Is it possible to evade Captcha?
24 Nov 2016
Recently there have been a number of high profile subscription bombs. This is where a bot subscribes an email address to thousands of subscriptions, sometimes at a rate of over 1000 per minute. This effectively makes the inbox unusable for a period of time and is almost a DoS (Denial of Service) attack on an inbox. The common practice of confirmed opt-in (COI) doesn't solve the problem but actually makes it worse, as the confirmation emails are sent almost immediately and flood the inbox.
The subscription bombings caused Spamhaus, the largest DNS blacklist provider, to add a number of networks and ESPs to their blacklist. This is probably the blacklist most dreaded by deliverability experts and it can be notoriously difficult to get removed from. To combat the subscription bombs, Spamhaus recommended that companies use CAPTCHA on their sign up pages.
This works well, as stopping robots submitting forms is exactly what CAPTCHA is designed to do. It actually stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". There are lots of different forms of CAPTCHA: text captcha, image captcha, friend recognition captcha etc. The problem is most humans don't like CAPTCHA at all and find it intrusive and time consuming.
So, the question is: are there any viable alternatives?
One solution is hidden fields, or what are called "honey pots". This is where you create one or more hidden fields in your form that aren't required. If you receive a form submission with data in these hidden fields then you know it is from a bot, as humans can't see the fields, so you can discard the submission. This works pretty well for the majority of "non-human" submissions but not all. The other issue is accessibility. A screen reader, for example, will read out all the fields on the screen, including the hidden ones. So you probably need a warning for screen reader users to tell them not to complete the field. This also serves as a warning to the bots.
Time-gated submissions are another option. This works on the principle that robots will submit a form almost instantaneously after the page has loaded, whereas humans will need time to read and complete the fields. The process involves creating a timestamp when the form page has finished loading. Then, based on the length of the form, you define the minimum amount of time before you will accept submissions. This works well for forms with maybe 3 or 4 fields, but if you are just asking for an email address then it is less effective.
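As an added example (not code from the original post), here is a server-side check that combines the two mechanisms described above: hidden honey-pot fields and a time gate whose render timestamp is HMAC-signed so a bot cannot post a back-dated value. The field names, secret and per-field timing constant are assumptions.

```python
import hmac
import hashlib

# Constructed example: the honey-pot field names, the signing secret and the
# per-field timing constant are assumptions, not values from the page.
HONEYPOT_FIELDS = ("website", "fax")
SECRET = b"rotate-me-server-side-secret"
SECONDS_PER_VISIBLE_FIELD = 2  # assumed minimum time a human needs per field


def issue_token(rendered_at: float, secret: bytes = SECRET) -> str:
    """Return 'timestamp.mac' to embed in the form when the page is rendered.
    Signing the timestamp means a bot cannot simply post an old value."""
    ts = str(int(rendered_at))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(form: dict, visible_fields: int, now: float,
                     secret: bytes = SECRET) -> tuple:
    """Accept or reject a posted form. Returns (accepted, reason)."""
    # Honey pot: any content in a field a human cannot see marks a bot.
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            return False, f"honeypot field '{name}' was filled"

    # Time gate: recover and verify the render timestamp issued by issue_token.
    token = form.get("_t", "")
    ts, _, mac = token.partition(".")
    if not ts.isdigit():
        return False, "missing or malformed timestamp token"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "timestamp token failed verification"

    # Minimum acceptable time scales with the number of visible fields, so a
    # single email box (1 field) gives the weakest gate, as the post notes.
    elapsed = now - int(ts)
    minimum = SECONDS_PER_VISIBLE_FIELD * visible_fields
    if elapsed < minimum:
        return False, f"submitted after {elapsed:.0f}s, minimum is {minimum}s"
    return True, "ok"
```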
Another solution is multi factor authentication, but this adds a layer of complexity for the user. Now when someone enters their email address they also enter their mobile phone number. You then send them a code to enter which confirms their identity. The problem with this is that someone has to pay for the text messages, and people don't necessarily want to give out their mobile phone number just to subscribe to a newsletter.
Multi factor authentication isn't really an option for most subscriber models, although it is the most secure. And that is the problem. The more we increase security, the more impact it has on usability. A simple email entry box on a website with traffic will eventually attract some bots. So we need to try and figure out who is human and who isn't. The methods above work but aren't totally secure, but then they don't impact usability too much either. Captcha does the job, but how many humans are we losing as subscribers in an attempt to block the non-humans?