Richard Munroe - 2007-12-07 20:30:43 - In reply to message 1 from Thiago Ferreira
Wish I could take credit for it. The original implementation was subject to exhaustive enumeration attacks, which is what drove me to do this implementation. While scripts can get lucky with this interface, the interface changes each time, so it's unlikely that hackers will get through easily. Further, the set of images can be tailored at each site, thus avoiding the biggest problem with CAPTCHA, breaking via image analysis. I also hide the success/file structure of the hosting website by keeping dispatch information in session variables so folks can't even bypass the authentication and get directly to the underlying web site.
I installed a 10-line PHP hack to my phpBB2 installation and have not had a successful spam since. I was spending about 1 hour a day dealing with spammers so this is a major win for me (and my clients).
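
A sketch of the session-held dispatch idea described in the post above, as an added example that is not the poster's code or the class's own implementation. The function names, session keys, image ids and page paths are hypothetical, and a plain array stands in for `$_SESSION` so it runs from the PHP command line.

```php
<?php
// Added illustration; all names, keys and paths below are hypothetical.

// Issue a challenge: the expected answer and both dispatch targets live only
// in the server-side session, never in the form fields or the URL.
function issue_challenge(array &$session, array $imageIds, string $okPage, string $failPage): array
{
    shuffle($imageIds);                       // layout changes on every request
    $session['captcha_expected'] = $imageIds[random_int(0, count($imageIds) - 1)];
    $session['captcha_success']  = $okPage;
    $session['captcha_failure']  = $failPage;
    $session['captcha_passed']   = false;
    return $imageIds;                         // order in which to render the images
}

// Check the submitted choice and return the page to dispatch to.
function dispatch(array &$session, string $submitted): string
{
    $expected = $session['captcha_expected'] ?? null;
    $failPage = $session['captcha_failure'] ?? 'challenge.php';
    unset($session['captcha_expected']);      // one guess per challenge, so no enumeration
    if (!is_string($expected) || !hash_equals($expected, $submitted)) {
        return $failPage;
    }
    $session['captcha_passed'] = true;
    return $session['captcha_success'];
}

// Guard for the top of every protected page: direct requests fail this check.
function may_view(array $session): bool
{
    return ($session['captcha_passed'] ?? false) === true;
}

// Constructed demo.
$session = [];
$images  = ['cat', 'dog', 'fox', 'owl'];
issue_challenge($session, $images, 'forum/post.php', 'challenge.php');
$wrong = $session['captcha_expected'] === 'cat' ? 'dog' : 'cat';
var_dump(dispatch($session, $wrong), may_view($session));   // wrong guess
var_dump(dispatch($session, 'cat'), may_view($session));    // second try, same challenge

issue_challenge($session, $images, 'forum/post.php', 'challenge.php');
var_dump(dispatch($session, $session['captcha_expected']), may_view($session)); // correct answer
```

Because the success and failure paths are read from the session rather than from the request, a client never sees or chooses where it is sent, and each protected page can call `may_view()` before rendering.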