-
A CAPTCHA is only going to be broken if:
1. It's a common kind of CAPTCHA which is installed on so many sites that someone will put the effort into breaking it
2. It's a very high-value target site, such as gmail or yahoo
In practice for most sites, where neither of the above two applies, nobody will bother breaking it.
If your site looks 99% identical to a zillion others, then your CAPTCHA probably will too (unless you make some custom mods) - so it will be able to get broken.
When I've had bot problems I've typically put in some very lame bot-finding stuff such as adding bot-fodder fields (sometimes hidden ones) to a form - with excellent results.
Truly automated attacks (i.e. ones with NO human input at all) don't get past anything that's at all different from what they've been trained on.
Slarty
-
-
An author just released a new script to defeat this web defense. He programmed OCR features in under 440 lines of javascript.
I guess this is the right place for it.
http://ejohn.org/blog/ocr-and-neural...in-javascript/
and
http://userscripts.org/scripts/show/38736
-
http://recaptcha.net
Right now the only effective attack against RECaptcha (that I know about, at least) is captcha farming. AFAIK you won't see farming attacks against anything less than a major site.
-
I saw the JS OCR code not too long ago as well. From what I have seen most of the ones that have been defeated lately are attacked by flaws in the code behind them letting a user bypass them and not so much an OCR attack like they used to be. Oh the evolution of spam, people need something better to do :-P