TikiGraffiti: Using Graffiti and Street Art to combat WordPress spam

Overview

TikiGraffiti is a WordPress plugin that implements a CAPTCHA to block comment spam. TikiGraffiti is similar to other captcha plugins, but instead of using a computer-generated image with obfuscated text, it uses images of graffiti and street art.

Examples

Standard captcha image:
[image: captcha.png]

TikiGraffiti captcha images:
[photos by: Rafael Rubira, nevernevermind, Cassidy Curtis, and Bright Tal]
(click to see originals)

Download

Download it here! This plugin has NOT been tested with WP 2.1!
Place tikigraffiti.php and tikigraffiti_imgs in your WordPress plugin directory.
You can browse the source code here.

Installation

The tikigraffiti.php script and the tikigraffiti_imgs directory should both be placed in your wp/wp-content/plugins directory. To add images, place them inside the tikigraffiti_imgs directory, and add attribution information in credits.xml (also located in the tikigraffiti_imgs directory). Images should be named with the codeword they contain, e.g. codeword.jpg.

Acknowledgments

The TikiGraffiti plugin is licensed under the GPL and is based on the SecureImage plugin.

All street art photos are licensed under a Creative Commons license that permits derivative works. All images were found on Flickr using the Creative Commons search feature.

All images distributed with TikiGraffiti are attributed to the photographer in an XML file distributed with the plugin. Also, when an image is displayed as a captcha, a link back to the original Flickr page for the photo is provided. A full list of photographer attributions is in the following section.

Although I can display photographer credits for these images, in some cases I do not know who the original artist was. Please leave a comment on this page if you have artist information so that I can properly attribute these works!

Default Images and Photo Credits

[photo: nevernevermind] [artist: ALIAS]
[photo: nevernevermind] [artist: Glenda GlitaGrrl]
Removed due to OCR spambot attack
[photo: Rafael Rubira] [artist: unknown]
[photo: nevernevermind] [artist: SP 38]
[photo: Trois Têtes] [artist: WK]
[photo: nevernevermind] [artist: unknown]
[photo: Bright Tal] [artist: Klone]
[photo: Cassidy Curtis] [artist: Lime]
[photo: Trois Têtes] [artist: unknown]
[photo: Trois Têtes] [artist: NOMAD]
[photo: filip42] [artist: unknown]
[photo: Ben Cumming] [artist: unknown]
[photo: Trois Têtes] [artist: unknown]
[photo: Trois Têtes] [artist: STOK]
[photo: Kim Laughton] [artist: TEK13]
Removed due to OCR spambot attack

OCR, Image Processing, Pattern Recognition, and other CAPTCHA Attacks

Everyone seems to want to talk about how effective or ineffective this captcha is at providing security. When talking about CAPTCHAs and security, it is important to remember three things:

  1. CAPTCHAs do not provide security.
  2. CAPTCHAs do not provide security.
  3. CAPTCHAs do not provide security.

The purpose of this plugin is to slow down spambots and make our blog more fun. Right now, it does both.

There are many ways to break this CAPTCHA, many of them fairly trivial. This is not the point.

If you are interested in captcha attacks, check out PWNtcha, an impressive captcha decoder. From a strict image processing/pattern recognition point of view, well-chosen graffiti images would be very hard to break algorithmically while still being human-solvable, but attackers could build a dictionary of all the graffiti images you were using. Our implementation makes dictionary attacks even easier, because we provide a link to the original image on Flickr in the attribution info :)

If you are actually concerned that a spam bot is trying to algorithmically solve your CAPTCHAs (TikiGraffiti captchas or any other kind), please let me know! Our logs show that right now there are no spambots using algorithmic captcha attacks on our blog.

Update: Well, that didn’t take long. We encountered a spambot that was trying to OCR the captchas! I removed the Authorised image because the OCR attack was successful. The OCR result that the spambot was passing for the TEK 13 image was “TEKI3” (I instead of 1), which was pretty close, so I removed that one too! Here are the images:
[images: authorised.jpg, tek13.jpg]
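A check a site operator could run over their own comment logs to catch this kind of OCR attempt early, as an added example that is not part of the plugin: it assumes a constructed log format with ip=, image= and answer= fields, an illustrative set of OCR-confusable character pairs, and that each image is named after its codeword as the Installation section describes.

```python
import re
from collections import defaultdict

# Substitutions an OCR engine commonly makes on stylised lettering.
# Illustrative set (an assumption, not from the plugin); extend it as your logs show.
CONFUSABLE = {("I", "1"), ("L", "1"), ("O", "0"), ("S", "5"), ("B", "8"), ("Z", "2"), ("G", "6")}
CONFUSABLE |= {(b, a) for a, b in CONFUSABLE}  # make the pairs symmetric

# Constructed log line format (assumption): one record per comment attempt.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) image=(?P<image>\S+) answer=(?P<answer>\S*)")

def is_ocr_near_miss(answer, codeword):
    """True when the answer matches the codeword except for OCR-confusable characters.

    Exact matches and length mismatches are not near-misses, so a human typo such
    as a dropped letter is not counted; this targets OCR output specifically.
    """
    a, c = answer.upper(), codeword.upper()
    if a == c or len(a) != len(c):
        return False
    return all(x == y or (x, y) in CONFUSABLE for x, y in zip(a, c))

def scan_log(lines):
    """Return {ip: [(image, answer), ...]} for submissions that look like OCR output."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a captcha attempt record
        ip, image, answer = m.group("ip", "image", "answer")
        # The plugin names each image after its codeword (tek13.jpg -> "tek13").
        if is_ocr_near_miss(answer, image):
            hits[ip].append((image, answer))
    return dict(hits)

def images_to_retire(lines, flagged_ips):
    """Images a flagged IP also answered exactly: the OCR attack is succeeding on them."""
    retire = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("ip") in flagged_ips and m.group("answer").upper() == m.group("image").upper():
            retire.add(m.group("image"))
    return retire

# Constructed sample log; IPs are from documentation ranges.
SAMPLE_LOG = """\
2007-02-10 12:01:05 ip=198.51.100.7 image=tek13 answer=TEKI3
2007-02-10 12:01:09 ip=198.51.100.7 image=authorised answer=authorised
2007-02-10 12:01:14 ip=198.51.100.7 image=nomad answer=N0MAD
2007-02-10 12:03:40 ip=203.0.113.5 image=stok answer=stok
2007-02-10 12:05:02 ip=203.0.113.9 image=lime answer=lim
""".splitlines()

if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    print(flagged, images_to_retire(SAMPLE_LOG, flagged))
```

On the sample log the single flagged address produces the “TEKI3” near-miss from the update above, and `authorised` shows up as an image that address already solved, which is the signal to pull it from rotation.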