  #5  
01-16-2007
ScottyDM
Administrator
 
Join Date: Jun 2006
Posts: 164
Re: Death to Link Spammers!

The code that runs this site is by vBulletin. We have version 3.5.4 and the latest is 3.6.4, but both seem to use the same anti-spammer technique. Both use a captcha that consists of a distorted image of letters and numbers you must enter to get an account. A captcha is Carnegie Mellon's name for an automated Turing test.

There is a possible problem with vBulletin's captcha technique, which is based on how the data is passed between pages 3 and 4 of the signup process. I don't have access to the PHP source code so I can't tell if the possible problem is a real problem. I've been at vBulletin's site and sent them an e-mail asking about the issue, but since I'm not their customer they won't give me "support". I doubt if a developer will see my e-mail.

While on the vBulletin site and checking out their forums I found reference to a professional link spammer's tool set. I won't mention the product here. On that site they claim their "bot" can read nearly any distorted text-based captcha in only 1 to 5 seconds (there are 86,400 seconds in a day). I was skeptical, of course. Their base product is $450. Link spamming is a freakin business. Link spammers are not playing around and we should stop treating them like naughty children.

Carnegie Mellon University created the captcha and they say some forms of text-based captchas have been "cracked" by sophisticated character recognition programs. So perhaps that link spammer's tool set really can read captcha text. They don't need 100% success, 50% is good enough. Try it, fails, try again, fails, try again and success will mean success for 7/8ths of the attempts. Check out this picture-based captcha, also developed at CMU.


I've been working on building some code from scratch for my website. I need a login system, user profile pages, story uploads, and more. This link spammer issue has been very educational for me. I hadn't really thought about adding a captcha, or even a system to ban users. What I do have is an awesome audit system that logs every time someone logs in or changes anything in the database (what they did, user id, IP address, etc.). I should probably think about a captcha and banning system and other things too. But quite frankly, without any user being able to affect any public pages, the value of my site to link spammers should be low (read that Register article to find out why).


Oh yeah, vBulletin's official policy on link spam seems to be, "Add more mods." They don't understand how a small board with only a few members could possibly be bothered by something like link spam.

I'd be astounded if the spammer bot people are not customers of vBulletin and every other publisher of forum, blog, and guestbook web code. I imagine they reverse engineer everything they get their hands on. Because of this we may be best off with splicing in custom anti-spambot code. I did note that they (the bot people) do not run JavaScript because not enough forums require JavaScript for account creation. They also don't do picture or audio captchas. They are able to handle automated e-mail verification and are able to automatically grab free e-mail accounts at places like Yahoo, MSN, and Google.

Scotty
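The retry arithmetic in the post above (three tries at 50% gives 7/8) generalised to any accuracy and try count, together with a server-side gate that consumes each challenge on first use and caps failures per IP. This is an added example, not vBulletin's code or the poster's; `bypass_probability`, `CaptchaGate` and the default limits are assumptions made for illustration.

```python
import hmac
import secrets
import time

def bypass_probability(p, attempts):
    """Chance that a solver with per-try accuracy p passes within `attempts` tries."""
    return 1.0 - (1.0 - p) ** attempts

class CaptchaGate:
    """Hypothetical server-side captcha state: single-use challenges, per-IP failure cap."""

    def __init__(self, max_failures=3, window=86400, ttl=300, clock=time.time):
        self.max_failures = max_failures   # failures allowed per IP per window
        self.window = window               # seconds (86,400 = one day)
        self.ttl = ttl                     # seconds a challenge stays valid
        self.clock = clock                 # injectable so the lockout can be tested
        self._challenges = {}              # token -> (answer, ip, issued_at)
        self._failures = {}                # ip -> timestamps of failed guesses

    def _recent_failures(self, ip):
        cutoff = self.clock() - self.window
        recent = [t for t in self._failures.get(ip, []) if t > cutoff]
        self._failures[ip] = recent
        return recent

    def issue(self, ip, answer):
        """Return an opaque token for a new challenge, or None if the IP is locked out."""
        if len(self._recent_failures(ip)) >= self.max_failures:
            return None
        token = secrets.token_urlsafe(16)  # the answer itself never leaves the server
        self._challenges[token] = (answer, ip, self.clock())
        return token

    def verify(self, ip, token, guess):
        """Check a guess; the challenge is consumed whether the guess is right or wrong."""
        entry = self._challenges.pop(token, None)   # single use: no replay, no second guess
        if entry is None:
            return False
        answer, issued_ip, issued_at = entry
        if issued_ip != ip or self.clock() - issued_at > self.ttl:
            return False
        if len(self._recent_failures(ip)) >= self.max_failures:
            return False
        if hmac.compare_digest(guess.lower().encode(), answer.lower().encode()):
            return True
        self._failures[ip].append(self.clock())     # count the miss against this IP
        return False
```

With a cap of three failures per day, a 50% solver still gets through 7/8 of the time from a single address, so the cap limits volume per IP rather than stopping an accurate solver outright.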