For some reason it didn’t show up in my RSSBandit, but thankfully Julie was all over the story!

I’ll save the gushing over how ridicu-smart casey is for now to point out his latest take on CAPTCHA which seems to be a topic I can’t get away from lately.  This time Jason Mauer implements his own picture based system.  This is along the lines of something I posted back in February shortly after casey posted the first article and beat the msmvps.com CAPTCHA.

Jason’s CAPTCHA is an actually good use of “security by obscurity”.  Nobody is going to spend time to write a bot to beat a single-user system.  But casey is right on target with his description of how to beat it, and why its success rate climbs toward perfect over time.  It’s just process of elimination on a curve.  The bot would obviously start off slowly with a low success rate, but it just trains itself on every answer the system accepts or rejects.  And adding more images does next to nothing.
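To make the “process of elimination on a curve” point concrete, here is a small added simulation (my own toy model, not Jason’s code or anything casey posted).  It assumes a fixed pool of images, each with one correct label out of a handful of choices, a server that picks an image at random per submission and only says yes or no, and a bot that remembers what worked and stops repeating what failed.  Run it with a bigger pool and the only thing that changes is how long the curve takes to get there.

```python
"""Toy model of a finite-pool picture CAPTCHA (constructed example).

Assumptions, not facts from the post: each image has exactly one correct
label among `choices`; the server picks an image uniformly at random on
every submission and reveals only accept/reject; the bot memorises
accepted answers and eliminates rejected guesses, nothing smarter.
"""
import random


def simulate(pool_size: int, choices: int, rounds: int, seed: int = 1):
    """Return (success_curve, learned_at).

    success_curve[t] is the cumulative success rate after t+1 submissions;
    learned_at is the submission number at which every image in the pool
    had been answered correctly at least once (None if never reached).
    """
    rng = random.Random(seed)
    # Server side: the hidden label of every image in the pool.
    answers = {img: rng.randrange(choices) for img in range(pool_size)}
    # Bot side: confirmed answers and, per image, guesses already rejected.
    known = {}
    ruled_out = {img: set() for img in range(pool_size)}
    successes, curve, learned_at = 0, [], None
    for t in range(1, rounds + 1):
        img = rng.randrange(pool_size)                 # server picks an image
        if img in known:
            guess = known[img]                         # already learned
        else:
            remaining = [c for c in range(choices) if c not in ruled_out[img]]
            guess = rng.choice(remaining)              # elimination, not pure luck
        if guess == answers[img]:
            known[img] = guess                         # an accept teaches the label
            successes += 1
            if learned_at is None and len(known) == pool_size:
                learned_at = t
        else:
            ruled_out[img].add(guess)                  # a reject narrows the field
        curve.append(successes / t)
    return curve, learned_at


if __name__ == "__main__":
    for pool in (20, 200):
        curve, learned_at = simulate(pool, choices=4, rounds=20000)
        print(f"pool={pool:4d}  fully learned after {learned_at} submissions, "
              f"final success rate {curve[-1]:.3f}")
```

The pool lifetime grows roughly in proportion to its size, so a tenfold bigger pool buys at best a tenfold longer wait before the bot is effectively perfect.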

Somebody asked in the comments of one of my earlier posts what the solution was.  I don’t have it.  But Jason may be on to something here.  Not necessarily with the implementation, so much as with the fact that it’s his own.  Stopping the spam may be an area where standardization is definitely NOT a good idea.  If you create your own implementation of a CAPTCHA or some other spam blocking method, and it’s yours alone, the likelihood is that the ROI for a spammer trying to figure out how to beat it is way wayyyy lower than the ROI of defeating one used on hundreds of systems.  There’s big room for experimentation here.  This isn’t like encryption, where nobody should roll their own because they will inevitably suck at it.  We aren’t trying to protect data here, we aren’t even necessarily trying to obscure anything, or keep anyone out.  We are trying to make it hard to automate posting to our weblogs.

In this situation, we have a lot of room to be unique and try new ideas.  But I think your own unique combination of spam stopping methods is going to be the key.  The less like everyone else you are, the less likely you are to be a target.  So get creative, and share the ideas, but don’t share the code!  (did I just say that?)