Turing tests, TinyTuring, spammers and you

How cool is this? TinyTuring by Kevin Shay of STAGGERnation is a plugin for Movable Type that’s inspired by — wait for it — the incredibly hacky (but deadly effective) stopgap antispam measure I threw together back in 2004 in a fit of pique at the injustice of it all.

The advantage of using TinyTuring: You no longer have to hack Movable Type’s code. The disadvantage: It’s not really a Turing Test. If the plugin takes off, then there are ways in which the dedicated spammer could generate scripts that circumvent TinyTuring’s defences.

The first weakness is that the answer is a single letter. That’s 26 possible answers. Faced with a brute-force automated script aimed at TinyTuring, one in 26 automated comments would still get through. That’s good, but thousands of automated comment spams per day divided by 26 is still not zero.

The second weakness is that the answer — the letter — has to be listed as part of the question. An enterprising spammer might reverse social-engineer typical sentences and notice that most people use the default MTTinyTuring tag, which allows a trivial parsing solution, or else he might look for one-letter words and try just those. In any case, a typical sentence uses significantly fewer than 26 unique letters, so the odds can be made better than one in 26 — just by trying all the unique letters used in the sentence. Another very clever strategy would be to compare successive iterations of the question, and latch on to the one element that changes randomly.

My own original Turing Test questions were indeed of the type “Type the letter F”, but I quickly switched over to questions where the answer does not appear in the text, because spammers did catch on. Now, I use questions such as “How many letters ‘o’ in the word ‘Google’? (Type a digit)” or “Who is the father of evolution? (Hint: Charles ___ . Just his last name, thanks)”. I have found these to be invincible to scripts (and stupid people). They aren’t possible with TinyTuring, because we don’t know beforehand what the (random) answer will be for which we have to ask a question.

My original hack’s repellent effect is the promise that every time a spammer invests time on my blog to manually answer a one-of-a-kind question that no machine can answer (with a view to hardcoding that answer into a script aimed at just my blog) I will change it. This works because I care about my blog more than the spammer does. Manual spamming just isn’t economical.

A suggestion for TinyTuring 2.0, then: Make a mini content management system for question/answer pairs which we individual bloggers write ourselves. If a spammer figures out the current question/answer pair, we just replace it with a new one. A further refinement would be to rotate the question/answer pair automatically after a random number of accepted comments. That should really infuriate spammers, even on high-traffic sites.
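The rotating question/answer store suggested above, as an added example that is not TinyTuring's or Movable Type's code: a hypothetical `RotatingChallenge` class serves one pair at a time, compares answers in constant time, and moves to a different pair after a random number of accepted comments, so an answer harvested by hand stops working on its own. The first two question/answer pairs are the post's own; the third is constructed for the example.

```python
import hmac
import random

# Question/answer pairs whose answers cannot be parsed out of the question.
# The first two are the post's own examples; the third is constructed here.
QA_PAIRS = [
    ("How many letters 'o' in the word 'Google'? (Type a digit)", "2"),
    ("Who is the father of evolution? (Hint: Charles ___ . Just his last name, thanks)", "darwin"),
    ("What colour is the sky on a clear day? (One word)", "blue"),
]

def normalise(answer: str) -> str:
    """Trim and lower-case so 'Darwin ' still counts as a correct answer."""
    return " ".join(answer.strip().lower().split())

class RotatingChallenge:
    """Hypothetical rotating question/answer gate (the 'TinyTuring 2.0' idea).
    One pair is active at a time; each accepted comment spends one unit of a
    random budget (min_uses..max_uses). When the budget is spent a different
    pair becomes active, so a hand-harvested answer only works for a while."""

    def __init__(self, pairs, min_uses=5, max_uses=20, rng=None):
        if len(pairs) < 2:
            raise ValueError("need at least two pairs to rotate between")
        self.pairs = list(pairs)
        self.min_uses, self.max_uses = min_uses, max_uses
        self.rng = rng or random.SystemRandom()
        self.index = self.rng.randrange(len(self.pairs))
        self.remaining = self.rng.randint(min_uses, max_uses)

    def current_question(self):
        """(question id, question text) to embed in the comment form."""
        return self.index, self.pairs[self.index][0]

    def rotate(self):
        """Switch to a different pair and draw a fresh accepted-comment budget."""
        self.index = self.rng.choice([i for i in range(len(self.pairs)) if i != self.index])
        self.remaining = self.rng.randint(self.min_uses, self.max_uses)

    def submit(self, qid: int, answer: str) -> bool:
        """Accept only a correct answer to the active question; a form built
        against a pair that has since rotated out is rejected outright."""
        if qid != self.index:
            return False
        expected = normalise(self.pairs[qid][1]).encode()
        if not hmac.compare_digest(normalise(answer).encode(), expected):
            return False
        self.remaining -= 1
        if self.remaining == 0:
            self.rotate()
        return True
```

The question id returned by `current_question()` is what the comment form must carry back, so the check is always made against the pair the visitor actually saw.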

But in any case, thanks for the thanks, Kevin. I should vanity surf more often :-)

2 thoughts on “Turing tests, TinyTuring, spammers and you”

  1. > [you] should vanity surf more often
    Shouldn’t it be vanity-dash-surf (i.e. with a hyphen) instead? Incidentally, it’s a pretty good and concise term for said hitherto largely-unnamed vanity-activity ;-))
    /strong-on-dashes-i-am/

  2. Well, thanks for the thanks for the thanks… I actually meant to email you directly after I released the plugin.
    Your comments about TinyTuring’s limitations are all valid. Although I did build in an extra safeguard aimed at preventing the “try all 26 letters” brute-force attack: the plugin requires a submitted comment form to have not only a field with the correct letter entered, but a hidden field whose name is an encrypted string based on the letter and a two-character code that the blog owner can set through MT. So the brute-force script would have to not only “guess” the correct letter but the correct two-letter code to generate the encrypted string, making it quite a bit more difficult.
    Of course, all this is moot if the spamming script simply looks at the HTML code for the page and extracts the encrypted string. I haven’t yet seen or heard any evidence that this is happening, maybe because not that many people are using TinyTuring. 🙂
    There is a different plugin that appears to use something like the question/answer approach you suggest, Jay Allen’s Comment Challenge.
