. It blocks about a third of spam account registration
attempts and about a fifth of spam posting attempts, and that's from
such a poor defence that most of the attackers bypass it without
realising it's there... Naturally it'd be no good on its own and there
are far more effective ones behind it that block the rest, but it's
interesting how many spammers currently get sufficient
return-on-investment with easily defeatable spam tools that they still
use them!

My point is that a defence of this sort is actually really good *if*
you're the only site that uses it and you're not in the top league of
sites where it's worth working around it solely to break your site's
defences. It's yet another reason why standard CAPTCHAs built into
popular applications are silly - there is a massive benefit to a
spammer from breaking the phpBB CAPTCHA, which is why I assume they
have already and don't even bother activating it myself.

If everyone coded their own test vaguely like the advertised one (but
with different markup, patterns, etc.) it would take them about five
minutes to code and the spammer five minutes to analyse and break. The
problem for the spammer is that this multiplies up to 5
minutes*[number of sites they want to spam] = several months which
makes it rapidly uneconomical for them. When there's thousands of
sites using standardised or no protection, breaking the odd ones out
is uneconomical for them too.

Now, charging $10 for said script is at the very best optimistic and
misguided, since its effectiveness decreases in proportion to the
number of people who buy it, and there are plenty of free alternatives
anyway... $10 for a well-written guide that teaches exactly the
*techniques* needed to write your own unique filters and tests in the
web language of your choice, on the other hand, would probably be
worth paying for.

--
Chris
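
The two server-side checks Chris Morris describes in this thread (a hidden form variable, and regex tests for unexpected URL markup), sketched in Python as an added example that is not part of any poster's message. Signing a timestamp into the hidden field goes beyond his "check it's submitted"; the field names, thresholds and sample submissions are assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a per-site secret that never leaves the server (constructed value).
SECRET = b"constructed-demo-secret"
MIN_AGE = 3      # seconds; a person needs at least this long to type (assumed)
MAX_AGE = 3600   # seconds a served form stays valid (assumed)

# The "big giveaway": link markup where plain text is expected.
LINK_MARKUP = re.compile(r"<\s*a\b[^>]*\bhref\s*=|\[url\b|\[link\b", re.I)
BARE_URL = re.compile(r"\bhttps?://", re.I)
# One assumed "other regex-based test": line breaks in single-line inputs.
LINE_BREAK = re.compile(r"[\r\n]")
SINGLE_LINE_FIELDS = ("name", "email", "subject")  # hypothetical field names


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now):
    """Value for the hidden form field: issue time plus an HMAC over it."""
    ts = str(int(now))
    return ts + ":" + _mac(ts)


def token_problem(token, now):
    """Return a reason string if the hidden field is bad, else None."""
    if not token:
        return "hidden field missing"
    ts, sep, mac = token.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return "hidden field malformed"
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "hidden field forged"
    age = int(now) - int(ts)
    if age < MIN_AGE:
        return "submitted too quickly"
    if age > MAX_AGE:
        return "form expired"
    return None


def check_submission(form, now, max_bare_urls=1):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    problem = token_problem(form.get("token", ""), now)
    if problem:
        reasons.append(problem)
    body = form.get("message", "")
    if LINK_MARKUP.search(body):
        reasons.append("link markup in message")
    if len(BARE_URL.findall(body)) > max_bare_urls:
        reasons.append("too many URLs in message")
    for field in SINGLE_LINE_FIELDS:
        if LINE_BREAK.search(form.get(field, "")):
            reasons.append("line break in " + field)
    return reasons


# Constructed sample submissions, not taken from the thread.
T0 = 1_172_275_200  # arbitrary issue time
LEGIT = {"token": issue_token(T0), "name": "A. Visitor",
         "email": "visitor@example.org", "subject": "Opening hours",
         "message": "Are you open on Sundays? I saw http://example.org/hours"}
BOT = {"name": "x", "email": "x@example.net", "subject": "hi",
       "message": '<a href="http://example.com/a">deal</a> '
                  "[url=http://example.com/b]deal[/url]"}

if __name__ == "__main__":
    print(check_submission(LEGIT, T0 + 40))
    print(check_submission(BOT, T0 + 40))
```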

Stan Brown

Feb 23, 2007, 7:41:19 PM
Fri, 23 Feb 2007 18:33:05 -0500 from Sherm Pendley <spamtrap@dot-app.org>:

> Sherm Pendley <spam...@dot-app.org> writes:
>
> > Tina, you've convinced yourself this is secure because otherwise you'd have
> > to admit you were suckered out of $10. Either that or you'd have to admit
> > you're selling snake oil; It's not clear to me whether you're the crook or
> > the sucker here.
>
> Okay, cleared that up. Tina's company axishost.com owns the domain where the
> snake oil is being sold.

Hah -- I didn't pick up on that. Thanks for posting.

Tina Peters

Feb 23, 2007, 9:42:55 PM

--
Tina Peters
AxisHOST.com, Inc.
Serving the web since 1997


"Sherm Pendley" <spam...@dot-app.org> wrote in message

news:m2r6sgv...@local.wv-www.com...


> "Jonathan N. Little" <lws...@centralva.net> writes:
>
> > Tina Peters wrote:
> > <snip>
> >> Yes, it does work. I'm not doubting that it can't be outsmarted and maybe
> >> eventually it will.


> Tina, you've convinced yourself this is secure....

Read above statement.

--Tina

Tina Peters

Feb 23, 2007, 10:42:06 PM

"Stan Brown" <the_sta...@fastmail.fm> wrote in message
news:MPG.204953ba4...@news.individual.net...

> Fri, 23 Feb 2007 18:33:05 -0500 from Sherm Pendley <spamtrap@dot-app.org>:
> > Sherm Pendley <spam...@dot-app.org> writes:
> >
> > > Tina, you've convinced yourself this is secure because otherwise you'd have
> > > to admit you were suckered out of $10. Either that or you'd have to admit
> > > you're selling snake oil; It's not clear to me whether you're the crook or
> > > the sucker here.
> >
> > Okay, cleared that up. Tina's company axishost.com owns the domain where the
> > snake oil is being sold.
>
> Hah -- I didn't pick up on that. Thanks for posting.


No, it's not a perfect solution and Yes, someone may come along someday and
write a script to get around it. However, isn't that how it goes with just
about everything on the internet?

To anyone dealing with form mail spam, like I was, $10 is a very, very small
price to pay for relief. You can get around *anything* that combats form
mail spam. There is no perfect solution. I've offered something that's been
working for me for several months. Apparently, despite your "snake oil"
witch hunt...several people have put down $10 today for some relief, as
temporary as it may be.

I've made absolutely no attempt to hide the fact that this was MY website.
I've posted several times, with the URL in my sig...and my own ads appear on
the website and, of course, anyone with 1/2 a brain can do a WHOIS on the
domain.

Anyway, I'm going to step out of this thread now. I know how the usenet
mentality works and I prefer to deal with people who enjoy non-combative
conversation. I like the script, so do many others...and I stand by it.

--Tina

http://formmailscript.com


Stan Brown

Feb 24, 2007, 9:21:46 PM
Sat, 24 Feb 2007 20:59:53 +0000 from <l...@it.snow>:
> Can anyone give me a URL for a reputable CAPTCHA which I can use on my
> webpage?

No, no one can give such a URL because CAPTCHA is fundamentally
flawed. It's not just that there are better or worse implementations,
it's that the whole idea is unworkable.

As Jukka said when you started this thread:


> Google for captcha (perhaps with w3c as extra keyword) to get
> enlightened.

I'll go one further and give you a specific URL:
http://www.w3.org/TR/turingtest/

Read that, and stop sighing after flawed concepts. Just like
challenge-response, CAPTCHA is a misguided "solution" to a real
problem.

Philip Baker

Feb 25, 2007, 6:11:31 PM
In article <87wt282...@dinopsis.dur.ac.uk>, Chris Morris
<c.i.m...@durham.ac.uk> writes
That is the obvious solution for 99.9% of cases and so far I have found
it effective. It is the big sites that have the real problem. For
instance Yahoo, that want to block the automated creation of thousands
of accounts which can then be used for nefarious purposes like spamming
Yahoo Groups. What besides CAPTCHA can these sites use?

Day by day I'm getting more depressed with the Internet which seems to
be sinking in a swamp of spam. All the methods being used against it are
just fire-fighting and not getting to the root of the problem.

--
Philip Baker
PJB Software
Thalasson Web Resources

Charlie

Feb 26, 2007, 12:30:20 AM
Are you the same Tina from the old WebServePro days? Once upon a time, I had
my hosting through them (dccomm). But when another company managed to take
over, the customer service went through the floor and I had to find another
host - not only that, but I was unable to get the transfer information for
my domain (it had been locked), so I had to register a new one. If you are
the same Tina, let me know and I will send some business to Axis. The
customer service at the original WebServePro was great.

Charlie


Tina Peters

Feb 26, 2007, 2:53:24 AM

"Charlie" <None> wrote in message
news:45e27211$0$23498$baae...@news.mindlink.net...

Hey Charlie. WebServePro...wow. That brings me back almost a decade! I
just tried to take a look at their website, for old times' sake, and it seems
to be down.

Anyway, yeah....axishost.com is mine. :-)

--Tina

Neredbojias

Feb 26, 2007, 11:48:04 AM
On Fri, 23 Feb 2007 12:58:43 GMT Sherm Pendley scribed:

> "Tina Peters" <ti...@axishost.com> writes:
>
>> "Stan Brown" <the_sta...@fastmail.fm> wrote in message
>> news:MPG.2048729f1...@news.individual.net...
>>> Thu, 22 Feb 2007 13:31:09 -0500 from Tina Peters
>>> <ti...@axishost.com>:
>>> > http://www.formmailscript.com We went from about 10 to 1
>>> > spam/legit email to zero spam when we started using it.
>>>
>>> "Simply edit a few bits if information" -- that creates a real sense
>>> of confidence.
>>
>> If you aren't able to fill in your email address and what you want
>> for the subject of your email, so the form knows where to send the
>> results to...then you have more problems than form spam. ;-)
>
> That's not what Stan was referring to. Gross misspellings like "bits
> if information" are not confidence-builders.
>
>>> The site asks me to spend $10 for the product with no chance to try
>>> it. No thanks.
>>
>> It's 2 small unencoded php files. Don't be silly.
>
> For one thing, charging $10 for "2 small unencoded php files" is
> beyond silly, and verging on dishonest. It's like charging for "hello
> world".

Hah! You ought to try a few of those (many) "unlimited music download"
sites which pop up in Google searches for d/l-able music. Some actually
charge for the "privilege" of downloading a _freeware_ music-sharing
program! Yeah, I got suckered once - because I didn't read carefully
enough, perhaps. I was looking for sites that charged on a per song
basis, not for whole cds.

> For another, they don't even work. That isn't an effective CAPTCHA.
> The verification letters are in the clear in the HTML, not embedded in
> an image; it would take the stupidest script kiddie spammer about five
> minutes to automate a form submission for this form.
>
> sherm--
>

--
Neredbojias
He who laughs last sounds like an idiot.

Charlie

Feb 27, 2007, 12:29:16 AM

"Tina Peters" <ti...@axishost.com> wrote in message
news:ZlwEh.182$uk6...@newsfe05.lga...

Wish I'd have known that prior to signing with my current host. Not that they
are bad, as a matter of fact, I like them. But I did appreciate the
WebServePro staff's willingness to help (on the three or so times I needed
it in the few years I was there). The folks at Net1 managed to ruin what, at
one time, was a good thing. Anyway, I will definitely send you some business
in the future. Good to see you around again.

Charlie

