Yesterday I updated my CAPTCHA code; however, according to the websecurity.com.ua guys my “captcha still vulnerable” and I need a more reliable one. I say no, I don't, because the previous, less secure one had been quite effective up until then at preventing comment spam. Also, the “proof” offered by the websecurity.com.ua guys is 4 test comments left in this post here. I'm somewhat suspicious of the level of automation they're achieving because of the times at which these comments were posted: they're all between 10 and 20 seconds apart. You wouldn't even need to be a daskeyboard-wielding touch-typing ninja to achieve that frequency of posting, unless my server is really, really, really slow.

I will totally concede that my previous CAPTCHA implementation was “breakable” (or maybe even broken by design); for all I know this one could also be, but I think it's put-up-or-shut-up time for the websecurity.com.ua guys. All I've seen from them so far is a link to a form on my site with some pre-populated values (it looks, from the state of the form, as though it has just attempted an HTTP POST which has failed... funnily enough because of an invalid CAPTCHA), something I could cook up in about 30 seconds with WatiN/R, Greasemonkey or whatever. I'd like to see from them one of the following:
- a textual description of how either the CAPTCHA can be bypassed altogether, or how the CAPTCHA value can be programmatically determined from the page/cookies/HTTP traffic/phase of the moon/whatever, like “we take this value from the cookie your site sets, do an MD5 hash of it, salt the hash and then smoke it...”
- a script that will post comments to my site with no human intervention
- 50+ comments on a single page inside of 10 seconds, or some number that would be infeasible for a human to produce, originating from a single IP address.
Unreasonable?
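To make the first item in that list concrete, here is an added, hypothetical illustration that is not the author's CAPTCHA code (the post does not show any implementation): a CAPTCHA whose expected answer is a pure function of a token the client already holds (here, the first six hex characters of MD5 of a `captcha_token` hidden field, a made-up derivation) can be "solved" by a bot without ever looking at the image. Beside it is the shape a scheme has to take so that the bypass class described above does not apply: a random answer that lives only on the server, keyed by an opaque challenge id, and consumed on first use. Field names, the derivation rule and the `CaptchaStore` class are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# Pattern 1 (broken by design, hypothetical): the page carries a token and the
# server expects the answer to be a pure function of that token. The image only
# renders weak_expected_answer(token) for the human; a bot never needs the image.
# ---------------------------------------------------------------------------

def weak_expected_answer(token: str) -> str:
    """Hypothetical derivation rule: first 6 hex chars of MD5(token)."""
    return hashlib.md5(token.encode()).hexdigest()[:6]

def weak_render_form() -> dict:
    """Server side: emit the token to the client (hidden field or cookie)."""
    return {"captcha_token": secrets.token_hex(8)}

def weak_verify(form: dict) -> bool:
    """Server side: recompute the answer from the client-supplied token."""
    expected = weak_expected_answer(form["captcha_token"])
    submitted = form.get("captcha_answer", "")
    return hmac.compare_digest(expected.encode(), submitted.encode())

def bot_solve_weak(form: dict) -> dict:
    """Attacker side: read the token from the page, derive the answer offline."""
    return {**form, "captcha_answer": weak_expected_answer(form["captcha_token"])}


# ---------------------------------------------------------------------------
# Pattern 2 (hardened): the answer is random, stored only on the server under
# an opaque id, and consumed on first use. Nothing the client sees determines
# the answer, so there is nothing to hash, salt or smoke.
# ---------------------------------------------------------------------------

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike glyphs (0/o, 1/l/i)

class CaptchaStore:
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # production: also expire entries

    def issue(self) -> tuple[str, str]:
        """Return (challenge_id for the client, answer for the image renderer only)."""
        challenge_id = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[challenge_id] = answer
        return challenge_id, answer

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """Single use: the challenge is consumed whether the answer is right or
        wrong, so one correct answer cannot be replayed across many posts."""
        answer = self._pending.pop(challenge_id, None)
        if answer is None:
            return False
        return hmac.compare_digest(answer.encode(), submitted.encode())


def demo() -> tuple[bool, bool, bool]:
    """Weak scheme solved blind; strong scheme accepts once, rejects the replay."""
    solved_blind = weak_verify(bot_solve_weak(weak_render_form()))
    store = CaptchaStore()
    cid, answer = store.issue()
    first = store.verify(cid, answer)
    replay = store.verify(cid, answer)
    return solved_blind, first, replay


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The check a practitioner would run against any CAPTCHA, including the one on this site, is the one `bot_solve_weak` performs: take everything the client is handed (hidden fields, cookies, URLs, image filenames) and ask whether the answer can be recomputed from it alone. If it can, the image is decoration and no amount of distortion helps; if it cannot, the remaining attacks are OCR or a human solving farm, which is what the challenge list above is asking them to demonstrate.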