PHP coder sought
Post removed (X-No-Archive: yes)
Re: PHP coder sought
Post removed (X-No-Archive: yes)
Re: PHP coder sought
At Wed, 09 May 2007 15:28:09 +0000, David Gillen let his monkeys type:
> let [at] it.snow said:
>>>> When one of your 'close to 60' customers finally wakes up and realizes
>>>> how they've been scammed, I would suggest you give them a link to a real
>>>> CAPTCHA, with real security. Luckily, quite a few of them are available
>>>> for free; for example, QuickCaptcha:
>>>> <http://www.web1marketing.com/resources/tools/quickcaptcha/>.
>>>
>>
> FYI, most captchas out there have been broken, and the ones that haven't more
> often than not throw up something which is completely illegible to the end
> user.
>
> D.
By broken, do you mean someone OCR'ed the contents of the random captcha
images, or was able to link the form data to the correct captcha
string? I agree quite a few captchas are like lotteries, completely
illegible. But I've not seen many live examples of successful
captcha-cracking based on image scanning.
In reality, it all depends of course how big the target audience is. I've
made sites using simple 'what's ONE plus ELEVEN' type checking that never
have been compromised, probably simply because the benefits don't
outweigh the work involved.
As an addition/alternative to captchas, consider utilities like Bad
Behaviour or similar, that analyze the http requests and compare them to
known, blacklisted ones.
Another, more advanced captcha idea (somehow hasn't become popular - yet)
is based on man's incredible ability to recognize and match known faces,
even if they differ hugely in separate images. (same reason we see faces
in clouds, the burn pattern on our pizza bottom, or the marble tiles in
the loo.) I know serious experiments have been undertaken years ago
already to replace PIN-code based teller machines with a set of memorized
faces. Far easier to remember, and almost impossible to share with others.
Sh.
Re: PHP coder sought
<comp.lang.php>
<David Gillen>
<09 May 2007 15:28:09 GMT>
<slrnf43q47.mct.Belial [at] murphy.redbrick.dcu.ie>
> most captchas out there have been broken, and the ones that haven't more
> often than not throw up something which is completely illegible to the end
> user.
>
www.freeviewepg.co.uk/cap.jpg
One of the main tricks is writing your own, as the above demo image
codes show.
- different background images
- different squares/stars/hexagons used for the digits
- different top left x y co-ords
Ain't had a single piece of spam yet & I can only assume users don't have
any problem with the readability as nobody has ever said anything.
...... toby will be along shortly to say it's shite of course and that he
can do it better.
Re: PHP coder sought
On May 10, 2:56 am, l... [at] it.snow wrote:
> >> When one of your 'close to 60' customers finally wakes up and realizes
> >> how they've been scammed, I would suggest you give them a link to a real
> >> CAPTCHA, with real security. Luckily, quite a few of them are available
> >> for free; for example, QuickCaptcha:
> >> <http://www.web1marketing.com/resources/tools/quickcaptcha/>.
>
> >I have been waiting for a link like this for ages. Always meaning
> >to investigate it. Thanks for posting this, Leif.
>
> Can someone help me integrate this Quickcaptcha with my two contact
> forms? This should be a really easy job and I'm willing to pay US$ 50
> by PayPal for the work. I'm not a PHP coder so I'd be unable to do the
> job myself.
>
> Please respond to furrine... [at] hotmail.com
rentacoder.com
Flamer.
Re: PHP coder sought
Krustov wrote:
> ..... toby will be along shortly to say it's shite of course and that he
> can do it better.
Well, if you insist. "It's shite." Happy now? I won't claim that I "can do
it better", because doing it *at all* lowers one to the level of snails and
toads and other slimy vermin.
OK, perhaps not quite, but most CAPTCHAs fall foul of anti-discrimination
laws in many jurisdictions, as they fail to make allowances for people
using screen readers or braille terminals. They can also be a problem for
the colourblind.
Even users with perfect eyesight find it annoying to have to enter a
random string of letters and numbers for, seemingly to them, no reason.
Better alternatives to comment and contact form spam exist. Both comments
and contact forms are types of communications -- they often include a
subject, almost always include a body, they usually include a sender's
name and e-mail address, and we can determine the originating IP address.
Now, how does all that information sound familiar? Oh yes -- it's the same
sort of information that an e-mail message carries.
There are several very good pieces of software for detecting e-mail spam
(SpamAssassin is one), often with a 95%+ catch rate, and few, if any,
false positives. All your server-side script needs to do is reformat an
incoming message as an e-mail (contact forms generally do this anyway!),
adding the sender's name and address in the From header, their IP address
as a Received header, their User-Agent in the X-Mailer header and so on.
Contact forms would send that as-is to a destination e-mail address which
was protected by a decent spam filter. Job done!
Comment forms would pass the message to a spam filter installed on the
server, which would return a response indicating whether the message was
likely to be spam. Spammy messages would be discarded, informing the user;
non-spammy messages would be posted as comments; for messages in between,
you'd put them into a "maybe spam" pile, ready for manual moderation.
This way, rather than writing your own half-assed spam detection and
having to constantly worry about maintaining it and fixing bugs, you can
rely on best of breed efforts, written by a third party, with nothing to
worry about other than installing upgrades every couple of months.
Third-party spam filters often include features like:
- Bayesian learning
- Constantly updated IP address blacklists
- Constantly updated URL blacklists
- Hard-coded words likely to be spam (Viagra)
- Regular expressions for detecting spam patterns
(such as M1X1NG NUM83RS 4ND L3TT3RS 4ND US1NG T00
MUCH UPP3RC4SE 4ND EXCL4M AT10N M4RKS!!!!!)
As well as taking advantage of these really cool techniques, you're using
a method that doesn't increase the burden of effort on regular users.
--
Toby A Inkster BSc (Hons) ARCS
http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux
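
The approach described in the post above (reformat the submission as an e-mail, score it with SpamAssassin, sort it into one of three piles), as an added example that is not part of the original thread. The form field names, the `Received` line format, the 5.0/2.0 thresholds and all function names are assumptions; it expects SpamAssassin's `spamc` client with a running `spamd`.

```php
<?php
// Added example; field names, thresholds and function names are assumptions.

// Collapse CR/LF so a form field cannot inject extra header lines.
function header_safe(string $v): string {
    return trim(preg_replace('/[\r\n]+/', ' ', $v));
}

// Reformat a form submission as an e-mail message for the spam filter.
function form_to_email(array $f, string $ip, string $ua): string {
    $addr = filter_var($f['email'], FILTER_VALIDATE_EMAIL) ?: 'invalid@invalid.invalid';
    $name = addcslashes(header_safe($f['name']), '"\\');
    $headers = [
        'Received: from [' . header_safe($ip) . '] by webform; ' . date('r'),
        'From: "' . $name . '" <' . $addr . '>',
        'Subject: ' . header_safe($f['subject']),
        'X-Mailer: ' . header_safe($ua),
    ];
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $f['body']);
    return implode("\r\n", $headers) . "\r\n\r\n" . $body . "\r\n";
}

// "spamc -c" prints "score/threshold", or "0/0" when spamd could not be reached.
function spam_score(string $message): ?float {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open(['spamc', '-c'], $spec, $pipes);   // array form needs PHP 7.4+
    if (!is_resource($proc)) return null;
    fwrite($pipes[0], $message);
    fclose($pipes[0]);
    $out = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    proc_close($proc);
    if (!preg_match('~^(-?[\d.]+)/([\d.]+)$~', $out, $m) || (float)$m[2] == 0.0) return null;
    return (float)$m[1];
}

// Three piles from the post: discard, post, or hold for manual moderation.
function classify(?float $score, float $spamAt = 5.0, float $hamBelow = 2.0): string {
    if ($score === null) return 'moderate';   // filter unavailable: hold, do not publish
    if ($score >= $spamAt) return 'discard';
    return $score < $hamBelow ? 'post' : 'moderate';
}

// Constructed sample submission; the subject carries a header-injection attempt.
$form = ['name' => 'A. Visitor', 'email' => 'visitor@example.org',
         'subject' => "Hello\r\nBcc: list@example.net", 'body' => "Nice article.\nThanks!"];
$msg = form_to_email($form, '192.0.2.10', 'Mozilla/5.0');
echo $msg, classify(spam_score($msg)), "\n";
```

When the filter cannot be reached the message is held for moderation rather than published, so an outage of the spam daemon does not silently open the comment form.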
Re: PHP coder sought
<comp.lang.php>
<Toby A Inkster>
<Thu, 10 May 2007 13:35:49 +0100>
<56gbh4-8oj.ln1 [at] ophelia.g5n.co.uk>
> > ..... toby will be along shortly to say it's shite of course and that he
> > can do it better.
>
> Well, if you insist. "It's shite." Happy now?
>
Only if it gives you a wake-up call to stop acting like an arsehole.
...... that's stuckle's job on this newsgroup :-)
Re: PHP coder sought
Krustov wrote:
> <comp.lang.php>
> <Toby A Inkster>
> <Thu, 10 May 2007 13:35:49 +0100>
> <56gbh4-8oj.ln1 [at] ophelia.g5n.co.uk>
>
>>> ..... toby will be along shortly to say it's shite of course and that he
>>> can do it better.
>> Well, if you insist. "It's shite." Happy now?
>>
>
> Only if it gives you a wake-up call to stop acting like an arsehole.
>
> ..... that's stuckle's job on this newsgroup :-)
>
Naw, I just call them like I see them. Arseholes are arseholes, no
matter where they are.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex [at] attglobal.net
==================