CAPTCHA added

Tuesday, 12th September 2006

Spammers have been getting even more obnoxious lately. They discovered the contact form here, and started using that to send me spam. So I added code to the CGI script to check the message body, and reject it if it contains links to web sites. Then they started exploiting a technical flaw in the way the message was being piped to sendmail, causing it to send me an e-mail full of gibberish, but CC the spammer so they could get my e-mail address. Neat trick! I'm now using a CPAN module to make sure all messages are properly encoded before piping to sendmail.

Recently though, they've begun just sending small legitimate-looking messages, saying things like “great site, keep up the good work!” They're trying to trick me into replying, so they can get my e-mail address. There's no good way to block these based on message content - I could block the exact strings they use, but they'll just use different ones, and it won't really solve the problem. So I decided to take a drastic step: adding a CAPTCHA.

A CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart,” can be implemented in a variety of ways, the most common of which is a graphical image of a handful of random letters that you must type into a form field. The image is distorted in such a way that it is very difficult for a computer to identify the letters, but humans should be able to do so. Unless they're blind, in which case an audio alternative is sometimes provided as well.

I decided to implement my CAPTCHA as a simple arithmetic problem. This should be easy for a computer to solve, but since it's unique, it won't be done without some kind of human intervention - someone would have to write a program to solve it, and I'm betting the spammers aren't that creative.

A friend suggested that instead of using numbers like “2+3” I should use words like “two plus three” to make it even harder for spammers to figure out. Unfortunately since my web site supports localisation, that means I'll have to translate it into however many languages I want to support... but since the vast majority of the site is only available in English, translating the CAPTCHA can definitely wait.
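The arithmetic check described above can be sketched as follows. This is an added example, not the site's own CGI code, and it is written in Python rather than the language of the original script. The signed hidden-field token, `SECRET_KEY`, `MAX_AGE` and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a CGI script starts a new process per request, so a real
# deployment would load this key from a protected file instead.
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE = 600  # seconds a challenge stays valid (hypothetical value)
WORDS = ["zero", "one", "two", "three", "four",
         "five", "six", "seven", "eight", "nine"]

def _sign(answer, issued):
    """HMAC over the expected answer and issue time; the key never leaves the server."""
    msg = f"{answer}:{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def new_challenge(use_words=False, now=None):
    """Return (question, token). The token goes in a hidden form field."""
    issued = int(time.time() if now is None else now)
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    question = f"{WORDS[a]} plus {WORDS[b]}" if use_words else f"{a}+{b}"
    # The answer itself is not in the token, only a MAC that depends on it.
    return question, f"{issued}:{_sign(a + b, issued)}"

def check_answer(token, submitted, now=None):
    """True only if the token is fresh and the submitted number matches it."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
        answer = int(submitted.strip())
    except (ValueError, AttributeError):
        return False  # malformed token or non-numeric answer
    if not 0 <= now - issued <= MAX_AGE:
        return False  # expired, or timestamp altered to lie in the future
    expected = _sign(answer, issued)
    # Compare as bytes so a non-ASCII token cannot raise TypeError.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A solved token stays valid until it expires, so the script would also need to record used tokens if replaying one correct answer within `MAX_AGE` is a concern.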

So try it out, if you feel like e-mailing me. Spammers have tried to send me mail 27 times since I fixed a bug in the logging code yesterday.

