About CAPTCHA

The problem of bots eating websites and submitting forms is getting way out of hand. To make matters worse, too many people are using virus software and blockers to hide their identity. So webmasters need to relax normal security features just so people can use their websites.

In comes CAPTCHA, "Completely Automated Public Turing test to tell Computers and Humans Apart", an acronym used by Carnegie Mellon University. A visual test, such as choosing the younger person in one of two images, puts the computer out of its realm. A real human could look at an image and tell an old person from a young child. But a computer would need some very sophisticated programming to make that determination.

And that is how we try to stop the bot from submitting our forms and tripping our programs: filtering the nonhuman traffic and preventing program abuse.

The most common form of CAPTCHA is done by skewing a simple sequence of numbers or letters. By displaying the letters in an image they become more difficult for an automated program to read compared to basic ASCII text characters. Take that up one notch and blur or skew the letters and even OCR (Optical Character Recognition) programs will find it difficult to read.

I guess it is a race between the good guys and the bad guys. We come up with ways to secure our pages and the scammers come up with ways to circumvent our safeguards. Ultimately the scammers will sell their OCR software for billions and we will be fending off the newest technology and working flipping burgers and saving up for a new iPod.

While confronted with this very problem I looked for an easy solution that I could integrate into several applications. I found some very expensive programs and some free but very complicated options.

I also found a load of people in the same boat. There must be an easy way to create an effective CAPTCHA without reinventing all my programming.

Most Perl modules use dynamic on-the-fly image generation and complicated encrypted query strings to solve the problem. It did not make much sense to me.

I was also concerned that using system resources to make images was not an effective use of CPU time on a busy server. So I wanted a system with static images and just a few lines of Perl code that I could add to most any program. A simple way to deliver an image to an HTML-based page or program and a way to compare the text on the image with a form input.

My first few thoughts were to use number images like 1.gif, 2.gif and so on. Put them together and the image names need to match the form.

Yeah, that is too easy to decode. And so were the next 20 ideas I had.

I considered having a database of numbered images and the number would be checked against a database with the printed text that appeared on the image. Then I realized that each image could be decoded and then all the codes would be compromised.

But a scammer would only need one code and they could duplicate a working form and run a bot against it.

The trick would be to deliver an image without a name and somehow match that image to a database to get the text. The answer was so simple and yet I did not see it.

If it was not going to be complicated it would be too easy for the bot to beat.

Then it hit me.

By delivering the image via a CGI program, there is no image name. And rather than creating a database, the image name itself could be the database.

I name an image "12345.gif". Deliver it to a page using an img src tag.

When the form is submitted with the digits "12345" I only need to compare that to the actual name of the image that was delivered to the page.

By using the user's IP to create a temp file with the name of the image I can compare countless users and never give up any details of the image or any relational data that could have any value to a bot.
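The scheme described above, written out in Perl as an added example (this is not the author's program). The directory names, sub names, the 10-minute lifetime and the delete-after-one-attempt rule are assumptions added for illustration.

```perl
# Added example, not the author's program. Directory names, sub names and
# the 10-minute lifetime are assumptions made for illustration.
use strict; use warnings;
use File::Basename qw(basename);
my $IMAGE_DIR = 'captcha_images';  # assumed: static files such as 12345.gif
my $STATE_DIR = 'captcha_state';   # assumed: one temp file per client IP
my $MAX_AGE   = 600;               # assumed: seconds a challenge stays valid

# Temp-file path for a client IP; only hex digits and dots are kept.
sub state_file {
    my ($ip) = @_;
    (my $safe = $ip) =~ s/[^0-9A-Fa-f.]/_/g;
    return "$STATE_DIR/$safe";
}

# Image side (the CGI behind the img src tag): pick a random image, record
# its name for this IP, and return the path whose bytes are sent out.
sub issue_challenge {
    my ($ip) = @_;
    my @images = glob("$IMAGE_DIR/*.gif") or return;
    my $pick = $images[ rand @images ];
    open my $fh, '>', state_file($ip) or die "cannot write state: $!";
    print {$fh} basename($pick, '.gif');
    close $fh;
    return $pick;
}

# Form side: compare the typed digits with the recorded name. The temp file
# is removed on every attempt, so a solved image cannot be replayed.
sub check_answer {
    my ($ip, $typed) = @_;
    my $file = state_file($ip);
    open my $fh, '<', $file or return 0;   # no challenge issued to this IP
    my $expected = <$fh>;
    close $fh;
    my $age = time - (stat $file)[9];
    unlink $file;
    return 0 if $age > $MAX_AGE or !defined $expected or !defined $typed;
    return $typed eq $expected ? 1 : 0;
}

# Constructed demo: an empty placeholder file stands in for a real image.
mkdir $_ for grep { !-d } $IMAGE_DIR, $STATE_DIR;
open my $img, '>', "$IMAGE_DIR/12345.gif" or die $!; close $img;
for my $guess ('00000', '12345') {         # fresh challenge per attempt
    issue_challenge('203.0.113.7');
    print "guess $guess -> ", check_answer('203.0.113.7', $guess), "\n";
}
print "replay      -> ", check_answer('203.0.113.7', '12345'), "\n";
```

Because the state is keyed by IP address alone, visitors who share an address (NAT, a proxy) overwrite each other's pending challenge. Adding a session cookie to the key avoids that collision.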

I put this all together in less than a day and it will solve all of my bot form submission problems. The coding took just a few minutes, but the thought process to come up with the concept took much more time.

I am making all the programming freely available to anyone that is interested. I just ask that you link back to this website so other people in need can get the program and CAPTCHA images.