Keeping CodeStore CAPTCHA-Free
I can't remember why but I tried to search for something on ipadforums.net and was presented with this CAPTCHA:
Now, aside from wondering why I'd need to pass a test just to search, just look at the test itself.
How would I describe that brand? I don't know. How should I describe it? Do you just want me to type T-Mobile in there?
Most likely I just type in "t mobile", but I didn't even try. I just left the site. Whose loss is that? Mine I guess, but theirs too!
It seems the CAPTCHA makers are having to get cleverer to out-wit the spammers, but, in doing so, they're out-witting the user too.
A CAPTCHA should be as simple as possible to solve and should require little or no thought on the part of the user. Like the one I added to a contact form recently:
Until recently I'd convinced the owners of the site to leave it CAPTCHA-free until it got to the point they couldn't cope with the amount of spam. The notion being that spam is their problem and not their users. They reached breaking point recently and so I added what I hope is a simple one.
How I Keep CodeStore CAPTCHA-Free
You may have noticed Codestore has always been CAPTCHA-free? How have I managed that? Using some fairly basic heuristics based on patterns I've noticed over the years running the site.
What I've noticed is that ~99% of responses to a blog post happen with the first 48 hours. Using this fact I then apply the following rules. If any of them are true it's gets auto-approved:
- Did it come from my IP address
- Did they enter an email address that has already been used for an approved post.
- Is the content link-free
- Is it less than 48 hours since parent document was published
These simple rules are used to set a field to "1" or "0" and that's what keeps the site spam-free for the most part.
What about false negatives though? Well, every two hours an agent emails me a list of spam it has blocked. The email looks like this:
As you can see, it's easy to spot the false negatives and to quickly scan-read over the rest. There's only about 1 every fortnight or so.
It's a bit of bind for me having to process an email every two hours, but then I'd rather that than you guys have to suffer a CAPTCHA.
There's always the chance I've missed some genuine posts at some point. There's noting I can do about that tough really.
Skip to the 
You can subscribe to an individual
Here is an article on it.....they somehow think it is great, that you have to watch or listen to an advertisement, and will then let you in, by asking you a question that you would only know, based on you paying attention to their advertisement.
But I am with you, I would avoid that, and not sit thru there BS.
http://mediadecoder.blogs.nytimes.c.. ..0/25/nucaptcha-engage-puts-security-feature-in-a-video/
Reply
"How would you describe this brand?" LOL...That's too funny!
Just think, that one CAPTCHA had to:
1) Start as an idea
2) Go through a review team
3) Get approved
4) Developed
If it's a large site, this was not just one person handling these functions. They must not have any sarcastic people working there.
Reply
I use the following.
1. Are all the input fields non-blank?
2. Is the hidden honey pot field correct? This prevents automated spammers.
3. Is the number of links less thsn my link threshold?
The only type of spam this does not catch is that of a person who goes to my website and enters a comment manually that is below the link threshold.
Some times they just enter a comment like "nice ..." with the web site link to their awful spam. To counteract this I've been thinking about removing the display of commenter's web sites.
I hav an RSS feed of my site's which look at anytime a comment is successfully posted.
Reply
I've honestly never minded CAPTCHA's, at least those that are easy to see (doesn't use both zeros and capital o's, that kind of thing). I have a feeling that these new types of CAPTCHA's (the question type) are more to stop overseas non-English speaking mechanical turks more than anything, and those are the ones I'm against.
Reply
Hi Jake,
But how many spam do you get every day?
The daily notification is useful, i use the same way for e-mail spam, but on my blog there ways days when i got 3 or even more spam messages per hour, so in a single daily notification is quite hard to find the false positives, in my opinion.
Since I also use Domino as HTTP server for my blog, first i tryed the SpamAssassin approach. But that needed a lot of rules to be quite accurate, and that means time to spend analyzing spam and ham messages and writing rules.
In the end i decided to save the posted comment in any case with the spam status. At this point I ask the user the captcha (dinamically created by a java agent). In this way I never had false positives or false negatives. An agent automatically deletes spam messages after a week.
If you want to try, feel free to post a comment on my blog to see the result :)
Reply
Numbers of spams per day varies. Massively. It seems to be as low as 10 a day at the moment. But, more normally, it's a hundred or more.
My notifications aren't daily though. There are 12 per day. Sometimes there's nothing to report. Sometimes the email only has about 3 "spams" in it. Sometimes dozens.
Yeah, there's a risk of missing a false negative. But, like I say, there are patterns you learn to spot and the real ones stand out like a saw thumb.
Most spam seems to happen over the weekend when the real comments never do, so (although I don't) I could probably just delete them all.
Reply
Ok, this make sense.
BTW Jake, I know you're not a Domino Developer anymore, but since i "professionally grew" with CodeStore blog about Lotus Notes/Domino i'd appreciate to have your opinion about NotePress, the blogging application i wrote for Domino.
You can find it on OpenNTF.
I hope I receive your feedback ;-)
Reply
I had looked at doing CAPTCHA's for a Coldfusion site recently and came across this google's reCAPTCHA project which is very ingenious and provides something useful for CAPTCHA's...
http://www.google.com/recaptcha
Reply