How can spammers manage to circumvent captcha?

Question

I have put captcha on my blog, I still get spammers, is there a script somewhere which allows them to do this or do they do this by hand ?

Answer 1

Some people hire people from third world countries like India to break the CAPTCHAs. They just hire them thru Mechanical Turk or oDesk. Technically, there's a way to stop this as well. Just use a geo IP service to track the location of visitors. If you get a sudden influx of visitors from a country you normally don't get visitors from, and they have an abnormal browsing pattern (like typing a CAPTCHA every 20 seconds), then it's safe to assume the visitor is someone hired to break your CAPTCHA. Sure, people can circumvent this by hiring ppl in the US or whatever, but I dunno many Americans willing to work for pennies to do such menial tasks.

Answer 2

Most of the spammers use OCR to circumvent captcha. I have launched recaptcha on my blog and have not seen not one spam message since. The down side to recaptcha is that the images are really hard to make out, I guess its hard for the spammers too.

Answer 3

Best answer I ever heard was that a spammer company hired out people in India to type in the answers. It was cheaper and more accurate than writing software.

Answer 4

It depends on what type of CAPTCHA you're using. Some methods for generating CAPTCHA challenges are easily circumvented with optical character recognition. Some methods have inherent flaws that let spammers through without ever passing the challenge.

"Secure" or "good" CAPTCHA schemes that haven't yet been beaten by automated means can still be beaten by humans. One popular technique is to let the spamming software retrieve the challenge and then display it on a different website where unsuspecting humans solve it in order to gain access to some other resource.

Finally, some spammers just enter solutions by hand, because they're just that determined to annoy you.

Wikipedia has a good article on CAPTCHAs including their circumvention.

Answer 5

It depends on the captcha, of course, but most likely it's being done by hand. If your blog is popular enough, it might be worth someone's time to go through and do it themselves, in which case...you'll just have to pay attention and delete as necessary.

Answer 6

Depends which captcha and which spammers.
some captchas are weak and easy to break, or there are a limited number of them and libraries exist. Otherwise somebody is just doing it manually, either because they really want to spam you, or they are being paid in some cheap sweatshop.

recaptcha seems to be one of the more resistant ones as used here.