Friday, December 14, 2007


Sam made a post about some of the problems he's been having with spam on sites that he runs and that we all use. It's caused some discussion and debate on the topic in FGIJ and elsewhere. He and I have actually debated this topic before, as early as when he taught the security courses and I was consulting with him on topics for them.

Spam, specifically website spam, seems like an almost impossible thing to prevent.

Captcha is the most common way to fight website spam today. The problem is, a captcha that is easily read by humans can also be easily read by OCR technology. More complicated captchas still have software that can break them, as well as potential vulnerabilities in implementation. The end result is that captcha, while looking good in theory, tends to act only as a minor barrier to determined spammers.

There are also non-image captcha solutions such as basic math ("What is 4+4?") or logic questions, but they can all be beaten by spammers just as easily as image captchas.

One alternative is animated captchas. Here, we generate some sort of animated GIF of the captcha which makes it that much more difficult to crack. The problem is, this can be ugly (great, takes me 10 years to purge all animated GIFs from my site and now I get to add flashy ones back to fight spam) and it still isn't perfect. An animated GIF can be torn apart frame-by-frame just as easily as normal image captchas. All this does is make the entire process more resource intensive, for both the spammer and the website.

Another alternative is multiple choice logic questions as mentioned here and used here. This can be a nice alternative, and has the upside of being more accessible to the blind, but it is language centric and can still be hard for people with dyslexia (like me).

Something I found that I like is ASCII captcha, which has the benefit of still being mostly accessible (the blind will still have a hard time) while being moderately difficult to crack.

So what other options are out there? And what can we do to continue the fight against spammers?