New CAPTCHA

[MKruer]

There is another idea that I had which is what I like to call a False Positive image, something that is easily detectable by a bot, but is not seen by the human eye. Someone posted in the main phpbb forums that one of the successes they had against posts was to simply change the html sting that send the response to the system, to something else. To dynamically generate that can, and place a bunch of fictitious calls would confuse most of the bots.

So I guess what I boils down to, is that we need a multi pronged approach, something that requires some level of user interaction plus stuff that the user would not see, but would appear to the bots. Another person was talking about developing a customizable system where you could download/update new CAPTCHA as time goes by, and or allow for the CAPTCHA to be randomized.

[Eelke]

Actually I think the algorithms are rather easy (do you think those magic eye books are done by hand? )

No, I don't, why would you think I do? Whether the algorithm is simple or not is largely irrelevant to the question whether it can be reversed. Hash-algorithms aren't too complex, and yet they can not be reversed

and a computer would have difficulty undoing it because it requires two eyes.

Could be, that wouldn't surprise me either. I'm just saying, it wouldn't surprise me either if these algorithms would prove to be rather easy to reverse. You could argue in the same way that pictures in general require eyes to interpret. We all know that's not true (as computers in general do not have eyes, and yet they are happily doing stuff like OCR).

[ElbertF]

It's also possible to dynamicly encode the image's URI with JavaScript/PHP:

<img src="empty.gif" onload="this.src=decode('$%^##$^43&^%&*');" />

The decode() function in JavaScript would have a salt dynamicly generated by PHP. If the URI changes everytime (something like "image.jpg?random=435Sdw44wr4"), it's pretty hard for bots to get the real URI.

Wouldn't it help to work with .htaccess, making the image visible only when the referrer is your own website?

[nuclear_eclipse]

Wouldn't it help to work with .htaccess, making the image visible only when the referrer is your own website?

Referring site can easily be spoofed. IIRC, It's part of the http headers that the browser/bot generates to send to the server.

[Cheater512]

It would be interesting to do some sort of JS/CSS interaction thing and if the bot doesnt do it correctly instead of a error it gets a image with the wrong letters.

[ElbertF]

Maybe the future will bring us some form of audial confirmation

I just noticed Google is using this, different voices calling some letters and numbers (in my own language) 8O

It's an option when loggin in to Google Adsense (after clicking the visually impaired button)..

[robertmf]

And what if i'm colourblind?

Your point is valid 8% of the time (for white males).
http://www.designmatrix.com/pl/cyberpl/cftcb.html" target="_blank

Do you see a '7' in the [attachment] ?

[nuclear_eclipse]

Do you see a '7' in the [attachment] ?[/color]

Hell, I'm not even colorblind and I can barely tell that it's a seven. I wouldn't have even known what it was if not already told....

[Cheater512]

Are you sure your not colour blind?
I can see it fine although I have seen a number of these before.

[DigitalShadow]

same here. the number is clearly visible.