Accessible Turing test

M

+mrcakey

I did a site for my girlfriend's sister. It's a blog-like effort and users
can add comments to each entry. She didn't want users to have passwords and
now it's getting spammed. I'd like to add a CAPTCHA but I want to keep my
halo so I'm looking for a good *accessible* CAPTCHA solution, i.e. no
obfuscated characters, no sound files, screen readable.

I got temporarily excited by the idea of a honey trap (extra form field
hidden by CSS - if it's filled in, the Turing test is failed), but first off
it presents issues with certain assistive technologies and second, I noticed
that not all spammers have filled in the optional "name" field in my comment
form.

Simple maths problems - I've heard that these are being circumvented
already.

Linguistic solutions (e.g. "Peter bought some yoghurt, milk, deodorant and
cheese. What did he buy that didn't come from a dairy?") - this is
interesting because my girlfriend's Dutch and some of the people making
comments won't be able to read English / I can't write Dutch.

I thought maybe a code table where this sort of thing might go on:

"
A B C D E F G
6 5 4 8 3 1 2

A + F = ???
"

But that would be a nightmare for screen reader users and also might even
confuse sighted users.

So I'm still stuck.

Does anyone know of a decent, fully accessible solution to this?

If not, maybe we could create one between us, like a community project?!

+mrcakey
 
M

+mrcakey

Is this any good?

XXX XXXX YY = 5
XXXXX YYY XX = 4
XX Y XXX = 4
XXXX XXXX = ?

Or is it not obvious enough what's going on?

+mrcakey
 
B

Beauregard T. Shagnasty

+mrcakey said:
I got temporarily excited by the idea of a honey trap (extra form
field hidden by CSS

That won't work because the spammers do not use your page in their
browsers. They make a copy of your page/script, and send it
programmatically directly to your POST script, thus your CSS-hidden form
will be visible.

Best way I've found is to examine all fields for the presence of:
cc:, http://, <a href, or whatever else your spammers are using, and if
found return an error page.
 
J

Jonathan N. Little

+mrcakey said:
Is this any good?

XXX XXXX YY = 5
XXXXX YYY XX = 4
XX Y XXX = 4
XXXX XXXX = ?

Or is it not obvious enough what's going on?

+mrcakey


0

No, some folks will not get it. Some cannot get 4-2=? ;-)
 
M

+mrcakey

Jonathan N. Little said:
0

No, some folks will not get it. Some cannot get 4-2=? ;-)

LOL, the correct answer was 8, so I guess that REALLY doesn't work!!!

+mrcakey
 
M

+mrcakey

Beauregard T. Shagnasty said:
That won't work because the spammers do not use your page in their
browsers. They make a copy of your page/script, and send it
programmatically directly to your POST script, thus your CSS-hidden form
will be visible.

That's the whole idea - spambots fill the field in, humans don't. Although,
I've discounted this method anyway.
Best way I've found is to examine all fields for the presence of:
cc:, http://, <a href, or whatever else your spammers are using, and if
found return an error page.

I'd like a solution that allowed legitimate users to enter such things
though.

+mrcakey
 
D

dorayme

"+mrcakey said:
Linguistic solutions (e.g. "Peter bought some yoghurt, milk, deodorant and
cheese. What did he buy that didn't come from a dairy?") - this is
interesting because my girlfriend's Dutch and some of the people making
comments won't be able to read English / I can't write Dutch.

The website is in a language that users will understand, is this right
or not right? What exactly is your reasoning here?
 
D

Disco Octopus

I did a site for my girlfriend's sister. It's a blog-like effort and users
can add comments to each entry. She didn't want users to have passwords and
now it's getting spammed. I'd like to add a CAPTCHA but I want to keep my
halo so I'm looking for a good *accessible* CAPTCHA solution, i.e. no
obfuscated characters, no sound files, screen readable.

I got temporarily excited by the idea of a honey trap (extra form field
hidden by CSS - if it's filled in, the Turing test is failed), but first off
it presents issues with certain assistive technologies and second, I noticed
that not all spammers have filled in the optional "name" field in my comment
form.

Simple maths problems - I've heard that these are being circumvented
already.

Linguistic solutions (e.g. "Peter bought some yoghurt, milk, deodorant and
cheese. What did he buy that didn't come from a dairy?") - this is
interesting because my girlfriend's Dutch and some of the people making
comments won't be able to read English / I can't write Dutch.

I thought maybe a code table where this sort of thing might go on:

"
A B C D E F G
6 5 4 8 3 1 2

A + F = ???
"

But that would be a nightmare for screen reader users and also might even
confuse sighted users.

So I'm still stuck.

Does anyone know of a decent, fully accessible solution to this?

If not, maybe we could create one between us, like a community project?!

+mrcakey

What about a set of randomly chosen simple questions like this...

What is the first letter of the alphabet?
What is the number that comes after 15?
What is colour is the road stop sign?

When you send one of these random question to your page, you also send
the ID/Key of the question. When the user posts 'a' (in the case of
the first question) the ID/Key will also be posted and you can check
against this value in your data base.

All you have to do is every now-and-then change your questions/answers
when/if the spambots catch on to the correct answer.

I used to get lots of spambot junk in my survey forms, but when I did
this approach, I have not got a single spambot junk.
 
N

nice.guy.nige

While the city slept, Travis Newbury feverishly typed:
Awwww shit, I read that wrong. I thought you typed "I did my
girlfriends sister... "

It could be a euphemism Travis... ;-)

Cheers,
Nige
 
M

+mrcakey

Travis Newbury said:
Awwww shit, I read that wrong. I thought you typed "I did my
girlfriends sister... "

I got the better of the two already. Mind, that would be a LOT of man
points.

+mrcakey
 
M

+mrcakey

Guy Macon said:
+mrcakey said:
I did a site for my girlfriend's sister. It's a blog-like effort and
users
can add comments to each entry. She didn't want users to have passwords
and
now it's getting spammed. I'd like to add a CAPTCHA but I want to keep my
halo so I'm looking for a good *accessible* CAPTCHA solution, i.e. no
obfuscated characters, no sound files, screen readable. [..]
Simple maths problems - I've heard that these are being circumvented
already.

"I've heard that..." isn't always reliable. IMO, the simple math problem
is the correct solution for you to avoid automated spamming. What you
describe above is far too small for anyone to bother programming in a
way to bypass your custom CAPTCHA.

BTW, if you can, also test for faster-than-human response times.

I'm sure it would be reasonably okay for that site, I'm just trying to find
a Rolls Royce solution. I know it's unlikely that we could come up with
something that a million web professionals haven't been able to yet, but I
thought we could try.

+mrcakey
 
T

ty

"Guy Macon" <http://www.guymacon.com/> wrote in message





+mrcakey wrote:
I did a site for my girlfriend's sister. It's a blog-like effort and
users
can add comments to each entry. She didn't want users to have passwords
and
now it's getting spammed. I'd like to add a CAPTCHA but I want to keep my
halo so I'm looking for a good *accessible* CAPTCHA solution, i.e. no
obfuscated characters, no sound files, screen readable. [..]
Simple maths problems - I've heard that these are being circumvented
already.
"I've heard that..." isn't always reliable. IMO, the simple math problem
is the correct solution for you to avoid automated spamming. What you
describe above is far too small for anyone to bother programming in a
way to bypass your custom CAPTCHA.
BTW, if you can, also test for faster-than-human response times.

I'm sure it would be reasonably okay for that site, I'm just trying to find
a Rolls Royce solution. I know it's unlikely that we could come up with
something that a million web professionals haven't been able to yet, but I
thought we could try.

+mrcakey

Is there a particular reason you are averse to the obfuscated
characters and sound files? I am aware of accessibility issues for
deaf users and screen readers. As well as the pain in the arse of
managing sound files.

I am working with a site that provides resources for ESL users, users
with cognitive disability, and deaf users. The best solution I have
come up with is re-captcha. It is a very customizable tool. All the
heavy lifting of generating pictures and sound files are handled by
their service. And it is very friendly with our screen readers. For
our needs it has been the best solution.
 
D

dorayme

ty said:
Is there a particular reason you are averse to the obfuscated
characters and sound files?

Years ago Beauregard said to me that Captchas suck and I have always
viewed them with suspicion since then...
 
B

Beauregard T. Shagnasty

dorayme said:
Years ago Beauregard said to me that Captchas suck and I have always
viewed them with suspicion since then...

I still feel that way. Once in a while I am visiting friends, helping
them with web stuff. I see them struggle with CAPTCHA entries. Some
sites - written badly - will generate a completely new form if you enter
the captcha letters incorrectly, also wiping out what else you had
typed.

And now that the spammer-hackers have figured out how to read the images
programmatically, there isn't much point any longer.

My contact forms will reject for various reasons, including the use of
"cc:" text, "href" text and so forth in any of the fields. So far, that
works.
 
J

Jonathan N. Little

Beauregard said:
My contact forms will reject for various reasons, including the use of
"cc:" text, "href" text and so forth in any of the fields. So far, that
works.

One should *always* validate user input anyway, so I have also found the
above strategy the best solution and least annoying to your users.
 
M

+mrcakey

Beauregard T. Shagnasty said:
I still feel that way. Once in a while I am visiting friends, helping
them with web stuff. I see them struggle with CAPTCHA entries. Some
sites - written badly - will generate a completely new form if you enter
the captcha letters incorrectly, also wiping out what else you had
typed.

And guess whose monitor is it that gets smashed as a result? I think we
should be able to sue such sites for the cost of repairs.
And now that the spammer-hackers have figured out how to read the images
programmatically, there isn't much point any longer.

And/or they're making the CAPTCHAs harder and harder to read. If they're
aimed at sighted people anyway, why can't they just show a picture of a
banana and ask "what's this?"?
My contact forms will reject for various reasons, including the use of
"cc:" text, "href" text and so forth in any of the fields. So far, that
works.

It's ridiculous I know, but it's a hangover from my banking background - it
takes more CPU cycles to scan the content that way than simply checking x =
y. I'll get me coat.

+mrcakey
www.dreamberry.co.uk
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top