Revelation has asked for the wisdom of the Perl Monks concerning the following question:

One thing that concerns me on sites I build is the signup routine(s). What prevents users from signing up multiple times, with different email addresses? In fact, what prevents them from spamming the signup script, adding an extra 1,000 users to my database?

Most sites send an authorization email, telling the person to click on a link to activate their account, but that can easily be bypassed by harnessing Perl's ability to receive mail for you (adding a line to sendmail's /etc/aliases file, and using MIME::Tools). This security doesn't seem to be too strong on a site where people may be inclined to spam signup scripts. On the other hand, maybe I just haven't built enough around that idea? Would it be wise to work in multiple "do this to this word" steps, and store the answer/user information in a "register in the next day" table? My personal method of choice would be to block multiple daily signups from sites (*.com/*.net/*.org), but that doesn't seem feasible (hotmail.com, aol.com, etc.). Is there some sort of list of free email providers, so I could work around that? The idea seems to be impossible, but maybe somebody could enlighten me on an implementation of this?

My personal choice for making a signup script harder to spam is making it issue multiple requests (redirecting you to a second page to enter information), and (I'm still considering this) using CAPTCHAs, or an implementation of them. (If you don't feel like going to the site: CAPTCHA stands for "Completely Automated Public Turing Test to Tell Computers and Humans Apart".) CAPTCHAs are programs that (at this point) are recognizable by humans, but hard to write a program to decipher. Larger sites such as Yahoo & PayPal use them for signups, which attests at least a bit to a CAPTCHA's preventive value. In addition to this, I may be implementing Apache::Session's abilities, and storing both the correct CAPTCHA and other pertinent user information from his two requests in a session key (preventing him/her from signing up ten times with the same cookie "CAPTCHA password"). Any advice on implementing this? Is it even worth it? Do you foresee people being able to program around CAPTCHAs in the near future?

How do you make sure that people don't spam your signup scripts with bots? Is this even a worry? Any pertinent previous discussions on this subject?
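The following is an added example, not code from the original post or from any of the replies. It shows, in Perl with core modules only, the three pieces the question circles around: a CAPTCHA answer kept server-side and consumed on the first attempt (so one solved challenge cannot be replayed ten times with the same cookie), a one-time activation token stored only as a hash in a "register in the next day" table, and a per-address rate limit. The in-memory hashes stand in for Apache::Session and a database table, the word list and thresholds are made up for the walk-through, /dev/urandom is assumed to exist, and rendering the word as a distorted image is left to the caller. The caveat the post raises is built in: the mailed token only proves control of a mailbox, which a script behind an /etc/aliases entry has, so it is the rate limit, not the e-mail round trip, that bounds an automated run.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Core modules only. The hashes below stand
# in for Apache::Session and a "pending registrations" table (assumption: a real
# site persists them server-side; nothing secret ever goes into the cookie).
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %SESSION;   # session id => { answer_hash, issued }
my %PENDING;   # email      => { token_hash, expires, name }
my %RATE;      # client ip  => [ timestamps of recent signup attempts ]

my $CAPTCHA_TTL  = 300;     # seconds a challenge stays answerable
my $TOKEN_TTL    = 86400;   # "register in the next day"
my $MAX_PER_HOUR = 3;       # attempts per client address per hour (assumed threshold)
my @WORDS = qw(monastery scriptorium camel onion);   # constructed challenge words

# 32 bytes from the kernel CSPRNG as hex (assumption: Unix host with /dev/urandom).
sub random_hex {
    open my $fh, '<:raw', '/dev/urandom' or die "/dev/urandom: $!";
    read($fh, my $buf, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Compare two strings without leaking where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Issue a challenge for a session. Only a hash of the answer is stored, with the
# session id mixed in so a record copied from one session is useless in another.
# The caller renders the returned word as the distorted image.
sub issue_captcha {
    my ($sid) = @_;
    my $word = $WORDS[ int rand @WORDS ];
    $SESSION{$sid} = { answer_hash => sha256_hex("$sid:" . lc $word), issued => time };
    return $word;
}

# Every attempt consumes the challenge: no guessing a short word by retrying,
# and no signing up ten times on one solved CAPTCHA.
sub check_captcha {
    my ($sid, $answer, $now) = @_;
    my $c = delete $SESSION{$sid} or return 0;
    return 0 if $now - $c->{issued} > $CAPTCHA_TTL;
    return constant_time_eq($c->{answer_hash}, sha256_hex("$sid:" . lc $answer));
}

# Sliding one-hour window per client address. This, not the e-mail round trip,
# bounds an automated run: the mailed token only proves control of a mailbox.
sub rate_limited {
    my ($ip, $now) = @_;
    my $seen = $RATE{$ip} ||= [];
    @$seen = grep { $now - $_ < 3600 } @$seen;
    return 1 if @$seen >= $MAX_PER_HOUR;
    push @$seen, $now;
    return 0;
}

# Returns (token, undef) on success, the token going into the activation mail,
# or (undef, reason) on refusal.
sub begin_signup {
    my %a = @_;
    return (undef, 'rate limit') if rate_limited($a{ip}, $a{now});
    return (undef, 'captcha')    unless check_captcha($a{sid}, $a{answer}, $a{now});
    return (undef, 'email')      unless $a{email} =~ /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/;
    my $token = random_hex();
    $PENDING{ lc $a{email} } = {
        token_hash => sha256_hex($token),   # a leaked table yields no usable tokens
        expires    => $a{now} + $TOKEN_TTL,
        name       => $a{name},
    };
    return ($token, undef);
}

# Called from the link in the mail. Single use; the caller creates the real
# account row only after this returns true.
sub activate {
    my ($email, $token, $now) = @_;
    my $p = $PENDING{ lc $email } or return 0;
    return 0 if $now > $p->{expires};
    return 0 unless constant_time_eq($p->{token_hash}, sha256_hex($token));
    delete $PENDING{ lc $email };
    return 1;
}

unless (caller) {   # walk-through with constructed input
    my $now  = time;
    my $word = issue_captcha('sess-1');
    my %req  = (sid => 'sess-1', email => 'monk@example.org', name => 'Revelation',
                ip => '203.0.113.7', now => $now);
    my ($token, $why) = begin_signup(%req, answer => uc $word);
    print 'signup: ', ($token ? 'activation token issued' : "refused ($why)"), "\n";
    my (undef, $again) = begin_signup(%req, answer => $word, email => 'other@example.org');
    print "replay of a solved challenge: refused ($again)\n";
    print 'right token: ', (activate('monk@example.org', $token, $now) ? 'ok' : 'refused'), "\n";
    print 'second use:  ', (activate('monk@example.org', $token, $now) ? 'ok' : 'refused'), "\n";
}
```

Two design points are worth spelling out. The challenge is deleted on the first answer, right or wrong, so a bot cannot brute-force a four-word list by resubmitting within one session; it has to fetch a fresh image each time, which is exactly the cost you want to impose. And only hashes of the answer and of the activation token are stored, so neither a session store nor a dump of the pending table gives an attacker anything to replay.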

Re: Captcha Signups?
by ariels (Curate) on May 15, 2002 at 12:02 UTC
      here 'tis.

      To the original question. As Biker suggests, there is nothing stopping a determined user from signing up multiple times. IMO you have to make the automated attack harder or more expensive (either time or money).

      Unfortunately the flip side is, if you make the signup process too hard, you'll get no legitimate users... :-(

      good luck, I'd be interested to hear about what you come up with.

      Greetings ariels,
      While this is an old thread, the article you referred to turned out
      to be a real help in finding a Perl(1)-based solution for me.
      Thanks!

      --chris

      #!/usr/bin/perl -Tw
      use perl::always;
      my $perl_version = "5.12.4";
      print $perl_version;
Re: Captcha Signups?
by Biker (Priest) on May 15, 2002 at 11:28 UTC

    I have 14 PCs at home. I can create as many logins as I want (almost) on every PC. That creates a high number of cookie sets. Furthermore, I can have as many (almost) e-mail accounts as I want.

    "What prevents users from signing up multiple times..."

    Nothing as long as the user is ready to do it manually. And some users may be so committed.


    Everything went worng, just as foreseen.

Do as slashdot does
by gnubbs (Beadle) on May 15, 2002 at 13:29 UTC

    So, the real question is, will this be a problem on your site? I would look at a site like Slashdot, which is visited by huge numbers of technical users, with plenty of good reasons to have tons of logons for one person. As far as I know, they do nothing of the sort.

    Comparing your site to yahoo is probably not the most accurate comparison. First, I suspect that your site is not going to be nearly as high profile. Second, consider the reason that people would want a thousand email addresses from a public email site. I can think of about twenty that arrived in my inbox this morning.

    I would bet that this is not going to be an issue for you. Keep in mind that the more complicated the sign up process, the fewer real users are going to go through it.

Re: Captcha Signups?
by Anonymous Monk on Jul 01, 2005 at 00:40 UTC
    "Is this even a worry?" A human is (usually) far more intelligent than a bot. "The Emperor's New Mind" viciously (and rightfully) attacks the theory of "strong AI", which states that computers' "intelligence" will someday subsume that of humans. "Instant Physics" takes the opposite stance and assumes that the disintegration of human intelligence will increase the likelihood that computers will- by default- "leave the rest of us to watch MTV." I don't know which opinion is closer to the truth, although the latter argument (which I'm sure was originally written in jest) is becoming more and more apparent... -Weegee