If you run a vBulletin-based forum, you might have noticed a BIG influx of spam in the past few days. Spammers are no longer slowed by the vBulletin CAPTCHA, and according to Slashdot, aren’t slowed by a variety of others, either.
For years, CAPTCHAs have been getting more and more complex in order to stop the bots. However, I think we’ve reached the end of that road. They’re already too difficult for most humans to get on the first try, and making them more difficult will only serve to frustrate more users. So what can you do?
I have an answer for today, and an idea for the future. The answer today is to use a “question and answer” type CAPTCHA, which many sites already use. The key is to use the right kind of question. Rather than asking something generic like “what is 3+1”, ask something that can only be found on your site, like “In our site title at the top of the screen, what is the second letter?”. It’s still painfully obvious for a human, but much more difficult for a bot. If your script can handle it, write a variety of questions and answers to help keep the bots thrown off.
Going forward, I’d love to see the questions put into a CAPTCHA-style box (embedded in an image). Doing that would add another step to the spammers job, but would still leave it quite easy for a user.
Picture this. You have:
- 10 questions in rotation
- When a bot visits the site, they are presented with one embedded in an image.
- They need to decipher this very long image (50-100 characters, instead of 6-8).
- Now that it’s deciphered, they need to look at your site and do what it says.
While bots could certainly start keeping a database of answers for various sites, you can just change your bank of Q&As from time to time to stay ahead. This also would eliminate the popular technique of showing CAPTCHAs to users on another site in order to break into yours. For example, a bot might go to your site, pull the CAPTCHA you showed them, show it to visitors on a porn site (“fill out this captcha to see the next page!”), then get into yours. If the CAPTCHA contained a question that could only be answered by someone on your site, that problem goes away.
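To make the site-specific Q&A idea and the rotating question bank concrete, here is an added example (not code from the original post, and not vBulletin's or phpBB's own CAPTCHA code). It assumes a hypothetical site title of “Example Forum”, derives every answer from that title so the bank rotates whenever the title or the generators change, and binds the question shown to an HMAC-signed, expiring, single-use token so the server can tell which question it asked and a harvested challenge cannot be replayed. The in-memory nonce set and per-process secret are stand-ins for a shared store and a persisted key; rendering the question into an image is left out.

```python
import base64
import hashlib
import hmac
import json
import os
import re
import secrets
import time

# Constructed values: a real deployment loads these from its configuration.
SITE_TITLE = "Example Forum"      # hypothetical forum title
SERVER_SECRET = os.urandom(32)    # per-process here; persist it across restarts in production
TOKEN_TTL_SECONDS = 600           # a challenge must be answered within ten minutes


def build_question_bank(site_title):
    """Derive site-specific questions and answers from the site's own content.

    Because each answer is computed from the title, changing the title or adding
    a generator rotates the bank without maintaining a static answer list.
    """
    letters = site_title.replace(" ", "")
    words = site_title.split()
    return [
        ("In our site title at the top of the screen, what is the second letter?", letters[1]),
        ("In our site title at the top of the screen, what is the last letter?", letters[-1]),
        ("How many words are in our site title at the top of the screen?", str(len(words))),
        ("What is the first word of our site title at the top of the screen?", words[0]),
        ("What is the last word of our site title at the top of the screen?", words[-1]),
    ]


QUESTION_BANK = build_question_bank(SITE_TITLE)
_used_nonces = set()  # single-use record; use a shared cache or DB when running several workers


def normalize(answer):
    """Fold case, collapse whitespace and drop surrounding quotes and punctuation,
    so 'Forum', ' forum.' and '"FORUM"' all compare equal."""
    text = re.sub(r"\s+", " ", answer.strip().lower())
    return text.strip(" .,!?\"'")


def _sign(payload_b64):
    return hmac.new(SERVER_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Pick a question at random and return (question_text, token).

    The token carries the question index, a fresh nonce and an expiry, all
    HMAC-signed, so no session state is needed to remember which question was asked.
    """
    now = time.time() if now is None else now
    idx = secrets.randbelow(len(QUESTION_BANK))
    payload = {"q": idx, "n": secrets.token_hex(16), "exp": int(now + TOKEN_TTL_SECONDS)}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return QUESTION_BANK[idx][0], payload_b64 + "." + _sign(payload_b64)


def verify_answer(token, answer, now=None):
    """Return True only for an authentic, unexpired, never-before-seen token whose
    question the submitted answer matches. Every attempt burns the token, so one
    challenge cannot be used to try each answer in the bank in turn."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return False  # forged or tampered token
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    if now > payload["exp"]:
        return False  # stale challenge
    if payload["n"] in _used_nonces:
        return False  # replayed token
    _used_nonces.add(payload["n"])  # burn it regardless of the outcome below
    expected = normalize(QUESTION_BANK[payload["q"]][1]).encode()
    return hmac.compare_digest(normalize(answer).encode(), expected)


if __name__ == "__main__":
    question, token = issue_challenge()
    print(question)
    print("accepted:", verify_answer(token, input("Answer: ")))
```

Two choices matter here. The nonce is burned on every verification, not only on success, so a wrong guess costs the submitter a fresh challenge instead of letting them cycle through every answer in the bank against one token. And the answers are normalized before a constant-time comparison, which keeps the check forgiving for humans who add a period or capitalize without widening what a bot can pass.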
The problem of spamming will never go away, but we need to work hard to stay ahead of the spammers.
Anthony Lovell says
I am using phpBBS, and have been over 2 years without a spam registrant. My secret? I altered the size of the CAPTCHA image, altered its URL, and edited a few HTML elements that surround it. The spiders that pluck out these images have a unique challenge, and they drop dead. Prior to effecting this change on my site, I was being badly abused.
I don’t even use email confirmation. It’s bulletproof because I’m different and a small target. If everyone took similar aims, and the packages that rely on CAPTCHA offered an easier means by which those deploying these web technologies could confront hackers with a dizzying landscape of diversity, we’d all be better off.