Can CAPTCHAs Effectively Prevent Spam?
By Krista on Apr 16, 2006 in Computers, Spam, Web 2.0
As a webmaster for several sites, I get a lot of comment spam on blogs and guestbooks. The vast majority of these comments come from automated bots that scour the web creating links back to spam sites. I’ve often wondered what’s the best way to weed out these comments from the legit ones and have ended up moderating all comments - a time-consuming process.
So I have some interest in ways to prevent bots from submitting forms. One method many sites have started using is called a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
I blogged previously about Turing tests, so let me add that these aren’t true Turing tests. The basic idea is that because computer AI isn’t up to par with human intelligence, there are certain tests you can put in place to determine if your site visitor is a bot or a human. In the case of CAPTCHAs, sites require that you look at a distorted picture and enter an alphanumeric sequence into a form before submitting. Newer examples use pictures, like this: click 3 pictures of kittens out of a series of 9 pictures.
Personally, I find the alphanumeric CAPTCHAs annoying - particularly when some are so difficult to read that it takes a few tries to get it right - so I haven’t implemented them on my sites. In addition, those who are visually impaired or have a learning disability like dyslexia have even more problems entering the correct sequence.
It hasn’t taken long for spammers to crack CAPTCHAs. Mostly, they do it with code, but if that doesn’t work, they offer visitors a CAPTCHA to access free porn. Cory Doctorow wrote about this a while back on Boing Boing.
The ingenious crack is to offer a free porn site which requires that you key in the solution to a captcha — which has been inlined from Yahoo or Hotmail — before you can gain access. Free porn sites attract lots of users around the clock, and the spammers were able to generate captcha solutions fast enough to create as many throw-away email accounts as they wanted.
Now, chances are that they didn’t need to do this, since optical character recognition has been shown to be readily tweakable to decode captchas without human intervention — that which a computer can generate, a computer can often solve.
So now, legit visitors have a difficult time gaining access while bots have no problems getting through. That’s not what’s supposed to happen.
The World Wide Web Consortium (W3C) has been working to come up with more accessible alternatives, as discussed in this excellent presentation by Matt May. (For alternatives to CAPTCHA logic, start here.)
W3C is not the only organization that thinks CAPTCHAs are a bad idea. There’s also PWNtcha (Pretend We’re Not a Turing Computer but a Human Antagonist), a project to decode CAPTCHAs.
Two years ago, Bill Gates predicted a spam-free world by 2006. Sadly, I think there’s more spam now than ever - from email to comment and trackback spam to spam blogs (splogs) and sites made solely for Google AdSense.
I admit I haven’t actually tried using CAPTCHAs on my sites yet. I probably will experiment with them in the upcoming future, but as of now, I remain skeptical. It seems that moderation, which also isn’t without drawbacks, works the best.
