Has reCAPTCHA Been Defeated?
Without reCAPTCHA, it is not uncommon to receive hundreds of spam comments per day. Akismet can help, but it still requires blog authors to spend a lot of time wading through suspected spam. Even worse, I’d see almost weekly “false positives” from Akismet. They do an admirable job, but spam remains a big burden on site maintainers.
With reCAPTCHA, my spam count immediately dropped to zero. So I deactivated Akismet. For a while, the problem was solved.

Last week, however, I received a spam comment. Today, one more. Both originated from Amsterdam. The first comment made absolutely no sense. It said something along the lines of “nice post”, but the web site it linked to was invalid. I don’t understand spam like this. If the spam has no usable links, how does it help the spammer sell a product? Today’s spam at least gets credit for including a link to a real web site.
For now, it is a minor nuisance. Since I moderate all comments, the spams still aren’t making it past me. There’s no way to know if a machine defeated reCAPTCHA or if a human typed in the text. Or perhaps they are exploiting a bug in WordPress or reCAPTCHA. I suppose if the problem gets worse, I’ll have to re-activate Akismet as a second line of defense after reCAPTCHA.
Spammers, you all suck. But blogs that disallow comments also suck. So I will continue to fight this battle.
I’m one of the engineers working on the reCAPTCHA project. To our knowledge, we’ve never been defeated by automated means, though we have seen at least one case of reCAPTCHAs being farmed out to humans in India. Is there any chance you can forward us more info on the couple of spam comments you’ve seen? If you can give us the IP addresses and approximate posting times of the spam comments, we can take a look at them and better analyze what happened. Since many sites worldwide are using reCAPTCHA, we have a global view of the system, and can probably find out more information about these attackers.
CAPTCHA doesn’t stop spam, it just proves whoever is leaving the comment is a literate human, which happens to correlate highly with valid comments. It doesn’t do anything for trackbacks, pingbacks, or human-entered spam comments. The latter becomes more common the more popular your blog becomes.
Have you considered http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx ?
It seems like a better and more reliable approach.
[...] I started seeing a handful of spams, now I receive at least 5 per day in my moderation queue. I first blogged about this a bit over a month [...]
Well, it seems clear that the bad guys found a way. I have reCAPTCHA running under a Joomla 1.510 installation. I installed reCAPTCHA to stop the spam; to my surprise it keeps coming, but it is an automatic attack with nonsense messages. Here is an example:
This is an enquiry e-mail via http://tommydsonline.com/web/ from:
b8llg m51bc
9LjbN, wtaaf , [url=http://www.df5tsrdym5y.com]ivweb[/url], http://www.yorv1rkky0.com 5pym8
I got the same message 10 times in 2 minutes
Fri, May 22, 2009 at 9:57 PM
The form does not track the sender IP; I will track that.