Captcha
[update] I've accepted an answer, as lc deserves the bounty due to the well thought-out answer, but sadly, I believe we're stuck with our original worst case scenario: CAPTCHA everyone on purchase attempts of the crap. Short explanation: caching / web farms make it impossible for us to actually track hits, and any workaround (sending a non-cached web-beacon, writing to a unified table, etc.) slows the site down worse than the bots would. There is likely some pricey bit of hardware from Cisco or the like that can help at a high level, but it's hard to justify the cost if CAPTCHAing everyone is an alternative. I'll attempt to do a more full explanation in here later, as well as cleaning this up for future searchers (though others are welcome to try, as it's community wiki).
I've added bounty to this question and attempted to explain why the current answers don't fit our needs. First, though, thanks to all of you who have thought about this, it's amazing to have this collective intelligence to help work through seemingly impossible problems.
I'll be a little more clear than I was before: This is about the bag o' crap sales on woot.com. I'm the president of Woot Workshop, the subsidiary of Woot that does the design, writes the product descriptions, podcasts, blog posts, and moderates the forums. I work in the css/html world and am only barely familiar with the rest of the developer world. I work closely with the developers and have talked through all of the answers here (and many other ideas we've had).
Usability of the site is a massive part of my job, and making the site exciting and fun is most of the rest of it. That's where the three goals below derive. CAPTCHA harms usability, and bots steal the fun and excitement out of our crap sales.
To set up the scenario a little more, bots are slamming our front page tens of times a second screenscraping (and/or scanning our rss) for the Random Crap sale. The moment they see that, it triggers a second stage of the program that logs in, clicks I want One, fills out the form, and buys the crap.
In current (2/6/2009) order of votes:
lc:
On stackoverflow and other sites that use this method, they're almost always dealing with authenticated (logged in) users, because the task being attempted requires that.
On Woot, anonymous (non-logged) users can view our home page. In other words, the slamming bots can be non-authenticated (and essentially non-trackable except by IP address).
So we're back to scanning for IPs, which a) is fairly useless in this age of cloud networking and spambot zombies and b) catches too many innocents given the number of businesses that come from one IP address (not to mention the issues with non-static IP ISPs and potential performance hits to trying to track this).
Oh, and having people call us would be the worst possible scenario. Can we have them call you?
BradC
Ned Batchelder's methods look pretty cool, but they're pretty firmly designed to defeat bots built for a network of sites. Our problem is bots are built specifically to defeat our site. Some of these methods could likely work for a short time until the scripters evolved their bots to ignore the honeypot, screenscrape for nearby label names instead of form ids, and use a javascript-capable browser control.
lc again
"Unless, of course, the hype is part of you
Source: (StackOverflow)
can any one tell me how to use captcha in asp.net mvc?
is there any need to download any control for it?
Source: (StackOverflow)
I have not had much success finding how to style Google's new recaptcha (v2). The eventual goal is to make it responsive, but I am having difficulty applying styling for even simple things like width.
Their API documentation does not appear to give any specifics on how to control styling at all other than the theme parameter, and simple CSS & JavaScript solutions haven't worked for me.
Basically, I need to be able to apply CSS to Google's new version of reCaptcha. Using JavaScript with it is acceptable.
Source: (StackOverflow)
What if I have a captcha that displays a series of English characters. Will people who don't speak English have trouble interpreting and/or typing these characters? If this is the case then what is the best solution for an internationalized captcha?
Source: (StackOverflow)
Recently Google introduced a simplified "captcha" verification system (video) that enables users to pass the "captcha" just by clicking on it.
But how can it differentiate a bot from a person just by a click?
As per this answer, (assuming a similar implementation), at first "recaptcha" generates a hidden key and attaches it to a hidden input element and also lazily renders a check box (not an actual check box input but a div) with the same key which when clicked, sends an asynchronous request (XHR) to the Google backend servers to mark it as a valid verification key (i.e. a key that has to be validated when the form is submitted).
But why can't bots automate that click (at least, browser-based bots)?
How might this work?
Source: (StackOverflow)
Recaptcha is adding a "This frame prevents back/forward cache problems in Safari" iFrame to the top of my website (code included below), which is pushing off the styling by 20-30px (approximately).
If I set display: none; to the element in Firebug it fixed the problem .
Does anyone know why this element has a height (I have no CSS that applies to iFrames)? Or how to set display: none; on it?
<iframe src="about:blank" style="height: 0px; width: 0px; visibility: hidden; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; ">
This frame prevents back/forward cache problems in Safari.
</iframe>
Source: (StackOverflow)
I am trying to send emails from Django using an email configured by Google Apps, my configuration at the settings.py file looks something like this:
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_HOST_USER = 'contact@mydomain.com'
EMAIL_HOST_PASSWORD = 'password'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
When I try to send an email using:
from django.core.mail import send_mail
send_mail("Happy new year", "We wish you the best for 3001",
"contact@mydomain.com", ["someuser@gmail.com"])
I get the following error:
SMTPAuthenticationError:
(535, '5.7.1 Please log in with your web browser and then try again.
Learn more at
5.7.1 https://support.google.com/mail/bin/answer.py?answer=78754 k2sm758604obl.14')
Since I'm working on a remote server with no graphical user interface, I cannot even try to login from the browser.
Source: (StackOverflow)
There are a lot of captchas plugins in Rails and also many types of solutions for preventing spamming and flooding. So it isn't only Rails question.
Let's see what types of plugins do we have:
1. Classic image captcha (zendesk's Captcha, Simple_captcha, Validates_captcha, winton's Captcha, Raptcha).
positive:
- Can be effective to prevent automatic decrypt (not sure about Simple_captcha, but it seems that both zendesk's and winton's captchas don't achieve that, as they use pre-generated images (instead of on-demand), so our possible spam bots can be learned on that images).
negative:
- Require DB table (at least Simple Captcha. Not so bad, but do they clean it after use?).
- Require RMagick or similar (not so actual for me, as I already have it on my site).
- Fail manual decrypt ($2/1000 images as I know).
- Annoying to users and can hurts conversion rates.
2. ReCaptcha (Recaptcha, Rack-recaptcha).
positive:
- Can be effective to prevent automatic decrypt.
- Don't require Rmagick and DB table.
negative:
- Make api-calls to 3rd-party site.
- Fail manual decrypt.
- Even more annoying than previous.
3. Honey pots (Negative-captcha, Trap_door, Reverse_captcha, Honeypot-captcha, Bouncy_bots, invisible_captcha).
positive:
- User doesn't know about captcha presense.
- Don't require Rmagick and DB table.
negative:
- May fail automatic decrypt (are there any bots that can recognize this plugins?).
- Fail manual decrypt.
4. Text-base (Humanizer, Brain_buster, Gotcha).
positive:
- Don't require Rmagick and DB table (except of Brain_buster).
negative:
- May fail automatic decrypt.
- Fail manual decrypt.
- Little bit annoying (can be localized).
5. Other (Acts_as_snook)
positive:
- User doesn't know about captcha presense.
- Don't require Rmagick and DB table.
negative:
Don't know if there any because it's very unusual. But I think it may cause problems in case of flooding, as it can require post's moderation in some times.
6. Akismet-like solutions (don't know about their efficiency).
positive:
- User doesn't know about captcha presense.
- Don't require Rmagick and DB table.
negative:
- Make api-calls to 3rd-party site.
- Deliver user's details to 3rd-party site (very, very bad).
I also should say a few words about my site. Users can see protected form only after an ajax request (after putting something to cart for example). Are modern bots have abilities to do ajax requests and storing cookies?
P.s. I can't post many links as my rating is very low and also sorry for my bad English.
Source: (StackOverflow)
I have 2 forms on a single page. One of the forms has a recaptcha displaying all the time. The other should display a recaptcha only after a certain event such as maxing out login attempts. So there are times when I would need 2 recaptchas to appear on the same page. Is this possible? I know I could probably use a single one for both, but the way I have the layout, I would much prefer to have 2. Thanks.
Update: well I guess it may not be possible. Can anybody recommend another capture library to use side by side with reCaptcha? I really want to be able to have 2 captchas on the same page.
Update 2: What if put each form in an iframe? Would this be an acceptable solution?
Source: (StackOverflow)
I want to stop spammers from using my site. But I find CAPTCHA very annoying. I am not just talking about the "type the text" type, but anything that requires the user to waste his time to prove himself human.
What can I do here?
Source: (StackOverflow)
See the demo of JQuery Qaptcha here - http://www.myjqueryplugins.com/QapTcha/demo
It requires you to slide the slider to unlock and prove you're human. I've read all about how it's setting random field values and erasing them, but isn't all that done via a javascript call? And if so then wouldn't a bot just need to run the javascript method and then the qaptcha is broken?
Help me understand how this is secure...
Source: (StackOverflow)
Vkontakte API rejects requests with Captcha. Here is the example what I do.
After the third request I get Captcha error (14) - Captcha needed.
According to documentation it's sufficient to add captcha_sid and captcha_key parameters to the original requests and repeat the request.
But the response is still Captcha error (14). Is it possible to work with Captcha and OAuth in Vkontakte API?
Source: (StackOverflow)
Of all the forms of CAPTCHA available, which one is the "least crackable" while remaining fairly human readable?
Source: (StackOverflow)