Problems with intelligent Spam Bots

Posted on: June 17 2011

I'm running a custom-developed forum over at my company's website. The software only gets used there, which has the nice side effect that most spam bots usually ignored the forum. Well, here and there, some bots, which apparently randomly posted stuff in all forms they found on the web, got through. But this was removed pretty quickly by adding a self-developed CAPTCHA. I don't like these image-based CAPTCHAs, where you need to type barely readable letters, so I came up with my own simple math-based CAPTCHA, which looked like this, for example:

What's 3+2-1?

This worked quite well. It is easy for people to use, and those massive, randomly form-posting bots were stopped. But for the last three days, some new bot flooded my forum with posts. Not sure if this was a spam bot (there were no links posted by it), but it was able to break that custom-developed CAPTCHA. Given the fact that my forum software is pretty unique, I think this bot must be quite sophisticated in recognizing forums and even be able to read and answer such math questions. (It only fails in posting the spam URL, maybe that's still a weakness).
So the only, quick fix I could think of for now was a new Captcha. I made it like this:

Please enter the missing letter in: "Admin?stration"

What do you think of this? I hope this works well, and I'm curious if this will hold longer.


There is always a possibility that someone manually develops an instruction set for a bot to pass various protections, so if this won't work - I would bet that your forum is being targeted by someone. And if not - this kind of protection sounds cool, but could be beaten with aspell. Such protection is not popular, so here you've got an advantage :)
2011-06-17 13:24:00

I don't use captchas for my sites. I hate bothering the user to think & type something.

Instead I use simple JavaScript. The form contains two hidden (with CSS) fields - one has a random integer value, the second is empty. They are named like email or address (so a spambot will try to fill them). The onsubmit event reads the value from the first field, multiplies it by 7 and writes the answer to the second field. On the server I verify if field2 == field1 * 7. If not, then the submitter is a spambot. Easy peasy - in 3 years I have not seen even one spam message on my site.

And come on - it's 2011. JavaScript is mandatory for the modern user.
2011-06-17 13:43:00
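
The hidden-field check described in the comment above, as an added example that is not the commenter's code. The field names `email` and `address` and the factor 7 come from the comment; the function names, the strict integer parsing and the non-zero challenge are assumptions added so that an empty or zero answer cannot pass through loose type coercion.

```javascript
// Added example: sketch of the hidden-field check from the comment above.
const FACTOR = 7; // multiplier named in the comment

// Server side: value rendered into the first hidden field. It is visible
// in the page source, so it is not a secret; it only must never be 0.
function issueChallenge() {
  return 1 + Math.floor(Math.random() * 9999);
}

// Browser side: what the onsubmit handler does, written against a plain
// object (hypothetical shape) so it also runs outside a browser.
function onSubmit(fields) {
  fields.address = String(Number(fields.email) * FACTOR);
  return fields;
}

// Strict decimal parse: rejects "", "0", " 7", "7abc", "1e3" and negatives.
function parseStrictInt(s) {
  const ok = typeof s === "string" && /^[1-9][0-9]{0,8}$/.test(s);
  return ok ? Number(s) : null;
}

// Server side: accept only if the second field equals first * 7.
function isHuman(form) {
  const a = parseStrictInt(form.email);
  const b = parseStrictInt(form.address);
  return a !== null && b !== null && b === a * FACTOR;
}

// Constructed sample submissions (not real traffic).
const samples = {
  browser: onSubmit({ email: String(issueChallenge()), address: "" }),
  noScript: { email: "4211", address: "" },              // fields left as rendered
  formFiller: { email: "a@b.example", address: "1 Main St" }, // filled by field name
  zeroPair: { email: "0", address: "" },                 // "" == 0 * 7 when compared loosely
};

function classify(all) {
  const out = {};
  for (const [name, form] of Object.entries(all)) out[name] = isHuman(form);
  return out;
}

console.log(classify(samples));
```

The `zeroPair` case is the reason for the strict parse: with a loose `==` comparison on the server, an empty second field would equal `0 * 7`.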

Come on, Niko. Do you really believe this was not a direct attack on your forum? It was probably some angry "my-stupid-question-wasnt-answered" user.
2011-06-17 13:59:00

@marinsm: I guess something like this would be also the next step for me. :)

@nostaw: Also thought about that. But usually, most of my users are pretty intelligent. Can't think of someone who uses some attack on my forum instead of simply contacting me via mail...
2011-06-17 14:58:00

Good idea, but it will be only a matter of time until the classic "dictionary-attack" will have its great comeback...
2011-06-17 16:06:00

I used to have a simple image captcha on my site:
Use an image with a normal, readable font and then make two images out of it. Cut out pieces of the image (I used a Chessboard) so that each of the images contains half of the original image, make the rest transparent and then position them on top of each other so that the two images look like the original.

I never got any spam using this method.
2011-06-17 17:02:00

duh I've forgotten the most important part:
Use akismet (
2011-06-17 17:04:00

Simple text based captchas will be broken in no time, if the guys writing the bots are so minded. That's why image based captchas are so popular these days (and still not totally fool-proof).

The idea is to leverage the specific capabilities of the human brain and sensory system to discourage spammers from doing something that would take too much effort with a computer.
Audio captchas are also an idea, but they are more clumsy and invasive (at least for non-blind people, since one looks at a web page).
2011-06-18 03:24:00

how about leaving the math question in but hiding it in the css so the bot will still try to answer it
2011-06-18 16:07:00

@martinsm: this sounds like a nice idea. I think I'll try something like that in my Captcha-protected guestbooks. This works quite well, just a very few spams, but the user has to think and type ;)
2011-06-20 07:48:00
