Is Captcha needed?

You could use an unobtrusive CAPTCHA such as recording when the page first loaded and when it was submitted and requiring a minimum time between the two. Any less than that time and the form has obviously been filled out by a spambot.

You mean obtrusive CAPTCHAs such as those almost unreadable images. There are lots of other ways to do CAPTCHAs that can in some instances be completely invisible to those using the page - such as the one I suggested above of setting a minimum time for filling out the form and rejecting any filled out faster than that.

There are some techniques that can … neuter spambots' abilities to hit you too hard.

A classic and simple one that makes around 80% of bots fall flat on their face (and it’s amazing this is all it takes) is to issue a random hash along with the form in a hidden input, stored server-side in a database along with the IP address and access time… Expire them on every submit or after a certain length of time (I like fifteen minutes).

So many bots just copy the form hiddens once and then try to re-use that one form request over and over – making them have to handshake the actual form for every submit takes too long – making you less of a target.

Of course, you can always have a properly configured copy of SpamAssassin running - takes care of another 80% or so, reducing what gets through to a few dozen.

Finally, there are blacklists. I’ve actually been using stopforumspam.com’s e-mail and IP address ban list which does a wonderful job of telling spammers where to shove it. I cannot sing high enough praises of said site’s functionality.

Between all of the above, on a contact form that sees 20 or so legitimate mails a day, I get maybe 3 spam a week that slip past all the filters, in 8 months I’ve only had ONE false positive, and the grand total for rejected attempts to use the form sits at around a thousand a day right now.

About 800 of those are caught by the hash before I even check stopforumspam or count what spamassassin dumps into the junk folder.

Which is how I run without a captcha on my contact forms…
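The two passive checks discussed in this thread (the minimum fill time suggested earlier, and the per-request hidden hash tied to IP address and issue time, expired on submit or after fifteen minutes) can share one server-side token store. The following is an added example written for this thread, not code posted by anyone in it: a Python module where an in-memory dict stands in for the database table the poster describes, the five-second minimum fill time is an assumed value (only the fifteen-minute expiry comes from the thread), and the sample IP addresses and timestamps are constructed for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Thresholds: the fifteen-minute expiry is the one mentioned in the thread;
# the minimum fill time is an assumed value for this example and should be
# tuned against real submission timings before being used to reject anything.
MIN_FILL_SECONDS = 5.0
TOKEN_LIFETIME_SECONDS = 15 * 60


@dataclass
class IssuedToken:
    ip: str          # client address the form was served to
    issued_at: float  # Unix time the form was rendered


class FormTokenStore:
    """Server-side record of the random hidden-field value issued with each form.

    A dict stands in for the database table the thread describes; a real
    deployment would keep the same three fields (token, ip, issue time) in a table.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, IssuedToken] = {}

    def issue(self, client_ip: str, now: Optional[float] = None) -> str:
        """Create a fresh, unguessable token for one rendering of the form."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._tokens[token] = IssuedToken(ip=client_ip, issued_at=now)
        return token

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop tokens older than the lifetime; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [t for t, rec in self._tokens.items()
                 if now - rec.issued_at > TOKEN_LIFETIME_SECONDS]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def validate(self, token: str, client_ip: str, now: Optional[float] = None) -> str:
        """Check a submitted token and consume it.

        Returns 'ok' when every check passes, otherwise the name of the first
        check that failed. Keeping the reason lets you count what each layer
        catches, the way the poster tracks the ~800/day caught by the hash.
        """
        now = time.time() if now is None else now
        # Consume on every submit, pass or fail, so a copied token never replays.
        rec = self._tokens.pop(token, None)
        if rec is None:
            return "unknown_or_reused_token"
        if rec.ip != client_ip:
            return "ip_mismatch"
        age = now - rec.issued_at
        if age > TOKEN_LIFETIME_SECONDS:
            return "expired"
        if age < MIN_FILL_SECONDS:
            return "too_fast"
        return "ok"


def demo() -> Dict[str, str]:
    """Run the scenarios from the thread against constructed inputs."""
    store = FormTokenStore()
    t0 = 1_700_000_000.0  # constructed 'page loaded' timestamp
    results: Dict[str, str] = {}

    # Human: loads the form, spends 40 seconds, submits from the same address.
    tok = store.issue("198.51.100.7", now=t0)
    results["human"] = store.validate(tok, "198.51.100.7", now=t0 + 40)

    # Replay: the same hidden value posted again a minute later.
    results["replay"] = store.validate(tok, "198.51.100.7", now=t0 + 100)

    # Automated submit one second after the form was served.
    tok = store.issue("203.0.113.9", now=t0)
    results["too_fast"] = store.validate(tok, "203.0.113.9", now=t0 + 1)

    # Token fetched from one address and posted from another.
    tok = store.issue("203.0.113.9", now=t0)
    results["wrong_ip"] = store.validate(tok, "192.0.2.44", now=t0 + 30)

    # Form left open longer than the fifteen-minute window.
    tok = store.issue("198.51.100.7", now=t0)
    results["expired"] = store.validate(tok, "198.51.100.7", now=t0 + 1000)

    # A value that was never issued at all.
    results["forged"] = store.validate("deadbeef" * 4, "198.51.100.7", now=t0 + 30)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

Of the four checks, the IP match is the one most likely to produce the rare false positive the poster mentions: users behind carrier-grade NAT or on mobile networks can legitimately change address between loading and submitting, so logging mismatches separately before deciding to reject on them is a reasonable first step. The minimum fill time likewise needs tuning against real traffic, since browser autofill can complete a short form in a few seconds.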

What you just described is a captcha - since a captcha is basically anything that attempts to distinguish between real people and spambots.

CAPTCHA supposedly stands for “Completely Automated Public Turing Test To Tell Computers and Humans Apart” and your hash process does that at least as well as any other CAPTCHA does in making the distinction.

Indeed. I should elaborate on my thoughts. Active CAPTCHA where a user is forced to tilt their head sideways and squint to figure out the letter and then enter it in a textbox is a process I never use.

Passive CAPTCHA (no user input required and running seamlessly in the background) in cases as you have described is the best possible option since the user has no idea it is even being employed.

I like the idea of a timer. I may tinker with that in the future.

The term “CAPTCHA” is getting pigeon-holed. To many (me included), it’s only thought of as those unreadable letters and numbers, but you make a good point that it is deeper than that.