I am using a custom captcha php script along with news letter scripts to let users subscribe using an email id. The method of registration is based on command.

My question is that am I really safe If I remove the captcha validation from my subscription script. The subscription is simple. For example

[email protected]

The subscribe.php is called along with email as parameter using command. I am new to web programming stuff and don't have much idea about spammers in conjunction with above scenario. Any advise would greatly be appreciated.



Depdends. You'd probably safe against general malicious subscription attempts, but not against those that are specifically targeting your signup. I personally wouldn't chance it. Did a majority of subscribers complain about a difficult signup process?

What's the motivation behind your thinking of removing the captcha?

Jan Kuboschek
There is no motivation or as such. I am new to this stuff and would like to know if I am on right track or not.
+1  A: 

I've never heard of spamming subscription lists.
Spammers are known for sending their own spam, not subscribing to someone's else one %)

Col. Shrapnel

By removing the captcha, you would basically allow bots to subscribe.

Why they would want to - depends on your content. If the news letter contains no links, or only links to other non-interactive (or captcha protected) resources, you're good.

If your news letter contains link to resources where a bot can go and spam other people, chances are that they will.

Lauri Lehtinen
+1  A: 

Spambots fill out every form they can get their hands on.

I receive subscriptions from bots everyday and I'm slowly adding captchas to all forms.

A bot does not know if the form he is filling out is for a subscription, a contact form or a mass mailing opportunity.

If you don't protect yourself by either using captchas or moving some of the logic into javascript functions, you will send emails to all these addresses.

This increases your traffic, decreases your control over your subscribers, makes a mess out of your stats and sometimes you might send an email to users that didn't want to subscribe because a bot has subscribed thru a trick (i.e. [email protected] also reaches the user [email protected]).

So my advise: stay with the captcha Or: modify your form to make more use of javascript (i.e. load the form via ajax), because bots are not normal users with a browser, they only simulate them

+1  A: 

From the answers that I have read only the one from favo is really true. A spambot is a computer program that most likely goes one by one in google and searches your page for any input box and submit button.

I have experience with spam and my subscriptions but adding a capcha can get you less subscriptions. Take it off for now and if you can moderate the emails before adding them to to the mailing list. If you see you are getting to much spam then go ahead and put up the capcha. But really one or two spam emails a week is normal.

So, I recommend moderation until it gets ridiculous.

Michael Ozeryansky
The real problem is that if you are bombarded with spam emails, it would be difficult for you to identify between a real human user and spam one. Then later on you are bound to send mails to all the emails in your database. Having a captcha validation is good but it may be little annoying for end user who is subscribing. Googling shows that most of the sites subscription are without captcha. Now I have no idea if they are using any other methods/techniques to filter out spams.
well, normally you use double-opt-in, which means that you will send your new subscriber an email with a link for activation -- this also helps to filterwrong subscriptions and spam bots

Something simple I have done in the past is add a few hidden fields. Most bots will fill these in, a normal user couldn't so you simply put in some logic that says if the hidden fields contain data simply do nothing.

It is not fail safe but it certainly has stopped large amounts of bot sign ups on sites where I have implemented it.


I am using code like this:"php/varify_captcha.php", jQuery("#contact_form").serialize(),function(result, status){
if(status == "success"){"php/send_mail.php", jQuery("#contact_form").serialize(),function(result, status){

First, captcha is validated then mail is sent. My question that should I move the captcha validation inside "send_mail.php"? I have no idea about spams and their ability to read and execute the code. If yes, then they can directly call the "send_mail.php". Let me if above method is safe or shall I move captcha validation inside the "send_mail.php" to make code bit more safer.