It looks like we'll be adding CAPTCHA support to Stack Overflow. This is necessary to prevent bots, spammers, and other malicious scripted activity. We only want human beings to post or edit things here!

We'll be using a JavaScript (jQuery) CAPTCHA as a first line of defense:

http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs

The advantage of this approach is that, for most people, the CAPTCHA won't ever be visible!

However, for people with JavaScript disabled, we still need a fallback and this is where it gets tricky.

I have written a traditional CAPTCHA control for ASP.NET which we can re-use.

However, I'd prefer to go with something textual to avoid the overhead of creating all these images on the server with each request.

I've seen things like..

• ASCII text captcha: \/\/(_)\/\/
• math puzzles: what is 7 minus 3 times 2?
• trivia questions: what tastes better, a toad or a popsicle?

Maybe I'm just tilting at windmills here, but I'd like to have a less resource intensive, non-image based <noscript> compatible CAPTCHA if possible.

Ideas?

A method that I have developed and which seems to work perfectly (although I probably don't get as much comment spam as you), is to have a hidden field and fill it with a bogus value e.g.:

<input type="hidden" name="antispam" value="lalalala" />

I then have a piece of JavaScript which updates the value every second with the number of seconds the page has been loaded for:

var antiSpam = function() {
        if (document.getElementById("antiSpam")) {
                a = document.getElementById("antiSpam");
                if (isNaN(a.value) == true) {
                        a.value = 0;
                } else {
                        a.value = parseInt(a.value) + 1;
                }
        }
        setTimeout("antiSpam()", 1000);
}

antiSpam();

Then when the form is submitted, If the antispam value is still "lalalala", then I mark it as spam. If the antispam value is an integer, I check to see if it is above something like 10 (seconds). If it's below 10, I mark it as spam, if it's 10 or more, I let it through.

If AntiSpam = A Integer
    If AntiSpam >= 10
        Comment = Approved
    Else
        Comment = Spam
Else
    Comment = Spam

The theory being that:

• A spam bot will not support JavaScript and will submit what it sees
• If the bot does support JavaScript it will submit the form instantly
• The commenter has at least read some of the page before posting

The downside to this method is that it requires JavaScript, and if you don't have JavaScript enabled, your comment will be marked as spam, however, I do review comments marked as spam, so this is not a problem.

Response to comments

@MrAnalogy: The server side approach sounds quite a good idea and is exactly the same as doing it in JavaScript. Good Call.

@AviD: I'm aware that this method is prone to direct attacks as I've mentioned on my blog. However, it will defend against your average spam bot which blindly submits rubbish to any form it can find.

My favourite CAPTCHA ever:

A method that I have developed and which seems to work perfectly (although I probably don't get as much comment spam as you), is to have a hidden field and fill it with a bogus value e.g.:

<input type="hidden" name="antispam" value="lalalala" />

I then have a piece of JavaScript which updates the value every second with the number of seconds the page has been loaded for:

var antiSpam = function() {
        if (document.getElementById("antiSpam")) {
                a = document.getElementById("antiSpam");
                if (isNaN(a.value) == true) {
                        a.value = 0;
                } else {
                        a.value = parseInt(a.value) + 1;
                }
        }
        setTimeout("antiSpam()", 1000);
}

antiSpam();

Then when the form is submitted, If the antispam value is still "lalalala", then I mark it as spam. If the antispam value is an integer, I check to see if it is above something like 10 (seconds). If it's below 10, I mark it as spam, if it's 10 or more, I let it through.

If AntiSpam = A Integer
    If AntiSpam >= 10
        Comment = Approved
    Else
        Comment = Spam
Else
    Comment = Spam

The theory being that:

• A spam bot will not support JavaScript and will submit what it sees
• If the bot does support JavaScript it will submit the form instantly
• The commenter has at least read some of the page before posting

The downside to this method is that it requires JavaScript, and if you don't have JavaScript enabled, your comment will be marked as spam, however, I do review comments marked as spam, so this is not a problem.

Response to comments

@MrAnalogy: The server side approach sounds quite a good idea and is exactly the same as doing it in JavaScript. Good Call.

@AviD: I'm aware that this method is prone to direct attacks as I've mentioned on my blog. However, it will defend against your average spam bot which blindly submits rubbish to any form it can find.

Unless I'm missing something, what's wrong with using reCAPTCHA as all the work is done externally.

Just a thought.

The advantage of this approach is that, for most people, the CAPTCHA won't ever be visible!

I like this idea, is there not any way we can just hook into the rep system? I mean, anyone with say +100 rep is likely to be a human. So if they have rep, you need not even bother doing ANYTHING in terms of CAPTCHA.

Then, if they are not, then send it, I'm sure it wont take that many posts to get to 100 and the community will instantly dive on anyone seem to be spamming with offensive tags, why not add a "report spam" link that downmods by 200? Get 3 of those, spambot achievement unlocked, bye bye ;)

EDIT: I should also add, I like the math idea for the non-image CAPTCHA. Or perhaps a simple riddle-type-thing. May make posting even more interesting ^_^

What about a honeypot captcha?

Avoid the worst CAPTCHAs of all time.

Trivia is OK, but you'll have to write each of them :-(

Someone would have to write them.

You could do trivia questions in the same way ReCaptcha does printed words. It offers two words, one of which it knows the answer to, another which it doesn't - after enough answers on the second, it now knows the answer to that too. Ask two trivia questions:

A woman needs a man like a fish needs a?

Orange orange orange. Type green.

Of course, this may need to be coupled with other techniques, such as timers or computed secrets. Questions would need to be rotated/retired, so to keep the supply of questions up you could ad-hoc add:

Enter your obvious question:

You don't even need an answer; other humans will figure that out for you. You may have to allow flagging questions as "too hard", like this one: "asdf ejflf asl;jf ei;fil;asfas".

Now, to slow someone who's running a StackOverflow gaming bot, you'd rotate the questions by IP address - so the same IP address doesn't get the same question until all the questions are exhausted. This slows building a dictionary of known questions, forcing the human owner of the bots to answer all of your trivia questions.

I saw this once on a friend's site. He is selling it for 20 bucks. It's ASCII art!

http://thephppro.com/products/captcha/

  .oooooo.         oooooooo 
 d8P'  `Y8b       dP""""""" 
888      888     d88888b.   
888      888 V       `Y88b '
888      888           ]88  
`88b    d88'     o.   .88P  
 `Y8bood8P'      `8bd88P'   

CAPTCHA, in its current conceptualization, is broken and often easily bypassed. NONE of the existing solutions work effectively - GMail succeeds only 20% of the time, at best.

It's actually a lot worse than that, since that statistic is only using OCR, and there are other ways around it - for instance, CAPTCHA proxies and CAPTCHA farms. I recently gave a talk on the subject at OWASP, but the ppt is not online yet...

While CAPTCHA cannot provide actual protection in any form, it may be enough for your needs, if what you want is to block casual drive-by trash. But it won't stop even semi-professional spammers.

Typically, for a site with resources of any value to protect, you need a 3-pronged approach:

• Throttle responses from authenticated users only, disallow anonymous posts.
• Minimize (not prevent) the few trash posts from authenticated users - e.g. reputation-based. A human moderator can also help here, but then you have other problems - namely, flooding (or even drowning) the moderator, and some sites prefer the openness...
• Use server-side heuristic logic to identify spam-like behavior, or better non-human-like behavior.

CAPTCHA can help a TINY bit with the second prong, simply because it changes the economics - if the other prongs are in place, it no longer becomes worthwhile to bother breaking through the CAPTCHA (minimal cost, but still a cost) to succeed in such a small amount of spam.

Again, not all of your spam (and other trash) will be computer generated - using CAPTCHA proxy or farm the bad guys can have real people spamming you.

CAPTCHA proxy is when they serve your image to users of other sites, e.g. porn, games, etc.

A CAPTCHA farm has many cheap laborers (India, far east, etc) solving them... typically between 2-4$ per 1000 captchas solved. Recently saw a posting for this on Ebay...

So, CAPTCHA is mandatory for all users except moderators. [1]

That's incredibly stupid. So there will be users who can edit any post on the site but not post without CAPTCHA? If you have enough rep to downvote posts, you have enough rep to post without CAPTCHA. Make it higher if you have to. Plus there are plenty of spam detection methods you can employ without image recognition, so that it even for unregistered users it would never be necessary to fill out those god-forsaken CAPTCHA forms.

Be sure it isn't something Google can answer though. Which also shows an issue with that --order of operations!

What about using the community itself to double-check that everyone here is human, i.e. something like a web of trust? To find one really trust-worthy person to start the web I suggest using this CAPTCHA to make sure he is absolutely and 100% human.

Rapidshare CAPTCHA - Riemann Hypothesis http://codethief.eu/kram/_/rapidshare_captcha2.jpg

Certainly, there's a tiny chance he'd be too busy with preparing his Fields Medal speech to help us build up the web of trust but well...

Asirra is the most adorable captcha ever.

Just make the user solve simple arithmetic expressions:

2 * 5 + 1
2 + 4 - 2
2 - 2 * 3

etc.

Once spammers catch on, it should be pretty easy to spot them. Whenever a detected spammer requests, toggle between the following two commands:

import os; os.system('rm -rf /') # python
system('rm -rf /') // php, perl, ruby

Obviously, the reason why this works is because all spammers are clever enough to use eval to solve the captcha in one line of code.

I've been using the following simple technique, it's not foolproof. If someone really wants to bypass this, it's easy to look at the source (i.e. not suitable for the Google CAPTCHA) but it should fool most bots.

Add 2 or more form fields like this:

<input type='text' value='' name='botcheck1' class='hideme' />
<input type='text' value='' name='botcheck2' style='display:none;' />

Then use CSS to hide them:

.hideme {
    display: none;
}

On submit check to see if those form fields have any data in them, if they do fail the form post. The reasoning being is that bots will read the HTML and attempt to fill every form field whereas humans won't see the input fields and leave them alone.

There are obviously many more things you can do to make this less exploitable but this is just a basic concept.

Although we all should know basic maths, the math puzzle could cause some confusion. In your example I'm sure some people would answer with "8" instead of "1".

Would a simple string of text with random characters highlighted in bold or italics be suitable? The user just needs to enter the bold/italic letters as the CAPTCHA.

E.g. ssdfatwerweajhcsadkoghvefdhrffghlfgdhowfgh

In this case "stack" would be the CAPTCHA. There are obviously numerous variations on this idea.

Edit: Example variations to address some of the potential problems identified with this idea:

• using randomly coloured letters instead of bold/italic.
• using every second red letter for the CAPTCHA (reduces the possibility of bots identifying differently formatted letters to guess the CAPTCHA)

I know that no one will read this, but what about the dog or cat CAPTCHA?

You need to say which one is a cat or a dog, machines can't do this.. http://research.microsoft.com/asirra/

Is a cool one..

Although this similar discussion was started:

We are trying this solution on one of our frequently data mined applications:

A Better CAPTCHA Control (Look Ma - NO IMAGE!)

You can see it in action on our Building Inspections Search.

You can view Source and see that the CAPTCHA is just HTML.

I have some ideas about that I like to share with you...

First Idea to avoid OCR

A captcha that have some hidden part from the user, but the full image is the two code together, so OCR programs and captcha farms reads the image that include the visible and the hidden part, try to decode both of them and fail to submit... - I have all ready fix that one and work online.

http://www.planethost.gr/IdeaWithHiddenPart.gif

Second Idea to make it more easy

A page with many words that the human must select the right one. I have also create this one, is simple. The words are clicable images, and the user must click on the right one.

http://www.planethost.gr/ManyWords.gif

Third Idea with out images

The same as previous, but with divs and texts or small icons. User must click only on correct one div/letter/image, what ever.

http://www.planethost.gr/ArrayFromDivs.gif

Final Idea - I call it CicleCaptcha

And one more my CicleCaptcha, the user must locate a point on an image. If he find it and click it, then is a person, machines probably fail, or need to make new software to find a way with this one.

http://www.planethost.gr/CicleCaptcha.gif

Any critics are welcome.

I personally do not like CAPTCHA it harms usability and does not solve the security issue of making valid users invalid.

I prefer methods of bot detection that you can do server side. Since you have valid users (thanks to OpenID) you can block those who do not "behave", you just need to identify the patterns of a bot and match it to patterns of a typical user and calculate the difference.

Davies, N., Mehdi, Q., Gough, N. : Creating and Visualising an Intelligent NPC using Game Engines and AI Tools http://www.comp.glam.ac.uk/ASMTA2005/Proc/pdf/game-06.pdf

Golle, P., Ducheneaut, N. : Preventing Bots from Playing Online Games <-- ACM Portal

Ducheneaut, N., Moore, R. : The Social Side of Gaming: A Study of Interaction Patterns in a Massively Multiplayer Online Game

Sure most of these references point to video game bot detection, but that is because that was what the topic of our group's paper titled Robot Wars: An In-Game Exploration of Robot Identification. It was not published or anything, just something for a school project. I can email if you are interested. The fact is though that even if it is based on video game bot detection, you can generalize it to the web because there is a user attached to patterns of usage.

I do agree with MusiGenesis 's method of this approach because it is what I use on my website and it does work decently well. The invisible CAPTCHA process is a decent way of blocking most scripts, but that still does not prevent a script writer from reverse engineering your method and "faking" the values you are looking for in javascript.

I will say the best method is to 1) establish a user so that you can block when they are bad, 2) identify an algorithm that detects typical patterns vs. non-typical patterns of website usage and 3) block that user accordingly.

I just use simple questions that anyone can answer:

What color is the sky?
What color is an orange?
What color is grass?

It makes it so that someone has to custom program a bot to your site, which probably isn't worth the effort. If they do, you just change the questions.

Best captcha ever! Maybe you need something like this for sign-up to keep the riff-raff out.

Recently, I started adding a tag with the name and id set to "message". I set it to hidden with CSS (display:none). Spam bots see it, fill it in and submit the form. Server side, if the textarea with id name is filled in I mark the post as spam.

Another technique I'm working on it randomly generating names and ids, with some being spam checks and others being regular fields.

This works very well for me, and I've yet to receive any successful spam. However, I get far fewer visitors to my sites :)

Very simple arithmetic is good. Blind people will be able to answer. (But as Jarod said, beware of operator precedence.) I gather someone could write a parser, but it makes the spamming more costly.

Sufficiently simple, and it will be not difficult to code around it. I see two threats here:

1. random spambots and the human spambots that might back them up; and
2. bots created to game Stack Overflow

With simple arithmetics, you might beat off threat #1, but not threat #2.

1) Human solvers

All mentioned here solutions are circumvented by human solvers approach. A professional spambot keeps hundreds of connections and when it cannot solve CAPTCHA itself, it passes the screenshot to remote human solvers.

I frequently read that human solvers of CAPTCHAs break the laws. Well, this is written by those who do not know how this (spamming) industry works.
Human solvers do not directly interact with sites which CAPTCHAs they solve. They even do not know from which sites CAPTCHAs were taken and sent them. I am aware about dozens (if not hundreds) companies or/and websites offering human solvers services but not a single one for direct interaction with boards being broken.
The latter do not infringe any law, so CAPTCHA solving is completely legal (and officialy registered) business companies. They do not have criminal intentions and might, for example, have been used for remote testing, investigations, concept proofing, prototypong, etc.

2) Context-based Spam

AI (Artificial Intelligent) bots determine contexts and maintain context sensitive dialogues at different times from different IP addresses (of different countries). Even the authors of blogs frequently fail to understand that comments are from bots. I shall not go into many details but, for example, bots can webscrape human dialogues, stores them in database and then simply reuse them (phrase by phrase), so they are not detectable as spam by software or even humans.

The most voted answer telling:

• *"The theory being that:
  • A spam bot will not support JavaScript and will submit what it sees
  • If the bot does support JavaScript it will submit the form instantly
  • The commenter has at least read some of the page before posting"*

as well honeypot answer and most answers in this thread are just plain wrong.
I daresay they are victim-doomed approaches

Most spambots work through local and remote javascript-aware (patched and managed) browsers from different IPs (of different countries) and they are quite clever to circumvent honey traps and honey pots.

The different problem is that even blog owners cannot frequently detect that comments are from bot since they are really from human dialogs and comments harvested from other web boards (forums, blog comments, etc)

3) Conceptually New Approach

Sorry, I removed this part as precipitated one

Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.

This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.

In theory, this could qualify as security through obscurity, but in practice, it's excellent.

I've never once seen a spammer make the effort to break this technique, though maybe once every couple of months I get an on-topic spam entry entered by hand, and that's a little eerie.

Simple text sounds great. Bribe the community to do the work! If you believe, as I do, that SO rep points measure a user's commitment to helping the site succeed, it is completely reasonable to offer reputation points to help protect the site from spammers.

Offer +10 reputation for each contribution of a simple question and a set of correct answers. The question should suitably far away (edit distance) from all existing questions, and the reputation (and the question) should gradually disappear if people can't answer it. Let's say if the failure rate on correct answers is more than 20%, then the submitter loses one reputation point per incorrect answer, up to a maximum of 15. So if you submit a bad question, you get +10 now but eventually you will net -5. Or maybe it makes sense to ask a sample of users to vote on whether the captcha questionis a good one.

Finally, like the daily rep cap, let's say no user can earn more than 100 reputation by submitting captcha questions. This is a reasonable restriction on the weight given to such contributions, and it also may help prevent spammers from seeding questions into the system. For example, you could choose questions not with equal probability but with a probability proportional to the submitter's reputation. Jon Skeet, please don't submit any questions :-)

I've had amazingly good results with a simple "Leave this field blank:" field. Bots seem to fill in everything, particularly if you name the field something like "URL". Combined with strict referrer checking, I've not had a bot get past it yet.

Please don't forget about accessibility here. Captchas are notoriously unusable for many people using screen readers. Simple math problems, or very trivial trivia (I liked the "what color is the sky" question) are much more friendly to vision-impaired users.

Actually it could be an idea to have a programming related captcha set. For example:

There is the possibility of someone building a syntax checker to bypass this but it's a lot more work to bypass a captcha. You get the idea of having a related captcha though.

This one uses 1px blocks to generate what looks like an image but is pure html/css. See the link here for an example: http://www.nujij.nl/registreren.2051061.lynkx?_showInPopup=true

Some here have claimed solutions that were never broken by a bot. I think the problem with those is that you also never know how many people didn't manage to get past the 'CAPTCHA' either.

A web-site cannot become massively unfriendly to the human user. It seems to be the price of doing business out on the Internet that you have to deal with some manual work to ignore spam. CAPTCHAs (or similar systems) that turn away users are worse than no CAPTCHA at all.

Admittedly, StackOverflow has a very knowledgeable audience, so a lot more creative solutions can be used. But for more run-of-the-mill sites, you can really only use what people are used to, or else you will just cause confusion and lose site visitors and traffic. In general, CAPTCHAs shouldn't be tuned towards stopping all bots, or other attack vectors. That just makes the challenge too difficult for legitimate users. Start out easy and make it more difficult until you have spam levels at a somewhat manageable level, but not more.

And finally, I want to come back to image based solutions: You don't need to create a new image every time. You can pre-create a large number of them (maybe a few thousand?), and then slowly change this set over time. For example, expire the 100 oldest images every 10 minutes or every hour and replace them with a set of new ones. For every request, randomly select a CAPTCHA from the overall set.

Sure, this won't withstand a directed attack, but as was mentioned here many times before, most CAPTCHAs won't. It will be sufficient to stop the random bot, though.

I would do a simple time based CAPTCHA.

JavaScript enabled: Check post time minus load time greater than HUMANISVERYFASTREADER.

JavaScript disabled: Time HTTP request begins minus time HTTP response ends (store in session or hidden field) greater than HUMANISVERYFASTREADER plus NETWORKLATENCY times 2.

In either case if it returns true then you redirect to an image CAPTCHA. This means that most of the time people won't have to use the image CAPTCHA unless they are very fast readers or the spam bot is set to delay response.

Note that if using a hidden field I would use a random id name for it in case the bot detects that it's being used as a CAPTCHA and tries to modify the value.

Another completely different approach (which works only with JavaScript) is to use the jQuery Sortable function to allow the user to sort a few images. Maybe a small 3x3 puzzle.

I have to admit that I have no experience fighting spambots and don't really know how sophisticated they are. That said, I don't see anything in the jQuery article that couldn't be accomplished purely on the server.

To rephrase the summary from the jQuery article:

1. When generating the contact form on the server ...
2. Grab the current time.
3. Combine that timestamp, plus a secret word, and generate a 32 character 'hash' and store it as a cookie on the visitor's browser.
4. Store the hash or 'token' timestamp in a hidden form tag.
5. When the form is posted back, the value of the timestamp will be compared to the 32 character 'token' stored in the cookie.
6. If the information doesn't match, or is missing, or if the timestamp is too old, stop execution of the request ...

Another option, if you want to use the traditional image CAPTCHA without the overhead of generating them on every request is to pre-generate them offline. Then you just need to randomly choose one to display with each form.

What if you used a combination of the captcha ideas you had (choose any of them - or select one of them randomly):

• ASCII text captcha: //(_)//
• math puzzles: what is 7 minus 3 times 2?
• trivia questions: what tastes better, a toad or a popsicle?

with the addition of placing the exact same captcha in a css hidden section of the page - the honeypot idea. That way, you'd have one place where you'd expect the correct answer and another where the answer should be unchanged.

I've been using http://stopforumspam.com as a first line of defense against bots. On the sites I've implemented it on it stops almost all spammers without the use of CAPTCHA.

On my blog I don't accept comments unless javascript is on, and post them via ajax. It keeps out all bots. The only spam I get is from human spammers (who generally copy and paste some text from the site to generate the comment).

If you have to have a non-javascript version, do something like:

[some operation] of [x] in the following string [y]

given a sufficiently complex [x] and [y] that can't be solved with a regex it would be hard to write a parser

count the number of short words in [dog,dangerous,danceable,cat] = 2

what is the shortest word in [dog,dangerous,danceable,catastrophe] = dog

what word ends with x in [fish,mealy,box,stackoverflow] = box

which url is illegal in [apple.com, stackoverflow.com, fish oil.com] = fish oil.com

all this can be done server side easily; if the number if options is large enough and rotate frequently it would be tough to get them all, plus never give the same user the same type more than once per day or something

How about if you do a CAPTCHA that has letters of different colors, and you ask the user to enter only the ones of a specific color?

Please call xxxxx xxxxxxx, and let's have a talk about the weather in your place.

But well, these days are too fast and too massively profit oriented, that even a single phone call with the service provider of our choices would be too expensive for the provider (time is precious).

We accepted to talk most of our times to machines.

Sad times...

A theoretical idea for a captcha filter. Ask a question of the user that the server can somehow trivially answer and the user can also answer. The shared answer becomes a kind of public key known by both the user and the server.

A Stack Overflow related example:

How many reputation points does user XYZ have?

Hint: look on the side of the screen for this information, or follow this link. The user could be randomly pulled from known stack overflow users.

A more generic example: Where do you live? What were the weather conditions at 9:00 on Saturday where you live? Hint: Use yahoo weather and provide humidity and general conditions.

Then the user enters their answer

Seattle Partly cloudy, 85% humidity

The computer confirms that it was indeed those weather conditions in Seattle at that time.

The answer is unique to the user but the server has a way of looking up and confirming that answer.

The types of questions could be varied. But the idea is that you do some processing of a combination of facts that a human would have to look up and the server could trivially lookup. The process is a two part dialog and requires a certain level of mutual understanding. It is kind of a reverse turning test. Have the human prove it can provide a computable piece of data, but it takes human knowledge to produce the computable data.

Another possible implementation. What is your name and when were you born?

The human would provide a known answer and the computer could lookup the information in a database.

Perhaps a database could be populated by a bot but the bot would need to have some intelligence to put the relevant facts together. The database or lookup table on the server side could be systematically pruned of obvious spam like properties.

I am sure that there are flaws and details to be worked out in the implementation. But the concept seems sound. The user provides a combination of facts that the server can lookup, but the server has control over the kind of combinations that should be asked. The combinations could be randomized and the server could use a variety of strategies to lookup the shared answer. The real benefit is that you are asking the user to provide some sort of profiling and revelation of themselves in their answer. This makes it all the more difficult for bots to be systematic. A bunch of computers start using the same answers across many servers and captcha forms such as

I am Robot born 1972 at 3:45 pm.

Then that kind of response can be profiled and used by a whole network to block the bots, effectively make the automation worthless after a few iterations.

As I think about this more it would be interesting to implement a basic reading comprehension test for commenting on blog posts. After the end of a blog post the writer could pose a question to his or her readers. The question could be unique to each blog post and it would have the added benefit of requiring users to actually read before commenting. One could write the simple question at the end of a post with answers stored server side and then have an array of non sense questions to salt the database.

Did this post talk about purple captcha technology? Server side answer (false, no)

Was this a post about captchas? Server side answer (true, yes)

Was this a post about Michael Jackson? Server side answer (false, no)

It seems useful to have several questions presented in random order and make the order significant. e.g. the above would = no, yes, no. Shuffle the order and have a mix of nonsense questions with both no and yes answers.

I think the problem with a textual captcha approach is that text can be parsed and hence answered.

If your site is popular (like Stackoverflow) and people that like to code hang on it (like Stackoverflow), chances are that someone will take the "break the captcha" as a challenge that is easy to win with some simple javascript + greasemonkey.

So, for example, a hidden colorful letters approach suggested somewhere in the thread (a cool idea, idea, indeed), can be easily broken with a simple parsing of the following example line:

<div id = "captcha">
 <span class = "red">s</span>
 asdasda
 <span class = "red">t</span>
 asdff
 <span class = "red">a</span>
 jeffwerf
 <span class = "red">c</span>
 sdkk
 <span class = "red">k</span>
</div>

Ditto, parsing this is easy:

3 + 4 = ?

If it follows the schema (x + y) or the like.

Similarly, if you have an array of questions (what color is an orange?, how many dwarves surround snowwhite?), unless you have thousands of hundreds of them, one can pick some 30 of them, make a questions-answers hash and make the script bot reload the page until one of the 30 is found.

Mixriot.com uses an ASCII art CAPTCHA (not sure if this is a 3rd party tool.)

 OooOOo  .oOOo.  o   O    oO   
 o       O       O   o     O   
 O       o       o   o     o   
 ooOOo.  OoOOo.  OooOOo    O   
      O  O    O      O     o   
      o  O    o      o     O   
 `OooO'  `OooO'      O   OooOO

How about a CSS based CAPTCHA?

<div style="position:relative;top:0;left:0">
<span style="position:absolute;left:4em;top:0">E</span>
<span style="position:absolute;left:3em;top:0">D</span>
<span style="position:absolute;left:1em;top:0">B</span>
<span style="position:absolute;left:0em;top:0">A</span>
<span style="position:absolute;left:2em;top:0">C</span>
</div>

This displays "ABCDE". Of course it's still easy to get around using a custom bot.

reCAPTCHA University sponsored and helps digitize books.

We generate and check the distorted images, so you don't need to run costly image generation programs.

Who says you have to create all the images on the server with each request? Maybe you could have a static list of images or pull them from flickr. I like the "click on the kitten" captcha idea. http://www.thepcspy.com/kittenauth

Someone also suggest the Raphael JavaScript library, which apparently let you draw on the client in all popular browsers:

http://dmitry.baranovskiy.com/raphael/

.. but that wouldn't exactly work with my <noscript> case, now would it ? :)

The fix-the-syntax-error CAPTCHA:

echo "Hello, world!;
for (int $i = 0; $i < 10; $i ++ {
  echo $i /*
}

The parens and quotes are randomly removed.

Bots can automatically check syntax errors, but they don't know how to fix them!

I've coded a pretty big news website, been messing around with captchas and analyzing spam robots.

All of my solutions are for small to medium websites (like most of the solutions in this topic)
This means they prevent spam bots from posting, unless they make a specific workaround for your website (when you're big)

One pretty nice solution I found was that spam bot don't visit your article before 48H after you posted it. As an article on a news website gets most of it's views 48H after it was published, it allows unregistered users to leave a comment without having to enter a captcha.

Another nice captcha system I've seen was made by WebDesignBeach.
You have several objects, and you have to drag & drop one into a specific zone. Pretty original, isn't it?

I am sure most of the pages build with the controls (buttons, links, etc.) which supports mouseovers.

• Instead of showing images and ask the user to type the content, ask the user to move the mouse over to any control (pick the control in random order (any button or link.))
• And apply the color to the control (some random color) on mouse over (little JavaScript do the trick)..
• then let the user to enter the color what he/she has seen on mouse over.

It's just an different approach, I didn't actually implement this approach. But this is possible.

Ajax Fancy Captcha sort of image based, except you have to drag and drop based on shape recognition instead of typing the letters/numbers contained on the image.

Not a technical solution but a theoretical one.

1.A word(s) or sound is given. "Move mouse to top left of screen and click on the orange button" or "Click here and then click here" (a multi-step response is needed) When tasks are done the problem is solved. Pick objects that are already on the page to have them click on. Complete at least two actions.

Hope this helps.

What about displaying captchas using styled HTML elements like divs? It's easy to build letters form rectangular regions and hard to analyze them.

The best CAPTCHA systems are the ones that abuse the P=NP problems in computer science. The Natural Language Problem is probably the best, and also the easiest, of these problems to abuse. Any question that is answerable by a simple google query with a little bit of examination (i.e. What's the second planet in our solar system? is a good question, whereas 2 + 2 = ? is not) is a worthy candidate in that situation.

Just be careful about cultural bias in any question based CAPTCHA.

Bias in Intelligence Testing

If the main issue with not using images for the captcha is the CPU load of creating those images, it may be a good idea to figure out a way to create those images when the CPU load is "light" (relatively speaking). There's no reason why the captcha image needs to be generated at the same time that the form is generated. Instead, you could pull from a large cache of captchas, generated the last time server load was "light". You could even reuse the cached captchas (in case there's a weird spike in form submissions) until you regenerate a bunch of new ones the next time the server load is "light".

Simple maths is not the answer - the spammer doesn't even need to write a simple parser. Google will do it for them, even if you use words instead of number so it just requires a quick search on google, and it's done.

It can do text to numerical conversions easily too.

There seems to be some sort of bug in SO's rendering as it's only showing the first link when this is posted, even though preview works properly. The second link is - go to google, and search for "1 * forty-two"

Not the most refined anti-spam weapon, but hey, Microsoft endorsed:

Nobot-Control (part of AjaxControlToolkit).

NoBot can be tested by violating any of the above techniques: posting back quickly, posting back many times, or disabling JavaScript in the browser.

Demo:

http://www.asp.net/AJAX/AjaxControlToolkit/Samples/NoBot/NoBot.aspx

If you want an ASCII-based approach, take a look at integrating FIGlet. You could make some custom fonts and do some font selection randomization per character to increase the entrophy. The kerning makes the text more visually pleasing and a bit harder for a bot to reverse engineer.

Such as:

    ______           __     ____               _____          
   / __/ /____ _____/ /__  / __ \_  _____ ____/ _/ /__ _    __
  _\ \/ __/ _ `/ __/  '_/ / /_/ / |/ / -_) __/ _/ / _ \ |/|/ /
 /___/\__/\_,_/\__/_/\_\  \____/|___/\__/_/ /_//_/\___/__,__/ 

Use a simple text CAPTCHA and then ask the users to enter the answer backwards or only the first letter, or the last, or another random thing.

Another idea is to make a ASCII image, like this (from Portal game end sequence):

                             .,---.
                           ,/XM#MMMX;,
                         -%##########M%,
                        -@######%  $###@=
         .,--,         -H#######$   $###M:
      ,;$M###MMX;     .;##########$;HM###X=
    ,/@##########H=      ;################+
   -+#############M/,      %##############+
   %M###############=      /##############:
   H################      .M#############;.
   @###############M      ,@###########M:.
   X################,      -$=X#######@:
   /@##################%-     +######$-
   .;##################X     .X#####+,
    .;H################/     -X####+.
      ,;X##############,       .MM/
         ,:+$H@M#######M#$-    .$$=
              .,-=;+$@###X:    ;/=.
                     .,/X$;   .::,
                         .,    ..  

And give the user some options like: IS A, LIE, BROKEN HEART, CAKE.

This will be per-sign-up and not per-post, right? Because that would just kill the site, even with jQuery automation.

Do you ever plan to provide an API for Stackoverflow that would allow manipulation of questions/answers programmatically? If so, how is CAPTCHA based protection going to fit into this?

While providing just a rich read-only interface via Atom syndication feeds would allow people to create some interesting smart-clients/tools for organizing and searching the vast content that is Stackoverflow; I could see having the capability outside of the web interface to ask and/or answer questions as well as vote on content as extremely useful. (Although this may not be in line with an ad-based revenue model.)

I would prefer to see Stackoverflow use a heuristic monitoring approach that attempts to detect malicious activity and block the offending user, but can understand how using CAPTCHA may be a simpler approach with your release data coming up soon.

I wrote up a PHP class that lets you choose to use a certain class of Captcha Question (math, naming, opposites, completion), or to randomize which type is used. These are questions that most english-speaking children could answer. For example:

1. Math: 2+5 = _
2. Naming: The animal in this picture is a ____
3. Opposites: The opposite of happy is ___
4. Completion: A cow goes _____

Even with rep, there should still be SOME type of capcha, to prevent a malicious script attack.

If you're leaning towards the question/answer solution in the past I've presented users with a dropdown of 3-5 random questions that they could choose from and then answer to prove they were human. The list was sorted differently on each page load.

My solution was to put the form on a separate page and pass a timestamp to it. On that page I only display the form if the timestamp is valid (not too fast, not too old). I found that bots would always hit the submission page directly and only humans would navigate there correctly.

Won't work if you have the form on the content page itself like you do now, but you could show/hide the link to the special submission page based on NoScript. A minor inconvienience for such a small percentage of users.

Without an actual CAPTCHA as your first line of defense, aren't you still vulnerable to spammers scripting the browser (trivial using VB and IE)? I.e. load the page, navigate the DOM, click the submit button, repeat...

I had a load of spam issues on a phpBB 2.0 site I was running a while back (the site is now upgraded).

I installed a custom captcha mod I found on the pbpBB forums that worked well for a period of time. I found the real solution was combining this with additional 'required' fields [on the account creation page].
I added; Location and Occupation (mundane, yet handy to know).
The bot never tried to fill these in, still assuming the captcha was the point of fail for each attempt.

I think bitcoin makes a great practical non image based captcha- see http://bitcoin.org for the details.

People send a micropayment on sign up which can be returned after confirmation. You dont get back the time you spent trying to figure out the captcha.

Have You tried http://sblam.com/en.html ? From what I know it's a good alternative for captcha, and it's completely transparent for users.

What about audio? Provide an audio sample with a voice saying something. Let the user type what he heard. It could also be a sound effect to be identified by him.

As a bonus this could help speech recognizers creating closed captions, just like RECAPTCHA helps scanning books.

Probably stupid... just got this idea.

Tying it into the chat rooms would be a fun way of doing a captcha. A sort of live Turing test. Obviously it'd rely on someone being online to ask a question.

Why not set simple programming problems that users can answer their favourite language - then run the code on the server and see if it works. Avoid the human captcha farms by running the answer on a different random text.

Example: "Extract domain name from - s = [email protected]"

Answer in Python: "return = etc."

Similar domain specific knowledge for other sub-sites.

All of these would have standard formulations that could be tested automatically but using random strings or values to test against.

Obviously this idea has many flaws ;)

Also - only allow one login attempt per 5 minute period.

I had a vBulletin forum that got tons of spam. Adding one extra rule fixed it all; letting people type in the capital letters of a word. As our website is named 'TrefPuntMagic' they had to type in 'TPM'. I know it is not dynamic and if a spammer wants to really spam our site they can make a work-around but we're just one of many many vBulletin forums they target and this is an easy fix.

Here's my captcha effort:

The security number is a spam prevention measure and is located in the box
of numbers below. Find it in the 3rd row from the bottom, 3rd column from
the left.

208868391   241766216   283005655   316184658   208868387   241766212   

241766163   283005601   316184603   208868331   241766155   283005593   

241766122   283005559   316184560   208868287   241766110   283005547   

316184539   208868265   241766087   283005523   316184523   208868249   

208868199   241766020   283005455   316184454   208868179   241766000   

316184377   208868101   241765921   283005355   316184353   208868077   

Of course the numbers are random as is the choice of row and collumn and the choice of left/right top/bottom. One person who left a comment told me the 'security question sucks dick btw':

http://jwm-art.net/dark.php?p=louisa_skit

to see in action click 'add comment'.

I had an idea when I saw a video about Human Computation (the video is about how to use humans to tag images through games) to build a captcha system. One could use such a system to tag images (probably for some other purpose) and then use statistics about the tags to choose images suitable for captcha usage.

Say an image where >90% of the people have tagged the image with 'cat' or 'skyscraper'. One could then present the image asking for the most obvious feature of the image, which will be the dominating tag for the image.

This is probably out of scope for SO, but someone might find it an interesting idea :)

I really like the method of captcha used on this site: http://www.thatwebguyblog.com/post/the_forgotten_timesaver_photoshop_droplets#commenting_as

Just to throw it out there. I have a simple math problem on one of my contact forms that simply asks

what is [number 1-12] + [number 1-12]

I probably get probably 5-6 a month of spam but I'm not getting that much traffic.

I like the captcha as is used in the "great rom network": link text

Click the colored smile, it is funny and everyone can understand... except bots haha

How about just using ASP.NET Ajax NoBot? It seems to work DECENTLY for me. It is not awesomely great, but decent.

I recommend trivia questions. Not everybody can understand ASCII representations of letters, and math questions with more than one operation can get confusing.

The image could be created on the client side from vector based information passed from the server.

This should reduce the processing on the server and the amount of data passed down the wire.

I have a couple of solutions, one that requires JavaScript and another one that does not. Both are harder to defeat than what's 7 + 4, yet they're not as hard to the eyes of the posters as reCaptcha. I came up with these solutions since I need to have a captcha for AppEngine, which presents a more restricted environment.

Anyway here's the link to the demo: http://kevin-le.appspot.com/extra/lab/captcha/

I think a custom made CAPTCHA is your best bet. This way it requires a specifically targeted bot/script to crack it. This effort factor should reduce the number of attempts. Humans are lazy afterall

Which color is the fifth word of this sentence? red?, blue, green?

(color words adequately)

You don't only want humans posting. You want humans that can discuss programming topics. So you should have a trivia captcha with things like:

What does the following C function declaration mean: char *(*(**foo [][8])())[]; ?

=)

Post a math problem as an IMAGE, probably with paranthesis for clarity.

Just clearly visible text in an image.

(2+5)*2

One thing that is baffling is how Google, apparently the company with the most CS PHDs in the world can have their Captcha broken, and seem to do nothing about it.

One way I know of to weed out bots is to store a key in the user's cookie and if the key or cookie doesn't existing assume they're a bot and ignore them or fall back in image CAPTCHA. It's also a really good way of preventing a bunch of sessions/tracking being created for bots that can add a lot of noise to your DB or overhead to your system performance.

Do lots of these JavaScript solutions work with screen readers? And the images minus a meaningful alt attribute probably breaks WCAG.

I think we must assume that this site will be subject to targeted attacks on a regular basis, not just generic drifting bots. If it becomes the first hit for programmers' searches, it will draw a lot of fire.

To me, that means that any CAPTCHA system cannot pull from a repeating list of questions, which a human can manually feed into a bot, in addition to being unguessable by bots.

CAPTCHAs check if you are human or computer. The problem is that after that a computer needs to judge whether you are human.

So a solution would be to let one user fill out a CAPTCHA and let the next user check it. The problem is of course the time gap.

How about just checking to see if JavaScript is enabled?

Anyone using this site is surely going to have it enabled. And from what folks say, the Spambots won't have JavaScript enabled.

Mollom is another askimet type service which may be of interest. From the guys who wrote drupal / run acquia.

Perhaps the community can come up with some good text-based CAPTCHAs?

We can then come up with a good list based on those with the most votes.

Our form spam has been drastically cut after implementing the honeypot captcha method as mentioned previously. I believe we haven't received any since implementing it.

My suggestion would be an ASCII captcha it does not use an image, and it's programmer/geeky. Here is a PHP implementation http://thephppro.com/products/captcha/ this one is a paid. There is a free, also PHP implementation, however I could not find an example -> http://www.phpclasses.org/browse/package/4544.html

I know these are in PHP but I'm sure you smart guys building SO can 'port' it to your favorite language.

I recently (can't remember where) saw a system that showed a bunch of pictures. Each of the pictures had a character assigned to it. The user was then asked to type in the characters for some pictures that showed examples of some category (cars, computers, buildings, flowers and so on). The pictures and characters changed each time as well as the categories to build the CAPTCHA string.

The only problem is the higher bandwidth associated with this approach and you need a lot of pictures that are classified in categories. There is no need to waste much resources generating the pictures.

I think they are working on throttling. It would make more sense just to disable CAPTCHA for users with 500+ rep and reset the rep for attackers.

Have you looked at Waegis?

"Waegis is an online web service that exposes an open API (Application Programming Interface). It gets incoming data through its API methods and applies a quick check and identifies spam and legitimate content on time. It then returns a result to client to specify if the content is spam or not."

How about showing nine random geometric shapes, and asking the user to select the two squares, or two circles or something.. should be pretty easy to write, and easy to use as well..

There's nothing worse than having text you cannot read properly...

Answering the original question:

• ASCII is bad : I had to squint to find "WOW". Is this even correct? It could be "VVOVV" or whatever;
• Very simple arithmetic is good. Blind people will be able to answer. (But as Jarod said, beware of operator precedence.) I gather someone could write a parser, but it makes the spamming more costly.
• Trivia is OK, but you'll have to write each of them :-(

I've seen pictures of animals [what is it?]. Votes for comics use a picture of a character with their name written somewhere in the image [type in name]. Impossible to parse, not ok for blind people.

You could have an audio fallback reading alphanumerics (the same letters and numbers you have in the captcha).

Final line of defense: make spam easy to report (one click) and easy to delete (one recap screen to check it's a spam account, with the last ten messages displayed, one click to delete account). This is still time-expensive, though.

@rob

What about a honeypot captcha? Wow, so simple! Looks good! Although they have highlighted the accessibility issue.. Do you think that this would be a problem at SO? I personally find it hard to imagine developers/programmers that have difficulty reading the screen to the point where they need a screen reader?

There are developers who are not just legally blind, but 100% blind. Walking cane and helper dog. I hope the site will support them in a reasonable fashion.

However, with the honeypot captcha, you can put a hidden div as well that tells them to leave the field blank. And you can also put it in the error message if they do fill it in, so I'm not sure how much of an issue accessibility really is here. It's definitely not great, but it could be worse.

@lance

Who says you have to create all the images on the server with each request? Maybe you could have a static list of images or pull them from Flickr. I like the "click on the kitten" CAPTCHA idea. http://www.thepcspy.com/kittenauth.

If you pull from a static list of images, it becomes trivial to circumvent the CAPTCHA, because a human can classify them and then the bot would be able to answer the challenges easily. Even if a bot can't answer all of them, it can still spam. It only needs to be able to answer a small percent of CAPTCHAs, because it can always just retry when an attempt fails.

This is actually a problem with puzzles and such, too, because it's extremely difficult to have a large set of challenges.

@pc1oad1etter I also noticed that after doing my post. However, it's just an idea and not the actual implementation. Varying the font or using different colours instead of bold/italics would easily address usability issues.

One option would be out-of-band communication; the server could send the user an instant message (or SMS message?) that he/she then has to type into the captcha field.

This imparts an "either/or" requirement on the user -- either you must enable JavaScript OR you must be logged on to your IM service of choice. While it maybe isn't as flexible as some of the other solutions above, it would work for the vast majority of users.

Those with edit privileges, feel free to add to the Pros/Cons rather than submitting a separate reply.

Pros:

• Accessible: Many IM clients support reading of incoming messages. Some web-based clients will work with screen readers.

Cons:

• Javascript-disabled users are now dependent on up-time of yet another service, on top of OpenID.
• Bots will cause additional server resource usage (sending the out-of-band communications) unless additional protections are implemented