Comments Back On; reCAPTCHA Wasn't At Fault

On Friday, we experienced a huge spike in comment spam on Radar. We turned off auto-publish for comments (they have since been turned back on). We incorrectly assumed that reCAPTCHA, one of the tools that we use to block, spam had been exploited. We were wrong (Sorry!).

After my post we were contacted by the reCAPTCHA team and they help us debug the issue. From their server logs they determined that it was definitely a human-driven attack (based on all the mistakes in the server logs) and that all of the traffic was coming from Turkish Telekom. The reCAPTCHA team was kind enough to send the following summary mail of the attack and about their service.

There are a few key points about the people spamming you:

Based on log information, it’s very clear that this was based on humans solving the CAPTCHA — the types of errors they make are common human-being mistakes (such as accidentally hitting nearby keys on the keyboard).

We at reCAPTCHA realize that some spammers may want to resort to “CAPTCHA outsourcing,” where they get humans to solve the CAPTCHAs. In general, it is relatively difficult to organize this outsourcing, and it can only be done in small scales. Also, we’re forcing spammers to put half of this outsourcing cost into digitizing books :)

Your “attack” was launched using the TurkTelekom network. This network is known to harbor spammers. See for example: (enter AS9121)

Some stats about reCAPTCHA in general:

reCAPTCHA generates the equivalent of over 2,000 people working 8 hours per day, 5 days per week on digitizing books.

reCAPTCHA is currently used by over 20,000 websites

Because reCAPTCHA is a web service, we are able to quickly adapt to trends in abuse.

If you want to use reCAPTCHA’s free service they have a page to help you get started. Previously I mainly focused on the fact that we were helping older books get digitized. After this incident I am glad that we are using them and recommend them whole-heartedly.