Changed my captcha

Enough people told me that they had trouble with the new challenge-response that I changed it. It’s still simple math, so it’s accessible-friendly, but it’s a different plug-in. The claim is that this new plug-in works even with cookies and JavaScript turned off, and that if you get the code wrong, you can hit the back button and not lose your comment. Let me know if you see any weirdness.

71 Responses to Changed my captcha

  1. Works fine with a calculator on the side. To be honest, simply have to get used to use the brain, when adding a comment to your blog. It’s not watching at images anymore…. To me, even the back function works.

  2. It was working fine for me before…but this works just the same, good job Matt 🙂

  3. Hi Matt,

    may be, maths are too hard for most people 😉
    Hope you can answer me a question to language specific searches. We have a site with a german domain, but 14 languages. How can we “help” the googlebot to get the correct language for a page. A site:www.mm-boerse.de search in a specific language returns pages in nearly all languages.
    Thanks in advance for your reply.

  4. Spam protection: Sum of 1 + 5 ?

    You mean I have to put some thought into my responses now 😉 On a more serious note I have believed this to be the solution to comment spamming for some time; basic general knowledge questions such as capital cities (re-arranging the phrasing of the question each time), 3-letter anagrams etc.

    The way I see it is that if people aren’t intelligent enough to have the basic common knowledge of people, geography and language skills, then they are not worthy of responding.

  5. Dean… anything that’s used globally across multiple sites is NOT the answer to spam protection.

    The theory is that if it’s used in a ton of places, it’s worthwhile to crack it.

    A much more efficient method is to make it something specific to the site. Easy to spam that one blog: yes… easy to spam multiple blogs: no.

    I think this one is easier to beat than the captcha. I could write a script to crack this in literally 10 minutes.

    But it is easier on the user than images. You’d be surprised how many people get them wrong. When I implemented captcha on my work site, I decided to log every wrong attempt, the IP it came from, and the data they entered. Since we have our phone # right below our online credit application, we even get 2-3 calls / day asking what to do about a captcha.

    anyway… i think the new one works.

  6. It seems to work for me. I intentionally put the wrong answer to the question (1 + 6 = 11…dincha know?), entered something in here, and it told me I put in the wrong answer (duh). When I went back, the comment was here.

    So it’s all good from this end.

    My only concern (and it’s minor) is that the font size is significantly smaller for the spam question than it is for the rest of the text. Could you maybe blow that spam protection text up to normal size? Thanks in advance.

  7. I have had a lot of problems with captcha in the past, this one seems a lot easier. The only problem I could see is what others have said before, easy to write a script to crack it and since it’s a plug-in, the script might already exist.

    WebmasterWorld has had some nice threads about captcha/spam detection etc. in the past. From a suggestion given, I changed the input name, then implemented my own version of captcha, so it wouldn’t be available on other parts of the web.

    So now, if someone wants to spam the contact forms, they either have to have an over-elaborate bot or just do it themselves.

    Now if only I could get something to stop all the spam on PHPBB forums…

  8. Personally, I’m a fan of this type of captcha:

    http://billy-girlardo.com/WP/2006/04/07/captcha-kittens/
    http://hotcaptcha.com/

    But on my own site I use the Spam Karma plugin for wordpress which is actually amazingly good at deciphering real posts from spam. Only a couple of times did people have to enter a captcha because the plugin was unsure about their humanity and spam never gets through.

  9. Ryan, then let the blog owner(s) make their own questions as well. Long as it’s made clear to the blog owner(s) that the question must be very common knowledge, it would work.

  10. Just to add,

    I think the future of spam protection depends on questions, not particularly about the website, but general knowledge at the least.

    For an example, one question might be:

    “What is my last name?”

    So the user would then enter “Cutts”.

    Some others, “Where do I work?”, “What is this post field under?”, “What are my initials?”

    The writers of the spam bot would have to be pretty creative at that point, and the bot would certainly have to be site specific; which could potentially be a problem for well-known websites like mattcutts.com.

    As spam protection advances as do spam bots. I guess the truth of the matter is, no website is free from spam for a given point of time.
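An added example, not part of the original post or its comments and not the plug-in's code: one way a text challenge can work with cookies and JavaScript off, as the post describes, while using the site-specific questions suggested in the comments above. It is written in Python; the secret, the question list and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for illustration: a per-site secret and owner-written questions.
SITE_SECRET = secrets.token_bytes(32)
QUESTIONS = {
    "name": ("What is my last name?", "cutts"),
    "sum": ("Sum of 1 + 5 ?", "6"),
}
MAX_AGE = 15 * 60     # seconds a rendered comment form stays valid
_used = set()         # signatures already accepted (replay cache)


def _sign(qid, issued, nonce):
    msg = f"{qid}|{issued}|{nonce}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (question, token); the token goes in a hidden form field."""
    issued = int(time.time() if now is None else now)
    qid = secrets.choice(sorted(QUESTIONS))
    nonce = secrets.token_hex(8)
    # The token names the question but never carries the answer.
    token = f"{qid}.{issued}.{nonce}.{_sign(qid, issued, nonce)}"
    return QUESTIONS[qid][0], token


def verify(token, answer, now=None):
    """Return 'ok' or the reason the submission is rejected."""
    now = int(time.time() if now is None else now)
    try:
        qid, issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return "malformed"
    expected = _sign(qid, issued, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    if not 0 <= now - issued <= MAX_AGE:
        return "expired"
    if mac in _used:
        return "replayed"
    if answer.strip().lower() != QUESTIONS[qid][1]:
        # Token is not consumed, so Back plus a corrected answer still works.
        return "wrong-answer"
    _used.add(mac)
    return "ok"
```

The signature stops forged or reused forms, not a script that reads and answers the question; that part still rests on the question being specific to the site.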

  11. Matt, care to share where the plugin can be found?

  12. Seems to work well. What plugin are you using?

  13. I have programmed it, but don’t you think it is an hour’s work to write a script that parses the question, and use google calculator to get an answer.

    I think using math questions is a bad idea. What would make sense is to use some context-sensitive information about the post, as pointed by a comment earlier. This also acts like a little test to ensure that you have read and understood the post enough to comment on it :).

    Deepak

  14. Errata: In my last comment I said “I have programmed it,” , whereas what I meant was “I have not programmed it,”

    Deepak

  15. I would also like to know the plug-in name.

  16. Seeing as it is so trivial to crack, why not just have:
    “Please type ’11’ in the box to the left’
    “Put the number ’11’ in the box to the left’
    etc

    That would be trivial to crack too, but would still require a targeted attack. The benefit being people are less likely to get it wrong.

  17. Yeah, what plugin is this?! My captcha is terrible it’s the whole spam module that sucks actually.

  18. I reloaded the page several times and learned that the plugin only shows sums of two digits. That’s simply too easy to break by scripting. I think I need less than 5 minutes to get a Greasemonkey script running 😉

    I’m curious about how effective this works on a long time scale.

  19. What’s the name of this plug-in? I’d like to use it too.

  20. Seemed to have worked for me. What’s the name of the plug-in? (Just wait for the spammers to come out with a mod that can sum numbers … then we’ll all be in trouble. 😉

  21. Well

    I’d go with akismet – I have done over a dozen blogs in the last nine months and I have yet to have any spam get through.

  22. It’s called Math Comment Spam Protection, I believe.

    Gary R. Hess, all people who comment on my blog still need to be approved; this just takes the blog off the beaten path enough that most blogspammers who are dumb/stupid won’t cause problems.

  23. The plugin tested fine for me, even with an intentional wrong value. Yay for Matt! Thanks for fixing it!

    Dean, you had me laughing out loud. Yes, thinking before posting doesn’t happen as often as it should…

    It’s amusing to see how many comments this post got. Note: I’m still copying my replies before posting – I think I’ve been conditioned. 😀

  24. RE: “and that if you get the code wrong, you can hit the back button and not lose your comment”
    ==========================================

    After many years of posting on the www there is 1 golden rule I always apply. Before clicking “Submit” COPY your text to the Clipboard!

  25. Gary R. Hess, all people who comment on my blog still need to be approved; this just takes the blog off the beaten path enough that most blogspammers who are dumb/stupid won’t cause problems.

    The three most powerful forces in the universe (in reverse order):

    3) Hulkamania.
    2) The Super Bowl marketing machine.
    1) Human stupidity and ignorance.

  26. LOL! @ “Hulkamania” 🙂 The other 2 seem factual.

  27. I liked the addition concept for spam control. I think it is cool. May be because I love maths 🙂

  28. At least now I can use my glasses to see the question…before even with my glasses it was hard to make out the letters…ya ya ya…with age comes the lost of hair and eye sight…

    One could use questions like the following…

    At 1700 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?

    or…

    Are computer programmers more like Einstein or Picasso?

    or…

    Do the best hackers work for the IRS?

    or…

    In an election year, who wins when both parties are wrong?

  29. Can’t even read this one, what font size is that 2pt or smaller?

    Let me get my microscope out and see if I can answer this captcha…

    Ah, the magnifying glass on my swivel desk lamp can almost make it legible, let’s give this a shot…

  30. IncrediBILL

    The same thing here.

    I guess the reason for choosing such smaaaaaaaal fonts is that Matt must be only interested in feedback from the youngsters 🙂

  31. In an election year, who wins when both parties are wrong?

    The one who sells it the best.

  32. There’s a Session saver plugin for firefox that prevents the “copy before submit” conditioning.

  33. At 1700 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?

    Nothing, since “per second per second” doesn’t exist (unless this is some form of a scientific geek trick question.)

    Are computer programmers more like Einstein or Picasso?

    The good ones are like Kindergarten teachers. We develop things so well that even a five-year-old can figure them out.

    Do the best hackers work for the IRS?

    If IRS stands for “I Recycle Scams”, yes.

    In an election year, who wins when both parties are wrong?

    This question would have to be changed. In Canada, there are three major parties (NDP, Liberal, Conservative), a few fringe parties (Green Party, Bloc Québecois, National Party, Communist Party–no, that’s not a typo–, Natural Law Party–look up the name “Doug Henning” in Wikipedia–, and a few others that I forget).

    Now…when they’re all wrong? I’d say the companies that back the party that gains majority government in the election with corporate funding win.

    Interesting idea for a captcha though.

  34. Luckily it’s not the old GRAPHIC captcha so at least I can hit CTRL+ a few dozen times in Firefox and then I can see what in the heck it says 😉

  35. At 1700 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?

    heh

    Adam per second per second is a way of saying acceleration

    the effect would depend on what direction the acceleration and how long it went on for.

  36. “Spam protection: Sum of 3 + 9 ?”
    You might as well make it into an image so people have to at least read text from an image before spamming. Doesn’t take much to do 3 + 9 😉

  37. I have to agree with ash. The whole point of using CAPTCHA is that the text is in an image/cookie so that a spambot can’t read it and fill in the space. It would take me about 30 seconds to make a script to bypass this spam protection. Ok, let’s see if that’s true:

    ‘;
    eval (‘$sum = ‘.$match[1].’;’);
    echo ‘Fill in the form with this: (‘.$sum.’)’;
    } else {
    echo ‘Couldn’t find spam protection string’;
    }
    ?>

    Ok, so it took me 55 seconds to type that in and it’s not tested, but it should work- unless I screwed up the reg ex. 🙂

    On to my second point. Why don’t you just use Akismet http://akismet.com/ and let the spammers submit all they want? I’ve been using it for about 5 weeks now, and seriously only 3 or 4 spams have gotten through to the moderation queue in that time. I’ve also had *no* false positives and I get almost 200 spams per day.

  38. Why the php code got munged is beyond me. I’ll try once more.

    // Fetch the page and look for the plain-text challenge.
    $page = file_get_contents ('http://www.mattcutts.com/blog/changed-my-captcha/');
    if (preg_match ('/Spam protection: Sum of ([0-9]+ \+ [0-9]+) \?/', $page, $match)) {
        echo 'Found spam protection string. ('.$match[0].')';
        // The capture group only admits digits, spaces and "+", so eval sees nothing else.
        eval ('$sum = '.$match[1].';');
        echo 'Fill in the form with this: ('.$sum.')';
    } else {
        echo 'Couldn\'t find spam protection string';
    }

  39. Matt –

    Hmmm – over at Jeremy Zz blog people are quoting TS Elliot, while here we’ve failed to navigate the 2+2 math captcha?
    What does that say about your fans?

  40. I’ve got it – you just need to post a Cutts Captcha Primer:
    1+1 = 2
    1+2 = 3
    1+3 = 4
    13/0 =

  41. If you are reading this, then I lernt to add.

  42. Joseph Hunkins

    “What does that say about your fans?”

    It says that Matt’s fans are mature, nice and intelligent, but can’t see small fonts 🙂

  43. Good pick Matt. I just tried it on my blog, and it works like a champ.

  44. RE: “At 1700 miles per hour plus, it takes about 90 minutes to circle the earth”

    That would depend on how high you are and in which direction you are travelling.

  45. That would depend on how high you are and in which direction you are travelling.

    Yeah, I can’t see Tommy Chong travelling too quickly.

  46. Walked into that one 🙂

  47. that’s interesting, but it’s better to be more abstract, such as: who’s Mr President.

  48. Of course, it makes writing a bot specifically to spam your blog quite a fun lunchtime project 😉

  49. Actually, I could instead try writing a Greasemonkey script that fills it in automatically for me 😀

  50. Since some of us are having problems with this, and I’m not sure if this is by design or by accident, I’m going to ask a stupid question.

    Matt: is the tag surrounding the spam protection question by design? If so, is it just to make life even more difficult for the spammers by forcing them to squint and go blind?

    And if that’s the case, maybe have a link for “blog spammers click here” and a whole page with text that’s 0.1em big for them to read telling them to stick it straight up their candy asses. 🙂

  51. Damn tag removal…let’s try that again:

    Is the <SMALL> tag by design?

  52. Just testing this new captcha thing. Isn’t it a bit easy for bots to work out though? I mean “4 + 8” (what it gave me) is a bit of a giveaway?

    Is it actually working?

  53. I like the new protection. It is versatile, and reliable.

  54. Why the change at all Matt?

  55. Probably because the old captcha was hard to read at times, Dave. I don’t know about anyone else, but sometimes I had a tough time telling an X from a K because of the distortion, among other things.

  56. Yeah, I got caught between K & X a few times. This is costing me small fortune in calculator batteries though 🙂

    I always wonder why so many captchas use distorted pictures of characters etc. It’s as if they believe code can read it if the picture is clear?

  57. >> It’s as if they believe code can read it if the picture is clear

    Apparently you’re alpabet is missing the 3 letters O C and R.

  58. It’s late can’t type, matt won’t correct egregious errors [weeps]

  59. RE: “Apparently you’re alpabet is missing the 3 letters O C and R.”

    Apparently you’re alpHabet is missing the letter “h”.

  60. Two words for you Dave: Windows Calculator. 😉

  61. I’m confused… are you calling him an alphabet, or did you mean to say “your.”

    Sorry…. but one of my general rules has always been: “If you’re insulting somebody’s spelling or grammar make sure you check yours first.”

  62. Are you kidding me ? It took me exactly 10 mins to crack this captcha with my perl script ! Have fun 🙂

  63. I guess sarcasm is not your thing. There was no “insult” it was a jibe at IncrediBILL’s spelling. That is, he used “you’re”.

    Sorry…..but one of my general rules has always been: “If you’re insulting someone’s post make sure you check your facts first.” 🙂

    Yes, yes I know, sarcasm is the lowest form of wit.

  64. Whew…at least I got away with my typo…

    “At 1700 miles per hour plus” should have been …

    At 17000 miles per hour plus, it takes about 90 minutes to circle the earth. What is the net effect of 32 feet per second per second at this speed?

    Maurice…you are right…it is velocity…more specific it is the velocity of any object falling back to earth…velocity in terms of gravitational pull…

    Dave…you are right also…height above earth would effect the net result…17000 miles per hour plus is the speed at which NASA puts things into orbit…

    So I could have asked the question as…

    In orbit, what is the net effect of gravity?

    But if I had asked it that way…no one would have had as much fun with it…
    kind of like google making a change and letting us all guess what the heck they did now…

  65. Before you had “Add x and x” . . . as smart as I am I just wrote those numbers in the input field, cos it said “ADD” so I add them 😀 . . . now since it says “Sum of” and that there is a + between the numbers . . . even my brain figures out what to do 😀 😀 😀

  66. Would probably be better if the question was an image instead of plain text – at least it makes it harder to parse automatically.

  67. RE: “17000 miles per hour plus is the speed at which NASA puts things into orbit…”

    Isn’t an Escape velocity of about 24,500 miles per hour needed to go into orbit?

    RE: “In orbit, what is the net effect of gravity?”

    Assuming you mean Earth’s gravity, it would again depend on how far away from Earth you are. For example, our Moon is in Earth’s orbit.

  68. Uuuuh – my automatic blog comment bot has a problem with this captcha 😉
    So i have now to write with my fingers. Hope i remember the words right..

  69. I get fed up with scammers commenting on my blog. How can I prevent that – Is captcha a solution?

  70. “The claim is that this new plug-in works even with cookies and JavaScript turned off, and that if you get the code wrong, you can hit the back button and not lose your comment. Let me know if you see any weirdness.”

    It worked fine on your site, but can’t make this work correctly on mine. Did this work immediately or did you have to make changes so comments wouldn’t be lost? Have installed this on my site and comments are being lost if the Back button has to be hit.

  71. Matt, here is a cat photo captcha that you might like if you have not seen it before.

    http://research.microsoft.com/asirra/
