Posted in security on 3 January 2007
by Andrew Lang 

How Spam-proof Are CAPTCHAs?

Background info: CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". You see one when you fill in an online form that asks you to enter a security code just before submitting (just like the attached example).

They are quite a solid way of keeping spam robots from completing your forms and leaving loads of deliberately misspelled porn text, or something even more bizarre (complete with links), on your site. When your site ranks in the top 10 in Google for "v1agra pill z", you know you need a CAPTCHA on your website forms.

But are they 100% spam-proof? Programs/bots are still capable of downloading the image and at least attempting to read it.

With that in mind, someone has created an HTML-based (not image) CAPTCHA.

"rangeva writes to tell us about a twist he has developed on the common Captcha technique to discourage spam bots: HECs encode the Captcha image into HTML, thus presenting an unsolved challenge to the bots' programmers. From the writeup: 'The Captcha is no longer an image and therefore not a resource they can download and process. The owner of the site can change the properties of the Captcha's HTML, making it unique,... add[ing] another layer of complication for the bot to crack.' HECs are not exactly lightweight (the one on the linked page weighs in at 218K), but this GPL'd project seems like a nice advance on the state of the art."
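The idea described in the quote above, sketched from the site owner's side as an added example (this is not the HEC project's code): the challenge is emitted as an HTML table with one cell per pixel and per-cell colour variation, and the answer is checked server-side with a single-use token. The 3x5 digit font, the function names and the in-memory `PENDING` store are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed 3x5 bitmap font (15 bits per digit, row-major); sample data for this example.
FONT = {"0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
        "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
        "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
        "9": "111101111001111"}
RNG = secrets.SystemRandom()
PENDING = {}  # token -> expected answer (assumption: a real site would use its session store)


def rasterize(text):
    """Return 5 rows of 0/1 pixels, with one blank column after each glyph."""
    rows = [[] for _ in range(5)]
    for ch in text:
        bits = FONT[ch]
        for r in range(5):
            rows[r] += [int(b) for b in bits[3 * r:3 * r + 3]] + [0]
    return rows


def render_hec(text, cell_px=4):
    """Encode the challenge as an HTML table: one <td> per pixel, no image resource."""
    out = ['<table cellspacing="0" cellpadding="0">']
    for row in rasterize(text):
        cells = []
        for on in row:
            # Per-cell colour jitter: dark shades for ink, light shades for background.
            shade = RNG.randrange(0, 80) if on else RNG.randrange(176, 256)
            cells.append(f'<td style="width:{cell_px}px;height:{cell_px}px;'
                         f'background:#{shade:02x}{shade:02x}{shade:02x}"></td>')
        out.append("<tr>" + "".join(cells) + "</tr>")
    return "".join(out) + "</table>"


def new_challenge(length=5):
    """Create a challenge; only the token and the HTML are sent to the browser."""
    answer = "".join(RNG.choice("0123456789") for _ in range(length))
    token = secrets.token_urlsafe(16)
    PENDING[token] = answer
    return token, render_hec(answer)


def verify(token, submitted):
    """Single-use check: the token is consumed whether or not the answer matches."""
    expected = PENDING.pop(token, None)
    return expected is not None and hmac.compare_digest(expected.encode(), submitted.encode())
```

Every pixel costs a full `<td>` element of more than 50 bytes in this sketch, which shows why the markup for a realistically sized challenge becomes heavy.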
