Please change your captcha system

Started by escrowms, May 24, 2013, 12:55:12 PM


escrowms

I'm not sure which one is installed here, but it creates a problem for those who have weak eyes like me.

I have to try 5 times to find out the right characters.

I know I can use zoom in the browser or use my glasses, but still I would like to say that this site's current captcha system is very old. You guys should upgrade it to reCAPTCHA or something else.

mashby

Always be a little kinder than necessary.
- James M. Barrie

Arantor

The problem with changing it on this site is that there is not really any alternative we can actually *use* on this site. Btw, it's the same one that's actually in SMF that you can download and use yourself.

ReCAPTCHA is weak and has been broken for some time, and the best method (anti spam questions) can't be used here because it doesn't support multiple languages.

(Oh and it goes away at 10 posts)
Holder of controversial views, all of which my own.


prozacer

I totally agree!
I use "Listen to the letters" every time to post my comment.

kat

Not that it stops the little turdy spamtards, anyway...

It's a bit of a shame that Microsoft beefed-up their security, after Windows 98.

Up until W2000, I could remotely fry people's mobos...

Colin

We should look at the statistics though and see how much it is really doing to prevent spam. If it is degrading the newer users' experience then it should not be deployed.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Burke ♞ Knight

Be that as it may be, stopping even 25% or so of spam bots is better than stopping none.

kat

I'd suggest that if it stops one genuine member from joining and posting, though, it's a 100% failure.

MrPhil

No "hard shell defense" designed to keep bots from signing up is going to be 100% effective, at least not without being more than 0% effective in stopping genuine members from joining (including those with vision problems who can't solve visual puzzles). If you don't want to stop some genuine members, you have to accept that something less than 100% of the spammers will be stopped (super smart bots and human spam farm signups). At that point, the battle has to shift to the automated watching of post content and poster behavior. Suspicious posts need to be held for moderator approval.

dimspace

Posted in another spam thread but relevant here.

Just some followup on this regarding ReCaptcha
==================================
First up, my forum has Bad Behaviour as its first line of defence
Then the standard registration defence of SMF captcha
And then we have Stop forum spam, which checks emails and IPs against a database and stops more spammers

Generally about 2-3 a day get through the registration and get picked up by stop forum spam and sent to a manual approval queue.

Installed the ReCaptcha mod on monday of this week to see how that compared to smf captcha.

Tuesday 17 spammers made it through registration and got picked up by "stop forum spam"
Wednesday 23
Thursday 19
Friday 26

This morning I logged on, 34 members waiting approval, all indicated as spammers by Stop forum spam

Conclusion: either I have been targeted coincidentally by a huge spamming campaign,
or reCAPTCHA is nowhere near as effective as the built-in SMF captcha.

Likely the latter, and that they have automated ways of getting around reCAPTCHA

MrPhil

If you look at other discussions about CAPTCHA systems on this forum, you will find many saying that reCAPTCHA is totally broken. Did you turn off Bad Behaviour and Stop Forum Spam, and just run with reCAPTCHA? Or did you only replace SMF CAPTCHA with reCAPTCHA?

Of course, if you've mentioned your forum anywhere, and especially if you've boasted about how good its spam defenses are, it's entirely possible that spammers are attacking you en masse.

dimspace

No, they are turned on. We do get a fair few spam attacks thanks to Twitter. And yes, reCAPTCHA is borked.

Personally I think the SMF captcha is as good as any, when it's not set with loads of noise so it can't be read.

Phoenix_IV

I can't get the audio version to work. Neither with Firefox nor with Opera.

Captchas are okay, but in this one the (small) letters are very often unreadable because of one of the stripes and some letters look very similar.
E.g. I always messed up 'u', 'v' and 'a'. Maybe you can remove those if possible?

Arantor

2.1's is a bit better because all the fonts are changed.

I might see about integrating my custom CAPTCHA in future though.


Sir Osis of Liver


Hee, hee. This reminds me of a busywork project I tinkered with on/off for a couple of years.  Go here and you'll see it. 

Good news is, it's 100% effective against bots.

Bad news is, it's been a while since I did it, and I no longer have any idea how it works. :P

When in Emor, do as the Snamors.
                              - D. Lister

Arantor

It was 100% effective against bots because it's unique. The readonly text field doesn't prevent bots. They just have to realise there's a CAPTCHA image and to OCR it (which is not even remotely a challenge, there are CAPTCHA solving bots doing neural network learning OCR in JavaScript these days), and populate the text field.

The wider deployment something is, the more it is worth automating a solution against it.


Sir Osis of Liver


Well, yes, it helps that it's a one-off. ::)  But if you view source, you'll see that the code is mostly gibberish, and iirc, all the variables are randomized (md5, I think), including the text field that's submitted to the form handler, and the actual verification code.  Everything is hashed, and everything changes each time the pad refreshes, so every reload is unique.  No idea how easy it might be to beat.


Arantor

As a one-off, it's basically invulnerable to automation, because it's a one-off. If it were to be widely deployed it would be very vulnerable very quickly (because a bot can request the page, request the image, decode the image, build the request)... just like it does currently.


sCali

Quote from: K@ on May 30, 2013, 04:55:47 AM
I'd suggest that if it stops one genuine member from joining and posting, though, it's a 100% failure.

I absolutely agree with that. I had fixed the spam issue by using a random Q&A; it stopped all the automatic registration and all I had left were manual spammers, which were very easy to boot off.

Kindred

As has already been discussed several HUNDRED times - we cannot currently use the questions feature here on simplemachines.org since it does not (yet) support multi-language questions and we have a large international contingent who read limited, if any, English.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
