To captcha or not to captcha

Relax and enjoy The Lounge. For all Non-Joomla! topics or ones that don't fit anywhere else. Normal forum rules apply.
Locked
waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

To captcha or not to captcha

Post by waarnemer » Wed Nov 13, 2019 10:13 pm

sozzled wrote:
Wed Nov 13, 2019 9:59 pm
There are solutions. CAPTCHA helps a little ... but it's ineffective at stopping the spread of spam. If people want to stop spam then one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home.
@sozzled I am all ears... without hijacking OP's post...
Last edited by toivo on Fri Nov 29, 2019 12:55 am, edited 1 time in total.
Reason: mod note: topic locked

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Wed Nov 13, 2019 10:19 pm

I have written scores of articles and forum posts on this subject. Use Google to search for "sozzled AND spam". Also, in the original subject that this topic has been created from, I mentioned two places where I've written about using CAPTCHA as a mechanism to prevent spam; I suggest that you review those first.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Thu Nov 14, 2019 12:11 am

Nothing is perfect and all locks can be picked. But that is no reason to do nothing. captcha provides some level of security.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Thu Nov 14, 2019 2:24 am

Agreed. The question—to CAPTCHA or not to CAPTCHA—is not a simple binary choice between one or the other. I have never implied that there was a choice; CAPTCHA is probably better than doing nothing but there a other more effective tools available. My opinion is, and always has been, that CAPTCHA ia ineffective. CAPTCHA is not totally ineffective but I'm not going to venture into speculating whether its effectiveness is 1%, 10% or 50% ... and so what? CAPTCHA is not 100% effective. I would say that CAPTCHA's effectiveness lies somewhere between 0% and 99%. I will leave others to pick a number.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

Re: To captcha or not to captcha

Post by waarnemer » Thu Nov 14, 2019 8:52 am

@sozzled,
I have written scores of articles and forum posts on this subject. Use Google to search for "sozzled AND spam". Also, in the original subject that this topic has been created from, I mentioned two places where I've written about using CAPTCHA as a mechanism to prevent spam; I suggest that you review those first.
That is pretty unfair.. first you write it is ineffective and we need to look closer to home... then after you tell us to google for your opinion.. and try and find your "two places".

For now I only can find your debate on using or not using the contact form. (or any contact form)..

Mind you, the results I see in a Google search are different from the results someone else sees. I am in NL, you are in Oz... I need to go two pages in Google.. (first some pages from Oxford dictionary explanations on being sozzled)

Either share your two links or explain your "two" here. Would be nice, thank you....

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Thu Nov 14, 2019 9:36 am

It is a simple choice. Add the protection that captcha gives or don't. imho it is better to use a captcha
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 11716
Joined: Thu Feb 15, 2007 5:48 am
Location: Suzhou, China

Re: To captcha or not to captcha

Post by toivo » Thu Nov 14, 2019 10:04 am

waarnemeer wrote:That is pretty unfair.. first you write it is ineffective and we need to look closer to home... then after you tell us to google for your opinion.. and try and find your "two places".
...and also close to breaching the forum rule against self promotion, IMHO...
Toivo Talikka, Global Moderator

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Thu Nov 14, 2019 10:32 am

naughty boy
tenor.gif
You do not have the required permissions to view the files attached to this post.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Thu Nov 14, 2019 12:51 pm

@waarnemer: I cannot post on this forum the URLs of articles I have written because, as @toivo correctly points out, I would be in violation of forum rules. I can only say that, if you do your own research, you can find what I've written about spam and my opinions about CAPTCHA.

waarnemer wrote:
Thu Nov 14, 2019 8:52 am
Either share your two links or explain your "two" here. Would be nice, thank you ...
sozzled wrote:
Wed Nov 13, 2019 7:51 pm
[1] For example, this forum (at forum.joomla.org) is bombarded with junk many times a day.
...

[2] If you want to stop spam then you need to stop it at the source. You need to put in place mechanisms, other requirements, that require people to comply with additional conditions before they can register themselves. You might also do some research into how to prevent forum spam by looking here: https://lmgtfy.com/?q=%22How+to+stop+fo ... ena%22&s=g
Further, you would need to look at more than 20 pages of Google results to discover half of what I've written about spam and CAPTCHA over the last decade or more.

Lastly, and most importantly,
sozzled wrote:
Thu Nov 14, 2019 2:24 am
The question—to CAPTCHA or not to CAPTCHA—is not a simple binary choice between one or the other. I have never implied that there was a choice; CAPTCHA is probably better than doing nothing but there a other more effective tools available. My opinion is, and always has been, that CAPTCHA ia ineffective. CAPTCHA is not totally ineffective but I'm not going to venture into speculating whether its effectiveness is 1%, 10% or 50% ... and so what? CAPTCHA is not 100% effective. I would say that CAPTCHA's effectiveness lies somewhere between 0% and 99%. I will leave others to pick a number.
In my opinion (and there's nothing humble about it), CAPTCHA—where it can be used—offers minimal protection against "spam". In the case of this forum here, at forum.joomla.org, CAPTCHA is the only safeguard against people who register only to post junk. Now you tell me: is CAPTCHA an effective protection against the rubbish that we see posted on this forum every day? Hmmm? :pop
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

Re: To captcha or not to captcha

Post by waarnemer » Fri Nov 15, 2019 8:10 am

You need to put in place mechanisms, other requirements, that require people to comply with additional conditions before they can register themselves.
isn't just that what a captcha does?

and yes, bots get smarter and smarter... ever since the google captchas where invented, the bots in the end got through... the google captchas already are beaten many, many times... if a 4 year old can play memory game, a bot can solve the "how many busses do you see" puzzle... (the times I have seen the same picture with busses........)

according to what I can find, the phpBB on this forum is a year behind on updates.. it has mixed content and even a notification in my debugger it uses SWFObject which has been retired 6 years ago..... so the updates done over the years probably still left traces of old unsupported technology... bad example to use this forum as proof nothing like captchas work...

My experience... google captchas do work but are not the best. Hashcash made by Michael Richey, till now, blocks all bot attempts on the contact forms I have public.

To be honest, Though the plugin hashcash is residing under the "captcha" types, effectively it is no real "captcha" but a "proof of work".

Still, not adding an "additional condition" technology such as a captcha is a no go... at the minimum one should add at least some...

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Fri Nov 15, 2019 8:58 am

In my view:
  • CAPTCHA probably stops 10% of all automated user account registrations.
  • CAPTCHA stops less than 75% of automated spam.
  • CAPTCHA stops less than 1% of manually-entered spam.
Therefore, CAPTCHA is ineffective.

I've answered your questions (about the "two links").I note your observations about the version on phpBB used here but it's not actually relevant to my question, which you haven't really answered:
sozzled wrote:
Thu Nov 14, 2019 12:51 pm
[Can]you tell me: is CAPTCHA an effective protection against the rubbish that we see posted on this forum every day?
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

Re: To captcha or not to captcha

Post by waarnemer » Fri Nov 15, 2019 11:20 am

Since SPAM isn't bound to mails sent from websites or fora.. let's rephrase a little.
CAPTCHA is not a SPAM protection it is a protection against automated completion and submission of forms.

CAPTCHA doesn't stop ANY submission of MANUALLY entered forms.
CAPTCHA can stop automated completion and submission of forms IF not beaten by the bots intelligence already.

the % of stopping depends on CAPTCHA used. The Google CAPTCHAs are beaten several times.

read "captcha" as in any additional condition.

SPAM generated by submitted forms is what we prevent (registrations, confirmations, send me a copy and on..) by using an additional condition.

other SPAM (hacked sites, generated messages by already registered members, public smtp servers, screwed IOT devices....) cannot be tackled...

spam found in this forum is generated by more complex bots.. bots "specialized" in phpBB fora exploiting leaks known (maybe even unknown)...

To answer your question.. NO, I cannot tell if the captcha used is preventing it (as it is a Google one and probably beaten) nor can I tell if the registrations and posts aren't made by using any other exploit unknown to the admins yet.

Since I do not see any similar forum spam on any of the other public fora I am visiting or even member of, I am afraid it is the latter...

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Fri Nov 15, 2019 1:44 pm

sozzled wrote:
Fri Nov 15, 2019 8:58 am
In my view:
  • CAPTCHA probably stops 10% of all automated user account registrations.
  • CAPTCHA stops less than 75% of automated spam.
  • CAPTCHA stops less than 1% of manually-entered spam.
Therefore, CAPTCHA is ineffective....
Where are the stats that support your view?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Fri Nov 15, 2019 5:19 pm

@Webdongle: where are your stats that say otherwise?
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Fri Nov 15, 2019 5:22 pm

I am not claiming % ... you are
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Fri Nov 15, 2019 5:57 pm

@Webdongle: I am not claiming anything as an irrefutable fact and we can debate the preciseness of percentages until the cows come home. I chose my words carefully. I wrote, "in my view"—nothing more than that. I am unaware of any comprehensive study of the effectiveness of CAPTCHA; I am only addressing the original question and the original question is not (as I have repeatedly written) a binary one.

The topic subject is "To CAPTCHA or not to CAPTCHA"; I assume, that is a question.
waarnemer wrote:
Wed Nov 13, 2019 10:13 pm
sozzled wrote:
Wed Nov 13, 2019 9:59 pm
There are solutions. CAPTCHA helps a little ... but it's ineffective at stopping the spread of spam. If people want to stop spam then one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home.
@sozzled I am all ears ...
So, let me attempt to justify what I mean by saying that CAPTCHA is ineffective at stopping spam and why, in my opinion, enabling CAPTCHA is not the best recommendation that people can make on this forum in response to the question, "Why am I getting spam?"

See the following references:
  1. https://www.infosecurity-magazine.com/o ... prevention (there are stats there that are similar to mine)
  2. https://venturebeat.com/2014/12/24/goog ... e-thought/
  3. https://www.wired.co.uk/article/captcha ... istory-fix
  4. https://www.gravityforms.com/rip-captcha/
  5. https://datadome.co/bot-management-prot ... -obsolete/
  6. https://www.washingtonpost.com/news/the ... -captchas/
  7. https://www.theverge.com/2019/2/1/18205 ... telligence
I have several websites of my own and I am an assistant manager of other websites. I have some websites where I use CAPTCHA but most of them do not use CAPTCHA. I don't have a problem with spam in relation to those websites.

In summary, therefore, there are solutions to prevent spam. CAPTCHA helps a little but it's ineffective as a complete counter-spam tool. If one wants a complete counter-spam tool, one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home, to the source(s) that are easily exploited by spammers (regardless of the counter-measures that people may put in place in the hope that their websites remain spam-free).

And, finally, I think @waarnemer actually agrees with me. 8)
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Fri Nov 15, 2019 6:21 pm

sozzled wrote:
Fri Nov 15, 2019 5:57 pm
... CAPTCHA helps a little ... but it's ineffective at stopping the spread of spam. ...
That is what we have been trying to tell you
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Fri Nov 15, 2019 6:37 pm

I disagree. That's not what this topic is about. The topic subject is "To CAPTCHA or not to CAPTCHA"; it's channelling Hamlet's famous quotation

Image

Read again my last post. I wrote:

sozzled wrote:
Fri Nov 15, 2019 5:57 pm
So, let me attempt to justify what I mean by saying that CAPTCHA is ineffective at stopping spam and why, in my opinion, enabling CAPTCHA is not the best recommendation that people can make on this forum in response to the question, "Why am I getting spam?"

.
.
.

In summary, therefore, there are solutions to prevent spam. CAPTCHA helps a little but it's ineffective as a complete counter-spam tool. If one wants a complete counter-spam tool, one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home, to the source(s) that are easily exploited by spammers (regardless of the counter-measures that people may put in place in the hope that their websites remain spam-free).
I think I have answered the question.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

Re: To captcha or not to captcha

Post by waarnemer » Sat Nov 16, 2019 11:34 am

@sozzled, Then...if there are better ways to counter SPAM (and actually in this case autocomplete and submit forms, cos that is the purpose of a captcha..)
In summary, therefore, there are solutions to prevent spam. CAPTCHA helps a little but it's ineffective as a complete counter-spam tool. If one wants a complete counter-spam tool, one has to look beyond CAPTCHA, beyond guessable problem-solving challenges, beyond automated technological means and look closer to home, to the source(s) that are easily exploited by spammers (regardless of the counter-measures that people may put in place in the hope that their websites remain spam-free).
We are now very curious of what you think is better than having a captcha. Since this is a community and we are sharing our thoughts and solutions on almost everything related to joomla! and webdevelopment... do share your solutions....and allow us to make the web a better place.....

User avatar
sozzled
Joomla! Exemplar
Joomla! Exemplar
Posts: 8435
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia
Contact:

Re: To captcha or not to captcha

Post by sozzled » Sat Nov 16, 2019 3:41 pm

We're going off-topic. One question per topic, please.

You now ask, "What is better than CAPTCHA?" I've answered that question, too, elsewhere on the forum. You will just have to look again at the two links I posted in another topic—also mentioned here—to find the answer. Sorry, but self-promotion is against the forum rules; however, if you use Google, the answers are only a few mouse-clicks away.

I will not be replying again to this topic.
Cheers.
https://www.kuneze.com/blog
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37764
Joined: Sat Apr 05, 2008 9:58 pm

Re: To captcha or not to captcha

Post by Webdongle » Sat Nov 16, 2019 4:37 pm

Not off topic. It is a valid request to justify your reasons for your answer to the original question.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

waarnemer
Joomla! Hero
Joomla! Hero
Posts: 2580
Joined: Sun May 04, 2008 12:37 pm

Re: To captcha or not to captcha

Post by waarnemer » Mon Nov 18, 2019 9:36 pm

fun fact in this...

There are bots around that actually use the alternative play back sound for the visually impaired. Using speach to text technology.
In some way I think that is awesome as it is impossible for a human to actually make something up from the texts spoken by the "captcha".... I cannot tell for the english since Google insists on offering me dutch spoken words... or rather "particles" of words... I can here the speakers are dutch.. as sometimes there is an understandable word... but cut and split in the midst of spoken characters...

One cannot make anything from this..... If any hacking bot can.... three cheers for the rogue dev that made it possible to hack that way..... as for the visually impaired users it is impossible.... shame....

So since google captchas are too good at blocking visually impaired users... and not too good at blocking bots... I stick to hashcash...

But I am still interested in the other, and better, techniques.....


Locked

Return to “The Lounge”