Are you a human? An alternative to CAPTCHA

Submitted by mathew on Fri, 03/04/2015 - 00:33

I recently received an email from Amazon Web Services, our hosting provider for all our database, web and email servers. The email flagged up an issue to us: an unusually high number of messages we had sent had been reported as spam. In total, 57 of the last 11,000 emails were reported as spam. We have a support agreement with AWS and each time I've had cause to contact them they have always provided excellent support.

"Complaints" are normally triggered by users flagging a message as spam or moving messages into the Junk or Spam folder. Not all email systems send back complaints, but some do, and email providers such as Comcast, Apple and Yahoo do use the system.

We send email as part of the Online Syncing service. We don't send many; most of the emails we do send are either registration emails or reminders shortly before a trial account lapses. We also include an unsubscribe link in our emails and in the email headers to make it easy for people to unsubscribe. So I was surprised that the number of complaints was that high.

After investigating the most recent complaints, I discovered that all of them had something in common. Even though the email addresses looked genuine and were spread out geographically, our user accounts linked to these email addresses were registered from IP addresses based in Ukraine. Automated systems (bots) are trying to register for accounts on discussion forums in order to spread spam - even though we don't have a forum on the site. I discovered a handy site for checking IP addresses and email addresses too, StopForumSpam.com. At the time of writing the IP 46.118.116.89 has been flagged as a source of "comment spam" 1,279 times.

Since they appear to be using people's real email addresses to register, we are sending registration emails to people who are not expecting them. Quite rightly they are marking these messages as spam.

The solution

I needed to find a way to prevent bots from registering accounts and I initially thought of using a CAPTCHA. You've probably seen these before: they are images containing distorted letters or words that you have to identify and type in before you can register for an account. I don't really like using them, although reCAPTCHA at least has a positive spin, digitising text to help preserve old books and maps.

I stumbled upon an alternative called AreYouAHuman which uses puzzle games instead of distorted letters.

These are easy to solve if you're a human, but seemingly hard for machines. I like this solution as the games are well designed, look good and are quite fun!

In the future we may expand the anti-spam effort to include other mechanisms to prevent bots from registering accounts. Other techniques are hidden fields that only bots would fill in, time-based detection and use of a third-party blacklist of IP addresses.
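
The three techniques named above, combined into one server-side registration check. This is an added example, not code from this site; the hidden field name `website`, the time thresholds, the secret and the sample blocklist entry are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-secret"  # assumption: never sent to the browser
HONEYPOT_FIELD = "website"     # hypothetical field, hidden from humans with CSS
MIN_FILL_SECONDS = 3           # assumed threshold: humans rarely finish faster
MAX_FORM_AGE = 3600            # assumed: a form older than an hour must be reloaded
BLOCKED_IPS = {"203.0.113.7"}  # constructed sample; in practice loaded from a third-party list


def issue_form_token(now=None):
    """Return 'timestamp:mac' to embed in a hidden input when the form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_registration(form, client_ip, now=None):
    """Return (allowed, reason) for a submitted registration form (a dict of strings)."""
    now = now if now is not None else time.time()
    # Third-party blacklist: reject before doing any other work.
    if client_ip in BLOCKED_IPS:
        return False, "ip_blocklisted"
    # Hidden field: a human never sees it, so any value means a script filled it in.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    # Time-based detection: check the MAC before trusting the timestamp,
    # otherwise a bot could simply submit an old timestamp of its own.
    ts, _, mac = form.get("form_token", "").partition(":")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad_token"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted_too_fast"
    if age > MAX_FORM_AGE:
        return False, "token_expired"
    return True, "ok"
```

Rejecting the request before any account is created also means no registration email goes out to the address the bot supplied.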