Got a request with a list of questions from Business to investigate the possibility of integration Google reCaptcha with our Site and one of the questions is:
How many tries of the puzzle does user get?
and the second one:
What happens if the user fails the puzzle as many times as it is allowed to attempt?
I spend a few hours to find the proper answers to the questions above and unfortunately, I didn't get success. No required information on official site, Google Search did not help as well.
Google reCaptchas do not have a default "unsuccessful attempt limit" and I'm not aware of any option set one up. Captchas are not intended to turn away humans (or hackers), regardless of how many tries it take.
Captchas (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") are unnecessary unless your site is at risk of excessive scraping or automated spam.
Invisible Captcha's seem to be the preferred choice nowadays, to reduce user annoyance with the security feature.
Here are links to:
Google's reCaptcha demo
Google's Invisible reCaptcha demo
FunCaptcha Verification by Puzzle
21 Free CAPTCHA Sources
Related
After reading through the documentation, i understand that recaptcha makes it difficult for the bots to do a form submission. This reduces spam for sure.
Apart from this, is there other advantage of using recaptcha?
Some articles were indicating that from a proxy or a virtual machine(for the first time), recaptcha is triggered. But is this really needed or rather what is the advantage of this?
Also, whether recaptcha does something to prevent bots crawling the website? I do not think that might be a case because this may affect search engine crawlers also.
From the documentation, "reCAPTCHA protects you against spam and other types of automated abuse." what are the other types of automated abuses in this context?
Well it doesn't matter if the bot is friendly or malicious. Some webmasters don't want bots on their website, and some bots do not respect robot.txt that would tell the bots to keep off their lawn. Besides, web crawlers should not be on the pages that require the user to post information about themselves.
To quote the website, "reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems."
I'm trying to get reCaptcha working on my website.
I found out I have to register my domain for this first, since I already have a google account this is quite easy, but the very last checkbox made me think:
How does google determine who the owners are?
And what kind of alerts will those be? E-Mails?
I'm a bit worried that some random person will get an E-Mail one day not knowing what to do with it since I'm not the only one working on that domain. And if they just mean my google account I'm registering this with...that doesn't make sense because they should've written "you" instead of owners then. - although your site is making this even more confusing. :D
I'm aware this is not directly a programming question.
I'm open for suggestions for a better Stack-exchange platform to ask this question at, there are too many - I couldn't find any other that seem to fit.
In the reCAPTCHA admin settings, there is a textbox where you can enter a list of email addresses for owners. This will grant them access to manage the reCAPTCHA settings and send them alerts, if enabled.
I'd like to be able to use site comment features on sites that use the Facebook Comments Social Plugin. When I'm logged in to Facebook, I see my profile picture next to the comment box and I can see other comments if any have been made.
When I make a comment, it shows up right away, but doesn't seem to register publicly. If I log out of Facebook, my comment disappears.
More information is coming to light, as well (added March 26, 2013). There are several people affected by this bug who have attempted to get help on Facebook with the issue, so far withouth success.
After I added a fake app to my Facebook developer profile, I was able to post a bug to Facebook, however it has been since closed without being resolved.
Since Facebook comments are now being used as the exclusive online interaction method by several news media outlets, this problem means that some Facebook users are disempowered from being part of the community discussion of news of the day. Does Facebook wish for that to be?
Over time and in conversations with many people, I've learned more about this issue. From the perspective of websites which host the comments plugin, I've learned that comments from certain users, not on the site banned list, are automatically queued by Facebook for moderation.
Also, I recently ran across an answer here on Stack Overflow that indicates that "Fresh" Facebook accounts are designed to be held for moderation in the Comments Plugin, presumably to prevent someone who has just created a Facebook account from using the new account to post spam comments on other websites. I wouldn't consider my account "Fresh" but it is still less than a year old. In the Facebook response which closes the website report they state "The affected user you added to the report has no friends and we suspect the user to be fake and request moderation. This is by design." While it is understandable that Facebook wants to limit the potential for fake users to post in these comments, this metric apparently also snares legitimate users.
Q.Mark, I strongly recommend that site owners not use the Facebook Social Plugin to support commenting on their sites, unless they want to annoy visitors.
Facebook uses an Orwellian blacklist/censorship model which prevents many people from posting comments. Users get no explanation for why their comments won't post. Rather, it's made to look like a malfunction of the web site, and it is only apparent after the users waste their time composing a comment.
There's discussion of the problem here (among many other places):
https://www.facebook.com/help/community/question/?id=10200248881692914
(Copy saved here:
http://burtonsys.com/Why_cant_I_post_comments_on_sites_that_have_the_facebook_social_plugin.pdf )
A FB "Like" button is useful, but site owners should not use Facebook to support comments. Use Disqus, or LiveFyre, or anything else besides Facebook.
(I realize this doesn't solve your problem, sorry! But perhaps if enough site owners dump Facebook for comments then Facebook will stop what they're doing.)
I was able to post a comment, but it didn't show up on my profile even though share on fb was enabled.
To submit a bug, all you need to do is go to developers.facebook.com/bugs and start typing something in the search field, and you'll see an option to create a bug report from there.
I am researching whether the following is possible and if so how I could go about achieving it.
We collect reviews for businesses from their customers and we’d like to post these reviews to Google places as part of the reviews they have on their.
I was wondering how I would go about getting our website to “push” this data to the Google places website, I’ve done lots of searching on the APIs but have found nothing that says it’s possible or not.
Currently the Google Places API does not have write capability. It only has read capability. Right now only ratings are available, but I suspect reviews might come someday too.
Although you can send check-in signals and fix Places through the API. Hopefully Google will add the ability to send reviews and receive them.
If you're looking to get your content added to Google, you may want to talk to their content partnerships teams http://www.google.com/support/mapcontentpartners/
Since Google's local and maps initiatives are under the same people that would be the place to go.
I too looked into this as it would be of huge value to companies if possible.
My research led me to believe that it is not possible and could possibly violate Google's TOA with negative results for the company's Places page.
Instead, I built a workaround that makes it really easy for companies to collect feedback and get their own customers to submit the reviews: http://dallasmarketingservices.com/survey-local-unveiled-how-online-reviews-affect-your-local-business/
Maybe we will see this in the future though.
I employ email validation to grant people full use of the site. The trouble is, sometimes these emails get spam-boxed, or never arrive, so I get many people complaining that they cannot confirm their account.
Was wondering if there are other (creative) ways to offer secondary validation option to users who didnt get the validation. Its a free site, so I dont want to ask for credit cards, or mobile #s.
The purpose of this is to make abuse of the site less rampant, since we ban a lot of people, and they come back with dozens of accounts to prove something. Spam/robot registrations are not an issue (right now).
What we started doing recently was letting members send us an email to a special email address. We give them a hash code, and all they have to do is put that code somewhere in the subject or the body of the email, and send it to us. We have a cron job running in the background that gets those emails, parses the subject/body looking for the hash, and if found activates the account.
It doesn't work 100%, because some ISPs also block their users from sending us emails, but no solution would work 100%.
Based on your comment in Rob S.' answer, it sounds more like you want to identify situations where the same browser is creating multiple accounts rather than confirm that what's at the other end is human.
Dropping a cookie in the user's browser can be very helpful in finding the repeat offenders, especially those not savvy enough to clear their cookies or visit while in private mode. Some forum software like vBulletin does this and can notify the administrators when it happens.
Another alternative might be browser fingerprinting, which is where you use a bunch of the information provided in the HTTP exchange. An example of this is the EFF's Panopticlick.
Just got a "fun" new way to annoy your banned people a bit.
once you ban them (I guess you close the account and ban the IP). Then log their browser agent string with their IP and screen resolution.
If there is a match when showing the website to them. Just remove the registration link/page. Dont even show the link to the page, as it might piss them off. Dont explain why its gone. Just keep it gone, eg. for 3 weeks or 2 month.
That way they dont have a cookie on the browser to remove, they cant find the registration so they cant know WHY they cant make a new account.
Secondly, if on a school or something (dont know how old they are), the other existing users will still be able to login to their accounts as its ONLY registration that has been removed. Not login.
How about that? is that clever enough?
Basically what you're looking to do is separate the humans from the robots. There are two primary ways to do this:
1) Require users signing up to check boxes and type a word spelled out in an image captcha. These are usually very difficult tasks for a computer to complete.
2) Allow users to sign-up using their account from a different site such as OpenID or Google assuming that anyone who has one of these accounts is a real person.
I recommend combining both methodologies.
Good luck!
There are unlimited ways of doing this.
You mention mobiles and free, but if you have access to a SMS-gateway, you can receive SMS-messages for free (but might need to pay some sort of monthly subscription though). But show a dynamically generated code the the current user. Store this code in "his session" and do an ajax check each 15-30 sec to see if the sms-code was received by the gateway. If so, accept the account and let them registrate. This would requiere the gateway + your users to have a personal mobile. Enough about mobiles...
Make a question or more that is randomly generated. Use pictures/tokens instad of tekst so that the user has to press the correct image in correct order to perform some sort of answer.
Could be like a jackpot-machine with 3 cells where the images are randomly placed and generated inside dynamic named files, so that robots cant analyse the names to guess the right answer.
You mention e-mails to be easy to spoof. Yes indeed, but what if the emails would come lets say each week containing some sort of "important info" that the user would need to read/use on the website to continue. Once the account hasnt been used for a certain time (lets say 3 month, kill it)... and you could also say to have a "free account" you must accept that we send you 1 mail pr. month that you need to activate within 1 week. If you dont, we are free to close/delete your account details.
... and many more
I dont know what you want to "protect", but if its for gaming, then dont let the gamers have "extra levels/weapons" until they have provided a certain amount of these codes OR paid for access OR validated by phone or something.
Thats my first 3 ideas, I think the possibilities are unlimited. The main issue here is, make it too hard to validate yourself and the users go away unless your site is REALLY worth it.
You might think of the much used "Free forever (but limited)" approach way of selling stuff these days on the net. The users can make as many accounts they want, but the licens is still only "single/small/basic". Once you get more experienced, you get more features or you might just upgrade by paying... at this time you know WHO is real and WHO isnt.
My point is, dont over protect. Just design with the mind of spammers will always find a way in, no matter how good you protect it. Those giving up first are your real users/customers.
I would rather spend time on making this product/website/game so great that EVERYONE wants to pay for an account after a while.
Lastly from real life... there are COMPANIES in China with kids employeed to play World of Warcraft with one purpose. Harvest virtual gold and sell it on Ebay to other western players who pays with real dollars. Its not allowed according to the gamelicens and their accounts/gameslicenses are constantly getting banned. But it gives them so much income so they have calculated with this and they just buy new licences and continue.
So if EVEN Blizard(WoW creators)
doesnt have enough power/money to keep
fakes out of the game, how do you
expect to do much better? :o)
Usefull answer?