The problem of bots
eating websites and submitting forms is getting way out
out of hand. To make matters worse too many people are
using virus software and blockers to hide their identity.
So webmasters need to relax normal security features just
so people can use their websites.
In comes CAPTCHA,
"Completely Automated Public Turing test to
tell Computers and Humans Apart" an acronym
used by by Carnegie Mellon University. By using some form
of visual test such as choosing the younger person in one
of two images would put the computer out of its realm. A
real human could look at an image and tell an old person
from a young child. But a computer would need some very
sophisticated programing to make that determination.
And that is how we try
to stop the bot from submitting our forms and tripping
our programs. Filtering the nonhuman traffic and
preventing program abuse.
The most common form
of CAPTCHA is done by skewing a simple sequence of
numbers or letters. By displaying the letters in an image
they become more difficult for an automated program to
read compared to basic ASCII text characters. Take that
up one notch and blur or skew the letters and even OCR (optical
Character Recognition) programs will find it difficult to
I guess it is a race
between the good guys and the bad guys. We come up with
ways to secure our pages and the scammers come up with
ways to circumvent our safeguards. Ultimately the
scammers will sell their OCR software for billions and we
will be fending off the newest technology and working
flipping burgers and saving up for a new ipod.
While confronted with
this very problem I looked for an easy solution that I
could integrate into several applications. I found some
very expensive programs and some free but very
I also found a load of
people in the same boat. There must be an easy way to
create an effective CAPTCHA without reinventing all my
Most perl modules use
dynamic on the fly image generation and complicated
encrypted query strings to solve the problem. It did not
make much sense to me.
I was also concerned
that using system resources to make images was not an
effetive use of cpu time on a busy server. So I wanted a
system with static images and just a few lines of perl
code that I could add to most any program. A simple way
to deliver an image to an html based page or program and
a way to compare the text on the image with a form input.
My fisrt few thoughts
were to use number images like 1.gif 2.gif and so on. Put
them together and the image names need to match the form.
Yeah, that is too easy
to decode. And so were the next 20 ideas I had.
I considered having a
database of numbered images and the number would be
checked against a database with the printed text that
appeared on the image. Then I realized that each image
could be decoded and then all the codes would be
But a scammer would
only need one code and they could duplicate a working
form and run a bot against it.
The trick would be to
deliver an image without a name and somehow match that
image to a database to get the text. The answer was so
simple and yet I did not see it.
If it was not going to
be complicated it would be too easy for the bot to beat.
Then it hit me.
By delivering the
image via a cgi program, there is no image name. And
rather than creating a database, the image name itself
could be the database.
I name an image "12345.gif".
Deliver it to a page using an img src tag.
When the form is
submitted with the digits "12345" I only need
to compare that to the actual name of the image that was
delivered to the page.
By using the users IP
to create a temp file with the name of the image I can
compare countless users and never give up any details of
the image or any relational data that could have any
value to a bot.
I put this all
together in less than a day and it will solve all of my
bot form submission problems. The coding took just a few
minutes, but the thought process to come up with the
concept took much more time.
I am making all the
programing freely available to anyone that is interested.
I just ask that you link back to this website so other
people in need can get the program and captcha images.