A member of my company in greater ranking than myself refuses to use recaptcha.net on his website to thwart spam off of a public form. He thinks it would be difficult for anyone coming to our site to enter their information since the Turing Tests are "so darn hard to read".

Is there an alternative to using this method, one that doesn't contain these sorts of difficult-to-read images?

(Okay stupid question...if it were up to me we'd use recaptcha because everyone else on earth does...but I just figured I'd check anyway.)

Also, is using a hidden field that is set by Javascript and later checked on the server really a good way to thwart spam?

I myself don't really buy that it is...since there are all sorts of Javascript engines that don't run in a browser yet can run Javascript (Rhino etc...), that could easily be used to thwart a JS/Serverside anti-spam method.

A: 

Add a non-standard required input field. For example, require a check-box that says "check me" to be checked. That will defeat any automated scripts that aren't tailored to your site. Just keep in mind it won't defeat anyone specifically targeting your site.

Strilanc
+3  A: 

CAPTCHA will reduce your spam but it won't eliminate it. People are paid to decipher those glyphs. Some sites use the glyph that was presented to them for their own site so some hapless visitor will decipher it.

Just so you're aware that it's not a perfect solution.

Based on the principle of don't solve a problem until it's a problem: is spam a significant problem on your website? There is something to be said for not annoying your customers/visitors. Even here I sometimes need to make a few edits and I get the irritating "I'm a Human Being" test on typically the last edit I need to make. It's annoying.

People have proposed all sorts of other methods for dealing with this problem. One I read about used pictures of cats and dogs that you had to classify because apparently there's a database of 30+ million of these in the US for abandoned animals or somesuch. This or anything that gets in widespread use will be defeated.

The biggest problem with spam on sites is if you use software that's in widespread use (eg phpBB). Your best bet for those is to make enough modifications to defeat out-of-the-box scripting. You may get targeted anyway but spamming is a high-volume low-success game. There's no real reason to target your site until it accounts for a significant amount of traffic.

The other thing worth mentioning is techniques that can be used to defeat scripted spam:

  • Use Javascript to write critical content rather than including it as static HTML. That's a lot harder to deal with (but not impossible);
  • Rename and/or reorder key fields like username and password. For example, generate username and password form fields and store them as session variables so they only work for that user. That then requires the user to have visited the page with the login form (rather than scripting a form response that can be POSTed directly);
  • Obfuscate the form submission. Things like unobtrusive Javascript that you can do in jQuery and similar frameworks make this pretty easy;
  • Include a CAPTCHA image and field box and then don't display them (display: none in CSS). You'll confuse parsers.
cletus
+2  A: 

The best way for not so popular sites is to insert a hidden field and check it. If it's filled then it's spam because those bots just fill in any field they find.

Georg
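
Added example, not part of any answer on this page: a server-side check that combines the hidden honeypot field described in this answer with the per-session field names suggested in cletus's answer. `SERVER_KEY`, the field names and the session ids are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret kept server-side; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)
LOGICAL_FIELDS = ("name", "message")  # hypothetical form fields
HONEYPOT = "website"                  # hypothetical decoy, hidden with CSS (display: none)


def field_name(session_id: str, logical: str) -> str:
    """Derive the per-session HTML name for a logical field."""
    mac = hmac.new(SERVER_KEY, f"{session_id}:{logical}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]


def render_fields(session_id: str) -> dict:
    """Names to emit in the form served to this session (logical -> HTML name)."""
    names = {f: field_name(session_id, f) for f in LOGICAL_FIELDS}
    names[HONEYPOT] = HONEYPOT  # the decoy keeps a tempting, static name
    return names


def check_submission(session_id: str, posted: dict):
    """Return (accepted, reason, cleaned_fields) for a POSTed form."""
    # Honeypot: a human never sees the field, so any value means a form-filling bot.
    if posted.get(HONEYPOT, "").strip():
        return False, "honeypot filled", None
    cleaned = {}
    for logical in LOGICAL_FIELDS:
        value = posted.get(field_name(session_id, logical))
        if value is None:
            # The POST was built without loading this session's form
            # (static field names, or names copied from another session).
            return False, f"missing session field for {logical}", None
        cleaned[logical] = value
    return True, "ok", cleaned
```

Rejected submissions are better logged and silently dropped than answered with an error, so a script gets no signal about which check it failed.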
+3  A: 

You might want to look into Akismet and/or Mollom.

Evan
Mollom is cool in that only spammy-looking submissions will be prompted with a CAPTCHA.
Greg
A: 

We've got an alternative, developed specifically to deal with the usability issues your co-worker is concerned about. Currently we have PHP and Python libraries for our RESTful API, as well as a WordPress plugin. More should be on the way very soon. It's also configurable. Feel free to demo it. See the configuration options. Hopefully you'll like it and check out the code.

A: 

I used to think CAPTCHAs were good and used reCAPTCHA on public forms. I noticed that spam submissions were gone but I also noticed that real submissions were cut drastically as well.

Now I don't believe in CAPTCHAs. They work but I feel they can do more harm than good. After having to enter in hard to read CAPTCHAs on other sites I understand why I don't get as many real submissions. Any input that a user must act on that is not related to their main goal is a deterrent.

I usually use several methods to prevent spam and it depends on what type of content I'm expecting in forms. I created server methods that scan comments and mark them as spam based on content. It works ok, but I'm no spam expert so it doesn't work great. I wish someone would make a web service that did this.

I think the links from Evan are pretty interesting!

metanaito
A: 

Another method that I have heard about, which basically extends the javascript idea, is getting the client's browser to perform a configurable JavaScript calculation.

It has been implemented in the NoBot sample as part of the Microsoft AJAX Control Toolkit; see http://www.asp.net/AJAX/AjaxControlToolkit/Samples/NoBot/NoBot.aspx for some more details of how it works.

benophobia
+1  A: 

A simple way is to display an image reading "orange" and ask users to type that.

Manu
Coding Horror FTW.
Ben Alpert