The rise of the bots.
CAPTCHAs — Completely Automated Public Turing test to tell Computers and Humans Apart — seem to be popping up everywhere, even on sites where you wouldn’t think they’d be needed.
I’ve been tempted to add a CAPTCHA to Ask Leo!. Seriously tempted.
Let me explain what leads to that temptation. I’ll also explain why it’s unlikely to happen, even though the costs of not doing so can be high.
So. Many. CAPTCHAs.
Bots from AI companies and search engines are flooding websites to read pages. This traffic makes sites slow or expensive to run. Owners use CAPTCHAs to block these bots and save money. I pay for a bigger server instead so that my work gets found online.
The origin of CAPTCHA
We’re all pretty used to the occasional CAPTCHA. They exist to prevent automated systems — bots — from doing things intended only for actual humans.
The most common example is email account creation. Before CAPTCHA, bots could create thousands upon thousands of email accounts from which to send millions and millions of spam emails. CAPTCHAs put a stop to that. Spammers had to resort to other means for their garbage1.
CAPTCHAs are also commonly used to prevent bots from accessing sites over VPNs2. “Real” people encounter them more often when using VPNs, but again, this isn’t terrribly common for most people.
Things have changed.
Help keep it going by becoming a Patron.
The rise of the bots
We’re seeing the CAPTCHA above, or variations thereof, more and more frequently.
What’s odd is that there’s no clear reason why. This is not an instance of account creation, or even if there is, there doesn’t appear to be any reason bots would want to create them. Similarly, there’s nothing special about the content that would make it appear lucrative to automated processing and nefarious actions by malicious actors like spammers.
Related
How What I Do Is Threatened by AI
AI is rewriting the rules of the web, and sites like Ask Leo! are feeling the squeeze of fewer clicks, more bots, and uncertain futures. What does that mean for the content you rely on? I'll look at the challenge, the irony, the fear, and what you can do to help.#186144
But clearly there’s a problem that site owners are attempting to address by choosing to implement a CAPTCHA as an entrance requirement.
My recent experience leads me to a theory.
The rise of AI
I mentioned recently that I had to increase the size of my web server because it was getting overwhelmed with page requests.
The problem? Most requests were not from humans. They were bots.
- Search engine spiders. These have been around since the dawn of search. They scan websites and build indexes to use when people search for things online.
- AI spiders. These are new, and there are many. They’re all scanning websites to use the content on those sites to train their models or augment their responses.
I had to get a bigger and more expensive server to provide my content to spiders and bots scanning the web.
The alternative? Block the bots.
The rise of CAPTCHA
Related
Why CAPTCHA?
Been asked to spot bicycles or click “I’m not a robot”? That’s CAPTCHA at work. Here’s why websites use them, how they’re changing, and what it means to be asked to prove you’re human.#2695
My theory is that I’m not alone. Other site owners are faced with the same problem: overwhelming demand from automated systems.
There are two choices:
- Implement a method to block the bots. This is why we’re seeing so many more CAPTCHAs. They block the bots and presumably allow the website to serve its intended audience on its existing infrastructure.
- Spend money to increase capacity so as to be able to serve humans and bots alike.
Many websites are choosing the former.
I’ve chosen the latter. Why? Preventing bots means my content will never appear in their services — AI or search. I want my content to be found, and search and AI exist to share content.
Couldn’t you just ask?
There are standard ways to ask search and AI spiders not to scan your website.
Respecting that request is voluntary. As a result, while many spiders respect the requests, many scan anyway.
My sense is that typically, those that don’t respect the requests are fairly poorly written. One way that manifests is that rather than spreading their requests out over time so as not to overwhelm the sites, they flood the site with hundreds of requests at once. In effect, it’s an unintentional denial of service (DDOS) attack that can bring some sites to their knees.
Do this
Get used to it.
There’s nothing you or I as site visitors can do about this problem. From the website side of things, I can assure you it’s an ongoing race between site owners trying to block bots and allow humans, and bots getting better and better at appearing to be human.
About the only thing for certain is that this race will be with us for some time.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
The problem I have with CAPTCHA is that I just don’t seem to be able to determine to the systems satisfaction which squares show, say, traffic signals. Do you check the picture that has a tiny portion of it shown? Or not?
Another site has me press and hold a spot on their site, but I guess I don’t do that correctly either.
Now I am starting to think it is me?? I don’t have green fingers for gardening either.
I have the same issue with CAPTCHA. The images are usually underexposed, low-rez and — on a phone — too small to see clearly. And those difficulties are magnified by the uncertainty of what pieces and parts of an object I’m supposed to include when I check the tiled images. I HATE the CAPTCHA filter!
“I don’t have a clear reason why, but it’s common for VPNs to trigger CAPTCHAs when direct access does not.”
It may not be that they are specifically targeting VPN’s. It might be the high number of requests they get from VPNs which may make them look like bots.
Another example of how much AI is costing us, in money and environmental impact.
CAPTCHAs have been around since the early 2000s, long before AI bots became ubiquitous.
This all makes sense, but if I can see the check box, why can’t a bot see the checkbox and tick the box? Especially AI bots?
Those tick the box CAPTCHAs use different “fingerprinting” techniques to determine if you are a human. Sometimes they use aspects of your hardware specs or cookies to see if you’ve previously passed a CAPTCHA challenge. Other times they use different criteria like mouse movement and other behavioral and environmental signals.
There is a third option: Fingerprint which – used correct – is a solution where you can provide valuable data to the honest user and provide fake or no data to bots.
If the same fingerprint read pages from your site every two seconds, its fair to assume that it is a bot.
3 x examples:
1) You want to protect your data.
E.g. if the data is the length of a car, you can add 10% to the length.
The bot (e.g. Google bot) does not care, and you will have your page proper indexed.
When a genuine user click at the Google link, the user will – because the user has another fingerprint – read the correct data.
That way you can protect your data.
2) You want to reduce the load on the server.
Just provide less data to the bot.
3) You just want to provide data to proper search engines.
Its not difficult to find the IP-addresses of proper search engines bots like Google and Microsoft.
Make an exception IP-table and just provide fake data like in example 1, and return reduced or no data to the rest.
My problem with captchas is that they are such poor quality pictures it is sometimes impossible to determine what they are showing, leading to repeated efforts to click the right boxes. It’s really frustrating. I have 20/20 vision and use reading glasses – I can’t imagine how people with compromised vision manage.
I can answer that, with complete frustration and anger! I lost sight in one eye 8 years ago, and had a developing cataract in the other. My opthomologist didn’t want to do the surgery for several years because “we don’t have a spare.” Two years ago, my vision was bad enough that he agreed we would go forward with the surgery. I went with a lens for distance, and must wear glasses for anything close-up and to protect the eye. Most CAPTCHAs are extremely difficult to interpret, and often take excessive time. I understand the why, but absolutely hate them.
CAPTCHAS are getting so difficult and AI is getting so good, that eventually only bots will be able to solve them so they’ll switch to blocking bots that get it right and allowing only humans who can’t decipher them to get in 😉
I’ve been experiencing a flood of CAPTCHA’s when logging into my multiple gmail accounts lately and I refuse to use them, I either refresh the page and try again and if it persists I totally exit out of the browser and try again. So far I have yet to have had to use one.
I absolutely despise CAPTCHAs and there is something that I can do about them. I just close the window and never look back. I will not jump through hoops. If they make it that difficult for me (a senior), I take it that they really don’t want me to access their page and therefore I don’t.
I’m a member of the Linux Mint user’s forum. If you’re a registered member you can read and post on the forum. If a “visitor” you can read but not post. Pretty standard. The number of members and visitors online is posted on the forum dynamically. For months now the number of members online has been in the dozens at most, and the number of “visitors” (almost 100% bots) in the thousands; often up to 8 thousand. Performance was drastically affected by a de-facto DOS. The solution? Just as Leo did, add more server power. Just as Leo decided, we wanted the content to be out there unrestricted, but the penalty was more expense in computing power.
My credit union went the opposite path. Normally, signing on is a straightforward username/password screen, providing you use a known device (cookies). If not, or if you use a VPN, I’ve gone through up to 14 screens of “choose all the pictures with a bicycle” type CAPTCHAS before giving up and turning off the VPN.
In your “The rise of the bots” section you mention “there’s no clear reason why”. Wrong. It’s the Kimwolf bot network, read about it here – https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/
My point isn’t that we don’t understand where the bots are coming from, it’s why are they pounding sites like Ask Leo!? There’s no clear reason for those types of bots to do so.
From this webpage https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/ I believe it implies the bot controllers get $.30/gigabyte of data. It doesn’t say who is paying it but I have to believe it’s the various AI makers so they can learn.
I have a contact form on my website for people to get music I write, or to ask for information such as programme notes. Before I asked for a defined four digit number to be typed into an input box I used to get really bizarre messages, random gibberish. Sometimes I write computer code and was taught about ciphers as a child because of family connections – these were neither of these things, just repeated random characters – almost like an ASCII equivalent of a numbers radio station.
I have a problem with one particular website that now uses CAPTCHA’s. It seems that no matter how many of these I answer, another one appears. It’s as if it’s in a CAPTCHA loop, and I don’t know how to get beyond it to actually get too the website and its contents. Any suggestions?
If you’re using a VPN, turn it off. If not, possibly your ISP has been blacklisted for some reason. If you have a VPN, try turning it on. Try going to the same site on your cell phone with WIFI turned off (using cell data, thus a different IP).
I would like to know why no one (it seems) has ever asked THE MOST IMPORTANT QUESTION ABOUT AI?
What will happen(and it will with ever increasing knowledge and abilities) when robots become “self aware”?
When they can realize they have ALL the controls over humans already, financial,power (electrical, etc etc),medical, educational,war fighting,ability is to improve and re-build themselves,transport etc ,you name it,they can then quickly realize they do not in anyway need humans anymore.
We will become TOTALLY redundant won’t we ?
With all the power, tell me what you think robots will do with us? We will no longer be at the top of the food chain!
Not sure where you get your news from, but in the circles I pay attention to variations of that are a VERY COMMON concern.
There’s a lot of “diversity of opinion” (aka arguing) about whether it’ll happen, and what it’ll look like.
We’ll see.
Many years ago in my youth I read a SciFi short story which has stuck in my memory for some reason.
All the computers in all the worlds in the galaxy had been linked together in a giant brain. The president of the galaxy, after the ceremony, threw the switch activating the network. A bolt of lightning came down and fused the switch closed. “My God!”, exclaimed the president. “I AM god!”, came the reply from the console.
Check out some YouTube clips by Yuval Noah Harari, author of Sapiens and Homo Deus. He has some interesting insights on AI. I find him a bit alarmist, but who knows? Science fiction has predicted many things, so maybe it’s right about AI. “I’m sorry Dave , I’m afraid I can’t do that.” Hal 9000
Dear Leo, thank you very much for explaining so many IT riddles. I understand now this CHAPTCHA thing, which relieves me again of that stressful feeling for not comprehending why things are imposed on me that I have not requested. It sure feels good. Thanks a lot.
I get extremely frustrated trying to make out what my screen is showing me on CAPTCHA. The photos are dark, grainy, and nearly (to me) impossible to decypher. SO I do the “rinse & repeat” over and over again until I get tired and just give up. I have no problem in justifying my “humanity” just give us something we can decypher!
Back in 2023 or early 2024, my webserver was suddenly out of disk space. I discovered the IIS logs had gone from very small to very, very large (from a few KB to hundreds of MB, every interval … daily I think). So, asked AI what it meant, and AI confirmed that AI bots are the reason my logs have grown so huge. Our site speeds didn’t seem to suffer, but wow, the disk space was being destroyed. I thought this was comical, that AI was informing me that it was the problem.
For any geeks using IIS on a webserver, I thought I’d post some real-world data from our server’s log sizes. My webserver is low volume, but consistent for the last 11 years. The only variable as you’ll see is the AI bots (and opening them confirms it).
IIS keeps a daily log file. I used monthly/yearly averages to keep the list short…
2015 to 2022 all monthly logs were averaging 100 – 200 KB with an occasional day at 2,000 KB.
2023 (Jan – Sep): avg 2,000 – 3,000 (10,000 peak)
2023 (Oct – Dec): avg 5,000 – 10,000 (25,000 peak)
2024 (Jan – Dec): avg from 25,000 to 400,000 (avg increased every month with a few peaks at 600,000+)
2025 (Jan – Aug): avg 200,000 – 400,000 (800,000 peak) It varied widely
2025 (Sep – Dec): avg 150,000 – 200,000 (350,000 peak) We improved our CAPTCHA in August and log sizes dropped.
Interesting event:
Jan 2026: I inadvertently broke our CAPTCHA for 2 weeks starting Jan 16. During this time the files went back to pre-Aug numbers ranging from 200,000 – 600,000 (out of 14 files, 6 were over 500,000).
There is a simple solution to this problem, without causing headaches and anger in humans:
Proof of Work captchas.
These, instead of putting the effort on the human, they just tell you “click and hold for a few seconds”. Your computer does some random calculations and then you’re allowed.
This basically means you spent a little bit of electricity/power, your computer worked (Proof of Work) to access the web page.
Which seems fair. For simple visitors, it’s 100 times better than solving difficult puzzles. For bots, they have to spend seconds and power to access. And spammers rely on big numbers (hitting a lot of web pages in a short time), so this completely breaks their business model.
That’s great in theory, but the overwhelming majority of spam is sent via botnets, malware on people’s computers, that send out the spam. So the cost would go to the unsuspecting owner of the compromised computer and not the spammer or hacker.