WordPress Captchas
We’ve all grown to be familiar with (yet greatly resent) the little “type the letters in this box” features when commenting on blogs. They’re called Captchas and they’re designed to be a sort of Turing Test: something that humans can easily do but computers can’t.
Their real goal is to cut down on automated programs called Spambots that post links to porn, pill, and poker sites. We’ve even seen articles about spammers fighting back. Some have even created free porn sites where you get porn as long as you solve a captcha between each image. You’ve gotta give them credit.
The latest WordPress plugin isn’t an image of blurred letters though, it’s a math problem. Matt Cutts recently upgraded his blog, and it now asks me to “Please add 8 and 2” before I can leave my comment.
While it’s a better approach than the image (they are pretty hard to read), it’s even more flawed. A simple Google search will show that there are already a few other sites using this plugin. Writing a spambot to take advantage of it would be trivial:
- Search Google, extract urls
- For each URL, visit the page and fill out the form with spam
- Parse for a regular expression like “Please X Y and Z”
- do the math, fill out the form next to it, submit your spam.
For proof of concept, I’d write such a script, however it would be against my ethics. It would only take me 10 minutes though, honestly.
The captcha / addition approach reflects a flawed way of thinking. The goal of a spam bot isn’t to spam one website; if I only wanted to spam Matt, I’d do it by hand. The spammer’s goal is to spam as many websites as possible as quickly as possible, so any universal attempt to stop it will easily be cracked.
Instead of doing what everybody else does (captcha, math problems, kitten auth, etc.) it’s far more beneficial to do what Jeremy Zawodny does. Jeremy has all of his commenters type “Jeremy” in a box before continuing. It’s real easy to code a bot to do it, but since it’ll only work on one site there’s no point. If somebody does keep spamming him repeatedly, Jeremy just bans the IP by hand.
I say let’s abandon the captcha idea in favor of making the commenter type something site-related into the box. That’s how this site is going to work when I’m finished re-coding it.
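As an added illustration of the site-specific check described above (example code, not from the original post or from any WordPress plugin), here is a small server-side gate: the expected word is fixed per site and never appears in the form itself, so a generic “parse the question, compute the answer” bot has nothing to work with, and repeat offenders are blocked by IP the way Jeremy does by hand. The question text, answer and ban threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed site configuration (assumption): the prompt is shown to the commenter,
# but the answer is only known to humans who read the site, not derivable from the prompt.
SITE_QUESTION = "Type the first name of this blog's author in the box"
SITE_ANSWER = "Jeremy"


class CommentGate:
    """Validates a site-specific comment challenge and bans IPs that keep failing."""

    def __init__(self, answer, ban_threshold=5):
        self._answer = self._normalize(answer)
        self.ban_threshold = ban_threshold
        self.failures = defaultdict(int)   # ip -> consecutive failed attempts
        self.banned = set()

    @staticmethod
    def _normalize(text):
        # Forgive casing and stray whitespace so humans are not rejected for "jeremy ".
        return " ".join(text.strip().lower().split())

    def check(self, ip, submitted):
        """Return 'accepted', 'rejected' or 'banned' for one comment submission."""
        if ip in self.banned:
            return "banned"
        if self._normalize(submitted) == self._answer:
            self.failures.pop(ip, None)        # a correct answer clears the strike count
            return "accepted"
        self.failures[ip] += 1
        if self.failures[ip] >= self.ban_threshold:
            self.banned.add(ip)                # automate the "ban the IP" step
            return "banned"
        return "rejected"


if __name__ == "__main__":
    gate = CommentGate(SITE_ANSWER, ban_threshold=3)
    # A bot built for the math plugin answers the arithmetic it expects to find.
    print(SITE_QUESTION)
    print("bot:  ", gate.check("203.0.113.7", "10"))
    print("human:", gate.check("198.51.100.2", " jeremy "))
```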
There are two approaches to security. One involves throwing up big walls and armed guards, etc. (the captcha). The other involves simply not making yourself a viable target in the first place.
September 7th, 2006