Read this
http://en.wikipedia.org/wiki/CAPTCHA
Then look at how the RTA implemented CAPTCHA
http://www.rta.nsw.go
Or just guess – yep not images but plain text...
I guess no one loves them enough to even send spam.
It's actually quite clever. It has hidden characters between the visible characters, so any bot that comes along and tries to cheat will need to take into account CSS rules.
Or just guess – yep not images but plain text...
I guess no one loves them enough to even send spam.
Well, actually... have you tried to copy and paste the word? It's not all that bad, very specific to the site with obvious easy workarounds... unless the separators change as well...
Or just guess – yep not images but plain text...
I guess no one loves them enough to even send spam.
Look a little closer at the code. There are hidden spans in between each letter.
Yeah, it is specific; as far as I can tell the separators are always full stops.
I would assume that the generator can be easily modified.
I actually like this. I'd just go with more than just "." as a hidden separator.
It's probably even harder to automate solving, because currently the spammers just OCR it or ship the image off to a human to solve.
This way, they haven't got an image to ship off to a 3rd party and the only way to OCR it would be to spin up a browser and screenshot the page and OCR that.
Some random/multiple positioning and the OCR way won't be easy.
At the very least it will require so much customisation for your site from the spam robots to make it not worth it for them.
FWIW, you would be surprised at how simple you can make spam protection and still have it work. For example, even though our sites are quite popular news sites we just use the simple "hidden field that should be left empty" to trick out robots that just fill in every field. That always works for a good few months after we change the field names for the robots to be modified for the new field name.
I actually like this. I'd just go with more than just "." as a hidden separator.
The only issue I have with their solution is that, I suspect, they have one global word that expires every few hours. So, instead of generating the captcha for each user, the captcha is reused in every form.
It wouldn't take much effort to make it even more effective.
I agree, the separators should also be randomised. The concept is good though – it should even work for screen readers...
Yeah, it was "debts" for me with something about 2 hours.
That's probably the biggest flaw if that's how they are doing it. A spammer only needs to check it manually 12 times a day and then spam away.
A spammer only needs to check it manually 12 times a day and then spam away.
Huh?
I managed to copy the value and paste it and submit nothing in any of the fields... I was told it was submitted OK – I wonder if it actually was – because if so – that's pretty ordinary..
For example, even though our sites are quite popular news sites we just use the simple "hidden field that should be left empty" to trick out robots that just fill in every field.
That's called a honeypot :)
Carpoint have an interesting one. In order to view the full car specs you need to get past the standard image captcha. Next, when it shows the specs, they are in a fixed width font and look normal. But it's when you highlight the text, when it looks weird. Looking behind the scenes for the word '4 Stroke' shows this:
<div class="doubledivrandom">
<div class="float">4 S r k </div>
<div class="absolute"> t o e</div>
<div class="clearboth"/>
</div>
FWIW, you would be surprised at how simple you can make spam protection and still have it work. For example, even though our sites are quite popular news sites we just use the simple "hidden field that should be left empty" to trick out robots that just fill in every field.
I like this idea. Then ban the IP of anyone that fills it out
Then ban the IP of anyone that fills it out
Which is REALLY flapping stupid considering you may be blocking a proxy, dynamic ip, or a static ip which ends up on a legit user at some point.
Then ban the IP of anyone that fills it out
I can see intentionally malformed packets taking out your entire site. Be careful with IP bans.
But it's when you highlight the text, when it looks weird. Looking behind the scenes for the word '4 Stroke' shows this:
<div class="doubledivrandom">
<div class="float">4 S r k </div>
<div class="absolute"> t o e</div>
<div class="clearboth"/>
</div>
Yep, a news site called MIS does the same.
Try and copy the text of that article.
<span class="security">d<span class="hidden">.</span>a<span class="hidden">.</span>y<span class="hidden">.</span></span><input name="security_word" type="Text" class="BodyTextNoMargin" size="6" maxlength="50" value=""/>
Not too hard to bypass if coded correctly.
Tell the program to remove any string between <span class="security"> and </span><input name="security_word" type="Text" class="BodyTextNoMargin" size="6" maxlength="50" value=""/> that matches <span class="hidden">.</span>
Then you have: day
That's a very crappy CAPTCHA implementation.
Not too hard to bypass if coded correctly.
There is no reason it couldn't be changed to have a random class name.
If enough parts of it are made random I think it could work very well.
If enough parts of it are made random I think it could work very well.
The thing is, it doesn't have to work "very well". It just has to be better than the others. And since the huge majority of feedback forms have no protection at all, spammers will just target those instead.
Yep, a news site called MIS does the same.
http://www.misaustra
Try and copy the text of that article.
That's all good and well, but... have you viewed that page in IE8?
Edit.. second time it worked. First time IE8 only gave me mumbo jumbo.
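Added example (not part of any post in the thread, and not the RTA's code): a server-side sketch of the hardening suggested above, with a word issued per session instead of one global word, one-time use with expiry, randomised hidden separators and class names, and the "leave this field empty" honeypot check. The names `WORDS`, `STORE`, `new_challenge` and `verify` and the in-memory store are assumptions for illustration.

```python
import hmac
import html
import secrets
import string
import time

WORDS = ["debts", "day", "stroke"]  # constructed sample word list
TTL_SECONDS = 600                   # assumed lifetime of one challenge
STORE = {}                          # session_id -> (answer, expires_at); stand-in for session storage

def rand_class():
    # Fresh class name per response, so a scraper cannot key on class="hidden".
    return "c" + secrets.token_hex(4)

def new_challenge(session_id, now=None):
    """Issue a challenge bound to one session; returns (css, markup)."""
    now = time.time() if now is None else now
    answer = secrets.choice(WORDS)
    STORE[session_id] = (answer, now + TTL_SECONDS)
    hidden, wrapper = rand_class(), rand_class()
    parts = []
    for ch in answer:
        parts.append(html.escape(ch))
        # 0-2 hidden decoys after each letter, drawn from letters and ".",
        # so the separator is not always a full stop.
        for _ in range(secrets.randbelow(3)):
            decoy = secrets.choice(string.ascii_lowercase + ".")
            parts.append(f'<span class="{hidden}">{decoy}</span>')
    css = f".{hidden}{{display:none}}"
    markup = f'<span class="{wrapper}">{"".join(parts)}</span>'
    return css, markup

def verify(session_id, typed, honeypot, now=None):
    """Check a submission; the challenge is consumed whether or not it passes."""
    now = time.time() if now is None else now
    answer, expires = STORE.pop(session_id, (None, 0.0))  # one-time use
    if honeypot:                 # hidden field was filled in: reject the post
        return False
    if answer is None or now > expires:
        return False
    return hmac.compare_digest(typed.strip().lower().encode(), answer.encode())
```

Rejecting the single submission when the honeypot is filled, rather than banning the IP, avoids the shared-proxy and dynamic-IP problem raised earlier in the thread.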