Changed my captcha
Enough people told me that they had trouble with the new challenge-response that I changed it. It’s still simple math, so it’s accessible-friendly, but it’s a different plug-in. The claim is that this new plug-in works even with cookies and JavaScript turned off, and that if you get the code wrong, you can hit the back button and not lose your comment. Let me know if you see any weirdness.
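How a challenge can be checked with cookies and JavaScript turned off, as an added example that is not the plug-in's code or part of the original post: the server signs the expected answer with an HMAC and sends the signature in a hidden form field. The key, the lifetime, the post-ID binding and all function names are assumptions.

```php
<?php
// Added example: stateless math challenge verified with an HMAC, so no
// cookie or session is needed. Key, lifetime and names are assumptions.
const CHALLENGE_KEY = 'replace-with-a-random-per-site-secret'; // placeholder
const CHALLENGE_TTL = 600; // seconds a challenge stays valid

function challenge_mac(int $answer, int $issued, int $postId): string
{
    // Bind the answer to the issue time and the post, so a token cannot be
    // reused on another post or after it has expired.
    return hash_hmac('sha256', "$answer|$issued|$postId", CHALLENGE_KEY);
}

function issue_challenge(int $postId, ?int $now = null): array
{
    $now = $now ?? time();
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    return [
        'question' => "Sum of $a + $b ?",
        'issued'   => $now,                                  // hidden field
        'mac'      => challenge_mac($a + $b, $now, $postId), // hidden field
    ];
}

function verify_challenge(string $answer, string $issued, string $mac,
                          int $postId, ?int $now = null): bool
{
    $now = $now ?? time();
    // Accept only short decimal strings before doing any arithmetic.
    if (preg_match('/^[0-9]{1,3}$/D', $answer) !== 1
        || preg_match('/^[0-9]{1,12}$/D', $issued) !== 1) {
        return false;
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > CHALLENGE_TTL) {
        return false; // expired, or dated in the future
    }
    $expected = challenge_mac((int) $answer, (int) $issued, $postId);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed self-check: count how many candidate answers verify for one
// challenge, then retry the same submissions on another post and after expiry.
$c = issue_challenge(42, 1000);
$fresh = $otherPost = $expired = 0;
for ($n = 2; $n <= 18; $n++) {
    $args = [(string) $n, (string) $c['issued'], $c['mac']];
    $fresh     += (int) verify_challenge(...[...$args, 42, 1100]);
    $otherPost += (int) verify_challenge(...[...$args, 43, 1100]);
    $expired   += (int) verify_challenge(...[...$args, 42, 1000 + CHALLENGE_TTL + 1]);
}
echo "fresh: $fresh, other post: $otherPost, expired: $expired\n";
```

Because nothing is stored server-side, a solved answer and its hidden fields stay valid for the whole lifetime, and the question itself is still plain text. A scheme like this filters generic bots only and does not replace comment moderation.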
Roger Said,
September 10, 2006 @ 12:48 pm
Works fine with a calculator on the side. To be honest, you simply have to get used to using the brain when adding a comment to your blog. It’s not looking at images anymore…. For me, even the back function works.
Jonathan Said,
September 10, 2006 @ 12:59 pm
It was working fine for me before…but this works just the same, good job Matt
Rajko Said,
September 10, 2006 @ 1:12 pm
Hi Matt,
maybe maths are too hard for most people
Hope you can answer a question for me about language-specific searches. We have a site with a German domain, but 14 languages. How can we “help” the googlebot to get the correct language for a page? A site:www.mm-boerse.de search in a specific language returns pages in nearly all languages.
Thanks in advance for your reply.
Dean Clatworthy Said,
September 10, 2006 @ 1:17 pm
Spam protection: Sum of 1 + 5 ?
You mean I have to put some thought into my responses now
On a more serious note I have believed this to be the solution to comment spamming for some time; basic general knowledge questions such as capital cities (re-arranging the phrasing of the question each time), 3-letter anagrams etc.
The way I see it is that if people aren’t intelligent enough to have the basic common knowledge of people, geography and language skills, then they are not worthy of responding.
Ryan Said,
September 10, 2006 @ 1:22 pm
Dean… anything that’s used globally across multiple sites is NOT the answer to spam protection.
The theory is that if it’s used in a ton of places, it’s worthwhile to crack it.
A much more efficient method is to make it something specific to the site. Easy to spam that one blog: yes… easy to spam multiple blogs: no.
I think this one is easier to beat than the captcha. I could write a script to crack this in literally 10 minutes.
But it is easier on the user than images. You’d be surprised how many people get them wrong. When I implemented captcha on my work site, I decided to log every wrong attempt, the IP it came from, and the data they entered. Since we have our phone # right below our online credit application, we even get 2-3 calls / day asking what to do about a captcha.
Anyway… I think the new one works.
The Adam That Doesn't Belong To Matt Said,
September 10, 2006 @ 1:37 pm
It seems to work for me. I intentionally put the wrong answer to the question (1 + 6 = 11…dincha know?), entered something in here, and it told me I put in the wrong answer (duh). When I went back, the comment was here.
So it’s all good from this end.
My only concern (and it’s minor) is that the font size is significantly smaller for the spam question than it is for the rest of the text. Could you maybe blow that spam protection text up to normal size? Thanks in advance.
Gary R. Hess Said,
September 10, 2006 @ 1:40 pm
I have had a lot of problems with captcha in the past, this one seems a lot easier. The only problem I could see is what others have said before, easy to write a script to crack it and since it’s a plug-in, the script might already exist.
WebmasterWorld has had some nice threads about captcha/spam detection etc. in the past. From a suggestion given, I changed the input name, then implemented my own version of captcha, so it wouldn’t be available on other parts of the web.
So now, if someone wants to spam the contact forms, they either have to have an over-elaborate bot or just do it themselves.
Now if only I could get something to stop all the spam on PHPBB forums…
Guillaume Theoret Said,
September 10, 2006 @ 1:42 pm
Personally, I’m a fan of this type of captcha:
http://billy-girlardo.com/WP/2006/04/07/captcha-kittens/
http://hotcaptcha.com/
But on my own site I use the Spam Karma plugin for wordpress which is actually amazingly good at deciphering real posts from spam. Only a couple of times did people have to enter a captcha because the plugin was unsure about their humanity and spam never gets through.
Dean Clatworthy Said,
September 10, 2006 @ 1:51 pm
Ryan, then let the blog owner(s) make their own questions as well. Long as it’s made clear to the blog owner(s) that the question must be very common knowledge, it would work.
Gary R. Hess Said,
September 10, 2006 @ 2:14 pm
Just to add,
I think the future of spam protection depends on questions, not particularly about the website, but general knowledge at the least.
For an example, one question might be:
“What is my last name?”
So the user would then enter “Cutts”.
Some others, “Where do I work?”, “What is this post field under?”, “What are my initials?”
The writers of the spam bot would have to be pretty creative at that point, and the bot would certainly have to be site specific; which could potentially be a problem for well-known websites like mattcutts.com.
As spam protection advances, so do spam bots. I guess the truth of the matter is, no website is free from spam for a given point of time.
Keith McLaughlin Said,
September 10, 2006 @ 2:49 pm
Matt, care to share where the plugin can be found?
Jon Henshaw Said,
September 10, 2006 @ 2:50 pm
Seems to work well. What plugin are you using?
Deepak Chandra Said,
September 10, 2006 @ 3:00 pm
I have programmed it, but don’t you think it is an hour’s work to write a script that parses the question, and use google calculator to get an answer.
I think using math questions is a bad idea. What would make sense is to use some context-sensitive information about the post, as pointed out by a comment earlier. This also acts like a little test to ensure that you have read and understood the post enough to comment on it :).
Deepak
Deepak Chandra Said,
September 10, 2006 @ 3:02 pm
Errata: In my last comment I said “I have programmed it,” , whereas what I meant was “I have not programmed it,”
Deepak
Dave Dugdale Said,
September 10, 2006 @ 3:08 pm
I would also like to know the plug-in name.
shane Said,
September 10, 2006 @ 3:18 pm
Seeing as it is so trivial to crack, why not just have:
“Please type ‘11’ in the box to the left”
“Put the number ‘11’ in the box to the left”
etc
That would be trivial to crack too, but would still require a targeted attack. The benefit being people are less likely to get it wrong.
ToddW Said,
September 10, 2006 @ 3:37 pm
Yeah, what plugin is this?! My captcha is terrible; it’s the whole spam module that sucks, actually.
Jürgen R. Plasser Said,
September 10, 2006 @ 4:00 pm
I reloaded the page several times and learned that the plugin only shows sums of two digits. That’s simply too easy to break by scripting. I think I need less than 5 minutes to get a Greasemonkey script running
I’m curious about how effective this works on a long time scale.
Jim Boykin Said,
September 10, 2006 @ 4:16 pm
What’s the name of this plug-in? I’d like to use it too.
marc Said,
September 10, 2006 @ 5:12 pm
Seems to have worked for me. What’s the name of the plug-in? (Just wait for the spammers to come out with a mod that can sum numbers … then we’ll all be in trouble.)
Maurice Said,
September 10, 2006 @ 5:24 pm
Well
I’d go with Akismet - I have done over a dozen blogs in the last nine months and I have yet to have any spam get through.
Matt Cutts Said,
September 10, 2006 @ 6:27 pm
It’s called Math Comment Spam Protection, I believe.
Gary R. Hess, all people who comment on my blog still need to be approved; this just takes the blog off the beaten path enough that most blogspammers who are dumb/stupid won’t cause problems.
step Said,
September 10, 2006 @ 7:16 pm
The plugin tested fine for me, even with an intentional wrong value. Yay for Matt! Thanks for fixing it!
Dean, you had me laughing out loud. Yes, thinking before posting doesn’t happen as often as it should…
It’s amusing to see how many comments this post got. Note: I’m still copying my replies before posting - I think I’ve been conditioned.
Dave (Original) Said,
September 10, 2006 @ 7:31 pm
RE: “and that if you get the code wrong, you can hit the back button and not lose your comment”
==========================================
After many years of posting on the www there is 1 golden rule I always apply. Before clicking “Submit” COPY your text to the Clipboard!
The Adam That Doesn't Belong To Matt Said,
September 10, 2006 @ 8:20 pm
The three most powerful forces in the universe (in reverse order):
3) Hulkamania.
2) The Super Bowl marketing machine.
1) Human stupidity and ignorance.
Dave (Original) Said,
September 10, 2006 @ 8:44 pm
LOL! @ “Hulkamania”
The other 2 seem factual.
AjiNIMC Said,
September 10, 2006 @ 8:59 pm
I liked the addition concept for spam control. I think it is cool. Maybe because I love maths
TxRex Said,
September 10, 2006 @ 10:55 pm
At least now I can use my glasses to see the question…before even with my glasses it was hard to make out the letters…ya ya ya…with age comes the loss of hair and eye sight…
One could use questions like the following…
At 1700 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?
or…
Are computer programmers more like Einstein or Picasso?
or…
Do the best hackers work for the IRS?
or…
In an election year, who wins when both parties are wrong?
IncrediBILL Said,
September 10, 2006 @ 11:23 pm
Can’t even read this one, what font size is that 2pt or smaller?
Let me get my microscope out and see if I can answer this captcha…
Ah, the magnifying glass on my swivel desk lamp can almost make it legible, let’s give this a shot…
Harith Said,
September 10, 2006 @ 11:39 pm
IncrediBILL
The same thing here.
I guess the reason for choosing such smaaaaaaaal fonts is that Matt must be only interested in feedback from the youngsters
Bockereyer Said,
September 11, 2006 @ 12:16 am
In an election year, who wins when both parties are wrong?
The one who sells it the best.
Ryan Said,
September 11, 2006 @ 6:06 am
There’s a Session saver plugin for firefox that prevents the “copy before submit” conditioning.
The Adam That Doesn't Belong To Matt Said,
September 11, 2006 @ 6:34 am
Nothing, since “per second per second” doesn’t exist (unless this is some form of a scientific geek trick question.)
The good ones are like Kindergarten teachers. We develop things so well that even a five-year-old can figure them out.
If IRS stands for “I Recycle Scams”, yes.
This question would have to be changed. In Canada, there are three major parties (NDP, Liberal, Conservative), a few fringe parties (Green Party, Bloc Québecois, National Party, Communist Party–no, that’s not a typo–, Natural Law Party–look up the name “Doug Henning” in Wikipedia–, and a few others that I forget).
Now…when they’re all wrong? I’d say the companies that back the party that gains majority government in the election with corporate funding win.
Interesting idea for a captcha though.
IncrediBILL Said,
September 11, 2006 @ 8:32 am
Luckily it’s not the old GRAPHIC captcha so at least I can hit CTRL+ a few dozen times in Firefox and then I can see what in the heck it says
Maurice Said,
September 11, 2006 @ 8:44 am
At 1700 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?
heh
Adam, per second per second is a way of saying acceleration
the effect would depend on what direction the acceleration was in and how long it went on for.
ash Said,
September 11, 2006 @ 10:46 am
“Spam protection: Sum of 3 + 9 ?”
You might as well make it into an image so people have to at least read text from an image before spamming. Doesn’t take much to do 3 + 9
David Said,
September 11, 2006 @ 11:41 am
I have to agree with ash. The whole point of using CAPTCHA is that the text is in an image/cookie so that a spambot can’t read it and fill in the space. It would take me about 30 seconds to make a script to bypass this spam protection. Ok, let’s see if that’s true:
‘;
eval (’$sum = ‘.$match[1].’;');
echo ‘Fill in the form with this: (’.$sum.’)';
} else {
echo ‘Couldn\’t find spam protection string’;
}
?>
Ok, so it took me 55 seconds to type that in and it’s not tested, but it should work- unless I screwed up the reg ex.
On to my second point. Why don’t you just use Akismet http://akismet.com/ and let the spammers submit all they want? I’ve been using it for about 5 weeks now, and seriously only 3 or 4 spams have gotten through to the moderation queue in that time. I’ve also had *no* false positives and I get almost 200 spams per day.
David Said,
September 11, 2006 @ 11:43 am
Why the php code got munged is beyond me. I’ll try once more.
$page = file_get_contents ('http://www.mattcutts.com/blog/changed-my-captcha/');
if (preg_match ('/Spam protection: Sum of ([0-9]+ \+ [0-9]+) \?/', $page, $match)) {
echo 'Found spam protection string. ('.$match[0].')';
eval ('$sum = '.$match[1].';');
echo 'Fill in the form with this: ('.$sum.')';
} else {
echo 'Couldn\'t find spam protection string';
}
Joseph Hunkins Said,
September 11, 2006 @ 11:43 am
Matt -
Hmmm - over at Jeremy Zz blog people are quoting T.S. Eliot, while here we’ve failed to navigate the 2+2 math captcha?
What does that say about your fans?
Joseph Hunkins Said,
September 11, 2006 @ 11:46 am
I’ve got it - you just need to post a Cutts Captcha Primer:
1+1 = 2
1+2 = 3
1+3 = 4
13/0 =
Investing Said,
September 11, 2006 @ 12:27 pm
If you are reading this, then I lernt to add.
Harith Said,
September 11, 2006 @ 12:38 pm
Joseph Hunkins
“What does that say about your fans?”
It says that Matt’s fans are mature, nice and intelligent, but can’t see small fonts
Eric Enge Said,
September 11, 2006 @ 1:03 pm
Good pick Matt. I just tried it on my blog, and it works like a champ.
Dave (Original) Said,
September 11, 2006 @ 6:20 pm
RE: “At 1700 miles per hour plus, it takes about 90 minutes to circle the earth”
That would depend on how high you are and in which direction you are travelling.
The Adam That Doesn't Belong To Matt Said,
September 11, 2006 @ 9:49 pm
Yeah, I can’t see Tommy Chong travelling too quickly.
Dave (Original) Said,
September 12, 2006 @ 12:12 am
Walked into that one
rocklv Said,
September 12, 2006 @ 1:34 am
that’s interesting, but it’s better to be more abstract, such as: who’s Mr President.
Ian Said,
September 12, 2006 @ 2:50 am
Of course, it makes writing a bot specifically to spam your blog quite a fun lunchtime project
Ian Said,
September 12, 2006 @ 2:52 am
Actually, I could instead try writing a Greasemonkey script that fills it in automatically for me
The Adam That Doesn't Belong To Matt Said,
September 12, 2006 @ 6:53 am
Since some of us are having problems with this, and I’m not sure if this is by design or by accident, I’m going to ask a stupid question.
Matt: is the tag surrounding the spam protection question by design? If so, is it just to make life even more difficult for the spammers by forcing them to squint and go blind?
And if that’s the case, maybe have a link for “blog spammers click here” and a whole page with text that’s 0.1em big for them to read telling them to stick it straight up their candy asses.
The Adam That Doesn't Belong To Matt Said,
September 12, 2006 @ 6:53 am
Damn tag removal…let’s try that again:
Is the <SMALL> tag by design?
Dean Said,
September 12, 2006 @ 9:16 am
Just testing this new captcha thing. Isn’t it a bit easy for bots to work out though? I mean “4 + 8” (what it gave me) is a bit of a giveaway?
Is it actually working?
Dennis Said,
September 12, 2006 @ 11:08 am
I like the new protection. It is versatile, and reliable.
Dave (Original) Said,
September 12, 2006 @ 7:21 pm
Why the change at all Matt?
The Adam That Doesn't Belong To Matt Said,
September 12, 2006 @ 8:29 pm
Probably because the old captcha was hard to read at times, Dave. I don’t know about anyone else, but sometimes I had a tough time telling an X from a K because of the distortion, among other things.
Dave (Original) Said,
September 12, 2006 @ 11:35 pm
Yeah, I got caught between K & X a few times. This is costing me a small fortune in calculator batteries though
I always wonder why so many captchas use distorted pictures of characters etc. It’s as if they believe code can read it if the picture is clear?
IncrediBILL Said,
September 12, 2006 @ 11:59 pm
>> It’s as if they believe code can read it if the picture is clear
Apparently you’re alpabet is missing the 3 letters O C and R.
IncrediBILL Said,
September 13, 2006 @ 12:00 am
It’s late can’t type, matt won’t correct egregious errors [weeps]
Dave (Original) Said,
September 13, 2006 @ 3:31 am
RE: “Apparently you’re alpabet is missing the 3 letters O C and R.”
Apparently you’re alpHabet is missing the letter “h”.
The Adam That Doesn't Belong To Matt Said,
September 13, 2006 @ 6:13 am
Two words for you Dave: Windows Calculator.
Ryan Said,
September 14, 2006 @ 11:34 am
I’m confused… are you calling him an alphabet, or did you mean to say “your.”
Sorry…. but one of my general rules has always been: “If you’re insulting somebody’s spelling or grammar make sure you check yours first.”
guest Said,
September 14, 2006 @ 5:51 pm
Are you kidding me ? It took me exactly 10 mins to crack this captcha with my perl script ! Have fun
Dave (Original) Said,
September 14, 2006 @ 6:39 pm
I guess sarcasm is not your thing. There was no “insult” it was a jibe at IncrediBILL’s spelling. That is, he used “you’re”.
Sorry…..but one of my general rules has always been: “If you’re insulting someone’s post make sure you check your facts first.”
Yes, yes I know, sarcasm is the lowest form of wit.
TxRex Said,
September 14, 2006 @ 11:29 pm
Whew…at least I got away with my typo…
“At 1700 miles per hour plus” should have been …
At 17000 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?
Maurice…you are right…it is velocity…more specific it is the velocity of any object falling back to earth…velocity in terms of gravitational pull…
Dave…you are right also…height above earth would affect the net result…17000 miles per hour plus is the speed at which NASA puts things into orbit…
So I could have asked the question as…
In orbit, what is the net effect of gravity?
But if I had asked it that way…no one would have had as much fun with it…
kind of like google making a change and letting us all guess what the heck they did now…
Igor Klajo Said,
September 14, 2006 @ 11:52 pm
Before you had “Add x and x” . . . as smart as I am I just wrote those numbers in the input field, cos it said “ADD” so I add them
. . . now since it says “Sum of” and there is a + between the numbers . . . even my brain figures out what to do
:D 
GSOH Said,
September 15, 2006 @ 2:08 am
Would probably be better if the question was an image instead of plain text - at least it makes it harder to parse automatically.
Dave (Original) Said,
September 15, 2006 @ 2:18 am
RE: “17000 miles per hour plus is the speed at which NASA puts things into orbit…”
Isn’t an escape velocity of about 24,500 miles per hour needed to go into orbit?
RE: “In orbit, what is the net effect of gravity?”
Assuming you mean Earth’s gravity, it would again depend on how far away from Earth you are. For example, our Moon is in Earth’s orbit.
German Boy Said,
September 15, 2006 @ 9:54 am
Uuuuh - my automatic blog comment bot has a problem with this captcha
So I now have to write with my fingers. Hope I remember the words right..
Shiotsu Said,
September 20, 2006 @ 9:56 pm
I get fed up with scammers commenting on my blog. How can I prevent that - Is captcha a solution?
Adam Said,
November 2, 2006 @ 8:35 pm
“The claim is that this new plug-in works even with cookies and JavaScript turned off, and that if you get the code wrong, you can hit the back button and not lose your comment. Let me know if you see any weirdness.”
It worked fine on your site, but can’t make this work correctly on mine. Did this work immediately or did you have to make changes so comments wouldn’t be lost? Have installed this on my site and comments are being lost if the Back button has to be hit.