Has reCAPTCHA Been Defeated?
Without reCAPTCHA, it is not uncommon to receive hundreds of spam comments per day. Akismet can help, but it still requires blog authors to spend a lot of time wading through suspected spam. Even worse, I’d see almost weekly “false positives” from Akismet. They do an admirable job, but spam remains a big burden on site maintainers.
With reCAPTCHA, my spam count immediately dropped to zero. So I deactivated Akismet. For a while, the problem was solved.

Last week, however, I received a spam comment. Today, one more. Both originated from Amsterdam. The first comment made absolutely no sense. It said something along the lines of “nice post”, but the web site it linked to was invalid. I don’t understand spam like this. If the spam has no usable links, how does it help the spammer sell a product? Today’s spam at least gets credit for including a link to a real web site.
For now, it is a minor nuisance. Since I moderate all comments, the spams still aren’t making it past me. There’s no way to know if a machine defeated reCAPTCHA or if a human typed in the text. Or perhaps they are exploiting a bug in WordPress or reCAPTCHA. I suppose if the problem gets worse, I’ll have to re-activate Akismet as a second line of defense after reCAPTCHA.
Spammers, you all suck. But blogs that disallow comments also suck. So I will continue to fight this battle.
I’m one of the engineers working on the reCAPTCHA project. To our knowledge, we’ve never been defeated by automated means, though we have seen at least one case of reCAPTCHAs being farmed out to humans in India. Is there any chance you can forward us more info on the couple of spam comments you’ve seen? If you can give us the IP addresses and approximate posting times of the spam comments, we can take a look at them and better analyze what happened. Since many sites worldwide are using reCAPTCHA, we have a global view of the system, and can probably find out more information about these attackers.
CAPTCHA doesn’t stop spam, it just proves whoever is leaving the comment is a literate human, which happens to correlate highly with valid comments. It doesn’t do anything for trackbacks, pingbacks, or human-entered spam comments. The latter becomes more common the more popular your blog becomes.
Have you considered http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx ?
It seems like a better and more reliable approach.
[...] I started seeing a handful of spams, now I receive at least 5 per day in my moderation queue. I first blogged about this a bit over a month [...]