phpBB3 CAPTCHA Cracked
As you may be aware following a recent increase in the amount of spam hitting phpBB3 boards, the default CAPTCHA used by phpBB3 has been “cracked”. In this post we will be looking at CAPTCHA technology, both in terms of why it is good and why it is also somewhat flawed.
What is a CAPTCHA and how does it work?
CAPTCHAs provide a challenge for spambot writers by offering a “confirmation code” in the form of an image, which the user is required to enter to proceed with submission of the form. Humans can read the image, but automated bots generally have problems reading the letters until considerable time has been spent cracking the CAPTCHA, that is, writing a script that is able to decipher the image and pull the letters out with a high level of accuracy.
The recent spam facing phpBB3 owners has come about because the CAPTCHA has been cracked, and thus spambots are now able to proceed with registrations and posts that six months ago wouldn’t have been possible.
What are the benefits of using a CAPTCHA?
CAPTCHAs are able to stop basic spambots that don’t have the ability to distinguish the particular letters that make up an image. If you had a completely unique CAPTCHA that you had designed yourself, the chances are spammers wouldn’t spend the time writing code to try and crack it. However, with large software projects like phpBB the return for cracking the CAPTCHA can be immense: suddenly the spammer has access to a vast number of boards that they wouldn’t have had before.
Any drawbacks of using a CAPTCHA?
A fairly simple rule of thumb is that the more a CAPTCHA is used, the more spammers will attempt to crack it. So, if you are using the default CAPTCHA in a piece of popular software, chances are the spammers have cracked it or are attempting to. Once they have, your spam defences have shrunk rapidly.
What does this all mean for bbProtection?
We would hope that with bbProtection any CAPTCHA would be redundant. While spammers are able to work at cracking CAPTCHAs and other styles of spam defence, they can’t get away from what they are actually trying to post. As we have covered many times previously, by checking the actual registration and post data we are able to sort the spam from genuine users and posts.
Dog Cow Said,
February 27, 2009 @ 6:39 pm
You have totally left out another important drawback of using a captcha; it is not easily solved by the blind.
bbProtection Blog » 3D CAPTCHAs Have Arrived Said,
March 30, 2009 @ 12:21 pm
[...] quick follow up to last month’s blog post where we discussed CAPTCHAs, how they work as well as benefits and drawbacks of using [...]