Hey everyone. I've been talking to DarkDragon about a new captcha system and thought it'd be cool to get some insight on the project.

I'm uncertain if he's actually going to use it so I'm not 100% positive you're going to see it here yet but in the near future it may be possible.

Anyway I had a little bit of difficulty with the current captcha system in place and for good reason I'm not going to knock it.

However with any good captcha one thing should absolutely be accomplished. Prevent automated systems from doing ANYTHING.

Which consequently means allow humans, operating normally to do anything.

So I devised a captcha that I think can accomplish this. It would be extremely hard to write software to beat my system and it's fairly easy for humans to use it.

Check it out here...

http://go-ross.com/captcha/

What I'm looking for are critiques and ideas :D if you have them then post them here or PM me directly.

If you'd like to see this on Armageddon Games let us know!

If you'd like to use the code I'm working on any of your own sites let me know.

It will be protected under the Creative Commons License so you know the drill, you're free to use, modify and redistribute it so long as you keep the hidden disclaimer (invisible when using it) intact.

Anyway I haven't been able to get a lot of feedback on it so I hope someone is alive on here and can take a look at it. Test it out, make some suggestions, critique, whatever.

If you give some substantially good advice or offer any kind of help I'll definitely give you credit for everything you've done.

Thanks guys!

I think if an algorithm can correctly identify characters from an image then solving a simple equation will be trivial in comparison. This will probably be effective in the short-term since most spam bots won't be designed to circumvent it, but that is probably true of most obscure captcha systems.

It can't hurt, I just don't know how groundbreaking it is. :shrug:

It doesn't have to be groundbreaking, it just has to be uncommon enough that spambot designers won't think of it. :)

Thanks guys. I agree it definitely isn't ground breaking but there really isn't any kind of captcha that is, is there?

In case you only answered one or two captchas there is actually a lot inside of it and it can all be configured.

For example if you refresh the page a few times there are random questions that are asked as well.

Random nonsense questions that any human could answer. A computer on the other hand would have to have an intense amount of programming in order to parse these questions and figure out a logical answer.

For example. "How do you spell dog?" Easy enough question and there are many variations of this in the captcha as well.

The mathematics have varying levels of difficulty and here in a few hours will have several representations as well.

For example instead 10 + X = 100 I will also use 10 plus X equals 100

Weird things like that will be scattered about.

Best thing is that it's database is obviously expandable! You can add and change questions as much as you want. Easily as well just by modifying the arrays within the programming.

If you have any suggestions though let me know! All will be appreciated!

As most of the spam has died down due to the inability to put links in posts and sigs until a certain number of posts, I don't think this is necessary, especially considering the majority of what most people call "spam bots" are actually living, breathing humans that are paid to spam.

It doesn't have to be groundbreaking, it just has to be uncommon enough that spambot designers won't think of it. :)


This will probably be effective in the short-term since most spam bots won't be designed to circumvent it, but that is probably true of most obscure captcha systems.

I agree ;)

Anyway, nice work rosscowar, I see its a little more comprehensive than I had originally thought. And its good to see you are passionate about your work. Good luck!

Thanks! Yeah I've never developed anything for anyone else's websites that I wasn't somehow involved with the development team personally. Plus it was the first time that I've worked on image manipulation in PHP which is surprisingly crafty ;) I may very well keep working on numerous things like this and hopefully it will be used in numerous places. Since it's still in a testing/development phase I won't actually be distributing the code anytime soon but it's available for anyone who wants it since I'll email it to you. I'd love for some pros out there to look through the code and critique it and everything or of course using it will always be nice :)

My captcha is officially live on the site and it's going through it's trial period!

Right now it is testing newcomers on the registration page but it may very well make it's way to the forums if things get out of hand :)

Either way it should be fun and interesting!

Although initially my lazy brain does not want to do math, I like the idea of using numbers. With numbers and equations there is only one answer. Questions with words can end up being open to interpretation and lead to incorrect answers. For example, "What color is the sky?" I'm sure you are looking for blue as the answer, but it's black at night, red and orange in a good sunset, and grey if you're color blind.

Hey there xyvol! I honestly didn't want to do the questions at first but I figured I'd build the functionality for it SO any other user of the captcha could easily make their own set of questions and answers and integrate it into their site.

All in all though it's extremely simple to change the questions and answers, I just added stupid silly questions to hopefully spark ideas and give the programmers an example of proper implementation.

If I were to use this on any of my own sites I would disable the questions and simply go straight math and see how effective it is. However a random question here and there is kind of fun too.

In the configuration page of the program you can enable or disable all of the following features.

Multiplication, division, addition, subtraction, big or small numbers, use questions and you can change the frequency in which a question will pop up. That is set at 30% by default.

My primary goal was versatility though, I primarily wanted it to be able to be used anywhere for a variety of purposes. So I also added the ability to easily change the color scheme, make the background transparent, and change the size of it as well.
In addition there are two different methods for implementation, you can use a session driven verification system OR an encrypted hidden post field verification system. Both of which work great but obviously session driven data is more secure.
Despite the fact that I highly doubt anyone will try to hack the encryption used on the post field.

I would love to see this implemented as soon as possible.

However I would like to note that there are a few rare registered ads that are actual humans, and SOME of them actually post surprisingly relative content (such as that regarding the current status of ZC, or why a warp won't work, etc.) I have PM'd these people about removing the ads from their signatures but I don't know who all actually complied.

EDIT: hey speak of the devil

http://armageddongames.net/showthread.php?60788-Funky-Bug-Don-t-press-!&p=884530#post884530

Check the rest of the thread in those cases - they're just repeating parts of earlier posts.

I think a combination of a captcha system for blocking bots along with restricting new member's ability to add links in their posts would work. I did notice a couple of posts where they just copy and pasted a section of text from an earlier post, then added ad links. I believe way back when I first started, custom avatars were only available after 100(?) posts, and I think you then had to ask a Mod to change it for you. Something similar might be work for linking, if it could be implemented.

Yes, it was at 100, but you could do it yourself. The custom title came at 1K.

I like the idea of disabling linking in signatures until a certain amount of posts. I think it should be extended to the body as well, blocking linking completely until a reasonable amount of posts. At least blocking linking to external URLS anyway.

Remember though, our buddy Rowgatrick got up to like 130 posts. Do we want to restrict new members from posting links until a post count, or until they verify with a staff member that they are human?

You could try manually enabling links in signatures for each member, but A: That'd be a pain in the ass, and

B: Would work against making AGN a friendlier place.

I do support the idea of members *earning* abilities though through how many posts they have. I don't think it would solve our problems though. Why exactly is it AGN that is getting bombarded? Too behind-the-times?

Supplemental: There used to be webpages users could link to in posts and signatures that would attract adbots and then catch them in an unending loop of redirects, thus doing away with them. However, judging by the apparent lack of these pages now, the bots are likely too smart for that anyways...

Disallowing links for users with fewer than five or ten posts would help a lot. If users who put links in their signatures immediately after registering could be flagged automatically, that'd be ever better.

Even if bots won't fall for endless redirects anymore, maybe there are other ways to confuse them. For instance, put a captcha on the registration page that's somehow hidden in browsers and assume anyone who does fill it in is a bot.

That's a great idea, Saffith. I like that. Can we do that?

Disallowing links for users with fewer than five or ten posts would help a lot. If users who put links in their signatures immediately after registering could be flagged automatically, that'd be ever better.

Even if bots won't fall for endless redirects anymore, maybe there are other ways to confuse them. For instance, put a captcha on the registration page that's somehow hidden in browsers and assume anyone who does fill it in is a bot.


Now that's what I call thinking outside the box. It's like being in a car chase, and when the pursuer gets too close, you slam on the brakes, watch him launch ahead, and you go the opposite direction.

For the 183 millionth time--95% aren't bots at all. They're real people being paid to post advertisements so stupid captchas and whatever other crazy schemes will not stop them.

The last time we had a major cleanup and DD installed Classic Black again, we had a system in place that wouldn't allow new users to post links. Since that time, AGN has somehow been hacked or altered so that hack was removed and the "invisible" forums can be seen by all.

I'm still thinking there's a trojan hidden in the FTP somewhere...which makes me wonder if the database has been backed up, FTP wiped, new version of vbulletin installed, and then database restored as that would remove any trojan files that dragging and dropping updates would not.

They were mostly humans for a while, but I don't think that's true anymore. Either way, it'd be worth it to block the bots if we can.

AGN has been wiped/hacked so many times, that right now I'm open to pretty much anything.

I like Saffith's idea, and agree it's worth it to eliminate bots as a problem. Then the focus can be directed to the human spammers. Restricting posts is all I can think of now, but be wary when setting a post count. It could lead to more spam posts made in order to increase the count. I like verification, but seems like a lot of work for the site operators and mods, epescialy for the users who only register to ask a ZC question, then never come back.

Human bots can't be blocked unless you disable registration full stop. Which of course is counter-active...

I'm not of the belief that most of them *are* human. Those that are will be treated not as a nuisance device, but as voluntary violators (which is what they are.) We'll still ban them, only in this case it'll be a disciplinary action in addition to preventing them from advertising.