first and foremost, i want to express my belief that flawed captcha should not hold back rc.
the captcha is a pretty well isolated part of the package, and can be replaced in its entirety without many side effects on the rest of the package.
i don't think anyone seriously believes that rc1 will eventually be released "as is". it's well understood that there will be several RC cycles, and even possibly minor patches within each major RC (not sure about this part).
a well isolated part like the captcha can be easily replaced between RC stages, or even going from RC to gold, and even during the life of the product, e.g. between 3.0.6 and 3.0.7.
if this is truly the only thing holding back the RC, i think rc should be released today.
Kevin Clark wrote:
I'd like to hope they're going to include something along the lines of the VIP MOD which is extremely effective in phpBB2. Something where you can configure a question with a very specific answer and where you can change the wording very easily meaning the bots don't get the same 'question' so they can't learn how to 'answer' it.
this was discussed many times, and should have been done long ago.
i am not familiar with the vip mod, but i've written and used this "question and answer" thing for my site. in my implementation it is simple and hard-coded, because i was too lazy to do all the work required to edit and store the answer/question from the ACP, so i added it directly to the code.
if i had written a full-fledged mod, i think the following features should be considered (probably some/all of them exist in one mod or another):
- if guest posting is enabled at any forum, optionally this question/answer should be used to validate the guest poster (same as exists today with the captcha)
- the ability to define more than one such question, and have the registration page display one of them, either randomly or by some rule (say day-of-year % # of questions, or always use one until it is scrapped), so bot designers will have a harder time preparing the "correct answer per site" database.
- store in the user's record in the database the registration question this user answered, so when a user is identified as a spambot, we will know it was "cracked", and this question can be removed from the list. if there's only one such question, you know it's time to change it.
- add a "mark as spambot" button to the mcp and/or quick-tools. this will perform the following actions:
  - remove this user
  - remove all the posts made by this user
  - ban the username, the email address, and the ip address
  - scrap the registration question this user has answered
-- i believe that the captcha-breakers have reached the level where any captcha they can't decipher will be too difficult for most humans, so the current way captcha is perceived (i.e., string of distorted characters) is no longer viable.
-- using questions is especially effective for real communities.
for instance, a bbs used by a school can expect all legit users to know the name of the principal or the exceptionally hot spanish teacher. it will also make all non-english boards almost 100% safe, at least for a long while.
-- for huge boards used by the general public this may not be good enough, but for the vast majority of the boards, i believe this method might be good for good.
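The question lifecycle proposed in the post above (rotate by day-of-year, record which question each user answered, scrap it when that user is marked as a spambot), as an added sketch that is not part of the original post and is not phpBB or VIP MOD code. The class, its in-memory "tables" and the sample questions are all hypothetical and constructed for illustration.

```python
import datetime

# Constructed sample data: question id -> (question text, accepted answer)
SAMPLE_QUESTIONS = {
    1: ("What is the surname of our school principal?", "Rivera"),
    2: ("Which street is the school on?", "Elm Street"),
    3: ("What animal is our team mascot?", "Otter"),
}

class QuestionPool:
    """In-memory stand-in for the board's tables (hypothetical schema)."""

    def __init__(self, questions):
        self.active = dict(questions)  # questions still in rotation
        self.users = {}                # username -> email, ip, question_id
        self.posts = {}                # username -> list of posts
        self.banned = set()            # banned usernames, emails and IPs

    def pick(self, today):
        """Rotate by day-of-year % number of active questions."""
        ids = sorted(self.active)
        if not ids:
            raise RuntimeError("no active questions left: write new ones")
        qid = ids[today.timetuple().tm_yday % len(ids)]
        return qid, self.active[qid][0]

    def register(self, username, email, ip, qid, answer):
        """Accept only a correct answer to a live question; remember which one."""
        if {username, email, ip} & self.banned or qid not in self.active:
            return False
        if answer.strip().casefold() != self.active[qid][1].casefold():
            return False
        self.users[username] = {"email": email, "ip": ip, "question_id": qid}
        self.posts[username] = []
        return True

    def mark_as_spambot(self, username):
        """Remove user and posts, ban name/email/IP, scrap the cracked question."""
        user = self.users.pop(username)
        self.posts.pop(username, None)
        self.banned.update({username, user["email"], user["ip"]})
        self.active.pop(user["question_id"], None)
        return user["question_id"]

if __name__ == "__main__":
    pool = QuestionPool(SAMPLE_QUESTIONS)
    print(pool.pick(datetime.date.today()))
```
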