ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Test my captcha

August 01, 2008 10:21pm

  • #1 / Aug 01, 2008 10:21pm

    Aquillyne

    76 posts

    I know this isn’t directly CI-related, but I thought I’d ask anyway cos you’re all rather good!

    I’ve made a script that generates a captcha. I want to test how good that captcha is. Do any of you know any programs or web services that test captchas? That is, programs/services which try to bust them, read them, OCR them, etc?

    Thanks.

  • #2 / Aug 02, 2008 5:38pm

    Aquillyne

    76 posts

    Anyone?

  • #3 / Aug 02, 2008 9:42pm

    SpooF

    170 posts

    You could try Whats my Font

    http://www.myfonts.com/WhatTheFont/

    It’s not designed to bust captchas, but it does read images for recognizable letters.

  • #4 / Aug 02, 2008 10:19pm

    Aquillyne

    76 posts

    Problem with those services is they’re just AWFUL captcha breakers. They can’t beat even the simplest.

  • #5 / Aug 02, 2008 11:40pm

    Randy Casburn

    997 posts

    So you post…you wait less than 24 hours to BUMP your own post 😕  and then when someone offers you any sort of kind help at all… you crap on what they say. 😡

    Hey spoof—Thanks for being a good sport!

  • #6 / Aug 03, 2008 9:45am

    Aquillyne

    76 posts

    You’re hilarious Randy, you’ve got yourself really worked up over me. Quit the hate campaign now?

  • #7 / Aug 03, 2008 10:40am

    Aquillyne

    76 posts

    Okay okay, forget online captcha testers—what do you guys think? Both are generated by parameters to a captcha library.

    N.B. The preview image below is smaller and lower quality than the proper image - click on it.

  • #8 / Aug 03, 2008 1:29pm

    Scriptor

    51 posts

    The left one is just slightly more human-readable than the right one, but that might just be the choice of numbers.
    Instead of captchas, a better technique is where you have an input field that’s hidden through css (not through type=‘hidden’). Since the user can’t see it, he/she won’t fill it out, but a bot doesn’t realize that and still fills it out. Then the script just checks if the field is filled out, and if it is you know you’ve got a bot.
    Much simpler, and it doesn’t rely on a human user doing anything extra.

  • #9 / Aug 03, 2008 10:04pm

    Aquillyne

    76 posts

    The left one is just slightly more human-readable than the right one, but that might just be the choice of numbers.
    Instead of captchas, a better technique is where you have an input field that’s hidden through css (not through type=‘hidden’). Since the user can’t see it, he/she won’t fill it out, but a bot doesn’t realize that and still fills it out. Then the script just checks if the field is filled out, and if it is you know you’ve got a bot.
    Much simpler, and it doesn’t rely on a human user doing anything extra.

    Thanks for that. The advice with the CSS-hidden field is very, very interesting. I think I’ll add that to what I’m already doing. Very clever, I like it. But the details of it? Should I just add a load of random input boxes and hide them? Or name them specifically?

  • #10 / Aug 03, 2008 10:28pm

    Pascal Kriete

    2589 posts

    Certainly not a load of them, one works well enough.

    /* CSS */
    #not_here {
        display: none;
    }

    <!-- Input -->
    <input name="vanish" type="text" id="not_here" />

    And then just check to make sure it’s blank.

    // A real browser submits the CSS-hidden field empty; any other value is treated as a bot.
    if ($this->input->post('vanish') !== '')
    {
        log_message('info', 'Spam submission by: '.$this->input->ip_address());
        exit;
    }

    It really depends on the amount of spam you’re getting.  A simple bot will be stopped by the above.  Something targeted directly at your site will have no problems getting through.  If someone is desperate enough, they will get their spam in somehow, even if they have to do it manually.

    You’ll need to assess how much of a target your site is.  My approach is to start with something very user-friendly (captchas just aren’t), and make it more challenging if/when the amount of spam increases.

    A blacklist and/or a system like akismet can do wonders without affecting the end-user.

  • #11 / Aug 03, 2008 11:18pm

    Scriptor

    51 posts

    It really depends on the amount of spam you’re getting.  A simple bot will be stopped by the above.  Something targeted directly at your site will have no problems getting through.

    Exactly, of course for this to happen someone would have to know enough about your form and the input fields to edit their bot appropriately. Unless you have some very popular, high-traffic website, I doubt spammers would spend that much effort and time, so this method should work. I’ve read some blog posts about implementing this, and they all stated complete elimination of spam.

    If you do run into problems, remember to give the name and id of the anti-spam field values that aren’t obvious to the bot. So ‘antispam’ might not work, but ‘country’ or ‘zip code’ could.

  • #12 / Aug 04, 2008 8:35am

    Mark Skilbeck

    26 posts

    Captchas are the single most annoying thing I have come across on the internet, apart from people saying ‘I could care less’, of course.

    The captcha you supplied on the right would just infuriate me.

    PS: You could care less?

  • #13 / Aug 04, 2008 6:37pm

    Aquillyne

    76 posts

    I should clarify. My captcha is on a login form, to access a restricted area. The password alone isn’t enough because I want to stop people trying a hundred passwords with a bot.

  • #14 / Aug 04, 2008 6:56pm

    SpooF

    170 posts

    If that’s all you’re trying to do, I would only give them 3 attempts an hour. If they fail the three times then an email is sent to the email on record and notifies the user. Provide a link in the email that will allow for the password attempts to be reset. Also a link for password recovery (just to make it easier on the user than searching the site for a link).

    You could even take it a step further and deactivate the account for login if “user” goes over the login attempts. Then require the user to reactivate it via a link in an email. This approach stops bots that change IPs.
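
The attempt limit described in #14, sketched as an added example (not code from the thread or from CodeIgniter): failures are counted per account, and the third failure inside an hour locks the account and yields a token for the e-mailed reset link. The class name, the in-memory storage and the sample username are assumptions, and the login code is assumed to call isLocked() before it checks the password.

```php
<?php
// Added example, not code from the thread: per-account login throttle.
// State lives in memory so the file runs stand-alone; use a DB table in practice.
const MAX_FAILURES = 3;       // "3 attempts an hour"
const WINDOW_SECONDS = 3600;

final class LoginThrottle
{
    private array $failures = [];     // username => list of failure timestamps
    private array $resetHashes = [];  // username => sha256 of the e-mailed token

    public function isLocked(string $user, int $now): bool
    {
        $recent = array_filter($this->failures[$user] ?? [],
            fn(int $t): bool => $t > $now - WINDOW_SECONDS);
        $this->failures[$user] = array_values($recent);
        return count($recent) >= MAX_FAILURES;
    }

    // Returns a reset token to e-mail when this failure triggers the lock, else null.
    public function recordFailure(string $user, int $now): ?string
    {
        if ($this->isLocked($user, $now)) {
            return null;              // already locked: no second e-mail
        }
        $this->failures[$user][] = $now;
        if (!$this->isLocked($user, $now)) {
            return null;
        }
        $token = bin2hex(random_bytes(16));
        $this->resetHashes[$user] = hash('sha256', $token);
        return $token;
    }

    public function reset(string $user, string $token): bool
    {
        $expected = $this->resetHashes[$user] ?? '';
        if ($expected === '' || !hash_equals($expected, hash('sha256', $token))) {
            return false;
        }
        unset($this->failures[$user], $this->resetHashes[$user]);
        return true;
    }
}

// Constructed scenario: three bad passwords for one account from any address.
$throttle = new LoginThrottle();
$token = null;
foreach ([0, 10, 20] as $offset) { $token = $throttle->recordFailure('alice', 1217875000 + $offset); }
var_dump($throttle->isLocked('alice', 1217875030), $throttle->reset('alice', $token));
```

Because the counter is keyed on the username and not on the client address, rotating addresses does not reset it. The same property lets anyone who knows a username lock that account, which is why the e-mailed reset link is a required part of the scheme.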

  • #15 / Aug 04, 2008 7:37pm

    llbbl

    324 posts

    I like the http://recaptcha.net/ project.

    The hidden form field as they describe is a good way to go also.

    The CI captcha library is pretty good, looks like you’re using something different though.
