CAPTCHA useless?

[Dogs and things]

And it's not only the human eye that has it's limitations, also the human patience is limited. Mine for example is not able te remain calm if I have to re-submit a form just because I wasn´t able to copy the code hidden in it's Captcha. If I do not really really want to join a certain site or send a certain form I just leave it if it's nearly impossible.

And that's a person who is pretty used to deal with Captchas, imagine a more Captcha illiterate person.

I think, for my site, that user accessibility and ease of use is of the utmost importance. And Captcha is not part of that.

[karossii]

I know that as soon as I see a captcha system, my first instinct is to run away. I hate them, and only register on boars using them if I really HAVE to. Like I just registered here because I need help with some questions on phpBB; and I know that it is unlikely I will get the answers anywhere else.

But if it is just a question of checking out some new site a friend recommended, or maybe a casual interest in a site from a search engine, I just forget all about it if I see a captcha. I hate the stupid things!

[Eelke]

Well, some might say they are happy to get only users that are genuinely interested in their site Still, annoying users is never a good thing. Problem is, there is no great alternative.

[Geed]

I made it so that users had to check their emails to register, and that seemed to fix many problems.

[ChrisRLG]

I made it so that users had to check their emails to register, and that seemed to fix many problems.

Bots can do that easy - so that is no help to stop them registering.

[Kim_Possible]

Bots can do that easy - so that is no help to stop them registering.

That is traditionally true, but on my largest board, we are getting a half-dozen registrations a day (this is way down after I tweaked the CAPTCHA), but even the ones that are registering are not activating. In this new wave of spam bots, I've not had a single one activate their account via email.

I know bots can . . . they just aren't this time around. Email activation is currently our best anti-spam weapon.

Could just be me though.

[stickerboy]

I implemented this - http://www.phpbb.com/kb/article/custom- ... mmer-tool/
12+ days and counting (*knocks on wood* ) with no spam registrations. I still have email activation turned on and CAPTCHA showing, but this seems to be working a great deal

[Dog Cow]

I made it so that users had to check their emails to register, and that seemed to fix many problems.

Bots can do that easy - so that is no help to stop them registering.

Some bots, such as XRumer, use a regular expression to search for the email by its subject, as is default by many popular forum systems. So it may help to change the subject of the registration email to something non-standard. Removing the words 'Welcome' and 'activation' might help, since those are two words which the bots look for. Just have the welcome/activation email subject be simply the name of your web site. People ought to figure that out easily.

[MartectX]

If I were writing such a bot I'd have him search the body for the domain name. I register to phpbb.com - I search the body of all incoming emails for phpbb.com.

So I don't think it's worth it to change activation mail wordings, because the link to your board has to be there anyway.

[Eelke]

Well, is it really important what you would do? You are not writing these bots (I hope) Bad code is produced all the time, why would spam bots be any exception?

[CMCDragonkai]

What about flash based captcha? Anybody thought of using that? Last I heard, flash was hard for search engines to index, so if you intend it not be indexed, I'd think bots would have hard time reading flash.

[Eelke]

Same principal applies: once phpBB adopts it, the incentive to crack it becomes so large it doesn't really matter how hard it is. Also, Flash has much narrower support than an image. BTW, Google can index Flash just fine, nowadays Don't know about other search engines, but I'd expect them to follow suit.

[onehundredandtwo]

Using Flash assumes that the end user has Flash installed on their system, which is not always the case.

And unlike PHP, Flash is not Open-Source and the person who creates the Flash CAPTCHA would need an Adobe CS3/4 Flash License or some other Flash developing tool.

[Kellanved]

What about flash based captcha? Anybody thought of using that? Last I heard, flash was hard for search engines to index, so if you intend it not be indexed, I'd think bots would have hard time reading flash.

On the contrary, flash is incredibly simple. php flash support is good enough to write small flash applications on the fly, the problem is that the flash program will contain the information in a format that is easy to parse - the flash player has to understand it after all. A bot wouldn't bother with the actual display, it would just decompile the flash animation.

[Dog Cow]

Also, there's the problem I've discovered which is that it appears to be impossible to securely pass variables between a server and the Flash client. That is because the Flash client runs on the client PC, so any HTTP requests it makes to the server (such as to get the Captcha text it is supposed to display) can be traced and logged by the end-user.

Even encrypting the communication is not the final solution, for the Flash client can be readily decompiled and the encryption algorithm exposed.