For as long as the web has been around, spam has been a prolific problem for developers and site owners. A number of techniques have been developed to combat those annoying little robots that trawl the ‘net and find web forms with which to peddle their wares - inevitably drugs purporting to increase the size of your anatomy, or offering exclusive ‘videos’ of the rich and famous. But do these methods work, and are they suitable for all applications? Well, we thought that it might just be useful to put together a list of some of the most popular techniques, and which ones work best.
One of the biggest decisions we have to make as developers is how to strike a happy medium between security and spam prevention on the one hand, and user-friendliness on the other. A number of the graphic CAPTCHA systems that are available at the moment present the user with a difficult-to-read string of letters (and sometimes numbers), while others require the human user to complete a simple sum. As web technologies increase in complexity and intelligence, it’s likely that there will be more methods introduced, but for now let’s just focus on the ones that are currently widely used.
Before we go much further, it might be worthwhile just to explain what CAPTCHA actually means. Apparently, the word is an acronym of Completely Automatic Public Turing test to tell Computers and Humans Apart (indeed, quite a mouthful). Other sources claim that this is not the true origin of the word, and that it is simply a derivation of the English term “capture”. The concept is rooted in the tests developed by computer forefather Alan Turing, who devised a series of games and puzzles to see if a computer could be described as “intelligent”.
So, without further ado, let’s look at the numerous methods of implementing a CAPTCHA.
Graphical CAPTCHA
This is probably the most common method of implementing the test. The user is presented with a word, phrase or string of alpha-numerical characters which are obfuscated (to obscure the text or make it unclear) and must enter the correct pattern in a text box. There are numerous online services for generating this type of CAPTCHA and developers have also created a series of software classes to achieve the same result. The illustration below shows a modern CAPTCHA, which rather than distorting the word relies on making the text difficult to read by optical character recognition (OCR) software:

By adding the horizontal line, OCR programmes would be unable (in theory) to segment the string and determine the characters making up the CAPTCHA. Despite being the most widely used method, it can be very unfriendly to genuine system users, as some of the more complex generators create strings which are simply impossible to read. Take the following as an example, where it is impossible to determine the characters used:

Another major problem with this particular method is that it can often be unclear to the user whether they are required to match the case used in the CAPTCHA as well as the series of characters. In the following example, we don’t know whether “mr blocked” will be accepted as well as “Mr blocked”:

Mathematical Sum CAPTCHA
This method seems to be gaining popularity amongst certain circles of the web development community (indeed, we use this method here at LincWeb Design). The user is presented with an easily-solved mathematical sum, and only a correct answer will yield the expected result (usually submitting the form or carrying out some action). Although it would seem logical that a bot or spider could compute the correct answer, it would be necessary for a series of regular expression engines to be used both to identify the textbox’s label as being a mathematical problem, and to identify the correct action to be performed (for example addition, subtraction, multiplication, etc.):

In an ideal world, the developer would want to automatically generate the sum to prevent automated response to the single question. For example, with a simple algorithm, the following series of questions could be generated, and the user’s response matched against the correct answer:
1 + 1
2 ÷ 12 x 2
Of course, one of the main problems with this method is that the user doesn’t want to be presented with an A-level mathematics paper whenever they wish to use your online form. The sums should be sufficiently complex to prevent a computer from generating the answer while allowing any web user to compute the correct answer.
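The generate-and-match step described above can be done without storing the answer in the page or in a session. The following is an added example, not code from the original article: the function names, the five-minute lifetime and the hidden-field token format are assumptions made for illustration.

```python
import hashlib
import hmac
import operator
import secrets
import time

# Assumption: a per-deployment secret kept server-side (generated here for the demo).
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 300  # assumption: how long a challenge stays valid
OPS = {"+": operator.add, "-": operator.sub, "x": operator.mul}


def _sign(answer, issued_at, nonce):
    # The MAC binds the correct answer to this challenge without revealing it.
    msg = f"{answer}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Return (question_text, token); the token travels in a hidden form field."""
    issued_at = int(time.time() if now is None else now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    symbol = secrets.choice(list(OPS))
    if symbol == "-" and b > a:
        a, b = b, a  # keep the answer non-negative for the user's sake
    answer = OPS[symbol](a, b)
    nonce = secrets.token_hex(8)
    token = f"{issued_at}.{nonce}.{_sign(answer, issued_at, nonce)}"
    return f"{a} {symbol} {b}", token


def check_response(user_input, token, now=None):
    """True only if the token is intact, unexpired and the answer matches."""
    now = time.time() if now is None else now
    try:
        issued_at_s, nonce, mac = token.split(".")
        issued_at = int(issued_at_s)
        answer = int(user_input.strip())
    except (ValueError, AttributeError):
        return False  # malformed token or non-numeric answer
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False
    expected = _sign(answer, issued_at, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A token stays valid until it expires, so a solved challenge can be resubmitted; recording spent nonces on the server makes each challenge single-use.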
Question + Answer Method
Another variation on the above technique is to present the user with a question which has a single, universally agreed answer. Example questions (and answers) might include:
What colour is snow? “White”
How many G’s in “Google”? “2”
The main concern with this method should be obvious: the question should be unambiguous and not open to interpretation. Let’s take the second question above as an example. The user might assume that, since the G character is uppercase, the correct answer is 1. They might in turn enter either 1 (as a number) or type “one”. All of these require the developer to second-guess the answers which might be received, and automation of the process is quite difficult.
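One way to reduce the second-guessing described above, and the case-matching confusion noted for graphical CAPTCHAs, is to normalise every answer before comparing it. This is an added example, not code from the original article; the question ids, the number-word table and the decision to accept the "1" reading of the Google question are assumptions.

```python
import re
import unicodedata

# Constructed mapping so that "2" and "two" compare equal.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3",
                "four": "4", "five": "5", "six": "6", "seven": "7",
                "eight": "8", "nine": "9", "ten": "10"}


def normalise(answer):
    """Reduce a free-text answer to a canonical form for comparison."""
    # NFKC folds look-alike forms (e.g. full-width digits); casefold drops case.
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop quotes, full stops, "!" etc.
    text = " ".join(text.split())         # trim and collapse whitespace
    return NUMBER_WORDS.get(text, text)


# Hypothetical question bank: id -> (question text, every accepted answer).
QUESTIONS = {
    "snow": ("What colour is snow?", {"white"}),
    # Accepting "1" as well covers the upper-case-only reading (a policy choice).
    "google": ("How many G's in \"Google\"?", {"2", "1"}),
}


def is_correct(question_id, user_answer):
    """Compare the normalised answer against the normalised accepted set."""
    if question_id not in QUESTIONS:
        return False
    accepted = {normalise(a) for a in QUESTIONS[question_id][1]}
    return normalise(user_answer) in accepted
```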
Image Recognition Method
Although optical character recognition has been around for years, and is now quite sophisticated and accurate, image recognition, particularly when automated on the web, is still not brilliant. A number of companies and approaches have capitalised on this fact, by requiring the user to click on an image which represents the presented name. For example, in the illustration below, the user is asked to click on the photograph of the “airplane”:

Variations on this particular method require the user to identify items within a picture, either by clicking on them, or even drawing around them with the cursor. However, these methods often take a degree of concentration and time to complete, and if the application is simply to post a comment on a blog, then it is often superfluous as the time needed to pass the CAPTCHA test can be greater than the process of filling out the rest of the form.
So, which is the best solution for your application? Unfortunately, there isn’t a right or wrong answer to that question. It all depends on the application, process or user that is being tested. If the test is simply to prevent spam comments on a blog for example (which are subject to review anyway), then perhaps the last method is overkill. However, if it’s to register for use of an online service or something which uses a lot of resources, it might be worthwhile to add the more stringent tests.
Hopefully you will find this little write-up useful in making your decision!