CAPTCHA No longer effective

Hi, I’m using the Google Captcha API/system on my site… It’s definitely working, I can’t send a contact message to myself without typing in the scrambled phrases. But yet I’m getting about 10 emails a day lately from spammers using this form. Have spammers gotten more sophisticated lately? Is anyone else experiencing this?

Yes. There are ways to scan and interpret CAPTCHAs. The reCAPTCHA service is actually one of the easier ones to read.

You can try including a blank “honeypot” input field in your form. The idea is that spammers will fill this field, but real people won’t. So when the form is submitted, you check to make sure it’s empty.

If messages from the form you are protecting with CAPTCHA are sent to an email account, I would recommend filtering them through a gmail account. Their spam filter is pretty good at filtering that stuff out.

That’s too bad. I saw a site with a new type of captcha using puzzle pieces you assemble. Maybe I’ll try that one if I can find a free API somewhere. Unfortunately I can’t use spam protection: since each lead can potentially be a 5 figure sale and I don’t get many leads, I can’t afford to miss a single one. I’d rather wade through 50 spams a day than risk that. However, an effective human validation system would solve all my problems. Thanks for the info!

You do realise that any CAPTCHA also blocks a small percentage of real people from being able to use the form as well. The more effective it is at blocking bots, the more real people it potentially blocks. Just as with any form of spam protection, a CAPTCHA has some false positives - so if not missing a lead is that important to you, then why are you using that spam protection aka CAPTCHA?

Not sure I understand how the captcha would fail… if they get the code wrong my page says it’s wrong and they have to keep trying until it lets the email go through and says ‘Email sent’ etc. The script doesn’t just silently fail and lead the user to believe it was sent…

Or am I missing something?

What you’re missing is that some people have problems with various types of CAPTCHA images, spoken words, text, etc. They will leave in frustration if CAPTCHA slows them too much.

What Stephen often recommends is a timer which would differentiate an automated form-bot from a human … but it will pass human spammers just like your current CAPTCHA is apparently doing.

Nothing’s perfect but you just have to weigh the cost-aggravation (to you)-aggravation (to site visitors) to determine which method is best for you.

Some people are blind and so can’t see a visual captcha. Some people are deaf and so can’t hear an audio captcha. Some people have mental disabilities that would prevent them from being able to correctly answer a simple question type captcha. Usability studies have shown that about 70% or so of web users are disabled in some way that affects their ability to interact with some ways of doing things on the web.

If the particular captcha you are using relies on a particular ability that people have and computers do not then those people whose disability is that they don’t have that particular ability can not be distinguished from a bot using that captcha. Some captchas try to partly get around this by presenting the captcha two ways so that a person would have to be disabled in both ways in order to not be able to use one of the two. That’s why some visual captchas have the ability to play a sound file of the captcha content - that way both deaf and blind people will be able to use the captcha just as long as they are not both deaf and blind.

Do you really want to aggravate someone looking to spend a five figure amount who is colour blind and who therefore has failed to distinguish the characters in your captcha several times already and who therefore decides to go to some other site and let them have the money instead?

Ideally you want to use a captcha that clearly distinguishes based on some difference between people and bots that applies to all people and all bots. Unfortunately there is no such captcha. As David said, the closest to that non existent captcha that I have found so far is the time that it takes people to fill out the form - bots can type a lot quicker than people. Where that type of captcha may run into problems is if people copy and paste content - you’d have to try to work out the appropriate points in the process to time between to take things like that into account.
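The honeypot field suggested earlier in the thread and the timer described in this post, combined in one server-side check. This is an added example, not code from any poster; the field name `website`, the hidden input `form_token`, the secret and the thresholds are all assumptions. The timestamp is HMAC-signed so a bot cannot simply submit an old-looking time, and the minimum is kept low so that people who paste their message are not rejected.

```python
import hmac
import hashlib
import time

# Server-side secret (constructed placeholder); never rendered into the page.
FORM_SECRET = b"replace-with-a-random-secret"
HONEYPOT_FIELD = "website"   # assumed name of the decoy input, hidden with CSS
MIN_SECONDS = 4              # faster than this, nobody has read the form
MAX_SECONDS = 6 * 60 * 60    # tokens older than this are treated as replayed


def _sign(ts):
    return hmac.new(FORM_SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Render this into a hidden 'form_token' field when the page is served.
    Without the secret a bot cannot forge an earlier timestamp."""
    ts = int(now if now is not None else time.time())
    return f"{ts}.{_sign(ts)}"


def check_submission(fields, now=None):
    """Return 'ok' or the reason the submission looks automated."""
    now = int(now if now is not None else time.time())
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"          # real visitors never see this field
    token = fields.get("form_token", "")
    ts_str, _, sig = token.partition(".")
    if not ts_str.isdigit() or not hmac.compare_digest(sig, _sign(int(ts_str))):
        return "bad_token"                # missing, altered, or forged timer
    elapsed = now - int(ts_str)
    if elapsed < MIN_SECONDS:
        return "too_fast"                 # filled in quicker than a person could
    if elapsed > MAX_SECONDS:
        return "stale_token"              # page rendered long ago; likely replayed
    return "ok"
```

Log the returned reason rather than showing it to the visitor, so a rejected human sees a generic retry message while you can still see which check each spam run trips.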

I doubt Helen Keller is bringing him 5 figures. The recaptcha is probably the most accessible one there is. It has audio for the deaf and can refresh another image. On my recent site I just said screw it to the forms, and just obfuscated my email. That’s all 99% of users want anyway - to simply email you.

Additionally I’m a large supporter of the random 5 + 2 question. I hate trying to read those captcha images. I would never subject my users to the likes of those. If a bot could do math then a bot could read. So if they are equal in regards to spam protection, why not provide a simple question to your user? Of course that does not account for the deaf, but if others really cared then they would make an audible plugin for simple math.

Which doesn’t help those with a mental disability so that they don’t know how to add numbers together - there are some people like that who are perfectly average in every other way. Of course with a financial transaction they are probably best being blocked as well as the bots.

I see your point. But realistically if a user can’t solve a simple math problem then most likely they can’t make out those horrible captchas either. So they are equal again.

If you have specific information you need to gather then yes, a form is more appropriate. But if you are only providing a way for them to send you an email then I think email obfuscation is better and easier for all involved. At the very least easier.

Eric I like your point about users just wanting to email, because I’m the same way. If I see a contact form I’m looking around for an actual email address I can use. I do have an image of an email address on my contact page, so maybe I can emphasize that better as an option. Maybe get rid of the captcha form altogether…

What technique are you using to obfuscate your email? I would think a spammer’s robot could reassemble it just as easily as a browser could for display?

An image of an email is no good either. You have to assume a user can’t remember your email by looking at it. And they can’t copy it. So they have to go back and forth between windows entering the email. I gave this considerable thought and Google time. These 3 ways are the best I could find. Option one being my preferred way. I have this implemented on 2 of my sites each getting 15,000 visitors monthly and no spam at all. Aside from the human ones, that is, offering me SEO services. I DON’T WANT YOUR SERVICES. YOU’RE A DYING BREED. GIVE UP ALREADY.

I read your solution #1… That seems to address the problem of email address scrapers, but the spam bots are actually using my own form they aren’t just stealing my email. So your solution hides the email but what if their technology just clicks on the link and sends an email through just as though a live person were using the browser?

Bots don’t click. They only read. So if they can’t read it they can’t use it.

In my case on my contact page it’s actually submitting my contact form with spam in the comments… I get about 15 a day now. There is no email address visible at any time in the HTML, it’s just a form post. So these bots are filling out their spam in my comments area and then submitting (as well as foiling the captcha). If they can do that then there must be other crawlers going around and automatically clicking on every LINKTO anchor tag? Well, you did mention the solution has worked for you for years, so I’ll give it a try. What I’m using now is useless. This is the type of email I’m getting from my form (removed part of their URL):

NAME: fake coach purses

COMMENTS: Your Site Is Great!, http://www.{REMOVING THIS}/profile/92211 First fake coach purses, 8[,

I don’t know for sure but I believe bots can only hijack (and use it to spam others) a poorly secured form. Not an email address. So even if they are able to read your address they won’t use your mail to spam others, only you. Tell me if I’m wrong?

Interesting article on captcha’s ineffectiveness:

I am just going to add a question/answer system, can’t do any worse than recaptcha. It was working 100% of the time with zero spams for the past year, then just a couple weeks ago I started getting 20+ per day. So it’s rubbish now.

There is nothing to prevent bots filling out forms with their garbage and having that email go to the address that the form is set up to send to. The bot can’t use the form to send to anyone other than that email address because it doesn’t have access to the email address at all. The bot doesn’t know the address it is sending to just that the form goes to an email address that does exist. So with a properly coded form that adds the email address after the form is submitted the only person who gets spammed is the owner of that address.

The purpose of introducing a CAPTCHA is to try to separate the legitimate emails going to that address from the spam ones. As only one form and one email address are involved there are several places where the CAPTCHA can be applied - to the form when it is first filled out, on the mail server where the mail is sent to, on your computer where you receive the emails. If there is an obvious difference between what legitimate emails and spam emails contain then testing for that difference would be the least obtrusive CAPTCHA.

What is Form Hijacking?

"Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominately to send spam emails and uses the server on which the form is hosted to deliver the spam emails. This effectively makes the domain and server that processes the form the spam source allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain including blacklisting of the domain.

Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email, this is known as email injection. These headers are basically the email delivery instructions. They can include To: From: Subject: BCC: and a range of other information applied in delivering the email. If the headers can be corrupted it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC) and it is sent by the hijacked server."
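The email injection the quoted text describes, shown from the form handler’s side: the vulnerable concatenation pattern next to a hardened handler that keeps the destination address in server configuration (as the earlier post about a “properly coded form” puts it) and refuses any header-bound field containing a line break. This is an added example, not code from the thread or the quoted article; the owner address, field names and address regex are assumptions.

```python
import re
from email.message import EmailMessage
from email.policy import default

# The recipient is fixed server-side configuration (constructed placeholder);
# the submitted form never carries or chooses the destination address.
SITE_OWNER = "owner@example.invalid"

# Exactly one plain mailbox: no display name, no list, no folding whitespace.
SINGLE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormRejected(ValueError):
    """Raised when a submission can only be a hijack attempt."""


def naive_headers(fields):
    """The vulnerable pattern: a header block built by string concatenation,
    so a CR/LF inside a submitted field starts a brand-new header line."""
    return ("To: " + SITE_OWNER + "\r\n"
            "Reply-To: " + fields.get("email", "") + "\r\n"
            "Subject: " + fields.get("subject", "") + "\r\n")


def header_names(raw_headers):
    """Header names a mail server would see in a raw CRLF-separated block."""
    return [line.split(":", 1)[0] for line in raw_headers.split("\r\n") if line]


def build_contact_email(fields):
    """Hardened handler: reject line breaks in header-bound fields, require a
    single plain reply address, and let the email library render headers."""
    reply_to = fields.get("email", "")
    subject = fields.get("subject", "Website contact form")
    for label, value in (("email", reply_to), ("subject", subject)):
        if "\r" in value or "\n" in value:
            raise FormRejected(f"line break in {label}: header injection attempt")
    if not SINGLE_ADDR.match(reply_to):
        raise FormRejected("reply address must be exactly one plain mailbox")
    msg = EmailMessage(policy=default)
    msg["To"] = SITE_OWNER          # destination from config, never from the form
    msg["From"] = f"Contact form <{SITE_OWNER}>"
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject[:200]
    # Free text goes only into the body, where line breaks are harmless.
    msg.set_content(f"Name: {fields.get('name', '')}\nEmail: {reply_to}\n\n"
                    f"{fields.get('comments', '')}")
    return msg
```

Rejections from `build_contact_email` are worth logging with the source IP: a form that trips the line-break check is being probed, which is the crawler behaviour the quoted text describes.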