Thread overview
Could forum.dlang.org remember how many captchas I filled out?
May 23, 2016
cy
May 23, 2016
Joakim
May 23, 2016
cy
May 25, 2016
Joakim
May 25, 2016
cy
May 25, 2016
Joakim
May 23, 2016
jmh530
May 24, 2016
Basile B.
May 24, 2016
cy
May 25, 2016
Basile B.
May 25, 2016
Vladimir Panteleev
May 23, 2016
> Akismet thinks your post looks like spam. Please solve a CAPTCHA to continue.

I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;

I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice.

You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)

Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.
May 23, 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
>> [...]
>
> I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:
>
> [...]

Hmm, I almost never get that CAPTCHA, and I don't log in to the forum.  Could be something else about your profile that Akismet flags: have you tried taking it up with them?
May 23, 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
>
> I've filled out one of these for every post I've made here.

I often get a CAPTCHA when I'm using a VPN at home.
May 23, 2016
On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
> Hmm, I almost never get that CAPTCHA, and I don't log in to the forum.  Could be something else about your profile that Akismet flags: have you tried taking it up with them?

I log in here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them.

Also, they're a huge, faceless corporation that heuristically targets spammers worldwide, and I don't like the idea of my activity being profiled worldwide.

They do heuristic profiling anyway. They're not supposed to be relied upon as an ultimate authority on who's a spammer. A simple counter for how many captchas solved in a given login is way more reliable than pinging them for the answer every time.
May 24, 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
>> [...]
>
> I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:
>
> ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;
>
> I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice.
>
> You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)
>
> Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.

One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?
May 24, 2016
On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:

> One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?

Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered. But what can be done is adding a counter of every time a captcha is filled out correctly. Once they've done that enough, no prompt to guess the code again.

Then you wouldn't have to arbitrarily decide what a "strong" challenge is and just hope that it's solvable, and nobody circumvents it. Instead, you could continue to challenge them after registering, and you can record their success in stages.

There are other tricks you can use to make life harder for spammers. Tracking how long people have had their accounts, for instance, and only showing captchas and limiting post rate to new accounts. Spammers would, of course, cache up a million unused accounts then, and start firing them once they're old enough. But you can measure how often they've posted, and combine that with account age to get a good idea.

You can use stronger captchas too, and more difficult to solve puzzles, if people won't keep being asked to solve them beyond a certain point. Even if spammers turn their supercomputers and South Asian sweatshop workers to solving your captchas, making it harder for them costs them money and power, and all you have to do is make it not worth the trouble before they'll either run out of money, or go away.
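The counter proposed in this thread, combined with the account-age check from the post above, as an added example that is not part of any post and is not DFeed's code. The table layout, the function names, the day-number clock and the 7-day minimum age are assumptions; only the column name and the figure of 12 come from the thread.

```python
import sqlite3

TRUST_THRESHOLD = 12       # "someone solving 12 captchas" (figure from the thread)
MIN_ACCOUNT_AGE_DAYS = 7   # assumed value; the thread gives no number

def open_db():
    """Constructed in-memory schema; the real forum's tables are not shown here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, created_day INTEGER NOT NULL)")
    # The column proposed in the first post, written as valid SQL.
    db.execute("ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER NOT NULL DEFAULT 0")
    return db

def add_user(db, name, created_day):
    db.execute("INSERT INTO users (name, created_day) VALUES (?, ?)", (name, created_day))

def record_captcha_solved(db, name):
    db.execute("UPDATE users SET num_captchas_solved = num_captchas_solved + 1 "
               "WHERE name = ?", (name,))

def record_confirmed_spam(db, name):
    # "until they actually start sending spam": earned trust is revoked.
    db.execute("UPDATE users SET num_captchas_solved = 0 WHERE name = ?", (name,))

def needs_captcha(db, name, today, filter_flagged):
    """Return True if this post should be challenged with a captcha.

    filter_flagged is the external spam filter's verdict for the post.
    """
    if not filter_flagged:
        return False
    row = db.execute("SELECT created_day, num_captchas_solved FROM users "
                     "WHERE name = ?", (name,)).fetchone()
    if row is None:
        return True  # not logged in: no history to rely on
    created_day, solved = row
    # Both conditions are required, so stockpiled old accounts with no solved
    # captchas and fresh accounts that solve a quick burst are both challenged.
    trusted = (solved >= TRUST_THRESHOLD
               and today - created_day >= MIN_ACCOUNT_AGE_DAYS)
    return not trusted

if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", created_day=0)   # constructed sample user
    for _ in range(TRUST_THRESHOLD):
        record_captcha_solved(db, "alice")
    print(needs_captcha(db, "alice", today=30, filter_flagged=True))
```
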
May 25, 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
>> Akismet thinks your post looks like spam. Please solve a CAPTCHA to continue.
>
> I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

Sorry about that. I'm a bit backlogged at the moment, but I could look at a pull request if someone could put that together.

As a workaround, you could set up a news or mail client, and post via NNTP or email.

May 25, 2016
On Tuesday, 24 May 2016 at 16:36:36 UTC, cy wrote:
> On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:
>
>> One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?
>
> Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered.

Never mind, it was a bad idea, because a noob spammer can still register by hand and let his bot run afterward with the right reg info stored for this site.

I don't know what the "professional" spam programs look like, but they are probably fully automated, e.g. there is almost never anyone behind the screen. I remember a few years ago I had a BB forum and the captcha didn't prevent some spamming bots from auto-registering, though it was probably due to a security hole at that time.
May 25, 2016
On Monday, 23 May 2016 at 20:46:01 UTC, cy wrote:
> On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
>> Hmm, I almost never get that CAPTCHA, and I don't log in to the forum.  Could be something else about your profile that Akismet flags: have you tried taking it up with them?
>
> I log in here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them.

I know, I think you'd want to take the fact that they think you're a spammer up with them though. :)

> Also, they're a huge, faceless corporation that heuristically targets spammers worldwide, and I don't like the idea of my activity being profiled worldwide.

It's run by the company behind WordPress, which has less than 500 employees.  Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much.

If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you:

https://panopticlick.eff.org

> They do heuristic profiling anyway. They're not supposed to be relied upon as an ultimate authority on who's a spammer. A simple counter for how many captchas solved in a given login is way more reliable than pinging them for the answer every time.

I agree that captchas, particularly the D ones used here, are better.  The forum is OSS and written in D, you can submit a PR or at least file an issue:

https://github.com/CyberShadow/DFeed
May 25, 2016
On Wednesday, 25 May 2016 at 20:24:50 UTC, Joakim wrote:
> It's run by the company behind WordPress, which has less than 500 employees.

Okay fine, maybe it's not Procter and Gamble. But do you want to face up against 500 people and tell them to stop doing what they want?

> Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much.

It's probably because I'm running a relay program that helps people with their privacy. I'm not an exit relay or anything, but it's a good business model for tracking companies like those guys to put pressure on people who run those programs even passively, so that they can keep me from helping others have any privacy.

> If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you:

The greatest achievement of any thief is to convince you it's pointless to try and stop them from stealing. Because then you try to convince others, and in doing so you help weaken the people trying to help you, and your own attackers gain more support.

So uh, don't ever tell anyone there's no point in trying to be safe. Even if you feel like it's true. If it is true, then there's no point in you telling anyone, right?

> https://panopticlick.eff.org

Yeah, that one has never managed to get me. Use a generic user agent, disallow JavaScript, and disable cookies, and the amount of certainty they can get goes down a whole lot. What you really have to worry about is who ISPs are in cahoots with, because ISPs can track a lot of people with 100% legal certainty, without their permission or awareness. The EFF thing is a minor, paltry concern compared to that.

Another thing to worry about is when people communicate using big, powerful centralized companies, like Google or Facebook. Organizations that have money and popularity can put pressure on people like me then, spending countless man hours developing tactics to prevent me from communicating with people, unless I allow their tracking software to run.

But Panopticlick is just an idle curiosity, security-wise.

> I agree that captchas, particularly the D ones used here, are better.  The forum is OSS and written in D, you can submit a PR or at least file an issue:
>
> https://github.com/CyberShadow/DFeed

Oh, thanks. Maybe I'll do that!