Captcha is the generic name for an image-to-text confirmation system. This means that the system will generate an image that has either a word or random letters/numbers in it, and the user has to type the same text into a box to confirm they're human. Usually the text is obscured slightly - either warped, slanted or on a coloured background - as this makes it incredibly difficult for a computer program to "read" the image and distinguish the text from the background. What we humans find incredibly easy - pattern recognition - is incredibly difficult to program into a computer. Remember that you learnt to read as a child and it probably took you a few years to master it and many more years developing that skill. Computers are not that clever and most of them don't have the same experience! It's a very simple but very effective way of filtering the automated spammers (bots) from the real people. I'm not sure if this forum software has Captcha built in (most do) but if not it should be trivial to include it in the sign-up form, or to tweak the Captcha settings to make it a bit harder if bots are getting through. The other email confirmation is a given, as most bots will generate a random (nonsense) email address and therefore cannot confirm that they own that address by receiving email at it. That's just belt & braces.
The problem with the current group of spammers is that they are not bots. They are humans, who pass the current challenge questions that are set up when joining the forum. The current question is: What is the latest Ducati 1199 and 899 also called? Clue: P***gale. The user HAS to get the correct answer, and a bot cannot generate that answer form the clue. Captcha is OK, but the bots are always one step ahead and can crack captcha easier than a challenge question. I have installed anti-spam a month or so ago. It captures about 10 users day, of whom cannot get through the registration. It gets these from a known live database of spammers, checking IP addresses, emails and usernames. The problem we have is the users that create new IP addresses, new email addresses and new usernames. There is no way to prevent these people registering - as they are real people, likely getting paid pence an hour to spam websites. The only other way to register users is to manually vet every single new registration. It's way more time consuming to do this. Thanks, Rob.
This is still contentious as to whether the economics involved are viable. If you are only using one question on the sign-up form then it's as good as NO question. As soon as the answer is recorded, any script can easily use that same answer and defeat your sign-up page. If you want to have a question, you need more than one and it needs to be randomised to ensure that the same user doesn't see the same question twice, and is locked out after N-attempts. How many is your choice but 3 is plenty. I don't think that this is correct either. There have been plenty of firms claiming to have cracked Captcha but none of them have stood up to scrutiny. Weaknesses have been found in some Captcha implementations, but these have been attack vectors that are not based upon the Captcha (image identification) itself, but by using alternative methods such as subverting the session that contains the answer or through poor (weak image) implementations or other security feature. You can easily install Captcha (or ReCaptcha, etc) and run it for a day/week/month and see how many spammers get through to make a comparison. If it doesn't work, or it gets worse, then go back to your current method.
I am admin of a kawasaki forum, a couple of years back had to add manual checks of all new users they are not bots so captcha codes do not help only method we found to stop is an additional step of authentication that allows mods/admins to check details before accepting the ip can be easily checked against databases such as ipchecking.com to see if blacklisted often you can tell just by username and email address combo that it is sketchy spammers can be rejected, genuine accounts can be accepted also if you get the right plugins, the rejects can be added automatically to ip blacklists that auto block once added
