Spam Bots and CAPTCHAs

A simple, but very effective phpBB antispam tool Textual Confirmation (TC) asks newly registering user a question. If the answer is wrong, TC rejects the registration.

How much questions do you need for the best protection? Hard to say, but definitely not 50.

Earlier or later, a cheap outsourced monkey answers some of your questions and adds the answer into the spammer’s database. As a counteraction, you need to change you question. When you have 50 questions, it’s a tedious task.

In my opinion, 2 or 3 questions is enough.

The Yahoo CAPTCHA is broken press-release reveals some numbers. I’m highlighting them:

It’s not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100 000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA.

So:
* 15% recognition rate is enough
* 1 cent per 1 CAPTCHA when using monkeys

According to the hmm… press-release (formally, it’s a blog entry, but the style is very press-releasish), the Yahoo CAPTCHA is broken.

(more…)

According to Wikipedia, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Recently it happended to bbantispam.com and bbspam.com. More precisely, it was not a DoS-attack, but a DoS-suicide.

(more…)

I already wrote about The best CAPTCHA ever — it’s a simple, but impressive looking math expression. Use of a scientific CAPTCHA is taking off. Now you can see one on the registration page of the library of Moscow Institute of Physics and Technology:

Translation:

(more…)