
Effective captcha solutions

@Alves908

Posted in: #Captcha #SpamPrevention #Validation

Possible Duplicate:
How can I prevent spam on sites which I control?




ReCaptcha is all the rage at the moment,

Based on customer/user feedback, what other captcha or general human verification tools have you used for your website?

Links to the API/Site appreciated,

Thanks guys!


7 Comments


 

@Bryan171

I have only administered one forum, which is phpBB-based. Recaptcha was a godsend; instating it for user registration and unregistered posts reduced spam to a fraction. Additionally, we still use a blacklist filter, which does keep out some remaining spam but may be more annoying than helpful.



 

@Carla537

One thing that's worth noting is that more and more spammers are using real people to do their work, rather than bots, in which case worrying about which captcha or honeypot to use isn't going to be very useful.



 

@Rivera981

I've also used simple natural language challenges, such as:

A ________ is something with numbered pages surrounded by two covers.
Hint: Rhymes with look


The caveat of this approach is having to maintain a separate challenge/hint/answer file for each language that you want to support, but I'm leaning in this direction more and more as CAPTCHA images become increasingly harder to read for some people. My wife, for instance, wears heavily corrective lenses and gets extremely frustrated when she fails the 'human check' several times, even when the site is using RE-CAPTCHA.

Challenges in plain text also have the benefit of changing as users set accessibility controls to their liking.

The only requirement for the visitor is an elementary degree of literacy, so this might not work on sites like YouTube or Yahoo Answers.



 

@Samaraweera270

Use a combination of timestamp, spinner, field names, and honeypots...

Read this article for the detailed example.

A timestamp is exactly what it sounds like. A hidden field that marks the time when the form was originally opened. This defeats playback bots that copy a form and replay back the submission process over and over with different data each time. If the timestamp isn't close enough in relation to when the form is submitted the submission is automatically rejected.

A spinner is a hash using data from the timestamp, IP address, entry ID of the article, and a secret.

Field names are all generated by applying the hash to the 'real' field names. By comparing the field names with the spinner during the post-processing stage you can verify whether the person or bot is the same as the one who originally opened the form.

The Honeypot has already been explained by @D4V360. It's essentially a hidden field that acts as an invisible trap for bots. If it's filled in with data then the form is automatically rejected.

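The timestamp, spinner, hashed field names and honeypot from @Samaraweera270's comment, put together as an added example (not code from the comment or from the article it refers to). HMAC-SHA-256 stands in for the "hash ... and a secret"; the field names, the one-hour window, the secret and the sample IP and entry id are constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side only, never sent to the client
MAX_AGE = 3600                       # assumption: forms older than one hour are rejected
REAL_FIELDS = ("name", "comment", "honeypot")  # hypothetical form fields

def _mac(text):
    # HMAC-SHA-256 plays the role of the "hash ... and a secret" from the comment.
    return hmac.new(SECRET, text.encode(), hashlib.sha256).hexdigest()

def spinner(ts, ip, entry_id):
    return _mac(f"{ts}|{ip}|{entry_id}")

def field_name(spin, real):
    # Leading "f" keeps the generated name a valid HTML name/id token.
    return "f" + _mac(f"{spin}|{real}")[:16]

def render_form(ip, entry_id, now=None):
    """Values to embed in the form: hidden ts, hidden spinner, hashed field names."""
    ts = int(time.time() if now is None else now)
    spin = spinner(ts, ip, entry_id)
    return {"ts": ts, "spinner": spin,
            "fields": {real: field_name(spin, real) for real in REAL_FIELDS}}

def validate(post, ip, entry_id, now=None):
    """Return (data, reason); data is None when the submission is rejected."""
    now = int(time.time() if now is None else now)
    try:
        ts = int(post["ts"])
    except (KeyError, TypeError, ValueError):
        return None, "bad timestamp"
    if not 0 <= now - ts <= MAX_AGE:
        return None, "timestamp out of window"
    # Recompute the spinner from what the server sees now; an edited timestamp,
    # a different IP or a different entry all change it.
    spin = spinner(ts, ip, entry_id)
    if not hmac.compare_digest(spin.encode(), str(post.get("spinner", "")).encode()):
        return None, "spinner mismatch"
    data = {real: post.get(field_name(spin, real), "") for real in REAL_FIELDS}
    if data.pop("honeypot"):  # hidden via CSS, so a human leaves it empty
        return None, "honeypot filled"
    return data, "ok"

if __name__ == "__main__":
    form = render_form("203.0.113.7", 42)  # constructed client IP and entry id
    names = form["fields"]
    post = {"ts": form["ts"], "spinner": form["spinner"],
            names["name"]: "Ann", names["comment"]: "Nice post", names["honeypot"]: ""}
    print(validate(post, "203.0.113.7", 42))
```

A submission replayed from the same IP inside the window still validates: the scheme bounds replay in time and ties it to one client and entry, but does not make a form single-use.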


 

@Dunderdale272

I like low-tech: Doing a simple math problem works well.

Enter what 4 + 4 adds up to:


Then check server-side for 8.

This is one I've used successfully on blogs using the Math Comment Spam Protection Plugin.

Adding an extra field to your forms like:

<input name="bots_only" value="" style="display: none" />


Usually, if bots_only is passed along with a value then you've got a bot. Though browsers without CSS will see that field, if you place it after your submit button it should get ignored even if it is for some reason visible.



 

@Sarah324

Captcha2 is another alternative. It works by clicking three letters following instructions on screen. Not sure how this stands up to internationalisation. It's also not free after the first 1000 impressions. If you're after something a little more light-hearted then KittenAuth is interesting - click 3 kittens to continue. Finally, to see how captchas are standing up to automated cracking, take a look at the PWNtcha site. It has an open source solution for cracking captchas along with details on the toughest types.



 

@Heady270

I like to use Honeypots in my forms since the user won't notice them; they keep most crap away but are not 100% foolproof. The trick is to make a new form field in your existing form, for example <input type="text" name="email" id="mailfield"/> and put #mailfield { display: none; } in your CSS. If your form is submitted with data in the email field you can be pretty sure it's a bot and discard the message.
