CAPTCHA farming

Charles Arthur's wondering why spam came through his CAPTCHA system, and concludes that people are probably being paid to sit there and fill out CAPTCHAs.

There are a couple of other possibilities. The first is that the CAPTCHA system he's using might be compromised. Some OCR systems can be surprisingly effective against CAPTCHAs.

The second is that his CAPTCHAs are being reproduced on another site for humans to solve. The canonical example would be where a visitor to a porn site is shown a CAPTCHA and asked to solve it before they can, er, continue. Unbeknownst to them, however, the CAPTCHA is actually coming from Charles' system, and the solution is then used to send him spam. This is "CAPTCHA farming".

Searching for "CAPTCHA porn" turns up a number of stories about this over the past few years.
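One way to narrow the window a relayed CAPTCHA has to work in is to issue single-use challenge tokens that expire quickly and can only be redeemed from the address they were issued to. This is an added example, not code from the post or from Charles' system; the function names, the 60-second lifetime and the address binding are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumption)
TTL_SECONDS = 60                  # assumed lifetime; relaying to a human adds delay
_used = set()                     # redeemed challenge ids (a shared store in production)


def _sign(cid, answer, client_ip, issued):
    # The expected answer is inside the MAC, so the token never reveals it.
    msg = f"{cid}|{answer.lower()}|{client_ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(answer, client_ip, now=None):
    """Return an opaque token to embed in the form beside the CAPTCHA image."""
    issued = int(time.time() if now is None else now)
    cid = secrets.token_hex(8)
    return f"{cid}:{issued}:{_sign(cid, answer, client_ip, issued)}"


def verify_challenge(token, answer, client_ip, now=None):
    """Return (accepted, reason); every rejection reason is worth logging."""
    now = time.time() if now is None else now
    try:
        cid, issued_s, mac = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False, "malformed"
    if cid in _used:
        return False, "replayed"
    if now - issued > TTL_SECONDS:
        return False, "expired"
    _used.add(cid)  # one guess per challenge, right or wrong
    expected = _sign(cid, answer, client_ip, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "wrong answer or different client"
    return True, "ok"
```

This raises the cost of relaying rather than preventing it, since a human solver can still answer within the window.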

4 comments:

  1. Except, as I pointed out, the captcha appears to have been filled in in India - at least, that's the IP address. Which makes me think it's almost certainly a human.

    It could have been a fake, or an OCR, but I've also seen attempted (or real) registrations from .in in the past couple of days - so I'm sticking with my hypothesis for now.

  2. Oh, the CAPTCHA is almost certainly being entered by a human. I haven't seen much that suggests that OCR is being seriously used by spammers yet (although it's probably only a matter of time).

    The IP address shows that the computer that posted the CAPTCHA results to you is (almost certainly) in India. But that could easily just be a server that's hosting the code, and the person typing in the CAPTCHA details could be elsewhere. For example, I'm typing this in the UK, but the computer it's going to be posted to is in the US.

    Pretty tricky to tell one way or the other though.

  3. Yerss.... though I also saw a number of user registrations from India, and the other day a *comprehensible* comment that was relevant to the topic from "paper shredders". Based in Pakistan, apparently.

    (That one wasn't captcha'd.)

    I think we could both be right - I'm watching a video from a Google session about captchas which does suggest the bouncing method you hinted at.

  4. What about using www.captchasolver.com to solve hard captchas?
