2006
05.27

Bye bye, Captcha

Captcha! was my 2nd plugin. When I started creating it, I knew this solution wasn’t very suitable for this system, nor was it going to last forever. At that time I was using WP 1.5, and didn’t know Akismet. I had already seen other Captchas, but they looked rather weak to me.

With the arrival of WordPress 2.0, Akismet had already become a mature solution. However, many people complained that it slows down the blog system. A friend even told me that it sometimes gives false positives (valid comments marked as Spam by mistake). Furthermore, if you get a lot of Spam, examining the Spam queue to look for false positives can be tedious.

With Captcha! I never had such problems. Since I installed it, I have only got 2 spam comments. Believe it or not, there are people out there trying to break captcha security codes using OCR techniques, like Pwntcha and this other one, which asserts that bypassing HN_Captcha is a task of one evening (personally I think it is a company trying to sell its product, and that Captcha! is a free and quite reliable solution). Although Captcha! was initially based on the HN_Captcha PHP class created by Horst Nogajski under the GPL license (Thanks, Horst!), I made several modifications to make it stronger.

I studied Computer Science and learned that Captcha! is not an elegant solution: I made a rather complex JavaScript to hide the original submit button (a script which doesn’t work on all WordPress templates), and it needs external files (the TTF fonts from Dafont; I don’t bundle them with the plugin to avoid license problems).

But the worst is that it puts your users out: another friend had some difficulty posting a comment, and even got a bit impatient. I’ve found myself in trouble when trying to leave a comment on other people’s blogs using this plugin, and last but not least: users with some vision problems could really have a hard time with Captcha!. I agree the Internet is a mostly visual medium (although this will change), but a blog’s main purpose is to transmit data content, not to offer beautiful designs (other kinds of websites are for that; well, that’s my point of view).

In short, captchas bother the readers who were supposed to be protected. Why not create an antispam protection system that bothers machines instead of people? I thought of a cryptographic solution, maybe using JavaScript (AJAX). But it wasn’t necessary. A Computer Science Senior had already had that idea and has created WP-HashCash, which does exactly that.

I’ve installed it on my system and disabled Captcha!. It’s working perfectly. No Spam, no Captcha, and no user problems. :) So why keep on developing Captcha!? Is it worth the hassle? No, it isn’t.

Captcha! does not give me any revenue. I don’t earn money from this but spend a lot of time giving free support to people. In fact, I ended up giving support to people and maintaining this blog rather than posting articles (which is what this blog is supposed to be for).

Maintaining Captcha! is tempting. Even though I’ve stopped using it, other users might still want it. Since I started developing the XSPF player plugin and Captcha!, my website has got a lot of visits. I could keep on developing Captcha! simply to keep being visited more, but I won’t. It’s the power of the link and the ego, as I explained in a previous post, that compelled me to do that: to be visited, to be known, to become famous :D

But giving free support during my spare time is not worth the hassle (I already get paid for that in my current work), because it prevents me from doing other things I’d like to do, e.g. writing posts! ;) There are other ways to attract visits to my blog, and developing plugins is not a good one: when people get here looking for Captcha! or XSPF Player, they won’t stop to read other areas. Instead, they just download the plugin and won’t come back unless they get into trouble. I have my inbox flooded with messages asking for and sometimes *demanding* support for what is supposed to be a hobby for me (nobody even makes a donation, by the way). And I ended up feeling like a slave to giving free support to people I don’t even know, instead of spending my time fixing my own problems. Many people want things quick and easy (modern times) or they get frustrated and upset. I also need *my time*, and developing Captcha! took me many hours a day this last year. I have two systems to test it on, but there are lots of alternative blog configurations out there on the Internet completely different from mine: different PHP versions, Windows/Unix hosts, memory limitations, other plugins interacting with this one, and so on and so forth.

Don’t misunderstand me! :) I’m not serious about this. I simply think there are more interesting things to be done.

Regarding Spam, WP-HashCash and its derivatives are methods that will eventually fail in the future. This is because those methods can be made automatic (it’s possible to make a program which interprets JavaScript, the same way current browsers do, and sends Spam; I’ve already seen 2 ways to do that on the Internet). It’s only a matter of time.

Any test made to detect whether a user is a human or a machine will need human intervention (like Captcha! currently does). Otherwise, the test method could be made automatic and, thus, programmable on a machine. ;) So, only when the current plugin (WP-HashCash) has been beaten will I resurrect Captcha! again.

There is a Wiki in which I’ll be writing things about Captcha!, but this plugin, at least for the moment, is discontinued unless needed again.

  1. Adolfo, I think you should ask the author of WP-Hashcash about that. In any case, when you get that message, it is because it is SPAM, or because the user has JavaScript disabled. WP-HashCash (and everything nowadays) needs JavaScript to work.

    That message tells you that the user is either a spammer or does not use JavaScript.


  2. I have installed WP-HashCash without problems, but now it identifies most comments from unregistered users as spam, with the message:
    [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.

    How can I solve it?


  3. Your comment has been very helpful to me. Thanks


  4. [...] something I read on the blog of boriel, who is the author of Captcha!, is that he was giving up his own invention to use WP HashCash, which is a system against [...]


  5. Thanks, David (#44) ;)

    Actually, I think that for now WP-Hashcash is among the best there is (I’m still using it and get almost no Spam). As for the interaction you mention, well, it depends, like everything. There are users who dislike giving their email (and enter a fake one), I suppose because of the Spam issue.

    Actually, emails are not checked on the blog. On the forum they are, because you have to register.

    I suppose that when the use of OpenID becomes widespread, all this will change. :)


  6. I think what you say is true. But contrary to your thinking, I believe you shouldn’t dig in on not including it; rather, you can act in other ways. For example, you can filter messages in different ways, such as by IP or by time between messages. As you rightly say, everything can be automated, and if the Internet has taught me anything, it is that however much you know, there is always someone who knows more. That is why there has to be cooperation between people, not being greedy and sharing knowledge. My contribution for everyone, whether or not they use captcha, is that the user be sent an email with some question or some action on the site for the submission to be valid, such as “go to the page (number or address) and click the fourth link” or “answer: (example: what is the surname of the King of Spain?)”. One just has to look for solutions to new problems, even though most of the time it is complicated or almost impossible. PS: Very good forum. I’ll be back even if I have no questions.


  7. Very good post :-P


  8. [...] about most strong Captcha having been defeated. Also, on top of visitors getting annoyed by it, the Captcha plugin I am using has gone unmaintained lately. And, one way or another, I am getting comment spam again. Which is something I really hate [...]


  9. Fantastic


  10. Hi, Jayson:

    I was about to tell you to move to hashcash, but it seems you have done it already! ;)


  11. Thanks for it. It has worked well for a while. I need to find a better solution now though.

    Cheers!


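  12. [...] Comment submissions were not showing up properly, and while I was looking for a Captcha compatible with WordPress 2.5, the author of the Captcha plugin said “I’m using a different one” [...]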


  13. funwl65: That’s why I removed it. Some people don’t like Captchas! I’m now using another anti-spam technique. See hashCash at http://wordpress-plugins.feifei.us/hashcash/

    I explain everything here


  14. Trying to see what captcha you are using :). I used your graphical captcha on my wordpress and it worked very well but lost some visitors 8) .


  15. It’s an ingenious plugin, and I read this post and I agree with you 200%. I understand you perfectly; time is a scarce commodity and people are very greedy for other people’s time…


  16. [...] El Rincón de Boriel – Bye Bye Captcha [...]


  17. thanks a lot
    been very helpful as i was looking for a solution for spam


  18. Mark (#31):

    I agree with you to some extent, but, for example, for logic question captchas, people might find it difficult to read and understand them if they’re in another language (for example, I was unable to post to another blog, because the question was in German and I couldn’t understand a word).

    On the other hand, humans are much better at visual problems than computers nowadays. And the logic questions must also be generated automatically (by another computer). So if the question can be automatically generated, I guess it could be automatically answered (e.g. by detecting some language patterns).

    Asking for colors might not be a good idea (for Daltonic people, or visually impaired) either. As you can see, it remains an open question.


  19. CAPTCHAS shouldn’t be difficult to read. Every implementation I’ve ever seen is terrible. Computers are pretty good at OCR, so why are we providing humans with an OCR problem? The one thing we know humans are better than computers at is logic problems. A better CAPTCHA would be “type the second word from the end of this sentence”, then you’d type “this” to pass the test. How about alternate the font color of each word and tell them to type the blue word?
    Or alternate the size of font and ask the user to type the word with the smallest font? Or the word that has a smiley face instead of an ‘O’? Or type the first letter of each word in the sentence? Humans are better suited than computers for all those problems.


  20. [...] nifty Captcha! plugin too late. I just visited the site, and noticed that the plugin author has decided to stop updating the plugin. His reasons are sound, I’m not complaining. I’m just posting this to notify anyone [...]


  21. Daniele (#27 and #28):

    In fact I’m working on another project that will be able to run JavaScript (so it could be used to bypass hashcash and others). I guess I will resurrect Captcha! one of these days.

    Sometimes it fails (don’t know why), and yes, you have to reenter your comment. If so, just click “back” in your browser so you won’t lose what you have written. :S


  22. btw, while posting the above, hashcash blocked me and I had to try again… :-(


  23. “[...] Regarding Spam, WP-HashCash and its derivatives are methods that will eventually fail in the future. This is because those methods can be made automatic (it’s possible to make a program which interprets JavaScript, the same way current browsers do, and sends Spam; I’ve already seen 2 ways to do that on the Internet). It’s only a matter of time.
    Any test made to detect whether a user is a human or a machine will need human intervention (like Captcha! currently does). Otherwise, the test method could be made automatic and, thus, programmable on a machine. So, only when the current plugin (WP-HashCash) has been beaten will I resurrect Captcha! again. [...]”

    I completely understand your point about needing more time for your life and so on.
    But the above (“it’s a matter of time”) is true.

    Still, your plugin remains a very good/useful piece of code that made many people happy! Be proud of that :-)


  24. [...] the code every time they commented. When I went to the plugin author’s website, I saw that he himself no longer used it for that very reason. Instead he had switched to another plugin that fixed something [...]


  25. 8O Very good, I would like you to let me know when you have finished it so I can try it. Regards

    http://www.webaction.com.mx/blog


  26. [...] I was almost sure that Akismet was based on captcha, a technology that prompts a commenter to type a random sequence of alphanumeric characters displayed on a fuzzy image randomly generated at runtime. A comment will be accepted only if the keystroke matches the string displayed on the fuzzy image. Instead, Akismet is more similar to a traditional email spam filter. It has a large database of known spammers and tries to match the “signature” of every new comment with one or more of the records in its database. While I have never been a big fan of filters based on a database of known spam (not because I like spam, but because I think that they are not the best solution to spam), I decided to enable Akismet as it was pre-installed on my Dreamhost account AND I needed to stop being spammed immediately. Using Akismet has helped fight spammers BUT, it created another problem: too many comments marked as spam, so many that I cannot possibly review them and my only option is Delete All. Now you know why I am not a big fan of database-based spam filters. Today I was ready to spend a couple of hours installing one or more of the captcha plugins for WordPress, a task that I would have gladly avoided if I could. I started my search from the WordPress plugins page and landed on the Spam Tools page that listed 8 plugins under Captcha. I decided to start with the one called Captcha! BUT…when I clicked on its link I landed on a website sporting a vintage Sinclair ZX Spectrum ( <3 ) as top banner and this text in prominent display: Warning! CAPTCHA! is DISABLED on this site. Even though this plugin is still maintained, I’m using another one. Read why. [...]


  27. [...] displayed on a fuzzy image randomly generated at runtime. A comment will be accepted only if the keystroke matches the string displayed on the fuzzy image. Instead, Akismet is more similar to a traditional email spam filter. It has a large database of known spammers and tries to match the “signature” of every new comment with one or more of the records in its database. While I have never been a big fan of spam filters (not because I like spam, but because I think that they are not the best solution to spam), I decided to enable Akismet as it was pre-installed on my Dreamhost account AND I needed to stop being spammed immediately. Using Akismet has helped fight spammers BUT, it created another problem: too many comments marked as spam, so many that I cannot possibly review them and my only option is Delete All. Now you know why I am not a big fan of database-based spam filters. Today I was ready to spend a couple of hours installing one or more of the captcha plugins for WordPress, a task that I would have gladly avoided if I could. I started my search from the WordPress plugins page and landed on the Spam Tools page that listed 8 plugins under Captcha. I decided to start with the one called Captcha! BUT…when I clicked on its link I landed on a website sporting a vintage Sinclair ZX Spectrum ( <3 ) as top banner and this text in prominent display: Warning! CAPTCHA! is DISABLED on this site. Even though this plugin is still maintained, I’m using another one. Read why. [...]


  28. That hash thing doesn’t work for me. It’s not letting any comments through.


  29. Thanks for the honesty. It is very refreshing.


  30. How about a flash captcha, is it secure enough?

    Have a look at this visual captcha
    Visual Flash CAPTCHA


  31. I will try both Captcha! as well as hashcash, for interest’s sake. Thank you very much for the time and effort you have put in Boriel – it’s more appreciated than you think! 8)


  32. Looks like I’m too late, but I will also try Hashcash. Good luck!


  33. [...] After seeing the good results in other blogs, I’ve implemented it in mine as well. About the future of Wp-hashcash I agree with the author of Captcha plugin, who says: [...]


  34. Great, it works like a charm; I have just stopped a spam attack with wp-hashcash alone. Before, Akismet filtered everything, but more than 1000 spam comments were coming in every minute and the server was suffering :) now they don’t get in :)


  35. [...] This means, however, that HashCash only works as long as automated spam software does not interpret JavaScript. So the solution only offers protection until the enemy upgrades technically: Regarding Spam, WP-HashCash and its derivatives are methods that will eventually fail in the future. This is because those methods can be made automatic (it’s possible to make a program which interprets JavaScript, the same way current browsers do, and sends Spam; I’ve already seen 2 ways to do that on the Internet). It’s only a matter of time. Any test made to detect whether a user is a human or a machine will need human intervention (like Captcha! currently does). Otherwise, the test method could be made automatic and, thus, programmable on a machine. So, only when the current plugin (WP-HashCash) has been beaten will I resurrect Captcha! again. [via boriel.com] [...]


  36. WordPress tutorial: doing arithmetic against spam…

    I have switched datenschmutz from manual comment approval to a small “arithmetic problem”, because I don’t want to approve every comment individually by hand. The information I have collected on the topic of optimal S…


  37. So how does it work? Why can’t I see it on your web page?


  38. Boriel, I suppose you are within your rights.

    For whenever you want to resurrect Captcha!, I’ll leave you a possible improvement. When entering the code fails and a new one is presented, the written message disappears.

    I think Edanna is referring to something like that in the first comment.

    In any case, thanks and good luck.


  39. Thanks Boriel. I was searching for some cool plugin. After reading your post, I think I won’t need this plugin anymore (I may need it in the future though). I’ll check out HashCash.

    Gracias.


  40. Oh I guess I could LEARN TO READ…. *sigh* Sorry.


  41. boriel!
    first of all: thanks a lot for all the work you put into captcha over those years. it was a great help for me & all my friends using wordpress. it was the first cool and easy solution to have wp-guestbooks without getting all this spam-crap.
    i’ll check out this hashcash thing, as you proposed … and that’s another thing i want to thank you about: always giving instant help, and good advice for free.
    all the best for your future works. you’re great! ;)


  42. [...] Here’s a link to the plugin: HashCash, made by Elliot. The Captcha! plugin wasn’t really working for me. And if I read this article correctly, the maker of the Captcha!-tool did think so too. [...]


  43. Well, I got here through the XSPF Player and I keep reading you ;) Seriously, I completely understand your point of view. I already find it commendable to devote your time, energy and knowledge to something that often brings you more anger than satisfaction.

    Regards


  44. [...] On the other hand, as I explain in my blog, I’ve temporarily stopped using Captcha!, because I’ve found a (temporarily) better solution. I explained it here. This solution will be defeated (yes, it will) in the future, but meanwhile, I think it’s better to use it. [...]


  45. [...] SPAM management, pt. 2 Tags: Experiences, Life, spam management, Technology. Well, looks like I found this nifty Captcha! plugin too late. I just visited the site, and noticed that the plugin author has decided to stop updating the plugin. His reasons are sound, I’m not complaining. I’m just posting this to notify anyone reading that there may be hiccups as I look for and try out new SPAM management plugins. Technorati Tags: Experiences, Life, spam management, Technology [...]


  46. Boriel,

    Thank you for producing the plugin. Your reasons for discontinuing support are sound, and I wish you the best in pursuing things you enjoy more. I do appreciate the speed with which you provided support for it, it was faster than the help I’d gotten for most of the other plugins I’m running, far beyond any expectation I might have had.

    Thanks again,

    David


  47. [...] Well, as it looks, the Captcha plugin I set up some time ago is no longer being developed (http://www.boriel.com/2006/05/27/bye-bye-captcha/). The author recommends a plugin called HashCash. Nevertheless, and I want to state this clearly here once more, there are no secure systems! You can make it as hard as possible for spammers, but here too it is only a matter of time until a corresponding countermeasure is found. [...]


  48. Thanks, Edanna. ;)

    But, as I said above, sooner or later the current method will be beaten. It’s a matter of time. My blog receives close to 100 spam messages daily. It is not a mere whim.

    Any way of verifying that there is a human on the other side requires some kind of intervention (like Captcha!). At least, for now, I can’t think of another way, although I’m working on it.


  49. Well, Captcha is fine; the problem is that I imagine entering comments should be made as easy as possible for the user; after failing to do so, many people don’t bother trying a second time.

    And on the other hand, thanks to people like you, the world of the net evolves; they are small grains of sand that together give us everything we have today.

    Thanks!
