Is CAPTCHA unavoidable?

Let me paraphrase this before you try to read the whole thing:
Is there a way other than CAPTCHA (text/image based) to prevent Bot Spam from flooding my database?

Hello all, I’m running a forum that’s been inundated with Spam Bots nowadays. I am sick of detecting and deleting the phony users as you might have guessed. The Forum’s built in Captcha is no use at all, and the flood is unstoppable. I’m thinking of implementing reCaptcha, but many users hate that.

I have also run into spam issues on contact forms multiple times in the past. Adding a Captcha helped, always.

But I have talked to more than a few people who convey their pure loathing for captchas. Especially the middle-aged and elderly peoples of the planet hate to bring out the specs/look closer to make out the fudgy and/or small text that is presented as CAPTCHA.

I have seen and - two extremely popular and heavily advertised+used job websites - they have no Captcha~! I repeat, they have no captcha on their signup forms. No image captcha, no text captcha, nada.

How are they managing this? Isn’t it easy for someone to program a bot that auto submits the forms till their staff faints of exhaustion from sifting through bot-induced vs. real registrations?

Is there some technique other than CAPTCHA that these sites are using that I don’t know about, to prevent Bots?

Yes - use some other sort of CAPTCHA instead of a text/image based one. There are all sorts of different CAPTCHAs that are used on different sites now and not all of them involve images. All that they all have in common is that they are “Completely Automated Public Turing tests to tell Computers and Humans Apart”.

Thanks for the suggestion felgall, could you also try and answer the other question of mine, about not having a Captcha? How is that possible, can you hazard a guess, please?

Most of the different types of CAPTCHA (apart from image and text CAPTCHAs) work on the server side where they are completely invisible to anyone viewing the form. It is only the least sophisticated CAPTCHAs that are visible on the form itself.

One form of CAPTCHA that is visible in the source of the sign up page is that there are several form fields in that form that are not visible when you view the page with CSS enabled because they use display:none in the CSS. A real person visiting the page with CSS enabled will not see those fields and so will not enter anything in them. The spambots that don’t check for what fields are and are not visible will try to stick values in all the fields in the form including the hidden ones and so the server can distinguish people from bots based on what is in those fields.


Well that’s really clever. Thank you for pointing that out! Sure, this will completely throw off automated spiders! But like somebody here pointed out, this might not work if the site is manually targeted. Hmmm, but then you gave me a great head-start with the perfect keyword : all I have to do now is google “invisible captchas” to get some great ideas… thanks again :slight_smile:

Okay I came across this really awesome article with a virtually invincible technique that does not need CAPTCHA:
Ned Batchelder: Stopping spambots with hashes and honeypots

I’m posting it for the reference of any others that might need an answer to this question. If somebody still manages to create a bot that mounts an attack on your site, that article has techniques to avoid that too.

If somebody still creates a bot that can spam your form, the bot’s software must be many orders of magnitude more complex than what most bots are capable of, and I must salute your skill of pissing people off enough to go after you with such vengeance :stuck_out_tongue: Besides, now that bot is so complex that a very slight alteration in your form processing logic will be enough to make it fail, and then the cracker will have to adjust for this, and then you do something again and so on till your enemy quits the battlefield out of fatigue and boredom :slight_smile:

Yes that honeypot CAPTCHA can be quite effective at blocking some bots without real people even knowing that it is there (unless they view the source). Plus it is extremely quick and simple to add to any form.

The other ideas in that article also look like they are could be effective unobtrusive CAPTCHA techniques.