Captcha This

A lot of sites use captchas these days in an effort to prevent spamming and other automated attacks/uses of services. The idea is that you have to type in the (usually distorted) text you see in a picture in order to proceed, and only a human would be able to read the text.

Apparently spammers have found a way to get around this by having people do the work for them. They post the captcha on one of their own sites, usually promising access to porn or warez or something of that nature, then every time an unsuspecting internet user types in the code on their site, they use that to bypass the check and send their spam. It’s actually pretty clever.

One obvious way to combat this is to expire the captchas after a certain period of time (likely a few minutes). If it’s expired by the time they submit, then present a new one to validate. Even better would be to do it using AJAX right before the submission is made, and expire after just a few seconds. I’m sure there are probably at least some sites doing this now, though I’ve never seen one done with AJAX.
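One way the server side of this expiry could look, as an added example that is not code from the original post. The class name `CaptchaStore`, the 120-second lifetime and the in-memory dictionary are assumptions made for illustration; each challenge is also single-use, so a solved captcha cannot be submitted twice.

```python
import hashlib
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes


class CaptchaStore:
    """Server-side record of outstanding captchas (in-memory for illustration)."""

    def __init__(self, ttl=120, clock=time.time):
        self.ttl = ttl              # seconds a challenge stays valid
        self.clock = clock          # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)
        self._pending = {}          # challenge id -> (answer MAC, issue time)

    def _mac(self, cid, text):
        # Bind the answer to its challenge id; compare case-insensitively.
        msg = f"{cid}:{text.strip().upper()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, length=6):
        """Return (challenge id, text to render into the distorted image)."""
        cid = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._pending[cid] = (self._mac(cid, answer), self.clock())
        return cid, answer

    def verify(self, cid, submitted):
        """Return 'ok', 'wrong', 'expired' or 'unknown'."""
        entry = self._pending.pop(cid, None)   # pop: one attempt per challenge
        if entry is None:
            return "unknown"                   # never issued, or already used
        mac, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return "expired"                   # too old: caller issues a new one
        if hmac.compare_digest(mac, self._mac(cid, submitted)):
            return "ok"
        return "wrong"
```

On any result other than `ok`, the form handler would call `issue()` again and present the new image before accepting the submission.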

Something else I’ve never seen done before though is putting the name of the site in the captcha. This doesn’t in any way prevent it from being displayed on another site, but at least it makes it a bit less appealing to use this hack. If an effort is made to raise public awareness that you shouldn’t enter information for a captcha with another site’s name on it, then it may even lower or completely get rid of this hack.

At this point, neither of these ideas has been implemented (to my knowledge), but hopefully someone will read this and get inspired.
