
Non-graphical CAPTCHA when posting

Posted by sheik 
Non-graphical CAPTCHA when posting
February 07, 2006 11:26AM
Quick Link to the Module: [www.celerity.co.uk]

After being hit by 400+ automated spams twice in the last week I finally cracked and wrote this module (based on Arthur Louie's graphical captcha module for user registration).
I have only knocked it up quickly and the idea is also something I came up with without a great deal of thought, so I'm not making any claims that it is particularly secure.

Overview

(Note: the module has not yet been tested with Phorum v5.1.)
Adds a non-graphical CAPTCHA when posting, in an attempt to defeat automated spambots.
It is deliberately non-graphical to allow use by people who are vision-impaired or are using text-only browsers.
The way it works by default is to ask your visitors to pick a code containing an animal from a list.
e.g. they may see:

book17, mouse187, biscuit54, trousers512


They would be expected to type (or copy/paste) "mouse187" into the relevant box.

If you really want to annoy people, you can also make registered users complete the CAPTCHA.

The word list and instructions can be customised according to your site, so for example, if you run a computer gaming site, it might be reasonable to ask your visitors to be able to identify the Nintendo character from the following list:

masterchief17,horace14,yoshi200,pacman98


You may ask why I don't just make my forums read-only for guests. The reason is that I believe this harms the site community in the long run. If at all possible, I want casual new visitors to my sites to be able to post without having to register - otherwise they may not post at all.

Implementing a usable CAPTCHA system is a tricky problem, so if you have criticisms or ideas please post here.

Download Link to the Module: [www.celerity.co.uk]

Example post forms with the module enabled for non-registered users:

(fairly) normal CAPTCHA: [www.cantonese.sheik.co.uk]
Example with a customised CAPTCHA: [www.moviedeaths.com]

(click "post" on either site to see the CAPTCHA, but please don't actually enter the right code, as these are live sites)
UPDATE: I've had to make the above request bold, as some people obviously can't read :(.
To reiterate, I'd rather not have posts on my live sites by people that are "just testing the CAPTCHA". Surely that isn't too much to ask?!

/\dam

--
My notable Phorum sites:
Movie Deaths Database - "review comments" system mostly powered by Phorum
Learn Chinese! - integrated forum quiz

Edited 5 time(s). Last edit at 03/08/2006 10:11AM by sheik.
Re: Non-graphical CAPTCHA when posting
February 07, 2006 11:49AM
Nice-to-have list:
- make moderators never see CAPTCHA.
- incorporate some kind of timed session, where registered users only have to pass the CAPTCHA once every x minutes.

/\dam

Re: Non-graphical CAPTCHA when posting
February 07, 2006 11:58AM
I didn't try it out yet, but I like the idea of doing it this way! I have always been somewhat reluctant about the image checks because of vision-impaired people who can't use that kind of system in lots of cases. This system forms a nice bump in the road for anonymous spambots.

Some thoughts on security:

It's less secure than using images. The codes that are used are not too hard to recognize by their current format, so spammers could simply try over and over again to post the message. At some point they will get lucky. When they get lucky, they could even let their tools learn the successful word.

You could keep track of failed tries in the user data and automatically disable the user when too many failed tries are made within a short period of time.


Maurice Makaay
Phorum Development Team
Re: Non-graphical CAPTCHA when posting
February 07, 2006 12:07PM
I guess it's mostly non-registered users doing that kind of crap ;)


Thomas Seifert
Re: Non-graphical CAPTCHA when posting
February 07, 2006 12:17PM
@Maurice, yes, it is definitely not as secure as images.
I've been trying to balance usability with security - so, for example, I could append an 18-digit string to each "code", which would make it more secure, but there are plenty of users who don't even know how to copy/paste, so they would find it a nightmare.

@Thomas, exactly right, all my spam currently comes from unregistered users, and I don't want to make registration on my sites compulsory in order to post.

I actually played around with a few textual CAPTCHAs. Some gave more permutations for words, e.g. "blue_mouse_723", "scared_vole_12", etc.; some relied on mathematical ability, e.g. "please subtract 9 from twelve", etc. I came to the conclusion that it isn't trivial to come up with a challenge that would be understood by everyday users who may only speak English as a second language.

My solution has been live for an hour or so and seems to be working - I don't pretend it is the best solution though, and I expect I shall still get some complaints!
@Maurice: I also expect you may find some bugs if you install it to your famous test forum :)

/\dam

Re: Non-graphical CAPTCHA when posting
February 07, 2006 12:51PM
Oops, just noticed the settings weren't being properly saved.
v0.2 has now been uploaded to the same link.

/\

Re: Non-graphical CAPTCHA when posting
February 07, 2006 01:08PM
By the way, the way this module prevents the action of posting is to set the "preview" flag. So users who fail the CAPTCHA will be presented with the normal preview screen, an error message telling them they've failed, and a new CAPTCHA.

I'm not sure if this was the best way to deal with a failed post - but I didn't want anybody to lose their message due to a careless typo.

/\dam

Re: Non-graphical CAPTCHA when posting
February 08, 2006 05:53AM
Added to the Wiki.

/\

Re: Non-graphical CAPTCHA when posting
February 08, 2006 07:01AM
One issue I hadn't considered is the number of CAPTCHA files generated by this technique. An empty file is created every time the "post" form is displayed, which on my forums quickly leads to many thousands of files created on the server. I currently have a cron job wiping the files every 30 minutes, but it isn't an ideal solution.

I'm considering using a template hack to only ever show the "preview" button rather than the "post" button. This would mean the captcha would only be generated for genuine posters, rather than people just browsing.

What do you think, and what would be the best way to hide the "post" button? I could do it in the template with PHP, but is there a pure "template code" solution to only show the button if in preview mode?

Thanks,

/\dam

Re: Non-graphical CAPTCHA when posting
February 08, 2006 09:10AM
There's no such solution, unless you want to fall back on JavaScript code that is run to hide the button from the viewer (not too pretty). But I think that not having a post button isn't really sensible for this form somehow. Your users will probably dislike you for forcing them into previewing before posting :)

Can't you create the captcha in a user field in the database instead of on-disk?


Maurice Makaay
Phorum Development Team
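As an added illustration (not the module's own PHP, and not code from anyone in this thread), here is a standalone Python sketch of the "pick the animal" challenge that ties together two points raised above: Maurice's suggestion of counting failed tries and locking the client out, and the file-per-form-display problem. Instead of an on-disk file or a database user field, it commits to the expected answer with an HMAC in a signed, expiring token carried by the form itself; the token does not contain the answer, and each token is accepted once. The word lists, secret key, lifetime and failure threshold are all constructed assumptions.

```python
import hashlib, hmac, os, secrets, time

# Constructed sample word lists; the real module makes these configurable.
ANIMALS = ["mouse", "vole", "otter", "badger"]
DECOYS = ["book", "biscuit", "trousers", "kettle", "pencil"]
SECRET = os.urandom(32)      # assumption: a per-site key kept server-side
TTL = 15 * 60                # assumption: a challenge is valid for 15 minutes
MAX_FAILURES = 5             # assumption: lock a client out after 5 failed tries

used_nonces = set()          # server state: each challenge may be answered once
failures = {}                # server state: client_key -> consecutive failed tries

def _mac(answer, nonce, expires):
    """Commitment to (answer, nonce, expiry); reveals nothing about the answer."""
    msg = f"{answer}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_challenge(rng=secrets.SystemRandom()):
    """Return (options shown to the user, token to embed in the post form).

    Nothing is written to disk: the token is nonce|expiry|mac, so showing the
    form to a thousand browsers creates no server-side files at all."""
    answer = rng.choice(ANIMALS) + str(rng.randrange(10, 1000))
    options = [w + str(rng.randrange(10, 1000)) for w in rng.sample(DECOYS, 3)]
    options.append(answer)
    rng.shuffle(options)
    nonce, expires = secrets.token_hex(8), int(time.time()) + TTL
    return options, f"{nonce}|{expires}|{_mac(answer, nonce, expires)}"

def verify(client_key, submitted, token, now=None):
    """True only for a correct, unexpired, unused answer from a non-locked client.

    A blind guess still wins 1 time in 4 per fresh challenge, which is exactly
    why the per-client failure counter exists."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    ok = False
    if failures.get(client_key, 0) < MAX_FAILURES and len(parts) == 3 and parts[1].isdigit():
        nonce, expires, mac = parts
        ok = (int(expires) > now and nonce not in used_nonces
              and hmac.compare_digest(mac, _mac(submitted.strip(), nonce, int(expires))))
    if ok:
        used_nonces.add(nonce)       # burn the token so the same form cannot be replayed
        failures.pop(client_key, None)
    else:
        failures[client_key] = failures.get(client_key, 0) + 1
    return ok
```

The failure counter here is in-process memory; a real deployment would key it by something like the client address in a shared store so that the count survives across requests and server processes.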