The Failure of CAPTCHA

I've written before on my utter disdain for CAPTCHA... in spite of the fact that this blog uses it for comments.  The CAPTCHA system seemed to be effective at discouraging comments for a while, but lately, I've been hit by several waves of crap attacks.  Combined with .Text's brilliant "3 clicks to delete" design on the feedback page, I've determined from the access patterns of several of these attacks that it takes me longer to repair the damage than it did for the attacker to cause it.  It's pretty clear to me that there's nothing sophisticated in these attacks, simply a person sitting at a computer pasting in text and providing the necessary pattern matching engine to pass the CAPTCHA.  I can't see my access logs, so I don't know what countries these people are coming from.  The peak rate of commenting seems to be 3 per minute; allowing for 45 minutes of effective working time per hour, that's a bit over 1000 per 8-hour day.  I wonder what the piece rate is for this kind of work.

I've said it before, and I'll say it again: the only effective deterrent against weblog comment defacement is to disallow comments on posts older than a month.  Sam Ruby's system seems to be effective as well, though IIRC that's a multifaceted system - forcing preview, throttling comments from a single IP, probably other things that I don't remember at the moment.
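As an added illustration (this is not code from this blog, from .Text, or from Sam Ruby's system), here is a small Python comment gate that combines the two mechanisms named above: it closes a post to comments once it is older than a month, and it throttles accepted comments per source address over a sliding window. The thresholds (30 days, 3 comments per 10 minutes), the address values and the sample traffic are assumptions constructed for the example; the traffic models the pasting pattern described in the post, one address submitting every 20 seconds.

```python
"""Added example: comment gate with a post-age cutoff and a per-IP sliding-window
throttle. Illustrative code only; thresholds are assumed values, not anything
measured from this blog."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

POST_OPEN_FOR = timedelta(days=30)       # assumed: "posts older than a month" are closed
THROTTLE_WINDOW = timedelta(minutes=10)  # assumed window for the per-IP throttle
THROTTLE_LIMIT = 3                       # assumed: accepted comments per IP per window

OK = "ok"
CLOSED = "post closed to comments"
THROTTLED = "too many comments from this address"


class CommentGate:
    """Decide whether a comment submission is accepted."""

    def __init__(self, open_for=POST_OPEN_FOR, window=THROTTLE_WINDOW, limit=THROTTLE_LIMIT):
        self.open_for = open_for
        self.window = window
        self.limit = limit
        # ip -> timestamps of *accepted* comments still inside the window, oldest first
        self._accepted = defaultdict(deque)

    def check(self, post_published, ip, now):
        """Return OK, CLOSED or THROTTLED for a submission made at time `now`.

        The age check runs first and is stateless, so a flood aimed at old
        posts costs no memory and never touches the per-IP state.
        """
        if now - post_published > self.open_for:
            return CLOSED
        recent = self._accepted[ip]
        # drop accepted comments that have aged out of the sliding window
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return THROTTLED
        recent.append(now)
        return OK


def run_submissions(gate, submissions):
    """Feed (time, post_published, ip) tuples through the gate in time order
    and tally the verdicts."""
    tally = {OK: 0, CLOSED: 0, THROTTLED: 0}
    for now, post_published, ip in sorted(submissions, key=lambda s: s[0]):
        tally[gate.check(post_published, ip, now)] += 1
    return tally


def constructed_scenario():
    """Constructed sample traffic (not real log data): one address pasting a
    comment every 20 seconds, first into an open post and then into a stale
    one, plus a single ordinary reader. Addresses come from the RFC 5737
    documentation ranges."""
    t0 = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
    open_post = t0 - timedelta(days=2)     # still accepting comments
    stale_post = t0 - timedelta(days=60)   # past the one-month cutoff
    spammer, reader = "198.51.100.7", "203.0.113.5"
    submissions = [(t0 + timedelta(seconds=20 * i), open_post, spammer) for i in range(6)]
    submissions += [
        (t0 + timedelta(seconds=110), stale_post, spammer),
        (t0 + timedelta(seconds=130), stale_post, spammer),
        (t0 + timedelta(seconds=150), open_post, reader),
    ]
    return submissions


if __name__ == "__main__":
    # Six rapid submissions from one address: three accepted, three throttled;
    # two aimed at the stale post: closed; the reader's single comment: accepted.
    print(run_submissions(CommentGate(), constructed_scenario()))
```

Two points worth noting about the design. The throttle only counts accepted comments, so rejected attempts cannot be used to lock a legitimate reader out by pretending to be them. And the throttle keys on the source address, which a spammer with a pool of proxies can rotate through and which many readers behind one NAT share, so on its own it is weak; the age cutoff is stateless and cannot be rotated around, which is why it is the backstop. Forced preview, the other piece of Sam Ruby's system mentioned above, is not modelled here.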

— Gordon Weakliem at permanent link