Has my 3 letter CAPTCHA been hacked?

Last night I was minding my own business, cutting some code, when the blog comments started to race in. But rubbish spam comments, not real ones.

I haven't had a big problem with spam since installing a simple CAPTCHA on my comments and contact forms, and where my previous spam:real ration was about 10:1 it's now more like 1:10 - which is great.
At the time I installed the CAPTCHA, I opted for a 3 letter CAPTCHA that wasn't case sensitive, to make life easier for my visitors. I said that when the robots managed to break the CAPTCHA, I'd have to increase it to more letters or make it more complex.

3 letter CAPTCHA image

I'm not 100% sure the spam last night was automated - there were only 20 or so messages over the course of 5 minutes before I turned off commenting for the night. This would be possible to do by hand I guess, though the comments themselves looked rather inane, in some places copy-pasting content from the blog post and using it in the comment (which would probably almost work if I didn't remember writing that exact text in the blog post).

What to do next

So, I'm going to turn comments on again and see how things go for a while.
I probably need to get cracking on writing an AKISMET plugin for Jojo CMS, as I hear Wordpress users rave about how good that thing is for stripping spam comments.
After that' I'll look at other ways to make the comments harder to spam, which will probably include rate limiting, a harder CAPTCHA or a sandbox before comments go live.

To the spammer

For crying out loud, getting a live comment link on this blog not that hard.
  • Read one of my posts.
  • Post a comment that adds value to the post overall.
  • Make sure the website you want linked to isn't MFA shit.

That's all really. Assuming this spam wasn't automated, I'm pretty sure the time required to spam is more than the time required to simply leave a decent comment.
Digg StumbleUpon del.icio.us technorati blinklist furl reddit sphinn

Tags: spamcaptchacaptcha spam