Mink Machine

Fighting back the spam

It is with great regret I’ve decided to install a CAPTCHA tool on this site. For those of you who don’t know what it is, have a look at the comment area field below, displaying a word. From now on, you have to type that word in the text box to post your comment.

But if it’s just about typing a few extra characters, then why the fuss? Well, two things. First, I don’t like to take this kind of measure due to idiot spammers. Second, CAPTCHA is very bad from an accessibility perspective.

As many of you know, Usenet news surrendered to the armies of spam long ago, and later our email boxes were flooded with nonsense. Next in line are the blogs, or rather the blog comments to be correct. The reason behind this strategy is to increase search engine rankings for certain sites by cross-posting the addresses to lots of places, as the number of incoming links from other sites is one of the major rank factors. Movable Type has a nifty feature called nofollow, simply telling search engines not to follow links in comments, but even though it hurts the spammers' page rankings it will certainly not make them give up.
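As an added illustration (not code from this post or from Movable Type), here is one way a comment renderer can apply nofollow: re-serialise the submitted comment so that only plain text and http(s) links survive, with every link forced to `rel="nofollow"`. The names `NofollowRewriter` and `render_comment` and the sample comment are made up for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


class NofollowRewriter(HTMLParser):
    """Keep only text and http(s) links from a comment; mark links nofollow."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_links = 0

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return  # drop every other tag; its text still reaches handle_data
        href = dict(attrs).get("href") or ""
        try:
            scheme = urlsplit(href).scheme.lower()
        except ValueError:  # malformed URL
            return
        if scheme not in ("http", "https"):
            return  # other schemes and relative links: keep the text only
        # Any rel value the commenter supplied is discarded and replaced.
        self.out.append('<a href="%s" rel="nofollow">' % escape(href, quote=True))
        self.open_links += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.out.append("</a>")
            self.open_links -= 1

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def render_comment(raw_html):
    parser = NofollowRewriter()
    parser.feed(raw_html)
    parser.close()
    # Close any link the commenter left open so it cannot swallow the page.
    return "".join(parser.out) + "</a>" * parser.open_links


# Constructed sample comment, not taken from real spam.
SAMPLE = 'Nice post! <a href="http://example.com/pills" rel="follow">cheap pills</a>'

if __name__ == "__main__":
    print(render_comment(SAMPLE))
```
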

This has become such a big problem nowadays that hosts are beginning to shut down comments in Movable Type, since MT-comment.cgi is heavily targeted by spammers. Simply renaming the file will only postpone the unavoidable. The option to close comments for old entries is a very last resort in my eyes, as is TypeKey approval since this will prevent a lot of would-be commenters from posting.

After carefully considering the options (including blacklists), I had a last look at the spam statistics (the sheer amount of daily spam makes my MT database cry) and went down the CAPTCHA path.

CAPTCHA is short for “completely automated public Turing test to tell computers and humans apart” and you may have noticed it when registering somewhere. The idea is very simple: the human brain is exceptionally skilled at finding information in patterns, where a computer has a hard time. Character recognition algorithms are getting better by the hour, but this is still a fairly good way to sort human users from computer bots.

Unfortunately, installing a CAPTCHA plugin in Movable Type is certainly not for the weak of heart. It involves installing Perl modules, plugins and graphics libraries. But it seems to be working now, so I will remove the hard hat for a while.

If you have any problems or suggestions, please let me know.

Update: Now using the accessible CAPTCHA plugin by Jay Allen instead of SCode.

4 comments

  • 29 Nov, 2006

    I will, some day when I move to a web hotel with PHP support, install a contact form on my website, and I have been thinking about using CAPTCHA to sort out the bots. It has its drawbacks, but some have addressed this and created the best method I’ve heard of (except for its lack of support for non-vision, non-graphical web browsing): The KittenAuth.
    http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauth
    It is true to the KISS principle, something I have a soft spot for.
    On a side note, how come every new idea is implemented at first with an extremely naive attitude? USENET, Email, Guestbooks, Blogs, Wikis, … They are all implemented without any kind of user identification and different kinds of security measures are implemented AFTER the new media has been captured and held hostage by the spammers! When will even basic security be included during the design phase?

  • 30 Nov, 2006

    Many of the ideas you mention, such as usenet and email, were first conceived as small-scale experiments between scientists. The spam problem won’t arise until the user base of the new idea has reached a critical mass. Same thing with viruses and security holes. Firefox was hailed as a safe browser until a sufficiently large number of people began to use it, and thus made it attractive to hackers. Then the security holes began to appear one by one.
    Also, many developers and project managers believe that cool features are much more important than security.
    The first doors were probably without locks, before thieves came along and created the need for them.

  • 07 Dec, 2006

    …and after inventing the door lock they went over to invent windows without locks, for surely the thieves would have the sense not to break into the house by the window, now that the door was locked!?
    One thing is to make an error, another is to fail to learn from past mistakes – and repeat them. People seem to be *surprised* every time a new system, which allows user contributions, is riddled by spam. Sigh.
    Human stupidity apart, what do you think of the Kitten Authorization system?

  • 07 Dec, 2006

    The kitten system is nice. I’ve also heard of a system where the user is asked to pick “beautiful” faces from a series of images. I doubt that is a usable approach…


Reine

About

Reine is a web developer who enjoys caffeine-fueled urban traveling.
