jdtoronto has asked for the wisdom of the Perl Monks concerning the following question:

Esteemed Monks,

I have a new client who has just been savagely attacked by a credit card fraud ring. His web site sign up forms were filled out by a robot of some type, then when the confirmation email was received it appears they responded automatically (it was a simple "click on this link" confirmation) and then they used another robot to make small purchases on credit cards (average of $3-$10) using what turned out to be thousands of stolen card numbers - all of which they have the CVV2 id for!

Luckily the payment processor turned off the system after about 15 minutes of this activity because of the dramatic change in the client's usage pattern. But in that time nearly 11,000 charges were made totalling just over $42,000 (US).

I have beefed up the security as much as I can this morning. We now require a full billing address which we validate with AVS (why didn't they have this?), an email address (to compare against known fraudulent transaction email addresses by the processor) and a phone number. We will also be using the MaxMind CCV service as soon as we can incorporate the code.

But these are all "after the signup" measures. I would like to add a graphical challenge, like PayPal uses. Hopefully this would eliminate the robots.

Can anyone point me to any sample code, or modules for implementing this feature in Perl?

jdtoronto

Re: Validating web-site signups are humans.
by dragonchild (Archbishop) on Mar 19, 2004 at 19:36 UTC
    merlyn had a column about this a few years back. A monk cracked it, but it shouldn't be too hard to extend it a bit. Doing a Super-search on "strawberry" (which was the flavor chosen for the hack) finds A little fun with merlyn, which should lead you in the right direction.

    Another option is to use a set of weird fonts. This is what's used in games like Runescape.

    ------
    We are the carpenters and bricklayers of the Information Age.

    Please remember that I'm crufty and crochety. All opinions are purely mine and all code is untested, unless otherwise specified.

Re: Validating web-site signups are humans.
by Vautrin (Hermit) on Mar 19, 2004 at 20:29 UTC

    One of the things to look for when creating a spider or robot is patterns. For instance, if you want to submit a form, and the form uses the same name and values for each field and form name, it is very easy to create a spider to submit a form. If the form names vary, you have to look for sections of the HTML which are similar. If there is variation in the HTML which does not alter the look of the page, things get very hard very quickly. Another thing that makes spidering very hard is if a lot of Javascript is used, because there are no modules to create a web page based on what the javascript says to do.

    These are some of the things that made my life very hard when a client asked for spiders which helped create a site that was a clone of AddAll.com. I would suggest using them to your advantage. Be devious. Use javascript like document.location = "http://www.newwebpage.com" to change locations in ways that a spider will have trouble keeping up with. Alter form names and the names of the input so that they contain random characters (you can keep track of their real values in a database. Use a random key you can get from a cookie you send the user to look up what the real field names are).

    Chances are, if you do all these things, people will leave your site alone. Now, granted, many programmers / hackers -- given enough time and energy -- can overcome these problems. But by frustrating your attackers it is likely they will look for an easier target to pick on.

    Hope that helps,

    Vautrin


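    One way to implement the per-session field-name idea above without a database lookup, as an added example (not Vautrin's code): the names are derived with an HMAC from a server secret and the session id held in the user's cookie, so the server can recompute the mapping when the form comes back. The secret, session id and field list are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Real field names the application understands.
my @FIELDS = qw(name email phone);

# Per-session field names: HMAC(secret, sid:field), truncated for readability.
# A robot scripted against one session's names gets nothing usable for the next.
sub field_map {
    my ($secret, $sid) = @_;
    return { map { $_ => 'f_' . substr(hmac_sha256_hex("$sid:$_", $secret), 0, 12) } @FIELDS };
}

# Emit the form with the obfuscated names (labels stay readable for humans).
sub render_form {
    my ($secret, $sid) = @_;
    my $m = field_map($secret, $sid);
    return join '', map { qq{<label>$_ <input name="$m->{$_}"></label>\n} } @FIELDS;
}

# On submit: rebuild the mapping from the same cookie and translate back.
# Anything posted under a name that is not in the mapping is ignored.
sub decode_form {
    my ($secret, $sid, $params) = @_;
    my $m = field_map($secret, $sid);
    return { map { $_ => $params->{ $m->{$_} } } grep { exists $params->{ $m->{$_} } } @FIELDS };
}

# Constructed sample: the secret would live in server config, sid in a session cookie.
my ($secret, $sid) = ('change-me-server-secret', 'sid-constructed-0001');
print render_form($secret, $sid);
my $m = field_map($secret, $sid);
my $posted = { $m->{email} => 'user@example.com', $m->{name} => 'J. Doe', bogus => 'x' };
my $clean = decode_form($secret, $sid, $posted);
print "$_ => $clean->{$_}\n" for sort keys %$clean;   # name and email only
```

    Rotating the session id on each visit gives every form a fresh set of names; this raises the cost of scripting but, as the replies below note, does not stop a browser-driven bot.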
      Time and energy are completely unnecessary. Automating mozilla is trivial.
        Interesting... I've never heard of automating mozilla. Can you please give an example or reference? Also does it work with Firefox?
        Perhaps this is why some of the web sites that I have used work fine with Mozilla until I try to buy something. On one site I got a secure connection and was able to do everything with Mozilla except validate a credit card. Since I really wanted to buy the product, I called the toll-free number, which has always seemed to me to be a reasonable, albeit imperfect, alternative to otherwise broken ecommerce apps.

        I am interested in easy Mozilla automation, also. The API used for Mozilla regression testing looks complicated to me.

        It should work perfectly the first time! - toma
Re: Validating web-site signups are humans.
by flyingmoose (Priest) on Mar 20, 2004 at 00:36 UTC
    GRAPHICAL CHALLENGES (CAPTCHA's) ARE EVIL

    While I understand the need to validate sign-ups are human, these CAPTCHA systems are horribly discriminatory towards blind or visually impaired users. Of course, to be fair, so are flash-only web sites. They can't read them, and they are blocked from using these sites.

    If your web site does not work in lynx/links, it probably doesn't work with a screen reader either -- and it is broken.

    You also need to consider the potential for color-blindness in users as well.

    I think it was once proposed that you could create riddles involving trivially simple problems (but ones that were not trivially parseable). But that too has problems, particularly with non-native speakers or those that won't get your riddle. They would probably be annoyed. Seemingly good multiple choice question barrages like "which one of these animals lives in the ocean" seem effective, but you can code around those. And again, what if they don't have flounders in Outer Mongolia?

    I realize I am not solving your problem -- I'm only stating that CAPTCHA systems are a very bad idea.

      The point you raise is valid.

      I have seen examples of CAPTCHA's now where they can be spoken. So provided the site is otherwise capable of being read using a screen-reader I would assume the visually compromised would be able to follow a link to the spoken challenge.

      I had another meeting with the client this afternoon. He has been told by the payment processor that either he adds CAPTCHA to the site, or they won't handle him any more. Sad, but that's just the way it is.

      jdtoronto

Re: Validating web-site signups are humans.
by Jaap (Curate) on Mar 19, 2004 at 19:54 UTC
    Hmmm this is actually a very nice problem. I can think of quite a few approaches but they all require playing with some graphical modules (GD perhaps?)

    If I were you, I'd roll my own solution. Even if that's easier to crack, the rewards are smaller than that of a system that everybody uses.

    The most basic approach would be to make an image of characters on a "grainy" background. You might even make the characters grainy too, so only the density of dots defines a letter.
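    The grainy-background approach described above, worked through with GD as an added example (not Jaap's code and not from any CPAN module): the characters are drawn over speckle noise and stray lines, the answer is stored only as a salted hash keyed by the session id, and the browser never sees the plaintext. The alphabet, session id and output file name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use GD;                              # CPAN module GD (needs libgd)
use Digest::SHA qw(sha256_hex);

# 32 characters with look-alikes (0/O, 1/I/l) removed so humans are not tripped up;
# 32 divides 256 evenly, so indexing by a random byte has no modulo bias.
my @ALPHABET = split //, 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

# Draw $len random characters on a speckled background; returns (answer, png_bytes).
sub make_captcha {
    my ($len) = @_;
    my ($w, $h) = (40 + 18 * $len, 50);
    my $img = GD::Image->new($w, $h);
    my $bg  = $img->colorAllocate(255, 255, 255);   # first colour becomes background
    my $fg  = $img->colorAllocate(0, 0, 0);
    my $mid = $img->colorAllocate(128, 128, 128);

    # Answer comes from /dev/urandom, not rand(), so a bot cannot predict the text.
    open my $rnd, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($rnd, my $bytes, $len) == $len or die "short read";
    close $rnd;
    my $answer = join '', map { $ALPHABET[ ord($_) % @ALPHABET ] } split //, $bytes;

    # "Grainy" background: roughly 15% of pixels become grey noise.
    $img->setPixel(int rand $w, int rand $h, $mid) for 1 .. int($w * $h * 0.15);
    # Each glyph at its own vertical offset, plus a few lines to break up OCR rows.
    my $x = 20;
    for my $ch (split //, $answer) {
        $img->string(gdGiantFont, $x, 10 + int rand 16, $ch, $fg);
        $x += 18;
    }
    $img->line(int rand $w, 0, int rand $w, $h - 1, $fg) for 1 .. 3;
    return ($answer, $img->png);
}

# Server-side record of the answer: hash salted with the session id, compared
# case-insensitively. Delete the token after one attempt so it cannot be replayed.
sub answer_token { my ($sid, $answer) = @_; return sha256_hex($sid . ':' . uc $answer) }
sub check_answer { my ($sid, $token, $reply) = @_; return $token eq answer_token($sid, $reply) }

my $sid = 'sid-constructed-0001';                   # would come from the session cookie
my ($answer, $png) = make_captcha(6);
open my $fh, '>:raw', 'challenge.png' or die "write: $!";
print {$fh} $png;
close $fh;
my $token = answer_token($sid, $answer);            # store this, not $answer
print "wrote challenge.png; correct reply accepted: ",
      (check_answer($sid, $token, lc $answer) ? "yes" : "no"), "\n";
```

    Pair the image with a spoken or alternate-text challenge, as jdtoronto notes above, so screen-reader users are not locked out.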
Re: Validating web-site signups are humans.
by calin (Deacon) on Mar 20, 2004 at 19:43 UTC