Captchas: Computer Tests Can Defeat Spam

Computerworld - On the Internet, nobody knows you're a dog. Or a rogue robot program stealthily gathering personal information from chat rooms or registering for thousands of free e-mail accounts from which to blast out spam.

One way to stymie such bots is to use a captcha. Short for "completely automatic public Turing test to tell computers and humans apart," a captcha is a program that can generate and grade tests that are easy for humans to solve but very difficult for computers to crack.

Examples include words that have been precisely distorted by computers, images overlaid with other images or audio clips with background noise.

By including a captcha as part of the registration process for a free e-mail account, for instance, it would be relatively easy to establish whether the registrant is a human or a robot program.

"The human visual system and all of our experience in reading makes it possible to read images of text which computer vision systems at their best cannot do reliably," explains Henry Baird, a principal scientist at Palo Alto Research Center Inc. (PARC) in California.

The concept of using programs like captchas to deal with bots and spam on the Internet has been around since 1997. A team of researchers at what was then Digital Equipment Corp. was working on a way to deal with bots that were trying to influence the way certain sites were ranked on the company's AltaVista search engine. Researchers at the company developed and patented a character-recognition test that was used during the AltaVista registration process to weed out automated programs.

In September 2000, Pittsburgh-based Carnegie Mellon University's computer science department started developing similar programs in response to a request from Yahoo Inc.

Like AltaVista, Yahoo was grappling with rogue programs that were invading its chat rooms and illegally marketing products, stealing personal information and spamming users. "The idea was to create a computer program that could distinguish bots from humans. The program would have to serve as a sentry, but it couldn't itself pass the very test it gives," says Manuel Blum, a professor of computer science at Carnegie Mellon.

The result was Gimpy, a captcha containing seven words chosen at random from a dictionary of 850 words and then distorted and overlaid with clutter via software. Passing the test required identifying at least three of the distorted words correctly.

A simpler one-word version of Gimpy, called E-Z Gimpy, is currently used by Yahoo on its Web site to weed out humans from bots during the registration process.