reCAPTCHA, spam, and (Vanilla) Forums

I discovered what I consider to be a fairly serious issue with the reCAPTCHA authentication system today, and wanted to share it. I’m fairly sure not many people know these facts, which can affect a lot of forum owners / administrators.

I run a forum built on Vanilla Forum – regular readers of this blog would know about it. A couple of months ago, I upgraded the forum to the new, redesigned Vanilla Forum 2.x version that comes with built-in support for registration verification using reCAPTCHA. Up to the 1.x branch, out of the box there was no way to pre-approve registrations; a moderator had to approve each account manually. (This is what the forum used too.) With a function as crucial as user registration I didn’t want to make modifications only to have to re-modify and test them every time I applied an upgrade patch. So when version 2.x came along with baked-in support for reCAPTCHA, I was happy to jump on board and remove the approval process. (A move that I must admit was controversial within the community and among the moderators.)

Over the past few weeks, I noticed that the forum’s email inbox was filling up with a considerable number of mail delivery failure notifications for the initial email sent right after a successful registration. I didn’t give much thought to it as I (incorrectly) believed the first step in the new Vanilla Forum sign-up process was a verification email. It turns out that it is not – the system sends an email only once the user has been authenticated. Had I known this, the number of mailer-daemon messages should have set alarm bells off already.

Today, one of the members (Shreyans) casually mentioned in a private message to me (in which he was discussing other technical issues that he was facing with the forum) that there seemed to be a lot of users on the board with ‘nude’ or ‘naked’ in the username. To my surprise, I discovered that was indeed the case – and in many instances these user accounts had the same email address too. These were obviously spammer accounts, so I deleted them immediately. But that got me thinking about how they could have gotten through.
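The three signals described above – a welcome email that bounces, a username containing a term like ‘nude’ or ‘naked’, and several accounts sharing one email address – are easy to check for automatically once registrations are approved without a moderator. The script below is an added example, not Vanilla Forum code; the `Registration` record layout, the `triage` and `bounce_rate` helpers and the sample accounts are all constructed for this illustration.

```python
"""Triage of new forum registrations for the spam signals described in
the post: a bounced welcome e-mail, a username containing 'nude'/'naked',
and several accounts registered under one e-mail address.  Added example,
not Vanilla Forum code; the record layout and sample data are constructed."""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    username: str
    email: str
    welcome_mail_bounced: bool  # delivery-failure notice received for the post-signup mail


# Terms that showed up in the spammer usernames on the post's forum.
SUSPICIOUS_TOKENS = ("nude", "naked")


def triage(registrations, min_shared_email=2):
    """Return {username: [reasons]} for every registration that trips at
    least one signal.  Reasons are plain strings a moderator can read."""
    email_counts = Counter(r.email.lower() for r in registrations)
    flagged = {}
    for r in registrations:
        reasons = []
        name = r.username.lower()
        if any(token in name for token in SUSPICIOUS_TOKENS):
            reasons.append("username contains a suspicious term")
        shared = email_counts[r.email.lower()]
        if shared >= min_shared_email:
            reasons.append(f"e-mail shared by {shared} accounts")
        if r.welcome_mail_bounced:
            reasons.append("welcome e-mail bounced")
        if reasons:
            flagged[r.username] = reasons
    return flagged


def bounce_rate(registrations):
    """Fraction of registrations whose welcome e-mail bounced.  A rising
    value is the alarm bell the post says should have gone off earlier."""
    if not registrations:
        return 0.0
    return sum(r.welcome_mail_bounced for r in registrations) / len(registrations)


# Constructed sample: two ordinary members and three spam-looking accounts.
SAMPLE = [
    Registration("trainfan", "trainfan@example.org", False),
    Registration("member_two", "member2@example.org", False),
    Registration("nude_girls_4u", "promo@example.net", True),
    Registration("NakedPics2010", "promo@example.net", True),
    Registration("bestoffers", "promo@example.net", False),
]

if __name__ == "__main__":
    for user, why in triage(SAMPLE).items():
        print(f"{user}: {'; '.join(why)}")
    print(f"bounce rate: {bounce_rate(SAMPLE):.0%}")
```

Run daily over the accounts created since the last run, this produces a short list for a moderator to review instead of requiring every registration to be approved by hand; the shared-email threshold and the token list are the two knobs to tune for a particular community.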

reCAPTCHA (now owned by Google) throws CAPTCHA challenges from a corpus of OCR-recognised words from Google’s text digitisation efforts. You might have seen this verification challenge on Facebook at some point too. Two words are shown and you are told to enter both correctly to pass.

Sometimes, reCAPTCHA flips you off by throwing two-dimensional arrays into the challenge

Behind the scenes, reCAPTCHA doesn’t know what both the words are. One of the words has been positively identified by OCR and is kept as a ‘control’ word. The second word is not recognised by OCR; user input for that word is taken and stored into a database. Once enough users identify an ‘unknown’ word as the same word, the reCAPTCHA system uses that result for sending back the corrected word to text digitisation programmes and adds it to the corpus of control words used in the system.

A well-known loophole is that it is possible to enter one word incorrectly and have reCAPTCHA consider the answer valid. What I couldn’t understand is how spambots could get past the control word. So I started playing around with the text I entered as reCAPTCHA response in Vanilla Forum’s registration page. I found that…

  • if the number of characters entered for each word is correct;
  • and the words are entered as correctly as possible, except for one character (i.e., one character in an entered word was deliberately incorrect)

…then reCAPTCHA would authenticate the entry as correct! This issue is not isolated to the Vanilla Forum implementation of reCAPTCHA either, as you can achieve similar results using the demo form on the official reCAPTCHA website.
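To make concrete what this tolerance costs, here is an added example that models a control-word verifier with and without the ‘off by one’ rule. It is not reCAPTCHA’s code and not from the original post: the service’s real matching rules are not public, so the tolerance is assumed to be ‘same length and at most one differing character’, which is the behaviour reported above; the 26-letter alphabet and the sample words are likewise assumptions for the illustration.

```python
"""Model of a CAPTCHA control-word check with and without the "off by one"
tolerance described in the post.  Added illustration, not reCAPTCHA's code:
the tolerance is modelled as 'same length, at most one differing character',
which is what the post reports observing."""

from itertools import product
from math import comb


def char_mismatches(expected: str, answer: str):
    """Number of positions where the strings differ, or None when their
    lengths differ (a length mismatch is always rejected in this model)."""
    if len(expected) != len(answer):
        return None
    return sum(1 for a, b in zip(expected, answer) if a != b)


def verify_strict(control: str, answer: str) -> bool:
    """Exact-match check against the control word: exactly one accepted answer."""
    return control == answer


def verify_tolerant(control: str, answer: str, max_errors: int = 1) -> bool:
    """Check that accepts up to max_errors wrong characters in an answer of
    the right length, the behaviour the post observed on the control word."""
    mismatches = char_mismatches(control, answer)
    return mismatches is not None and mismatches <= max_errors


def accepted_answer_count(word_len: int, alphabet_size: int = 26,
                          max_errors: int = 1) -> int:
    """Closed form for how many distinct strings the tolerant verifier accepts
    for one control word: the exact word plus every string differing in
    1..max_errors positions.  The strict verifier accepts exactly one."""
    return sum(comb(word_len, k) * (alphabet_size - 1) ** k
               for k in range(max_errors + 1))


def enumerate_accepted(control: str, alphabet: str, max_errors: int = 1) -> int:
    """Brute-force cross-check of accepted_answer_count on a tiny alphabet:
    try every same-length string over `alphabet` and count the accepted ones."""
    return sum(
        verify_tolerant(control, "".join(candidate), max_errors)
        for candidate in product(alphabet, repeat=len(control))
    )


if __name__ == "__main__":
    # 'overlooks' stands in for a control word; 'overlooms' is one character off.
    print(verify_strict("overlooks", "overlooms"))    # False
    print(verify_tolerant("overlooks", "overlooms"))  # True
    for n in (5, 7, 9):
        print(f"{n}-letter word: {accepted_answer_count(n)} accepted strings")
```

For a nine-letter control word the tolerant rule accepts 226 distinct strings where the strict rule accepts one, which is the widened target a site owner trades for the friendlier user experience; the wiki entry quoted below says this is meant to be offset by trust scoring and abuse monitoring on reCAPTCHA’s side, and the rest of the post asks what that trust can realistically be based on.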

I searched around for possible reasons for this and found this entry in the reCAPTCHA wiki:

On the verification word, reCAPTCHA intentionally allows an “off by one” error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.

It seems this is a problem by design. What seems crucial in this equation is the implication that the off-by-one error is allowed “depending on how much we trust the user giving the solution”. How exactly is this trust defined? I don’t think IP address blocking can be used (can it?), because the request for verifying inputs is sent by the server using reCAPTCHA, tied to the specific public-private key pair of the site. Which means ‘block IP addresses that send large volumes of incorrect inputs’ cannot be used to define this ‘trust’, as the IP address would be that of the server rather than the spambot / client.

Another possible yardstick for measuring ‘trust’ would be allowing off-by-one errors only for typographically similar characters: ‘i’ / ‘l’, ‘a’ / ‘d’, ‘r’ / ‘n’, etc. However, I don’t think their system uses this either, as in all my attempts it accepted off-by-one errors for entirely different-looking characters, such as ‘s’ / ‘w’, ‘q’ / ‘f’, etc.

reCAPTCHA is undoubtedly the most popular CAPTCHA implementation used on the Web these days, which makes this such a serious issue. A lot of forums and sites now use it by default because it’s a small way to pitch in to the noble ideal of text digitisation, and also because presenting ‘real’ words appears to be a more elegant solution than randomly generated text.

Unfortunately, from what I have now found through experience, the checks and balances used by reCAPTCHA are simply not good enough and seem to be letting through at least 10 spambots daily. And this is just on a relatively low-traffic website like mine. Imagine the implications on a much juicier target like Facebook or the countless StackExchange websites, which all use it for human verification.

For now, I am going back to trusting manual moderator approval on my Vanilla Forum site. It seems when it comes to identifying humans, nobody is better at that job than a human.

Personal Reflections

A change of perspective. A dialogue in the dark.

No, I didn’t get so exhausted by my first (mammoth) post of the year that I have stopped writing. I have a couple of draft blog posts that I need to edit and refine before I publish them. So much to say, so little time to do so due to ten academic courses, learning a new language, job applications / interviews, a TV studio director role, and a new pillow cover. Life, I tell you. ‘Tis like a grapefruit.

But you know what? It’s curious how a difference of a few weeks can bring about a change of perspective. 🙂 How things remain the same and yet not the same. Now, I feel glad to have opted for a full-year on study exchange. I have even more faith that the decision I took in 2009 to do this is worthwhile. I could speak now – or I could wait till the end of my stay in Singapore and speak wiser with added hindsight.

You can figure out what I’m going to do, can’t you? You smart cookie!


Fourteen storeys below my cosy and warm room, the noise from the traffic lights was incessant. Tick tick tick tick beep beep beep beep tick tick tick tick beep beep beep beep. I couldn’t sleep! Was it because of the part of town I was staying in? Should I have coughed up cash for a costlier hostel somewhere else?

I went to Hong Kong a month ago, and while I will be writing about those adventures when I get time, I wanted to talk about an eye-opening (you’ll soon realize the significance of this choice of words) experience I had on the trip. I was looking up things to do in Hong Kong on Wikitravel from my hostel room there, when I stumbled across Dialogue In The Dark. It’s a one-of-a-kind series of ‘experiential exhibitions’ across the world with the aim of increasing public awareness of issues surrounding visually impaired people in society. Intrigued, I put it on my HK itinerary.

Let me state what the concept of Dialogue in the Dark is. Essentially, its purpose is to bring about a change of perspective. A sighted person is led to pitch black rooms where locations that a person might encounter in daily life are recreated – a clothing store, a theatre, a café, a garden, a busy road intersection, a street market – and guided around by a visually impaired guide. The roles are reversed; here, it is the sighted person who is out of his/her element.

Dialogue In The Dark’s (DiD) Hong Kong chapter is in a shopping mall called The Household Center in Mei Foo, Kowloon district. It’s off the beaten track for most tourists. The mall itself is so different from the ones catering to tourists in Hong Kong (or Singapore for that matter), as it sells mostly Chinese goods; it is worth a whistle-stop to see where residents go shopping. All the while I was flitting about in the mall, never once did I see a tourist.

Anyway, I hadn’t made a booking online as I couldn’t use my Singaporean debit card in Hong Kong, so I showed up at the DiD office and enquired whether they had any tour slots for the day. At first, I was told that there were no tours being conducted in English that day. I was disappointed that I would have to miss this, as I wouldn’t have any other chance to do it (at least on that trip), and to my surprise the staff called me a quarter-hour later telling me they’d organized one for me.

At the start of the tour, I was handed a walking cane and introduced to my tour guide, William. Over an hour and a half he egged me on to explore my environment through my senses of touch, hearing and smell. It’s amazing how the human brain starts paying more attention to the other senses when sight is taken out of the equation. I felt leaves with my hands, trying to figure out what plant it was. I sat down on a park bench, feeling the smooth grain of the wood. “This one must be green in colour,” I told William. That was the first thing that came to mind when I thought of that texture. Almost silly, isn’t it? Above all, I felt guilty and embarrassed about saying that. How could I barge in and ‘definitely’ settle the look of an object with a person who couldn’t argue otherwise?

I remember being paranoid throughout the tour that there would be a staircase in our path and I’d fall. (There were none.) Nevertheless, I couldn’t just let go of that feeling of fear. I crossed a narrow walkway surrounded by water. I crossed a street – and then I realized what the tick tick tick beep beep beep sounds that the traffic lights in Hong Kong make were for. Even when I was crossing the road, I feared the traffic light would change, or I’d trip, or I wouldn’t know when to stop (you have to figure out when to stop by feeling the texture of the road/pavement through your shoes). There weren’t any cars to hit me there, which only drove home the point of how much more challenging this is in real life.

I tried to figure out what clothes were at a clothing store. Tried to identify fruits at a street market. Tried to figure out which magazine was National Geographic at a news-stand purely by touching the covers of the multiple ones on a rack. Found an empty seat in a music theatre and sat listening to a performance, noticing the tiny vibrations that went across the floor as the tempo of the song changed. Experienced tiny ‘lightbulb moments’ every time I figured out what something was using senses I wasn’t used to. Bought and paid for a can of cold coffee in total darkness at the ‘cafe’ and sat down to chat with William. We spoke about what he was studying, what facilities there are for visually impaired people in the UK, how ‘friendly’ Hong Kong is for visually impaired people…

As I picked up my stuff from the lockers at the end of the tour, I finally got to see my guide. I was awed by the power of human resilience. Putting this experience into words is difficult to do and it is something you just have to go through yourself to realize how it is. It really shook me up; as I walked away, my hands were trembling and I needed a good half-an-hour to calm down.

That night, back in my hostel in Hong Kong, I realized why there was a need for that ‘noise’ from the traffic lights. And with that realization, it somehow didn’t bother me any more. I slept easily on my last night in Hong Kong.


Living by yourself at university comes with its own responsibilities, such as budgeting your expenditure. You aren’t a student unless you’re broke and short of cash.

Students often say they are on a tight budget and I agree that is true. However, I believe most of us can still afford to donate something or the other. What might be a ‘small’ amount in the pounds/dollars/rupees goes a long way in developing countries, so every little helps.

One of the other unique initiatives I started supporting in 2010 through donations is Kiva. Kiva helps crowd-source funding for micro-loans in developing countries across the globe. You make a donation (minimum of $25) and choose a ‘person’ that it will go to on the Kiva site. This is done to give the transaction a human touch, but what goes on in the background is that it helps ‘backfill’ a loan already given to that person by a micro-lending company in that country. Once the loan is paid back, you get the amount you invested back and can then loan it out to other projects.

I’m really drawn to Kiva’s micro-lending concept, because it helps the people you lend to start their own business or build their own house – something that helps them become self-sustaining and makes their lives better. I’m disappointed by just one thing though – Kiva has no lending partners in India.

I make conscious efforts to donate to charitable causes. I realize that no matter how much of a ‘bad day’ I have, there are many millions of people in the world who are worse off. I donated a month’s worth of part-time work wages towards the Haiti earthquake rehabilitation effort. I supported Room To Read and Teach For India (the latter with donations from forum members too), two organizations making grassroots-level efforts in setting up new schools/libraries. I supported MADTV’s Mike Willis’ ‘Wheelchair Week’ – a superhuman effort involving him spending twelve hours a day in a wheelchair for one whole week, something I hold him in very high esteem for having the courage and will to do. I didn’t believe in the Facebook campaign for changing profile pictures to those of cartoon characters “to campaign against child abuse” until former University of Surrey sabbatical officer Nick Entwistle made a similar challenge on Facebook – and I got to see how many people actually did get involved rather than it just being a case of ‘clicktivism’. That allowed me to get over my dismissal of the campaign as a stunt, and I donated to NSPCC UK when I heard that the campaign increased donations by 85%.

(I still maintain that this clicktivism in general does more harm than good. Read more by Malcolm Gladwell in The New Yorker on new-age activism – something which, for the most part, sums up what I feel on this issue. My intention, BTW, in listing the charity names in the previous paragraph is to link to organizations that I feel are doing a really good job and making an actual impact, with the hope that some of my readers will look them up too and hopefully contribute in some way.)

Those are a few of the charities I donated to in 2010. And then, I read about Gumball Capital on TechCrunch – a charitable organization started by Travis Kiefer, a student at Stanford University, that tries to raise money for poverty alleviation with $27 and 27 gumballs. Travis did a shout-out for from Antarctica when on a 7-continent marathon too!

(No penguins in the video because it’s hard to find them inland, so here’s a drawing made by him instead.)

It’s inspiring to hear about students like us, like Travis Kiefer and Mike Willis, who even with their busy university lives make the effort to be a part of charitable initiatives. I wish I could say with a straight face that I don’t have time to get actively involved, but I can’t.

And so for 2011, I am going to make an effort to not just donate to charitable causes, but also to volunteer for at least one cause.