17 Nov 2010, 22:19

Bob Cochran (170 posts)

Ugh, these captchas are very hard to use. They are hard to see clearly! It makes it much, much harder for me to post from my Droid phone! What I dislike the most is that after taking the time to craft a thoughtful reply to someone, getting the Captcha wrong will result in my entire post being dumped in the bit bucket with no chance to redo the captcha! I have to redo my post all over again.

Considering this is a technical, software developer-focused forum, what does this say about the level of testing that has been put into implementing Captchas in production mode? Was it someone’s intent to trash perfectly legitimate posts as a reward for a typing error?

Bob

18 Nov 2010, 13:53

Diego Zamboni (69 posts)

I profoundly dislike the captchas. Since I have to be signed into my pragprog account to post, what is the point of having the captchas? Am I not supposed to be an authenticated user already? Was there a spam problem in the forums, and this is why the captchas were added?

Plus I agree with Bob that they are very often hard to make out correctly. I would strongly vote for getting rid of them if at all possible.

18 Nov 2010, 13:31

Travis Swicegood (116 posts)

While it might not be much help to those on mobile devices, there is a “refresh” button on reCaptcha. If a word is too hard to make out, just refresh and you’re on your way.

I kind of like reCaptcha just because of what it does. You’re helping digitize books as the second word is always a word that an OCR had trouble digitizing. Which also means (I think) that you can practically ignore the second word.

-T

Edit: Correction, you can ignore the first word - I just put in “ttt” for a three letter word and got through. :-)

18 Nov 2010, 13:58

Diego Zamboni (69 posts)

Travis - I didn’t know this about reCaptcha, I guess I had never bothered to click on the little question mark button. Now I dislike it a little less :)

18 Nov 2010, 17:08

Susannah Davidson Pfalzer (77 posts)

Good news, folks. We’ve fixed the captcha functionality to keep your post in case of captcha failure. Thank you for the feedback!

19 Nov 2010, 04:50

Bob Cochran (170 posts)

Diego certainly makes an excellent point that we are already authenticated via email address and password authentication, so why would authenticated users be required to enter captchas? The captchas I see (on my 24” widescreen monitor) are hard for me to read. I wear glasses for astigmatism and nearsightedness. For really low-vision users the task must be difficult indeed. If you happen to be both low-vision and deaf, I think you are really out of luck with these captchas. Plus making your users do extra work in order to express themselves…I don’t know.

I am sympathetic to the spam issue, but I do not think Captchas are a good solution. They look interesting at first but then they squeeze out small but important groups of people from posting. And sooner or later someone will figure out how to programmatically determine the content of a captcha and supply it for processing.

19 Nov 2010, 15:15

Diego Zamboni (69 posts)

Bob: I agree, the captcha should be at the account-creation stage (if it’s not there already), and not at the individual posting level. I don’t think this will stop me (or anyone who is interested enough) from posting, but it does pose an additional barrier.

As for solving captchas, spammers have figured out how to solve them, not programmatically, but using social engineering and the oldest trick in the book: offer people porn in exchange. Slightly NSFW link: http://blog.trendmicro.com/captcha-wish-your-girlfriend-was-hot-like-me/

As for programmatic methods and text-based captchas (those that ask you a question to which arguably only a human could provide an answer), Wolfram Alpha doesn't do too badly: http://joelvanhorn.com/2010/11/10/using-wolframalpha-to-hack-text-captcha/

19 Nov 2010, 20:25

Dave Thomas (337 posts)

Last week we had spammers create an account, then spam 780 messages into the forums.

People complained about that.

So I added captchas at the point of message creation. I used Google recaptcha, because it seemed to be widely used and popular.

I’m open to alternatives.

19 Nov 2010, 22:36

Bob Cochran (170 posts)

Dave, I am sympathetic to the problem you are facing. Have you analyzed the spam that you got – did you study it carefully? Was it all from just one account? Or were there several? How fast did the spam postings come in, was it 780 messages over a calendar week or was it 780 messages within an hour, or…? I think no person who truly wants to participate in your forums can post with great speed. So it seems to me that it might be possible for you to do the following.

Hold all posts for one clock minute

Count the number of posts from the same account

If the account has more than 3 posts within 20 seconds (based on the time the post comes in over the wire), suspend the account until the account holder calls customer support…or calls someone. I don’t think a legitimate poster can do > 3 posts within 20 seconds.

If the account has more than 10 posts pending within 20 seconds, close the account down.

I think that might be a great help in turning away spam.

If you have spam posts that trickle in steadily, like once every minute, you can apply the same logic.

Suppose someone creates a new account and then sends in posts once every hour. You can queue those, too, and perhaps programmatically scan them for “spam-ish” content.

I know my ideas are a little half-baked right now, I will give them more thought. I have other ideas too, that I will give thought to and post here over the weekend.

Bob
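The hold-and-count scheme proposed in the post above, sketched as an added example (not code from the thread or from the forum software). The class and function names are hypothetical, timestamps are plain seconds, and "suspend" and "close" are modelled as status strings; the sample traffic is constructed.

```python
from collections import defaultdict, deque

HOLD_SECONDS = 60      # "Hold all posts for one clock minute"
WINDOW_SECONDS = 20    # window used by both thresholds
SUSPEND_OVER = 3       # more than 3 posts in the window -> suspend
CLOSE_OVER = 10        # more than 10 posts in the window -> close

class HoldQueue:
    """Holds posts for HOLD_SECONDS and rates each account while they wait."""
    def __init__(self):
        self.pending = []                      # (arrival_ts, account, body)
        self.arrivals = defaultdict(deque)     # account -> recent arrival times
        self.status = defaultdict(lambda: "active")

    def submit(self, account, ts, body):
        """Record a post arriving at time ts (seconds); return account status."""
        window = self.arrivals[account]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        # Arrivals are counted even after suspension so a burst can escalate.
        if len(window) > CLOSE_OVER:
            self.status[account] = "closed"
        elif len(window) > SUSPEND_OVER and self.status[account] == "active":
            self.status[account] = "suspended"
        if self.status[account] == "active":
            self.pending.append((ts, account, body))
        else:
            # Drop everything still held for this account, not just the new post.
            self.pending = [p for p in self.pending if p[1] != account]
        return self.status[account]

    def release(self, now):
        """Return posts held for at least HOLD_SECONDS; keep the rest queued."""
        due = [p for p in self.pending if now - p[0] >= HOLD_SECONDS]
        self.pending = [p for p in self.pending if now - p[0] < HOLD_SECONDS]
        return [(account, body) for _, account, body in due]

def simulate(events, now):
    """Feed constructed (account, ts, body) events, then release at `now`."""
    q = HoldQueue()
    for account, ts, body in sorted(events, key=lambda e: e[1]):
        q.submit(account, ts, body)
    return q.release(now), dict(q.status)

# Constructed sample traffic: one human, one burst of 4, one burst of 12.
SAMPLE = [("bob", 0, "reply 1"), ("bob", 45, "reply 2")]
SAMPLE += [("burst4", 100 + i, f"spam {i}") for i in range(4)]
SAMPLE += [("burst12", 200 + i, f"spam {i}") for i in range(12)]
```

Because every post waits out the hold period, a burst detected on its fourth message also discards the first three before any reader sees them.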

19 Nov 2010, 23:36

Diego Zamboni (69 posts)

Dave, I really sympathize with you regarding the spam problem. Another alternative would be Akismet (http://akismet.com/), a spam filter that works very nicely: since it receives spam from all over the place, common spam types are normally blocked very quickly. I used it for a while when I had a WordPress blog and it worked very well. They have plugins for different systems.

20 Nov 2010, 21:10

Bob Cochran (170 posts)

I have not looked at Akismet. Interesting idea, that! Thanks for bringing it up, Diego.

Another idea. Why not offer me a public key certificate that would let me authenticate each post I make on the forums automatically through the login process? The login could be certificate based. Anyone who has a certificate-based login is exempted from using Captchas when posting. How would I get the certificate? I could apply for one, pay for it, and get an email containing an activation link 24 hours or so later. I don’t mind paying a $5.00 fee to help defray costs. Or I could get one free, provided to me in the same manner, on any order of both a print book and an ebook with Pragmatic Programmer.

I think a transaction involving a payment plus a waiting period to obtain the public key certificate would eliminate most or all spam robots.

Bob

21 Nov 2010, 18:40

Dave Thomas (337 posts)

Folks, I appreciate the suggestions.

I did analyze the spam: we get hit (or used to get hit) about once a week. Sometimes it was from a single account, sometimes from multiple accounts. Sometimes the posts were just a few a day, and other times they were blasted in.

I’ve considered a rate-based approach, and in a world where I had the time I’d love to investigate a queue-based, rate-limited approach. If I can eke out a spare hour or so, I’ll look into doing it. In the meantime, a quick (if obnoxious) captcha seems to have stopped the problem for now.
