digitalmars.D - Could forum.dlang.org remember how many captchas I filled out?

reply cy <dlang verge.info.tm> writes:
 Akismet thinks your post looks like spam. Please solve a 
 CAPTCHA to continue.
I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;

I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice. You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)

Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.
May 23 2016
next sibling parent reply Joakim <dlang joakim.fea.st> writes:
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
 [...]
I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of: [...]
Hmm, I almost never get that CAPTCHA, and I don't log in to the forum. Could be something else about your profile that Akismet flags: have you tried taking it up with them?
May 23 2016
parent reply cy <dlang verge.info.tm> writes:
On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
 Hmm, I almost never get that CAPTCHA, and I don't log in to the 
 forum.  Could be something else about your profile that Akismet 
 flags: have you tried taking it up with them?
I log in here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them. Also, they're a huge, faceless corporation that heuristically targets spammers worldwide, and I don't like the idea of my activity being profiled worldwide. They do heuristic profiling anyway. They're not supposed to be relied upon as an ultimate authority on who's a spammer. A simple counter for how many captchas solved in a given login is way more reliable than pinging them for the answer every time.
May 23 2016
parent reply Joakim <dlang joakim.fea.st> writes:
On Monday, 23 May 2016 at 20:46:01 UTC, cy wrote:
 On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
 Hmm, I almost never get that CAPTCHA, and I don't log in to 
 the forum.  Could be something else about your profile that 
 Akismet flags: have you tried taking it up with them?
I log in here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them.
I know, I think you'd want to take the fact that they think you're a spammer up with them though. :)
 Also, they're a huge, faceless corporation that heuristically 
 targets spammers worldwide, and I don't like the idea of my 
 activity being profiled worldwide.
It's run by the company behind WordPress, which has less than 500 employees. Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much. If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you: https://panopticlick.eff.org
 They do heuristic profiling anyway. They're not supposed to be 
 relied upon as an ultimate authority on who's a spammer. A 
 simple counter for how many captchas solved in a given login is 
 way more reliable than pinging them for the answer every time.
I agree that captchas, particularly the D ones used here, are better. The forum is OSS and written in D, you can submit a PR or at least file an issue: https://github.com/CyberShadow/DFeed
May 25 2016
parent reply cy <dlang verge.info.tm> writes:
On Wednesday, 25 May 2016 at 20:24:50 UTC, Joakim wrote:
 It's run by the company behind WordPress, which has less than 
 500 employees.
Okay fine, maybe it's not Procter and Gamble. But do you want to face up against 500 people and tell them to stop doing what they want?
 Maybe they could sort out why this is hitting you so hard, when 
 it doesn't affect others as much.
It's probably because I'm running a relay program that helps people with their privacy. I'm not an exit relay or anything, but it's a good business model for tracking companies like those guys to put pressure on people who run those programs even passively, so that they can keep me from helping others have any privacy.
 If you don't want to be profiled, you shouldn't use the web, as 
 it's not hard to track you:
The greatest achievement of any thief is to convince you it's pointless to try and stop them from stealing. Because then you try to convince others, and in doing so you help weaken the people trying to help you, and your own attackers gain more support. So uh, don't ever tell anyone there's no point in trying to be safe. Even if you feel like it's true. If it is true, then there's no point in you telling anyone, right?
 https://panopticlick.eff.org
Yeah, that one has never managed to get me. Use a generic user agent, disallow JavaScript, and disable cookies, and the amount of certainty they can get goes down a whole lot. What you really have to worry about is who ISPs are in cahoots with, because ISPs can track a lot of people with 100% legal certainty, without their permission or awareness. The EFF thing is a minor, paltry concern compared to that. Another thing to worry about is when people communicate using big, powerful centralized companies, like Google or Facebook. Organizations that have money and popularity can put pressure on people like me then, spending countless man hours developing tactics to prevent me from communicating with people, unless I allow their tracking software to run. But Panopticlick is just an idle curiosity, security-wise.
 I agree that captchas, particularly the D ones used here, are 
 better.  The forum is OSS and written in D, you can submit a PR 
 or at least file an issue:

 https://github.com/CyberShadow/DFeed
Oh, thanks. Maybe I'll do that!
May 25 2016
parent Joakim <dlang joakim.fea.st> writes:
On Wednesday, 25 May 2016 at 21:52:40 UTC, cy wrote:
 On Wednesday, 25 May 2016 at 20:24:50 UTC, Joakim wrote:
 It's run by the company behind WordPress, which has less than 
 500 employees.
Okay fine, maybe it's not Procter and Gamble. But do you want to face up against 500 people and tell them to stop doing what they want?
If they're part of a company that's trying to put out a good service that will help you rather than hinder you, yes.
 Maybe they could sort out why this is hitting you so hard, 
 when it doesn't affect others as much.
It's probably because I'm running a relay program that helps people with their privacy. I'm not an exit relay or anything, but it's a good business model for tracking companies like those guys to put pressure on people who run those programs even passively, so that they can keep me from helping others have any privacy.
I doubt they're against Tor or whatever relay you're using, but it may be the cause.
 If you don't want to be profiled, you shouldn't use the web, 
 as it's not hard to track you:
The greatest achievement of any thief is to convince you it's pointless to try and stop them from stealing. Because then you try to convince others, and in doing so you help weaken the people trying to help you, and your own attackers gain more support. So uh, don't ever tell anyone there's no point in trying to be safe. Even if you feel like it's true. If it is true, then there's no point in you telling anyone, right?
I wouldn't call it stealing, more like casing, ;) but yes, it is impossible to stop that without going to extreme measures, no matter how much you'd like it to be otherwise. I appreciate that some will go to extreme measures, and it's good that those options are there for them, but it doesn't sound like you yourself are doing so.
 https://panopticlick.eff.org
Yeah, that one has never managed to get me. Use a generic user agent, disallow JavaScript, and disable cookies, and the amount of certainty they can get goes down a whole lot. What you really have to worry about is who ISPs are in cahoots with, because ISPs can track a lot of people with 100% legal certainty, without their permission or awareness. The EFF thing is a minor, paltry concern compared to that.
Disabling JavaScript will help a lot, but the number of sites you can use goes way down with it. Of course, as you say, ISP tracking data can always be sold too.
 Another thing to worry about is when people communicate using 
 big, powerful centralized companies, like Google or Facebook. 
 Organizations that have money and popularity can put pressure 
 on people like me then, spending countless man hours developing 
 tactics to prevent me from communicating with people, unless I 
 allow their tracking software to run.
Yeah, I don't use any of those; I was talking about tracking and fingerprinting that goes on outside those central services.
 But Panopticlick is just an idle curiosity, security-wise.
When they first put that site up, I was surprised how easy it was for them to fingerprint your browser even with cookies disabled, just by using all the identifying info your browser sends. With all the tracking ads and pixels embedded in practically every website these days, it's not hard for them to track you and I've seen advertiser presentations on how they're actively doing so. It's the price of a "free" web.
May 25 2016
prev sibling next sibling parent jmh530 <john.michael.hall gmail.com> writes:
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
 I've filled out one of these for every post I've made here.
I often get a CAPTCHA when I'm using a VPN at home.
May 23 2016
prev sibling next sibling parent reply Basile B. <b2.temp gmx.com> writes:
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
 [...]
I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;

I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice. You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)

Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.
One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?
May 24 2016
parent reply cy <dlang verge.info.tm> writes:
On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:

 One thing that could be done is to disable the spam checker 
 when the user is registered. As a counterpart, registering must 
 be very strong: image captcha + text captcha + guess the code 
 result + ?
Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered. But what can be done is adding a counter of every time a captcha is filled out correctly. Once they've done that enough, no prompt to guess the code again. Then you wouldn't have to arbitrarily decide what a "strong" challenge is and just hope that it's solvable, and nobody circumvents it. Instead, you could continue to challenge them after registering, and you can record their success in stages.

There are other tricks you can use to make life harder for spammers. Tracking how long people have had their accounts for instance, and only showing captchas and limiting post rate to new accounts. Spammers would, of course, cache up a million unused accounts then, and start firing them once they're old enough. But you can measure how often they've posted, and combine that with account age to get a good idea.

You can use stronger captchas too, and more difficult to solve puzzles, if people won't keep being asked to solve them beyond a certain point. Even if spammers turn their supercomputers and South Asian sweatshop workers to solving your captchas, making it harder for them costs them money and power, and all you have to do is make it not worth the trouble before they'll either run out of money, or go away.
May 24 2016
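Added example, not part of the thread and not DFeed's code: one way the per-account counter from the first post could be combined with the account-age and post-count checks described in the post above. The table layout, the function names and the 7-day / 5-post limits are assumptions made for illustration; only the threshold of 12 solved captchas and the reset once an account starts sending spam come from the thread.

```python
import sqlite3
from datetime import datetime, timedelta

CAPTCHA_TRUST_THRESHOLD = 12          # figure suggested in the thread
MIN_ACCOUNT_AGE = timedelta(days=7)   # assumed value, not from the thread
MIN_POSTS = 5                         # assumed value, not from the thread

def open_db():
    """In-memory stand-in for the forum's user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        name TEXT PRIMARY KEY,
        created_at TEXT NOT NULL,
        num_posts INTEGER NOT NULL DEFAULT 0,
        num_captchas_solved INTEGER NOT NULL DEFAULT 0)""")
    return db

def add_user(db, name, created_at):
    db.execute("INSERT INTO users (name, created_at) VALUES (?, ?)",
               (name, created_at.isoformat()))

def needs_captcha(db, name, flagged_by_filter, now):
    """True if this post must be held behind a CAPTCHA."""
    if not flagged_by_filter:            # the spam filter did not flag the post
        return False
    row = db.execute("SELECT created_at, num_posts, num_captchas_solved "
                     "FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:                      # not logged in: no history to trust
        return True
    created_at, num_posts, solved = row
    old_enough = now - datetime.fromisoformat(created_at) >= MIN_ACCOUNT_AGE
    trusted = (solved >= CAPTCHA_TRUST_THRESHOLD and old_enough
               and num_posts >= MIN_POSTS)
    return not trusted

def record_post(db, name, solved_captcha):
    """Count an accepted post, and the CAPTCHA solved for it if there was one."""
    db.execute("UPDATE users SET num_posts = num_posts + 1, "
               "num_captchas_solved = num_captchas_solved + ? WHERE name = ?",
               (int(solved_captcha), name))

def record_confirmed_spam(db, name):
    """A moderator confirmed spam: trust is revoked and must be earned again."""
    db.execute("UPDATE users SET num_captchas_solved = 0 WHERE name = ?", (name,))
```

Because the trust decision also looks at account age, an account registered yesterday keeps getting challenged even after 12 solved captchas, which covers the stockpiled-accounts case raised in the post.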
parent Basile B. <b2.temp gmx.com> writes:
On Tuesday, 24 May 2016 at 16:36:36 UTC, cy wrote:
 On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:

 One thing that could be done is to disable the spam checker 
 when the user is registered. As a counterpart, registering 
 must be very strong: image captcha + text captcha + guess the 
 code result + ?
Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered.
Never mind, it was a bad idea, because a noob spammer can still register by hand and let his bot run afterward with the right reg info stored for this site. I don't know what the "professional" spam programs look like, but they are probably fully automated, e.g. there is almost never anyone behind the screen. I remember a few years ago I had a BB forum and the captcha didn't prevent some spamming bots from auto-registering, though it was probably due to a security hole at that time.
May 25 2016
prev sibling parent Vladimir Panteleev <thecybershadow.lists gmail.com> writes:
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
 Akismet thinks your post looks like spam. Please solve a 
 CAPTCHA to continue.
I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:
Sorry about that. I'm a bit backlogged at the moment, but I could look at a pull request if someone could put that together. As a workaround, you could set up a news or mail client, and post via NNTP or email.
May 25 2016