It may only be a proof of concept, but using photos of people's faces does lead to some problems. I only had to reload your page 5 or 6 times before the images started repeating.
A bad person could do the following:
Write a program to request the page 1,000 times. Each time, it could grab the image, compare it against images already saved and, if it's not already stored locally, take a copy. Assuming you have no more than a couple of hundred images, this should create a local copy of most, if not all, of your images.
The bad person could then associate a name with each of the images.
Now, they just need to request your submit form, fill it with their spam, search for the image in their local database, answer your challenge correctly, and they're done. The spam is now on your system.
Even if you have thousands of images, this method could work fine.
And remember, "real people" will have a problem with your firm if they don't know the individuals. I certainly didn't know most of them. Even if I did, I might spell the name incorrectly.
That's why the major players go with images which are created on the fly:
- generate a random string of characters, e.g. "ryU42$x"
- select random foreground and background colours (sufficiently far apart to be usable)
- select random font
- generate an image of the text based on the above
- select a random transform and apply to the image
- add additional random "noise" to the image
- store the random text in a session variable, display the new image
This makes it all nice and neat, and generates a pretty much infinite number of images to choose from, stacking the odds in your favour rather than the hacker's.
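
The server-side half of the on-the-fly scheme listed above, as an added example that is not part of the original comment: a fresh random string per request, a colour pair checked for contrast, and a single-use answer held in the session. The alphabet, the contrast threshold, the attempt limit and the plain dict standing in for the session are assumptions; rendering the image (font, transform, noise) is left out.

```python
import hmac
import secrets

# Assumed alphabet: look-alike characters (0/O, 1/l/I) left out for usability.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
MIN_LUMA_GAP = 120  # assumed threshold for "sufficiently far apart"
MAX_ATTEMPTS = 3    # assumed policy: guesses allowed per challenge


def luma(rgb):
    """Perceived brightness of an RGB triple (ITU-R BT.601 weights), 0..255."""
    r, g, b = rgb
    return 0.299 * r + 0.587 * g + 0.114 * b


def pick_colours():
    """Random foreground/background pair, redrawn until the contrast is usable."""
    while True:
        fg = tuple(secrets.randbelow(256) for _ in range(3))
        bg = tuple(secrets.randbelow(256) for _ in range(3))
        if abs(luma(fg) - luma(bg)) >= MIN_LUMA_GAP:
            return fg, bg


def new_challenge(session, length=7):
    """Create a fresh challenge; the answer is kept only in the server-side session."""
    text = "".join(secrets.choice(ALPHABET) for _ in range(length))
    fg, bg = pick_colours()
    session["captcha"] = {"answer": text, "tries": 0}
    # Returned for the image renderer only; never send "text" to the client.
    return {"text": text, "fg": fg, "bg": bg}


def check_answer(session, submitted):
    """Constant-time compare; the challenge is discarded on success or after
    MAX_ATTEMPTS wrong guesses, so a stored answer is never accepted twice."""
    entry = session.get("captcha")
    if entry is None:
        return False
    entry["tries"] += 1
    ok = hmac.compare_digest(entry["answer"].encode(), submitted.encode())
    if ok or entry["tries"] >= MAX_ATTEMPTS:
        del session["captcha"]
    return ok
```

Because each answer is generated per request and deleted after use, a local database of previously seen images has nothing to look up.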