What I learnt from logging CAPTCHA attempts was, essentially, nothing. Every post either entered nothing at all or the correct word, and all of the correct ones were obviously from the same source (not the same IP address, but structured the same way and advertising similar things). That is, it’s not being broken by a huge dictionary attack or anything.
So I think the remaining alternatives are that someone has actually broken my CAPTCHA with 100% accuracy, or this is getting back to a human at some point. Possibly I’m caught in one of those man-in-the-middle attacks where my CAPTCHA is relayed to some porn site and decoded by a horny teenager. Alternatively, people are getting paid to leave spam. I’ve heard of this sort of thing happening – Mr Shellshear caught some of it a while ago – but if that were the case I’d expect the comments to bear traces of humanity as well, and as it stands they’re fairly obviously auto-generated. I think. Or written by particularly obtuse and formulaic humans.
Now that I read over that last paragraph again, none of those options stands out as being clearly more likely than the others.
So in a further attempt to narrow down the options, I’ve changed my CAPTCHA again. This has two advantages. One, it’s different enough to the old one that I’m fairly confident that it won’t be immediately legible to any bot that could read it before. And two, the new one looks cool. Also illegible, so I probably won’t leave it this way forever, but come on, it’s sleek.