Silent Captcha - working behind the scenes instead of being a barrier

**Snookerman** · 02-19-2009, 09:17 AM

I just read the 9 Common Usability Mistakes In Web Design from Smashing Magazine and this part made me wonder:

You could also use contact forms to bypass the problem of showing your email address on a page; however, you’re still likely to receive spam unless you put some good Captchas or other spam protection mechanism in place. Keep in mind that things like Captchas are barriers to user interaction and will likely degrade the user experience.

Of course I was aware of this, but now I had an idea. Wouldn't it be possible to have a silent Captcha that works behind the scenes and is not a barrier? What I was thinking is that it might be possible to recognize humans by the way they write their messages.

I don't know much (i.e. anything) about how spamming works, but I'm guessing the spam message is just inserted somehow and then sent away. A human, on the other hand, would type out the message character by character, maybe go back and make some changes, and then hit the send button.

I guess more advanced spam robots (or whatever they are) could simulate this behavior, but I'm guessing most of them can't and even those that can might not be so perfect (or rather too perfect to be human). If the human passes the test, nothing would happen, they would just have to hit send and that's it. If the test is not passed, either because it was a robot or because the human's typing tempo was too perfect, a regular Captcha could appear saying something like "We don't believe you are human, please write the word you see".

What do you think? Would this be possible? Or does it exist already? (I'm sure heaps of people have thought of this but after some searching I found nothing).

**JVposter** · 02-20-2009, 02:28 PM

Originally Posted by Snookerman

I just read the 9 Common Usability Mistakes In Web Design from Smashing Magazine and this part made me wonder:

Of course I was aware of this, but now I had an idea. Wouldn't it be possible to have a silent Captcha that works behind the scenes and is not a barrier? What I was thinking is that it might be possible to recognize humans by the way they write their messages.

I don't know much (i.e. anything) about how spamming works, but I'm guessing the spam message is just inserted somehow and then sent away. A human, on the other hand, would type out the message character by character, maybe go back and make some changes, and then hit the send button.

I guess more advanced spam robots (or whatever they are) could simulate this behavior, but I'm guessing most of them can't and even those that can might not be so perfect (or rather too perfect to be human). If the human passes the test, nothing would happen, they would just have to hit send and that's it. If the test is not passed, either because it was a robot or because the human's typing tempo was too perfect, a regular Captcha could appear saying something like "We don't believe you are human, please write the word you see".

What do you think? Would this be possible? Or does it exist already? (I'm sure heaps of people have thought of this but after some searching I found nothing).

A spammer can easily make a program easily which complete automatically all fields from a form except capcha code so i think that the capcha do not eradicate the spam atoll.

**Snookerman** · 02-20-2009, 02:41 PM

I don't think you understood my post, please read it again.

**traq** · 02-20-2009, 03:34 PM

Snooker:
that's actually a cool idea. I'm also not sure if it would work (it would have to involved reporting the user's keystrokes somehow, or something similar, so I suspect it could be viewed as a security risk), but it's neat idea.

**Twey** · 02-20-2009, 07:14 PM

A spammer can easily make a program easily which complete automatically all fields from a form except capcha code so i think that the capcha do not eradicate the spam atoll.

In that case the email is not sent.

Of course I was aware of this, but now I had an idea. Wouldn't it be possible to have a silent Captcha that works behind the scenes and is not a barrier? What I was thinking is that it might be possible to recognize humans by the way they write their messages.

I don't know much (i.e. anything) about how spamming works, but I'm guessing the spam message is just inserted somehow and then sent away. A human, on the other hand, would type out the message character by character, maybe go back and make some changes, and then hit the send button.

It's an idea, but it has a high rate of false positives (some users might want to copy/paste a whole message) and false negatives (a spammer could program their bot to randomly pause between each character and make 'mistakes', but since this seems like it would need to be client-side they could just simulate the script with an acceptable value anyway).

Some sites attempt to recognise spam by the content of the messages, but this has its problems too — YouTube will not accept Lojban comments unless we use implicit pauses, since it views the relatively high number of '.' characters as an indicator of spam (?!).

**Snookerman** · 02-20-2009, 08:47 PM

It's true that there would be errors, but surely, this should stop most of the basic spammers, shouldn't it? Of course, robots could be built to try to simulate humans as much as possible but that would require extra work and the more time the spammers would have to improve their robots, the more time for the silent captcha to learn how to find them better.

An example would be the 20 questions site. In the beginning, it was very bad at guessing the word but after some learning it is now much better than most humans. The silent captcha could work in the same way, learning something after every single usage. There are so many things to look at, the tempo, the words used, the content of the message, etc. There could even be a correlation between the language and the probable type of keyboard the user has, thus the difference in time between different letters. If this silent captcha would be used by several sites (like reCAPTCHA), the statistics could be sent to a database that would just continue learning. The spammer would have to put a lot of work into building robots that can beat it.

False negatives, like the user copying and pasting could be avoided since the user must type at least some text. If a human just copies and pastes text and sends it, odds are it's a human spammer. Also, like I mentioned before, if the silent captcha believes the user is not human, it could output a regular captcha which the falsely accused humans could use to prove themselves.

I believe this would be possible in a not so distant future.

**Twey** · 02-20-2009, 10:44 PM

But it still has to listen on the client-side, which means that it can simply be disabled.

**Snookerman** · 02-20-2009, 10:56 PM

One solution would be to use a regular captcha and remove it with the silent captcha. If the user disables it, boom: the regular captcha comes back. Take that R2D2

**Twey** · 02-21-2009, 12:13 AM

The user can submit a value that makes the server think they've been accepted by the silent CAPTCHA or just modify the client-side portion to always return true.

Thread: Silent Captcha - working behind the scenes instead of being a barrier

Thread Tools

Search Thread

Silent Captcha - working behind the scenes instead of being a barrier

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions