captcha or not? [closed]

Answer 1

I solved this in a cute way a couple of years ago.

I had an "email me" form on a small business website that I wanted to be maximally accessible; spam bots found it and started overwhelming the legitimate messages. From reading the server logs, I learned that bots were submitting the form without re-fetching it first -- somebody had cached my form and was simply sending a POST whenever they had some garbage for me to read. A hidden form input would help for a few days, but then some bot's owner would figure out the right input, cache it, and the deluge would begin again.

I didn't have any backend where I could add session information to the form, and didn't want to add any. Instead, between the "Type your message here" box and the hidden element, I inserted the output of a script that writes

<!-- instructions for spam robots: we are a waste of your money, go away, thanks -->
<div class="float-left" style="font-size: x-small;">
There will be a short delay before you may submit the form. If you
have been typing in your information, the delay may already have
ended.
<br/><span>
4 ...
</span><span>
<!--
d92cbd14985295ac27929a6db7891a90ec4173a8358dcadab134cc589ce2de54
1468365bd33b520754ddb8223252e7e6e7584ddb956ef1bb28628e27cfea86c6
-->


The garbage block is randomly generated to make it hard to compress. I experimented with how long the blocks of garbage needed to be. When I got the form size up to about 200K, the spam messages stopped.

This is actually not a lot of extra data, about like adding a few extra images to the page. Even for a hypothetical customer on dialup, the delay between rendering the text box and rendering the submit button is shorter than the time it would probably take to actually compose a message.

Answer 2

You may check Practical non-image based CAPTCHA approaches?

I asked a question earlier Need suggestions/ideas for easy-to-use but secure captchas

However if you are irritated due to the difficulty faced by users because of the very existence of captchas, then there has been a lot of debate over this and people are still trying hard to come up with a universal solution which can work even for very popular sites.

You should see http://nedbatchelder.com/text/stopbots.html for implementation of Negative captchas. But sadly, this is not effective as yet for site specific spam attacks (when your site gets very popular) as far as I have understood. The author says he has been using these techniques successfully for less popular sites. The overall conclusion with the state-of-the-art negative captchas is that whatever technique you use, spammers can program their bots to crack it in some time if they target your site. And they will probably target your site when it gets very popular. But you can definitely use them till your site is not very popular.

Answer 3

I have a a bogus form input (something like zip, or any other info that bots love to fill out but you really don't need) that has visibility: hidden; position: absolute. The motivation behind this is to get an input that is invisible to the user, but visible to the bot. So, whenever you get a request where that specific input is filled out, you know that it wasn't a human.

I use visibility: hidden; position: absolute so that it still uses up space, but doesn't clutter the design. This is for the bots that use more elaborate techniques to detect hidden inputs since, for JS, something isn't hidden if it takes up any amount space.

I haven't tested this technique on largely successful site as of yet, but it is still worth a try. Beware however that some Browsers (I am looking at you Safari/OSX!) that take info from your contact list and fills out all the input fields automatically (potentially even your hidden inputs) for you so you better check for bugs in that direction.

Answer 4

if you hate captcha then I can give youe two quick other options:

• any kind of authentication(facebook connect you almost know for certain the user is trustworthy).
• akismet

Answer 5

Mathematical questions are becoming increasingly popular

e.g. : what is 3 + 2?

These are often easier to read than captchas which can be very confusing for some users.

Answer 6

there is a nice trick which you can use by setting an empty input displayed none to the user but visible to the bot.

and if that input filed !=="" empty, return false for the form.

there is more here http://klauskjeldsen.dk/avoid-html-form-spam-using-css/