Why We Now Require CAPTCHA

On Tuesday morning, September 1st, 2009, our site went down from being overloaded by spammers who ran multiple automated scripts against the site to add thousands of Twitter accounts and hundreds of thousands of spam tweets.

To prevent this from happening again, we implemented reCAPTCHA on the forms that add a new account and add a new scheduled tweet.

That is the only way to effectively block automated scripts from abusing those forms.

We have had requests from users to remove the CAPTCHA from those forms and implement it only on the login form. Unfortunately that will not help. With CAPTCHA only on the login form, spammers can still run their scripts. All they have to do is let the script pause and show them the CAPTCHA at login, solve it by hand once, and then they are off to the races: the script runs against the other forms exactly as before, because nothing on those forms asks for a new proof.

Blocking IP addresses also does not work, because the spammers simply hop from one IP address to the next through proxy servers.
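The argument above, as an added example that is not SocialOomph's code: a toy service with in-memory sessions enforces one of two policies, and a constructed bot gets exactly one human-solved challenge before the script takes over. With the challenge only at login, every later form submission goes through; with a single-use challenge bound to the session on the form itself, the one solve buys one submission and cannot be replayed. The `"correct"` answer string stands in for a real reCAPTCHA verify call.

```python
"""Added example (not SocialOomph's code): why a CAPTCHA at login alone does
not stop scripted abuse of the other forms. A toy service enforces one of two
policies, and a constructed bot gets exactly one human-solved challenge."""
import secrets

ATTEMPTS = 1000  # constructed size of the scripted run


class TweetService:
    """In-memory sessions; the policy decides which form carries the challenge."""

    def __init__(self, policy):
        assert policy in ("login_only", "per_form")
        self.policy = policy
        self.sessions = {}      # session id -> {"auth": bool}
        self.challenges = {}    # challenge id -> {"session": sid, "used": bool}
        self.accepted = 0

    def start_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"auth": False}
        return sid

    def new_challenge(self, sid):
        cid = secrets.token_hex(8)
        self.challenges[cid] = {"session": sid, "used": False}
        return cid

    def _solved(self, sid, cid, answer):
        # Stand-in for the reCAPTCHA verify call: a challenge counts only if it
        # belongs to this session, has not been used, and the answer is right.
        ch = self.challenges.get(cid)
        if ch is None or ch["session"] != sid or ch["used"] or answer != "correct":
            return False
        ch["used"] = True   # single-use, so one solve cannot be replayed
        return True

    def login(self, sid, cid=None, answer=None):
        if self.policy == "login_only" and not self._solved(sid, cid, answer):
            return False
        self.sessions[sid]["auth"] = True
        return True

    def add_tweet(self, sid, text, cid=None, answer=None):
        if not self.sessions.get(sid, {}).get("auth"):
            return False
        if self.policy == "per_form" and not self._solved(sid, cid, answer):
            return False
        self.accepted += 1
        return True


def run_script(policy, human_solves=1, attempts=ATTEMPTS):
    """Constructed bot: a person solves `human_solves` challenges by hand,
    everything else is scripted. Returns (tweets accepted, replay accepted)."""
    svc = TweetService(policy)
    sid = svc.start_session()
    budget = {"left": human_solves, "solved": None}

    def answer_for(cid):
        if budget["left"] == 0:
            return "guess"            # the script cannot read the image
        budget["left"] -= 1
        budget["solved"] = cid        # remember the one challenge a human solved
        return "correct"

    if policy == "login_only":
        cid = svc.new_challenge(sid)
        svc.login(sid, cid, answer_for(cid))
    else:
        svc.login(sid)
    for i in range(attempts):
        cid = svc.new_challenge(sid)
        svc.add_tweet(sid, f"spam {i}", cid, answer_for(cid))
    accepted = svc.accepted
    # Re-submitting the already-solved challenge must not buy another tweet.
    replay_ok = svc.add_tweet(sid, "replay", budget["solved"], "correct")
    return accepted, replay_ok


if __name__ == "__main__":
    for policy in ("login_only", "per_form"):
        print(policy, run_script(policy))
```

The two details worth keeping when wiring up a real verifier are visible in `_solved`: the challenge is tied to the session that was shown it, and it is marked used the moment it is accepted. Without both, a script could present one human solve over and over.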

We realize this is an inconvenience. But in the end it is just one additional form field that must be completed, and it adds a few seconds to the completion of the form. We trust that folks will understand the necessity.

The benefits are that system performance and uptime are better for everyone, and our service's standing with Twitter is not jeopardized by the gazillions of spam tweets that the spammers want to push through our service to Twitter.

Professional users are not presented with the reCAPTCHA challenge on the new tweet form for two reasons, namely: a) spammers rarely want to reveal their true identities via PayPal payments, and b) Professional users have access to the bulk file upload feature that makes running scripts unnecessary for adding a lot of tweets.

Update – Wednesday, September 2nd, 2009 at 2:30 PM EST: We have listened to you and have now modified the CAPTCHA challenge on the new tweet form to appear only occasionally. We trust that this will bring balance between site security and usability.

38 thoughts on “Why We Now Require CAPTCHA”

  1. Stephen

    I feel your pain, but this is a major inconvenience and will definitely cut down on the number of tweets I schedule here.

    Requiring 15 characters or more to be typed in for EVERY SINGLE TWEET to be scheduled is kind of absurd. There are other services that require shorter entries, such as "Type the answer to this math question in the box: 4-1 = ____". That makes more sense for a service that encourages numerous entries.

    I'll also say that from my experience with Captcha on other services, the wording is sometimes almost impossible to read. Not true for this site, yet, however.

    1. socialoomph Post author

      Stephen, spammers can so easily get past that "4-1=" it is not even funny. They just need to analyze the text on the page, let their script do the math, and provide the answer on the form.

      reCAPTCHA has several benefits: a) it is JavaScript based, b) it uses images that are difficult to decipher via a script, c) it has audio for folks with vision disabilities, d) new words can be requested when the current ones are hard to read, and e) every time someone solves the CAPTCHA it helps with a book digitization project.

  4. Will Butler

    I don't understand, and for some reason you have made this our problem rather than figuring it out internally.

  5. Stephen

    Dewald, I thank you for educating me about the benefits of reCAPTCHA, most of which I did not know about. However, the drawback is typing in over a dozen letters or numbers or punctuation marks before scheduling ONE posting. That's laborious and I bet the number of scheduled posts/tweets goes way down as a result. People are just too lazy.

  6. ritchie

    I also understand your reasons for this rather drastic step 🙂

    Yet still, CAPTCHAs (especially reCAPTCHAs) are a constant annoyance. I hope there will be another solution in the future; I still love TweetLater's other feats, but I will take a look at other services that allow scheduled tweets – guess I just have a captcha allergy 😉

  7. Jeff

    How about once every hour (or other random time)? I schedule my posts in the morning so I don't have to worry about them later.

      1. Jeff

        But they wouldn't know when the "in-between" time is if you require it on a rotating basis. Or randomly move the text box: if you shift it in between other text fields, the script shouldn't be able to run for a portion of the time. Make a rule that if any text is entered in one of these fictitious spaces, bounce the tweet.
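The decoy-field idea in the comment above, as an added example that is not SocialOomph's code: the form carries an extra text input that is hidden by CSS, its name is random per session and stored server side, and its position among the real fields is shuffled. A submission that puts anything in it, or that arrives without a rendered form, is rejected. Field names, the 140-character limit and the session dict are assumptions for the example.

```python
"""Added example (not SocialOomph's code): a decoy form field, as the comment
above suggests. The decoy's name is random per session and its position in the
form is shuffled, so a script cannot learn a fixed field to leave blank."""
import random
import secrets

MAX_LEN = 140  # assumed tweet length limit


def build_form(session, rng=random):
    """Render the tweet form; record the decoy field name in the server-side session."""
    decoy = "f_" + secrets.token_hex(4)
    session["decoy"] = decoy
    fields = [
        '<input type="text" name="text" maxlength="140">',
        # Hidden with CSS, not type="hidden": a person never sees or fills it.
        f'<input type="text" name="{decoy}" style="display:none" '
        'tabindex="-1" autocomplete="off">',
    ]
    rng.shuffle(fields)        # decoy position varies from one render to the next
    return '<form method="post">' + "".join(fields) + "</form>"


def accept_submission(session, form_data):
    """Server-side check: reject when the decoy is filled or no form was issued."""
    decoy = session.get("decoy")
    if decoy is None:
        return False           # submission without a rendered form
    if form_data.get(decoy, "") != "":
        return False           # something typed into a field no person can see
    text = form_data.get("text", "")
    return 0 < len(text) <= MAX_LEN


if __name__ == "__main__":
    s = {}
    print(build_form(s))
    print(accept_submission(s, {"text": "hello"}))
    print(accept_submission(s, {"text": "hello", s["decoy"]: "filled"}))
```

This is a cheap filter rather than a replacement for the challenge: it costs legitimate users nothing, and in a log you can count how many submissions were rejected on the decoy alone.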

  8. Bill Beavers

    You've explained the problem and your solution in an understandable fashion and I get it. I wouldn't mind typing in the letters if I could just read them all. Thanks

  9. Bradley Everitt

    I understand your issue, but unfortunately this is a REAL inconvenience. I have enjoyed your service. But keep in mind, there are other services like yours. So I will keep using your service for now and hopefully this will be fixed, but I also will be using CoTweet to see where that goes. I don't have to fill out a CAPTCHA for every tweet on their system.

  10. Thomas

    Just a thought, upgrade to Pro to avoid the reCAPTCHA form… or not. I prefer ALL my Info be kept as secure as the law allows. Do what you gotta do Dewald. Thanks

  11. Al

    Dewald, a number of sites I work with have a reCAPTCHA or something like it for the log-on, but not on every single page. They track my progress through their website knowing I’m a human being.

    I can see a challenge if a human logs into your site and then implements the spam scripts. Can't you watch for spamming behaviors (large numbers of posts, very high-speed posts, duplicate posts, etc.), perhaps combined with Jeff's suggestion of random reCAPTCHAs along the way?

    You’ve done a good job of identifying the advantages to you for the reCAPTCHA, but it doesn’t appear that you’ve caught on to the disadvantages to your users. It is a stumbling block to spammers and legit users alike.

    Or is this a case of “Hey, this is a FREE service. Don’t get picky!”?

    And thank you for the heretofore excellent free service. It has been excellent!

    1. Dewald Pretorius Post author

      Al, I will keep looking for and thinking about more sophisticated solutions that are less intrusive for legitimate users. For now, the quickest way to prevent abuse was reCAPTCHA. And I had to implement something fast so that my site could stay up and performance could be at acceptable levels.

      For a few weeks now I have been seeing my CPU and memory utilization skyrocketing at times, and that has completely baffled me because it had no correlation to any legitimate server load.

      I caught the spammers yesterday because they made a stupid rookie mistake. Once I knew what was causing the spikes, I could confirm via my access logs that they were indeed responsible for the severe performance slowdowns that the site has suffered from time to time.

      Since I've implemented reCAPTCHA, my server is running well below capacity, and performance of the web site is really great.

  12. Al

    And then if I forget to tick a box, your site kindly reminds me that I have to tick one checkbox, and then re-type a 15 character illegible roadblock. One click becomes a real challenge.

  13. Mitch

    I know that spammers are a headache, but I'm starting to hate CAPTCHA… I think I'll have to come up with a different solution. This is turning into a pain.

  14. Chris Tregenza

    I think implementing Captchas was a great quick-and-dirty solution to the spammers but it is not a longer term solution.

    I think you should consider:

    a) Shorter captchas – as someone else noted, 15 characters for a 140-character message is a fairly big overhead.

    b) Trusted users – once someone has been using the site for a while, the captcha should not be requested.

    c) Excessive use penalty – if someone is only sending a handful of tweets per day, then the captcha should only be needed once every 10 tweets. If they are sending 50+ tweets a day, the captcha is required once every 5 tweets; at 100+ tweets per day, every tweet needs a captcha.
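One policy that combines the "occasionally" of the post's update with the trusted-user and rate-tier ideas in the comment above, plus the duplicate-post signal raised earlier in the thread, as an added example that is not SocialOomph's code. It keeps a per-user 24-hour history and decides per submission whether the tweet form must carry a challenge. The thresholds (30-day trust, 10/5-tweet intervals, three repeats) and the 10% random rate are assumptions.

```python
"""Added example (not SocialOomph's code): one policy that combines the
"occasional" challenge from the post's update with the trusted-user and
rate-tier ideas in the comment above. Thresholds are assumptions."""
import random
from collections import deque

DAY = 86400


class ChallengePolicy:
    """Decide, per submission, whether the tweet form must carry a CAPTCHA."""

    def __init__(self, base_rate=0.1, trusted_after_days=30, seed=None):
        self.base_rate = base_rate                   # random occasional challenge
        self.trusted_after = trusted_after_days * DAY
        self.rng = random.Random(seed)
        self.history = {}                            # user -> deque of (ts, text)

    def _last_day(self, user, now):
        """Drop entries older than a day and return the user's recent queue."""
        q = self.history.setdefault(user, deque())
        while q and now - q[0][0] > DAY:
            q.popleft()
        return q

    def requires_challenge(self, user, account_age_s, text, now):
        q = self._last_day(user, now)
        q.append((now, text))
        per_day = len(q)
        repeats = sum(1 for _, t in q if t == text)
        if repeats >= 3 or per_day > 100:
            return True                  # repetition or a burst: every submission
        if account_age_s >= self.trusted_after and per_day <= 50:
            return False                 # established user at normal volume
        interval = 5 if per_day > 50 else 10
        if per_day % interval == 0:
            return True                  # tiered: every 10th, or every 5th above 50/day
        return self.rng.random() < self.base_rate   # occasional, unpredictable


if __name__ == "__main__":
    policy = ChallengePolicy(seed=1)
    now = 1_000_000  # constructed clock
    for i in range(1, 13):
        print(i, policy.requires_challenge("demo", 0, f"tweet {i}", now))
```

The random component matters: with only the counters, a script could learn exactly which submission will be challenged and stop one short. Keeping the decision server side and re-verifying the challenge token on the same request, as in the per-form check above, closes that gap.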

  15. @fdc013

    Hi, I understand your problem, but as with most, it's a real pain trying to put the captcha in on every tweet. Is this still in the paid service where you can upload a file or list, or have you removed that service? Not planning on using this great service because of the inconvenience that it presents. I hope you find another option for us. Paul

  16. Andrew

    Great that you moved fast to prevent the abuse.

    Yet, if you do lots of tweets in one hit to be spread out over a week, the reCAPTCHA box is a right pain and time-consuming. Not to mention, often, illegible. There must be an alternative other than a fee-paying upgrade?

    Normally I populate my account on a Sunday morning. I can normally do this under an hour. It will be interesting this week.

  17. AskViki

    Hey! Now I can practice my typing!

    Just kidding, thanks for doing what you had to do to keep TweetLater, oops SocialOomph up and running, so what if we have to type two more words…get over it people…it's FREE!!! 🙂

    Keep up the good work DP!!

  18. Mary H Ruth

    Seems to me you're addressing the problem as best you can, and I appreciate your efforts. Especially appreciate the relatively readable CAPTCHAs. Just returned from a cross-country plane trip, and the offense of the TSA requirements in airports presents the same kind of dilemma. Millions must be inconvenienced because of a malicious few. Stinks, but there you go …

  19. Mary H Ruth

    However, I meant to add, how the heck did you come up with SocialOomph? We know the meaning of oomph, but find it hard to say. No rolling off the tongue, a must for a business name. Betcha it'll come to be known as SocialOom.

  20. Ruth

    Yay, good move. Thank goodness someone is actually anti spam and anti script. They are a hard act to compete with! Again, thanks,

  21. tssi

    I can sympathize. Our own web sites have to cope with these people – it is a never-ending struggle with crooks and fools.

    We should collectively support this effort. Hopefully, the tools available to block this junk will improve with time.

    We should promote zero tolerance for spammers, trolls, adolescent flamers and all the other assorted impediments to mature participation in the web.

  22. Courtenay

    I think you've reached a nice balance with the random reCAPTCHAs. You've created a great product which I use daily — I appreciate your hard work and listening to users!

  23. Al

    Dewald, thanks for the change. I appreciate your hard work & I appreciate your listening to us po’ folk who are using your service. Thank you!

  24. Chris

    reCAPTCHA was a good idea to block the spammers. But it can be permanent. The idea of having a captcha every 50 or 100 tweets seems more manageable for us, poor users.

  25. ritchie

    Much better indeed! I'm always amazed about the speed of your reactions to feedback. And one more suggestion: I guess there is no need for Captchas for pro accounts, as spammers probably won't use those 😉

  26. The Jackal

    I sympathize with the problem on BOTH SIDES of THIS coin! I run @TheJackalsMARK on Twitter. Myself, along w @Jean_ie @SpitSpam @Spamkilla etc. fight spam daily on twitter as well as FENDING OFF its attacks on OUR OWN accts from the KEYWORDS they target.

  27. The Jackal

    Due to the nature of the things we have to RT. THERE ARE NO PRETTY SOLUTIONS 2 MAKE EVERYONE HAPPY. And that is simply the sad reality of the internet we use! I hate CAPTCHAS 2 but they're a necessary evil. I use prfl vldtn 2 screen my fllwrs.

  28. The Jackal

    As u might see from my multiple comments I do everything from cell phone (128x160pxl screen). Like i said I HATE CAPTCHAS TOO! If I can deal w it, I KNO ppl w REAL computers CAN! Kudos on acting fast 2 protect YOUR system & TWITTER! It had 2B Done. Thx4Effrt!

  29. The Jackal

    Again, sorry 4 multiple comments 2 say this, but this cell phone is limited to like 256 characters and I didn't want to abrvt the whole thing. 🙂 Keep up the great job and 4 what it's worth, I like the new name vs Tweetlater. Has much better connotation!! TJM

Comments are closed.