[TYPO3-dev] captcha

Yuval Levy t306 at sfina.com
Fri Dec 15 17:39:50 CET 2006


Hi all,

Lurker here, usually in awe and respect for the technical knowledge and
bright ideas expressed on this list.

The whole point about "spam" and "spammer" is that the recipient of a
message is the sole person entitled to decide what he wants to receive
and what not, and everything he does not want to receive is spam. And
whoever does not respect the recipient's judgement/decision is a spammer.

Steffen Müller wrote:
> One point I miss in the whole debate is accessibility.
>
> Think about disabled people, who cannot read but let their computers
> speak. For them, captchas are annoying because they are designed not to
> be readable by screenreaders.
>
> This is in my eyes the most important fact for *not* using image-captchas.
>   
Accessibility is *the* whole point about captcha. The right (or
sometimes obligation if he is paid for it) of the website's owner to
decide whom to make his content accessible to. Unfortunately there is a
trade-off between accessibility to disabled people and non-accessibility
to spambots of all sorts.

Also sometimes, with all due respect, there is no point in making a
website accessible to the disabled. Tell me what a visually impaired
person would need to access a page like
<http://www.photopla.net/060517luzern/>

A client I am currently consulting on the choice of CMS tends toward
Drupal because it has a neat captcha that asks the user to answer a
simple mathematical question. It's so neat and simple that it only
requires a couple of lines of PHP, which I implemented as a quick fix on
some of my old websites (and unfortunately I am not knowledgeable enough
about Typo3 to contribute them in a different form than the code snippets
below):


// minimum standard captcha difficulty
// roughly one out of 2*MAX_CAPTCHA*(number of operators) spambot
// messages will pass through
if(!defined('MAX_CAPTCHA')){define('MAX_CAPTCHA',10);}
// array of possible captcha operations
$capop=array('+','-','*');


// generate a new captcha
$f1=rand(0,MAX_CAPTCHA);
$f2=rand(0,MAX_CAPTCHA);
$op=$capop[rand(0,count($capop)-1)];
$f3=$f1.' '.$op.' '.$f2;
// eval() only ever sees two integers from rand() and an operator from $capop
$captcha=eval('return('.$f3.');');

then store as a session variable with the captcha - something like
$_SESSION['captcha']=$captcha;

output the captcha on the form
// show the question ($f3); $captcha holds the answer and stays in the session
echo 'Please solve this (to discern humans from spambots): '.$f3.' <input type="text" name="captcha">';

and on verifying the form input kill the idiots

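// a missing session value or form field must fail; compare strictly as strings
if(!isset($_SESSION['captcha'],$_POST['captcha'])||!is_string($_POST['captcha'])
   ||(string)$_SESSION['captcha']!==trim($_POST['captcha'])){
    die("single digit IQ user detected!");
}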



The beauty of this is that it is accessible (unless the viewer is
seriously deficient).

Like any captcha / spam prevention mechanism, this one is also not
perfect. I already have some improvement ideas, but in the ongoing fight
against spammers it is better to keep them in the closet and escalate
only when current protection mechanisms don't work.

On a spambot-infected website using only the + operator and a
MAX_CAPTCHA of 10, spam was reduced by 95% as expected. Since I have
moved to three operators, the expected reduction should be 98%, at least
mid term. I expect that at some point spambots will be able to evaluate
the math question.

When spam annoys me again, I will up the ante.

Please, a captcha module is an absolute necessity nowadays. Just make it
flexible enough so that every website operator can choose whether to use
it and how difficult a barrier to entry he wants to set up.

Yuv
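
A hardened variant of the math captcha from the message above, added here as an example and not part of the original post: it avoids eval(), makes each question single-use, and fails closed when no question was issued. The function names captcha_new() and captcha_check() are hypothetical, and the $store array stands in for $_SESSION so the script also runs from the command line.

```php
<?php
// Added example, not the code from the post. captcha_new() and
// captcha_check() are hypothetical names; $store stands in for $_SESSION.
const MAX_CAPTCHA = 10;

// Create a question, remember its answer in $store, return the question text.
function captcha_new(array &$store): string
{
    $ops = ['+', '-', '*'];
    $a   = random_int(0, MAX_CAPTCHA);
    $b   = random_int(0, MAX_CAPTCHA);
    $op  = $ops[random_int(0, count($ops) - 1)];
    switch ($op) {                 // plain arithmetic instead of eval()
        case '+': $answer = $a + $b; break;
        case '-': $answer = $a - $b; break;
        default:  $answer = $a * $b;
    }
    $store['captcha'] = (string) $answer;
    return "$a $op $b";
}

// Check a submitted value. The stored answer is discarded on every attempt,
// so one question allows one guess and a passed answer cannot be replayed.
function captcha_check(array &$store, $submitted): bool
{
    $expected = $store['captcha'] ?? null;
    unset($store['captcha']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;              // no question issued, or field missing / an array
    }
    return hash_equals($expected, trim($submitted));
}

// Constructed demo; in a web page pass $_SESSION after session_start().
$session = [];
var_dump(captcha_check($session, ''));          // nothing issued yet
$question = captcha_new($session);
$answer   = $session['captcha'];                // what a human would type
echo 'Please solve this: ' . htmlspecialchars($question) . "\n";
var_dump(captcha_check($session, " $answer ")); // correct answer, first use
var_dump(captcha_check($session, $answer));     // same answer submitted again
```

Because every attempt consumes the stored answer, the form has to call captcha_new() again and show a fresh question after a failed submission.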