Talk about security against automation
Author Topic: Talk about security against automation  (Read 512 times)
Esopo
Governing Council Member
« on: February 28, 2006, 05:17:19 AM »

I always look at those "security code" images that sites have to prevent automated posts/registration and think to myself I'm pretty sure I can make an OCR to break it.

Well, today I found one I wouldn't want to have to break:
https://secure.eponym.com/signup/captcha_image.php

Try reloading it a couple of times, it changes its orientation.

Good stuff.
COBOLdinosaur
ERT.com Admin

« Reply #1 on: February 28, 2006, 05:57:39 AM »

It's not as complicated as it looks. You can work out the orientation with a little math. In that sample they are using the same font all the time, and the same number of characters.

If you work out the orientation, then plotting the points to determine the characters is not rocket science. It is a good start to make it more difficult to decipher, but it would be more with a font mix, character string length variation, and if they really want to make you work, give each character a different orientation within the matrix so that the gridlines cannot be used for plotting.
VGR
Mentor

« Reply #2 on: March 01, 2006, 12:58:15 AM »

Yes. As far as I know, OCR has problems when the orientation is more than 10% or the like.
If the image is degraded enough to be barely readable by a human (spots badly placed, letters incomplete, changing colours, varying sizes, different orientation between letters, variable kerning, majuscules & minuscules with serif, lines crossing all letters) there are chances nobody will tune an OCR to be able to read it.

It's like cryptography: the good one is the one that discourages people from trying to break it because it would take too long for a real benefit.

Another solution you have (if it's for this site): you already have would-be new users "parked" because they have to be manually admitted. If you want to enable them to be activated by default, then park their first posts for human validation. And make an automatic deletion of would-be accounts if they clearly are not human and were not admitted.

techie overlord, answers all kind of questions on http://www.europeanexperts.org
COBOLdinosaur
ERT.com Admin

« Reply #3 on: March 01, 2006, 05:32:23 AM »

The problem with anything requiring a manual step is that someone has to do it. Okay as long as you are small but not as you get bigger. We have a version of the graphic with letters they have to enter and then they have to validate off of a link in the email.

Even if a spambot manages to get registered we still have anti-flood controls to keep them from spamming. The IP of every post gets recorded, and there is a cross-reference of user id and IPs used.

I don't have to ban IPs at the forum level because I can block them right at the server so they cannot even get to the home page. Plus I can use logging to keep track of any user that looks like they are a problem.

The problem with making sign up too difficult for bots is that some things will also discourage real users from signing up, and I would rather have to shut down the occasional bot than lose a new member.
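The controls described in Reply #3 (anti-flood limits, recording the IP of every post, and a cross-reference of user ids and IPs), sketched as an added example. This is not the forum's own code or any poster's; the class name, thresholds and sample traffic are assumptions.

```python
import time
from collections import defaultdict, deque

class PostGuard:
    """Anti-flood control with a user-id/IP cross-reference (hypothetical names)."""

    def __init__(self, max_posts=3, window=60.0, max_users_per_ip=2):
        self.max_posts = max_posts              # accepted posts allowed per window
        self.window = window                    # window length in seconds
        self.max_users_per_ip = max_users_per_ip
        self.recent = defaultdict(deque)        # ("user"|"ip", key) -> post times
        self.ips_by_user = defaultdict(set)     # user id -> IPs it posted from
        self.users_by_ip = defaultdict(set)     # IP -> user ids seen on it

    def submit(self, user, ip, now=None):
        """Log the attempt; return True if the post is accepted."""
        now = time.time() if now is None else now
        # Rejected attempts are cross-referenced too: they are the audit trail.
        self.ips_by_user[user].add(ip)
        self.users_by_ip[ip].add(user)
        queues = [self.recent[("user", user)], self.recent[("ip", ip)]]
        for q in queues:
            while q and now - q[0] >= self.window:   # expire old timestamps
                q.popleft()
        # Limit per account AND per IP, so switching accounts on one IP is no help.
        if any(len(q) >= self.max_posts for q in queues):
            return False
        for q in queues:
            q.append(now)
        return True

    def shared_ips(self):
        """IPs used by more accounts than expected: review or block at the server."""
        return sorted(ip for ip, users in self.users_by_ip.items()
                      if len(users) > self.max_users_per_ip)

# Constructed sample traffic: (seconds, user id, IP from documentation ranges).
SAMPLE = [
    (0, "alice", "198.51.100.7"), (5, "bot1", "203.0.113.9"),
    (6, "bot1", "203.0.113.9"), (7, "bot2", "203.0.113.9"),
    (8, "bot3", "203.0.113.9"), (9, "bot3", "203.0.113.9"),
    (70, "alice", "198.51.100.7"), (75, "bot1", "203.0.113.9"),
]

def replay(events):
    """Feed events through a fresh guard; return it and the accept/reject list."""
    guard = PostGuard()
    return guard, [guard.submit(user, ip, now=t) for t, user, ip in events]
```

In the sample, the fourth and fifth posts from the shared address are rejected even though they come from a fresh account, and `shared_ips()` surfaces that address for the kind of server-level block the reply mentions.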