captcha / turing tests

figure this would be a good topic of discussion.. how would you implement a captcha test, to distinguish the difference between humans and computers?

the most popular method is alpha-numeric distorted images which are effective to an extent, yet sometimes very difficult even for humans. i've also seen photographic images used, "select the pony" for example, more user friendly perhaps but not quite as effective since those images could easily be indexed.

anyone know of or have any different solutions?

edit: one idea that came to mind... if you were to have an image that draws several dots at random locations, store the positions of those dots in a session variable, then ask the user to click 2 or 3 specific dots and verify where they clicked using javascript, and then verify it on the server using an asyncronous method or something else.. assuming javascript is required in order to submit the form. can anyone think of a way to spoof that? specifically, the mouse cursor position and left-click?

couldn't you go higher level than just hitting the browser page, have a program, say written in C, that hooks into the browser, gets the captcha image, finds where the dots are, calculates its position on the page, and just pump messages through to the browser simulating the mouse moving to that position and clicking? That would stop simple script automations I think, but if you went a little higher level than just loading the page, then I could see that being easy enough to spoof... That would allow the javascript and everything run, and there would be no real way to tell it wasn't a human clicking around... perhaps?

how about useragent matching?

most bots are known (or recognizable) by useragent. maybe a combination of usreagent/userinteraction can be used? userinteraction can be any of the ideas in the earlier posts.

Offcoarse as with all spam filter methods its just a matter of time before the useragent is not usable anymore but hey. captcha is broken too.

googlebots often surf as "firefox". Faking the user-agent is afaik not a big deal, but one line of code.
Interesting topic btw.
I think, that nearly every TuringTest for the web can be broken. For creating safer turing tests, i guess one has to exploit the difficulties of AI dealing with semantics, and Natural Language. therefore it would be an idea to switch from images to sounds, liek a soundfile saying "enter the word submit into this field".
what however is an interesting thing, is that in contrast to the original turing test, it's now a computer, that has to decide, on the basis of the TT, whether he's focusing a human or a computer
The purpose of captchas, and the like, however is not to umtimately distinguish machines and humans, but to increase the effort that needs to be invested, too a degree, where it is beyond the use.
This should still be possible with captchas. i think at the moment, stupid things like

would do the job as well. we'll see how long

the best sollution would be to pass a antispam act which prevents spammers to go online

This would be great. But apart from the issue of how to identify a spammer, i fear that these spamming criminals have more power and influence, that we imagine.
Did you hear of the fate of blueSecurity?
The invented blueFrog, a very efficient antispam software.
BlueSecurity lately suffered from massive continuing DDoS attacks, which at the end their hoster could not cope with. Finally BlueSecurity quit the business.
This demonstrates the power and the influence these f***ing spammers have in a very frightening way imho...

very true, spammers own the world in a way

sadly enough...

anyway, i still think a combination of things would work better than just to have someone enter a captcha code, or point some things or whatever antispam measures there are now.

Maybe useragent filtering isnt sufficient, but there must be ways to identify a spammer.