$1.39 for 1000 decoded CAPTCHAs (deathbycaptcha.com)
101 points by marcog1 on April 22, 2011 | 52 comments



An interesting idea would be a browser extension which users can pay or subscribe a nominal fee (eg $2 a year) which hooks up to this service so the user would never need to manually enter a captcha.

It would detect a captcha on a page the moment the browser renders the field and it would be completed in ~15 seconds by the time the user scrolls down to the form and completes the other parts.


Funny you should say that... We (my former classmate and I) built a prototype for that a year ago, but life happened and I never got around to making it into a product. If anyone entrepreneurial is interested in solving that problem (especially for blind people!), I'd love to make it happen. :)


Stuff like this is exactly why captchas are outdated... they don't stop the real spammers, and just annoy your users.

With most captchas I have to try 3-4 times before I can actually spell out what the image is showing. The only exception is ReCaptcha, those tend to be easy to decipher.

I wonder if 3-4 years down the line, everyone will continue using captchas... even when they stop working as a method to fight spam.


Only if you define "work" as blocking 100% of spam.

The evidence that they work is right in front of you. The incremental cost of posting 1000 spam comments went from basically zero to $1.39.

I use ReCaptcha on my sites and, as far as I can tell, the only spam getting through is humans (typically with .cn hostnames) manually entering the CAPTCHA. Meanwhile it's blocking 100s of dumb, automated attempts.


It depends on what you are doing it for. If you've found site(s) that don't use rel=nofollow, $1.39 for 1000 users is a pretty good deal, especially if the CAPTCHA is stopping the vast majority of spammers from making the link juice worthless.

I'd pay $1.39 for 1000 links from sites that haven't been spammed to death without thinking about it.


You should be using something unique to your site in addition to the widely-used countermeasures. Until your site is worth targeting explicitly, that little bit of custom code can make it uneconomical to spam your site.

You can also join with others who work to stop this kind of spam. For example, Project Honeypot ( http://www.projecthoneypot.org/ ) offers honeypots to trap all kinds of spammers, including comment spammers.

If you're expecting some kind of 100% solution to spam, I doubt that will ever happen. The best anyone can do is combine a bunch of decent solutions, preferably in unique combinations, and hope to reduce spam to a manageable level. If one countermeasure blocks 50% of spam and another 70% and another 90% and their failures are independent, you're down to 0.5 x 0.3 x 0.1 = 1.5% of spam getting through. Chain enough partial solutions together and you get something better than any one alone.


Only if those partials don't overlap. If your 70% solution also blocks the same 50%, then it's not .5*.3, it's just .3.


The assumption was that the solutions were chained and that they would never see the things that failed before that. But I guess I only stipulated that the failures were independent, when the math I wrote meant that the successes should be independent, as well.
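The independence argument in the two comments above, worked through on a constructed corpus as an added example (not code from the thread). The 1000 "spam messages" are a 10x10x10 grid of three feature values, and the four filters are hypothetical predicates chosen so that their block rates are exactly 50%, 70% and 90%. Two of them key on the same feature, which is the overlap case the reply describes.

```python
"""Pass-through rate of chained spam filters: independent versus overlapping.

Constructed example. Messages are synthetic: every combination of three
features (a, b, c), each in 0..9, giving 1000 items. Filters are hypothetical.
"""
from itertools import product

# Constructed corpus: the three features are independent by construction.
MESSAGES = [{"a": a, "b": b, "c": c} for a, b, c in product(range(10), repeat=3)]


# Hypothetical filters: each returns True when it blocks the message.
def filter_a_50(msg):
    """Blocks 50% of the corpus, keyed on feature a."""
    return msg["a"] < 5


def filter_b_70(msg):
    """Blocks 70%, keyed on feature b (independent of a)."""
    return msg["b"] < 7


def filter_c_90(msg):
    """Blocks 90%, keyed on feature c (independent of a and b)."""
    return msg["c"] < 9


def filter_a_70(msg):
    """Blocks 70%, but keyed on the SAME feature as filter_a_50: everything
    filter_a_50 blocks, this one blocks too."""
    return msg["a"] < 7


def block_rate(f, messages=MESSAGES):
    """Fraction of the corpus a single filter blocks."""
    return sum(1 for m in messages if f(m)) / len(messages)


def pass_through_rate(filters, messages=MESSAGES):
    """Fraction of messages that survive every filter in the chain.

    Order does not matter for the final rate: a message gets through only if
    no filter blocks it, whichever filter sees it first."""
    survivors = [m for m in messages if not any(f(m) for f in filters)]
    return len(survivors) / len(messages)


def independent_estimate(block_rates):
    """The product-of-failures estimate from the comment: prod(1 - p_i).
    Only valid when the filters' decisions are independent."""
    rate = 1.0
    for p in block_rates:
        rate *= 1 - p
    return rate


if __name__ == "__main__":
    chain = [filter_a_50, filter_b_70, filter_c_90]
    print("independent chain, measured :", pass_through_rate(chain))
    print("independent chain, estimated:",
          independent_estimate([block_rate(f) for f in chain]))
    overlap = [filter_a_50, filter_a_70, filter_c_90]
    print("overlapping chain, measured :", pass_through_rate(overlap))
    print("overlapping chain, estimated:",
          independent_estimate([block_rate(f) for f in overlap]))
```

With independent filters the measured pass-through matches the estimate (1.5%). Replace the 70% filter with one that keys on the same feature as the 50% filter and the measured rate is 3%, twice the estimate, because the 50% filter adds nothing the 70% filter did not already block. The practical check before trusting a product-of-rates number is therefore to measure each filter's catch on the set of samples the previous filters missed, not on the whole corpus.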


They do stop real spammers, as a real spammer works on extremely high volume and the cost of doing the captcha is way too expensive to do at the numbers they are at.

I do agree that they are outdated.


Agreed, "spammers" are not the people who use CAPTCHA breaking.

The people that use it have very specific purposes in mind. Spamming through CAPTCHA'd systems makes little sense as it costs too much. That said, there are many businesses, large and small, that use breakers to engage in commerce.


Actually, I managed a reasonably large scale free email operation and spammers DO spend money solving captchas.

We had this issue with spammers where after sending 50 emails a day we would ask users to solve a captcha after each email sent. That didn't work.

Upon further investigation and adding some code to track keypresses, we discovered the reason: it had been humans all along, sending spam semi-manually from a cybercafe/sweatshop in Nigeria using an add-on like Roboform as an aid. And yes, these were the usual H3rb4l V14gr4 spammers as well as some Nigerian Princes.

While there is poverty, Captchas are necessarily broken.


Interesting, good to know :)


Spammers are the ones who use it extensively and that's why such a service was born. The percentage of people using it for other purposes would be infinitesimally small.

You can't directly attach value to the money they spend on this. They create accounts on many services like Gmail, Yahoo, Hotmail, etc for email spamming and they need to use these services for the tools that they purchased to work. These tools basically automate everything except the captcha solving part.


Captchas are not outdated. They are good against brute-forcing passwords, for example: 10 unsuccessful login attempts -> please use a captcha. Since brute-forcing takes millions or tens of millions of attempts, it becomes uneconomical.


Another method is to pause for an exponential delay after each failed attempt. This makes it prohibitively slow to brute force.


The benefit of the captcha method is that your account can't be DOSed -- the legitimate user can still get in by entering one captcha, which is much better than, say, having to wait for an hour.
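The two throttling policies compared in the comments above, implemented side by side as an added example (not code from the thread). The parameters are assumptions: a CAPTCHA is demanded after 10 consecutive failures, and the back-off policy waits 2**n seconds after the n-th failure, capped at an hour. The scenario functions play out the case the last comment describes: an attacker burns failures against someone else's account, then the real owner shows up with the right password.

```python
"""Per-account login throttling: CAPTCHA gate versus exponential back-off.

Added example; policy constants are assumptions, not taken from the thread.
"""

CAPTCHA_AFTER = 10   # assumed: consecutive failures before a CAPTCHA is required
MAX_DELAY = 3600     # assumed: cap on the exponential back-off, in seconds


class CaptchaGate:
    """After CAPTCHA_AFTER failures the account requires a solved CAPTCHA.

    The owner is never locked out: one CAPTCHA plus the right password gets in,
    while an attacker has to pay for a CAPTCHA on every further guess."""

    def __init__(self):
        self.failures = {}  # username -> consecutive failed attempts

    def needs_captcha(self, user):
        return self.failures.get(user, 0) >= CAPTCHA_AFTER

    def attempt(self, user, password_ok, captcha_ok=False):
        if self.needs_captcha(user) and not captcha_ok:
            return "captcha_required"
        if password_ok:
            self.failures[user] = 0  # reset only on success
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad_password"


class BackoffGate:
    """After the n-th failure the account is locked for min(2**n, MAX_DELAY) s.

    Anyone who can submit wrong passwords for the account can keep it locked,
    so the owner, not the attacker, pays the cost of the attack."""

    def __init__(self):
        self.state = {}  # username -> (failures, not_before)

    def attempt(self, user, password_ok, now):
        failures, not_before = self.state.get(user, (0, 0))
        if now < not_before:
            return "locked", not_before - now  # seconds still to wait
        if password_ok:
            self.state[user] = (0, 0)
            return "ok", 0
        failures += 1
        delay = min(2 ** failures, MAX_DELAY)
        self.state[user] = (failures, now + delay)
        return "bad_password", delay


def scenario_captcha():
    """Attacker fails 10 times, then the owner logs in with the right password.
    Returns (owner without CAPTCHA, owner with CAPTCHA)."""
    gate = CaptchaGate()
    for _ in range(CAPTCHA_AFTER):
        gate.attempt("alice", password_ok=False)
    without = gate.attempt("alice", password_ok=True)
    with_captcha = gate.attempt("alice", password_ok=True, captcha_ok=True)
    return without, with_captcha


def scenario_backoff():
    """Attacker re-fails the moment each lock expires, 10 times; the owner tries
    one second after the 10th failure. Returns (status, seconds locked out)."""
    gate = BackoffGate()
    t = 0
    for _ in range(CAPTCHA_AFTER):
        fail_at = t
        _, delay = gate.attempt("alice", password_ok=False, now=fail_at)
        t = fail_at + delay  # next attacker attempt as soon as the lock lifts
    return gate.attempt("alice", password_ok=True, now=fail_at + 1)


if __name__ == "__main__":
    print("captcha gate :", scenario_captcha())   # ('captcha_required', 'ok')
    print("back-off gate:", scenario_backoff())   # ('locked', 1023)
```

In the back-off scenario the owner is told to wait 1023 seconds even though they typed the correct password, and the attacker can extend that indefinitely by failing once more each time the lock lifts. A common compromise is to apply exponential delay per source address and the CAPTCHA gate per account, so a distributed attacker cannot deny service to the account while a single-source attacker still gets slowed down.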


Who do you consider "the real spammers"? Stopping a majority of spammers is what makes my life easier.


Like screen savers on LCDs?


Okay, so bad guys can bypass captchas really easily now for pretty cheap. Anyone want to make a GM script or something so normal people can use this as well to answer youtube and other captchas? I'd pay $1.39 to not have to type captchas in for a month or so of just normal internet use. I'm not trying to spam, just communicate.. Death TO captchas.


The obvious next step is to use comments as CAPTCHAs: "which of these 3 comments is spam?" Then, use the CAPTCHA-breaker that results to filter spam.


That could actually work if you did it the reCAPTCHA way, i.e. "which two of these three comments are spam?" Where one of the three is already known to be spam. Of course the chance of getting it right by guessing is pretty high but there may be ways around that (by showing more confirmed non-spam comments perhaps). A cool start-up idea right there!
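The reCAPTCHA-style scheme sketched in the two comments above, as an added example (not code from the thread): each challenge mixes one comment whose label is already known (the control) with comments whose label is unknown. Only the control decides whether the user passes; answers on the unknown comments are recorded as votes, and a comment is labelled once enough users who got the control right agree. The vote threshold and agreement fraction are assumptions.

```python
"""Comments-as-CAPTCHA with a known-label control item, reCAPTCHA style.

Added example. Thresholds are assumptions; comment ids are constructed.
"""
import random

VOTES_TO_LABEL = 3  # assumed: votes needed before an unknown comment is labelled
AGREEMENT = 0.75    # assumed: fraction of those votes that must agree


class CommentCaptcha:
    def __init__(self, known, unknown, rng=None):
        self.known = dict(known)                   # comment id -> True if spam
        self.unknown = set(unknown)                # ids still being voted on
        self.votes = {cid: [] for cid in unknown}  # id -> list of bool votes
        self.rng = rng or random.Random(0)

    def challenge(self):
        """One control plus up to two unknown comments, shuffled so the
        control cannot be identified by its position."""
        control = self.rng.choice(sorted(self.known))
        picks = self.rng.sample(sorted(self.unknown), min(2, len(self.unknown)))
        ids = [control] + picks
        self.rng.shuffle(ids)
        return ids

    def grade(self, ids, marked_spam):
        """ids: the list returned by challenge(); marked_spam: the ids the user
        says are spam. Returns True if the control was answered correctly.
        Votes on unknown comments are kept only from users who passed."""
        control = next(c for c in ids if c in self.known)
        passed = (control in marked_spam) == self.known[control]
        if passed:
            for c in ids:
                if c in self.unknown:
                    self.votes[c].append(c in marked_spam)
                    self._maybe_label(c)
        return passed

    def _maybe_label(self, cid):
        """Promote an unknown comment to the known set once votes agree."""
        v = self.votes[cid]
        if len(v) < VOTES_TO_LABEL:
            return
        spam_frac = sum(v) / len(v)
        if spam_frac >= AGREEMENT:
            self.known[cid] = True
        elif spam_frac <= 1 - AGREEMENT:
            self.known[cid] = False
        else:
            return  # still contested; keep collecting votes
        self.unknown.discard(cid)
        del self.votes[cid]


def demo():
    """Three honest users agree on two unknown comments; one guesser fails.
    Returns (pass results, final known labels)."""
    cc = CommentCaptcha(known={"k1": True, "k2": False},
                        unknown=["u1", "u2", "u3"])
    results = []
    for _ in range(VOTES_TO_LABEL):  # honest users: u1 is spam, u2 is not
        results.append(cc.grade(["k1", "u1", "u2"], {"k1", "u1"}))
    results.append(cc.grade(["k2", "u3"], {"k2"}))  # guesser marks the control
    return results, dict(sorted(cc.known.items()))


if __name__ == "__main__":
    print(demo())
```

The caveat from the second comment applies: with a single control item a guesser passes half the time, so the control answer alone is a weak gate; requiring several challenges in a row, or more than one control per challenge, brings the guess rate down, at the cost of more work per legitimate user. Votes from users who fail the control are discarded so that guessers do not poison the labels.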


This is a great service. Haven't used it on a large scale but for a few small projects worked very well.


Spamming projects?


Nope. But I used the service for automating data scraping.


I wonder what the rate of return on something like this is. I don't know about anyone else, but I NEVER click on, let alone buy from, people spamming links in comment threads. Do you?


From Cyprus, I see.

Does this service break any EU directives or "laws"? There should be a law for that (even if similar services pop up elsewhere in the world).


To prevent what? Data entry? I've also noticed that quite a few shady companies I've seen register their companies and bank accounts in Cyprus and live/operate elsewhere. I'm assuming it provides some kind of legal benefit but I don't know what.

edit: note about Cyprus


I bet you're right. They probably operate elsewhere and use Cyprus for whatever reason.


Low tax rate, part of the EU and not blacklisted by OECD. But they do conform to EU legislation.


The difference between a real user and these types of services is mainly the latency; an effective counter would rely on this fact. One idea would be some kind of game that would be easy for users with low latency to play for a few seconds and win but would be impossible for the proxied Filipinos.


Let's see them solve the "pick out the cats" (from dogs) captcha.

Or simple math problems at random.


I've burned through thousands of credits at deathbycaptcha on some "darker" projects of mine, they have a nice service. Depending on the kinds of links you're building, they can be extremely cost effective. If you're going for high volume crappy links, they aren't worth it.

here's a good ruby library for using this service: http://rubygems.org/gems/deathbycaptcha


Can you give an example of some of the "darker" projects?


Automated forum account creation/posting, blog comment spamming, craigslist account creation/posting to name a few.

Some other famous sites that are doing this since the mid 2000s - http://decaptcher.com

They integrate with just about every famous spam tool.

UPDATE: Automated Gmail, Yahoo, Hotmail account creation, etc. They create accounts in bulk and then spam through the gmail, yahoo, and hotmail accounts by tools that are being sold.


Forum spamming is far too expensive if you're paying for captchas. There is an extremely famous/popular forum spamming software on the market (made by Russians) that internally solves captchas.

If you're going to forum profile spam, you'll go broke paying for captchas.


OK, I stand corrected. The economics of paying for forum spamming does not make sense, and the software you mentioned (I don't want to name it here) does solve many captchas automatically (it is even rumored to solve Google's captchas).

But for other stuff that I mentioned in my previous comment, it does make sense for them economically and they do use it.


I'm not sure why you wouldn't want to provide names or links here. I'm sure if HN users want to spam we're resourceful enough to figure it out for ourselves and for those of us who don't care to spam it would be helpful to see what we're up against.


Yes I did mean that. I didn't mean to insult the intelligence of HNers though. Just thought it wouldn't be prudent to mention here!


Oh you mean XRumer?


Sure. Familiar with a link wheel? Basically creating accounts at major authority sites (wordpress.com, blogger, blog.com, etc.) and then posting articles to those sites that link back to the site you're trying to rank for.

Using something like Celerity or Watir for Ruby, combined with this captcha service, you can essentially automate the entire process.

Building a bot to do something like that really teaches you a ton about how you would prevent such activity on your own systems.


> Building a bot to do something like that really teaches you a ton about how you would prevent such activity on your own systems.

Care to share some of what you've learned? Or is this an exercise left to the reader?


Two of the bigger ones:

1) if you're using a popular CMS platform, ELIMINATE ALL FOOTPRINTS. Change all url strings from the default, remove standard text/descriptions on signup and comment forms. Kill anything that can be scraped against the rest of the installs to hide your own sites from the scrapers the spammers use to find you.

2) Tap into distributed spam prevention systems. Akismet is probably the most popular example. Your single site will most likely miss the indicators of a spammer, but a system like Akismet can see the 10000 links all pointing to the same url in one hour and lock things down for you.

I've legitimately thought about doing a talk at a Wordcamp one day called "How I Spam You" that just walks people through how to spam wordpress, so they can then go protect their sites.


I bet the talk would be popular, even though you personally might not be :D


This is despicable. People have CAPTCHAs to keep you idiots out; can't you respect this?


We probably shouldn't talk about viruses or security flaws, either -- might give someone the idea that it's ok to break into a machine. We ought to respect it by not discussing such things.


"We probably shouldn't talk about viruses or security flaws, either -- might give someone the idea that it's ok to break into a machine. We ought to respect it by not discussing such things."

I interpreted the OP to be more disgusted at someone making a business out of actively circumventing a control than at us discussing that it exists.

That is a bit different than discussing the existence of flaws. In this case it's making money off actively exploiting the flaws.


This sort of thing is inevitable whenever you have a flawed system which incentivizes this type of activity. If anything it only raises awareness to how we should stop using captchas because they simply don't work.


That's like saying "guns don't work because sometimes when you shoot someone they survive." Guns and captchas work; you just don't like being shot at, or having to guess at obfuscated letters.


Captchas also keep out some legitimate users[1]. I have to screenshare/visit my father fairly often because he runs into trouble deciphering non-recaptcha captchas for the most part (he's low vision with some other vision problems). The only saving grace of recaptcha and a very select few alternatives (google comes to mind) is the audio captcha he can at least listen to.

I would gladly consider working on a browser extension that implements this service for his sake. It's a double edged sword, and really, if your spam prevention relies heavily on captchas, it's not feasible in the long term anyway. This is not the first or last or cheapest service to break them.

I haven't even gotten started on my own personal gripes about captcha abuses. Top on my list right now is one I'm going to encounter again on my flight later today: gogo inflight wifi asking me to fill out a captcha after payment...on wifi on a plane 35000 feet up in the air in the middle of California. Talk about pointless.

1. http://www.w3.org/TR/turingtest/ lists some interesting alternatives to captchas that may work for lower traffic sites.


Have you seen http://www.webvisum.com/? It's a Firefox addon that sends CAPTCHAs for remote solving. I haven't tried it because registration requires human approval.


That's what I said to my flu virus!


Wow. These guys even know customer support. They are here to help you spam other people.

Taken from their website:

Contact We’re here to help you! Please send us a message to any of the emails below: Technical Support Payment Support System Admin



