Many say, “It’s about time.” Others are saying, “We told you.” Either way, it’s as official as it gets. Bye-bye, WTF blog-cluttering CAPTCHAs. According to the Guardian in “How Captcha was foiled: Are you a man or a mouse?”, the CAPTCHA has been proven not to work.
While most of this ongoing series on WTF Blog Clutter has been focused on the blog sidebar and design elements, a big clutter element is the continued use of the CAPTCHA with comments with the misguided belief that it would stop comment spammers. NOT.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, created to ensure that humans can read the letters and numbers in a way that computers can’t, so automated scripts and bots can’t leave a comment on your blog. Pass the test and you’ve earned the right to comment. Except that the CAPTCHA techniques have been broken and bypassed easily by computers for years.
Websites use Captchas in an attempt to disrupt the spam and malware economy – but they are not working. “Spammers and malware authors are able to break Captcha process,” says Carl Leonard, a threat research manager at Websense Security Labs. “As a result, we’ve seen an increase in the amount of mail sent out from reputable mail services such as Gmail, Hotmail and Windows Live Mail, and an increase in the number of blogs that host malicious content, or content that the spammers wish to advertise.” Email accounts on such services are particularly valuable because spam filters cannot block them without also blocking genuine mail.
Techniques to break Captcha are nothing new. First, if a human can read an image then the chances are that software can do the same thing. In 2005, a software developer, Casey Chesnut, wrote a Captcha-breaking algorithm and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability. In response to this kind of attack, Captcha authors have devised tests that are harder to solve. Images may be more squiggly than they used to be, making them harder to break but also more troublesome for legitimate users. Other ideas include 3D Captcha, relying on object recognition rather than character recognition; or framing questions that are trivial for humans to answer but hard for software to parse. Some approaches work better than others, but there are a number of inherent problems. One is that many Captchas are inaccessible to the visually impaired, and will fall foul of accessibility legislation unless there is an alternative. Another snag is that spammers may play their trump card, using humans.
Ah, yes, the human element. Human comment spammers have been around for a while. Spammers found out they could cheaply hire third world workers to spam blogs with very little training. Combined with comment spam bots which can create incredibly legitimate looking comments using your name or blog name and content from within your blog post and other comments to make the comment look real, it’s become harder than ever to really tell what is a real comment and what is comment spam. So much so that Matt Mullenweg told attendees at the recent WordCamp 2008 in San Francisco that Akismet has a lot of trouble with known comment spammers getting back out into the comment queue because people pull them out of the comment spam queue thinking they are legitimate.
When I talked about comment spam fighting techniques with WordPress at WordCamp Dallas this year, I loved the reaction to some images I displayed of WTF CAPTCHAs I’ve collected over the years. The crowd laughed and applauded, having experienced their own WTF moments facing these ridiculous combinations of letters and numbers before you can leave a comment or take the next step.
I’ve found these ugly images on some of the most beautiful blog designs ever. Designs that have me swooning with envy at their clean, clear colors and design elements. Combined with great content, these are nearly orgasmic creations, until the phone rings, there’s a knock at the door, and everything screeches to a halt when I scroll down to leave a comment and find one of those blotchy, out-of-focus, clunky CAPTCHA scripts. CAPTCHA interruptus.
I’ve tried to stare down many a CAPTCHA trying to solve its mystery. I’ll tilt my head to the side, the other side, and even consider flipping my monitor or myself upside down to figure them out. I’ve spent so much time trying to figure out the CAPTCHA message I’m supposed to solve that I’ve often forgotten what I wanted to say in the first place.
When I haven’t been able to clearly see what it is asking me to do, out of desperation I’ve clicked the “If you can’t see this, click here” link only to have the entire page reload – and lose my comment! ARGH. WTF!
Don’t insult our intelligence with one of those dumb torture test quizzes, either. How much is 4+6? What is my name? What is the name of this blog? Are you a spammer?
Come on, folks! These are CAPTCHAs in disguise and they have been broken for ages. Any decent comment spam attacker can bypass these, and if they haven’t, they probably will by tomorrow. You can’t keep these updated fast enough to outwit the comment spammers.
Let nothing come between a reader and their comment. If you do, you risk losing their comment.
I’ve talked to a lot of bloggers and blog readers about CAPTCHAs and torture tests. A lot of them say that they won’t comment on blogs with those features installed.
For those who do, many are often faced with the unfriendly white page with only another version of the CAPTCHA that says, “Wrong Answer. Please try again.” Or “Thank you for your comment” with no way to get back to the blog unless you hit the Back button on your browser, and you probably won’t see your comment or know if it is acceptable, in moderation, or anything until you refresh the page. Do you have that much time and familiarity with your browser to do that?
CAPTCHAs and torture test quizzes are painful to users, and to the inexperienced blog reader, they can be exceptionally frustrating. Why bother when they don’t work?
Is There Hope for CAPTCHAs?
While I believe that CAPTCHAs have no place on blogs in the comment box, there is still a great need to improve security when it comes to logins and registration. These are highly sensitive areas. You don’t want just anyone to log into your blog or website and create havoc. There have been improvements in this area, but when it comes to the comment box – let comments come without a ticket to the dance. Everyone’s welcome to join in.
The article goes on to explain that while some, like Microsoft, are continuing to invest in improving their CAPTCHA systems, even while attackers are working harder at breaking them, community-based protection such as Akismet and Defensio Anti-Spam is actually working better at keeping comment spammers at bay.
That said, the internet is a long way from adopting this level of security, and there is always a danger that whatever steps the industry takes to improve authentication, the scammers will keep up with innovations of their own.
Mullenweg’s answer is to focus on the content rather than the user. His Akismet system for preventing spam comments relies on a combination of secret algorithms and community reports, and has proved remarkably effective.
“Ultimately Captchas are useless for spam because they’re designed to tell you if someone is ‘human’ or not, but not whether something is spam or not. Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”
If you are really worried about comment spam on your blog, I’ve long recommended a multi-layered approach, though I’m finding that Akismet does the job alone extremely well on my WordPress.com blog. By working together I believe we can protect each other from comment spam, but we also need to do more.
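To make Mullenweg’s point concrete, here is an added illustration of judging the comment rather than the commenter. It is my own constructed example, not Akismet’s code (the article says its algorithms are secret): it screens a comment on two content signals this post describes, text copied from the blog post or earlier comments and link density, and every sample comment, post text and threshold below is made up for the demonstration.

```python
"""Content-based comment screening (constructed example, not Akismet)."""
import re

# Constructed sample data: a blog post and one comment already approved.
POST_TEXT = ("Comment spam bots can copy your name or blog name and text from your post "
             "to make a comment look real. Content-based filtering judges the comment itself.")
EXISTING_COMMENTS = ["Great point about content-based filtering, thanks for writing this."]

# Constructed sample comments: a genuine reply, a bot that pasted the post back,
# and a human-typed ad. A CAPTCHA would only have stopped (maybe) the second one.
GENUINE = "I disagree slightly: I think CAPTCHAs still help on login forms."
COPIED = ("Comment spam bots can copy your name or blog name and text from your post "
          "to make a comment look real. Check out http://example.invalid/deals")
LINKY = "Nice blog! Cheap watches at http://a.invalid http://b.invalid http://c.invalid"


def shingles(text, n=4):
    """Set of word n-grams of the lowercased text; used to measure copied text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def copied_fraction(comment, sources, n=4):
    """Fraction of the comment's n-grams that also occur in any source text."""
    own = shingles(comment, n)
    if not own:
        return 0.0
    pool = set().union(*(shingles(s, n) for s in sources))
    return len(own & pool) / len(own)


def link_count(comment):
    """Count URL-like fragments in the comment."""
    return len(re.findall(r"https?://|www\.", comment, re.I))


def screen_comment(comment, post_text, existing_comments, max_links=2, copy_threshold=0.5):
    """Return (verdict, reasons); verdict is 'approve', 'moderate' or 'spam'.
    Only the content is examined, never whether the author 'looks human'."""
    reasons = []
    frac = copied_fraction(comment, [post_text] + existing_comments)
    links = link_count(comment)
    if frac >= copy_threshold:
        reasons.append(f"{frac:.0%} of the text is copied from the post or earlier comments")
    if links > max_links:
        reasons.append(f"{links} links exceeds the limit of {max_links}")
    if frac >= copy_threshold and links:   # copied filler wrapped around a link
        return "spam", reasons
    return ("moderate" if reasons else "approve"), reasons


if __name__ == "__main__":
    for sample in (GENUINE, COPIED, LINKY):
        print(screen_comment(sample, POST_TEXT, EXISTING_COMMENTS), "<-", sample[:40])
```

The thresholds are deliberately simple; the point is that the bot-pasted comment and the human-typed ad are both caught by what they say, which no “are you human?” test can do.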
Work hard to keep your blog comment spam free so your readers don’t have to be assaulted by comment spam, or waste time dealing with friendly readers who point them out to you. Be aware of the games spammers and sploggers play with your comments and content and report splogs and spammers when you find them. If you recognize a company that is comment spamming, don’t do business with them.
And lastly, don’t torture your blog readers with WTF CAPTCHAs.
NOTE: Special thanks to all who have commented and blogged about this series, and a special thank you to the WordCast Podcast and the fun they’ve been having with this series.
WTF Blog Design Clutter Articles Series
- WTF Blog Design Elements: Are Blog Archives Working for Your Blog
- WTF Blog Design Clutter
- WTF Blog Clutter: Pictures of Our Bloggy Friends
- WTF Blog Design Elements: Most Recent Comments and Shout Boxes
- WTF Blog Design Elements: Twitter, Tumbler, and Microblog Babble
- WTF Blog Clutter: Unrelated Ads Angst
- WTF Blog Clutter: Feed Clutter
- WTF Blog Design Clutter: Incoming Feed Clutter
- WTF Blog Clutter Design: How Many Feed Icons Do You Need?
- WTF Blog Clutter: How’s the Weather on Your Blog?
- WTF Blog Clutter: Where Are You?
- WTF Blog Clutter: Video and Pictures
- WTF Blog Clutter: What to Call Your Feeds and Ads
- WTF Blog Clutter: Are You Ignoring Your Uncategorized Category?