Real Kato Blog: UR CAPTCHA SUCKS

Lately we've been getting robocalls at 8:00 in the morning, from someone trying to tell us that we need to update our account information for "the Internet", because apparently the we are behind on our payments.

Also, my web site has been seeing more and more comment spam.

Here's the thing: I'm supposed to have mechanisms to stop both of these things from happening, but they're not working right.

For the phone, I have something called "Privacy Manager" from AT&T. If I get a phone call from someone who doesn't send their caller ID information, they have to announce their name before the phone rings through to me. When I pick up the phone, I hear the name and decide if I want to take the call. The problem is, if it's a robocall that's already jabbering away about how our Internet is broken, Privacy Manager assumes they've announced themselves. What I want is for Privacy Manager to require the caller to prove that they're a real person, using touch tones or voice recognition or something, to block these calls from ringing through. Instead, when we pick up the phone, we hear "You have a call from UR INTERNETS IS BORKED". And by then, the robocall has hung up, so we can't even figure out where we're supposed to send our bank account and Social Security numbers in order to fix said Internets.

Now, for my web site, I have a simple image of random letters, and non-registered users have to enter those letters to post a comment. But I guess this image is pretty easily defeated by an optical character recognition program. I just didn't think spammers would bother with using OCR on my site, but I guess someone out there figures my readers would be interested in links to mortgage lenders in Russia, so there you go.

What I need in both cases is a reliable CAPTCHA mechanism. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. But the Privacy Manager feature for the phone was not designed for that purpose, and getting the phone company to change that feature is not likely to happen. I'm thinking about picking up a Nortel Meridian 9516 phone, which has a slew of automated attendant and call managing features that would help me deal with stuff like this. I had a 9516 phone before but I gave it away to a friend. (D'oh.)

For my web site, I guess I'm going to have to beef up the CAPTCHA. I want something that won't be onerous for guest commenters, but still sufficient to defeat computer algorithms. I thought KittenAuth was an interesting idea... maybe I'll try something like that.

Any other ideas?

Permalink 5 Comment

Posted by Ken in: site-business, techwatch

Comments

Comment #1 from Ken (Guest)
2009 May 16 - 12:07 pm : #

So I've installed a slightly updated CAPTCHA. What do you think? Too difficult? I'd encourage my regular readers to create an account here, to avoid having to go through this process.

Comment #2 from Ken (realkato)
2009 May 21 - 11:25 am : #

Gaah! Comment spam still getting through! I can't believe someone has updated their algorithm that quickly... so either these are actual people entering the validation code, or I'm getting hit with brute-force attacks. Hmm.