Freeing the Captcha

[Joss]

With Ticket Master announcing that they have dropped reCaptcha in favour of an advertising solution (http://www.bbc.co.uk/news/technology-21260007) the question is, what do you do?

Do you just have captcha on signup forms or on everything?

Do your clients prefer to advertise their email address and cope with the spam?

Have you a great alternative that does not annoy my mother...

The days of trust have gone on the internet, but does the current trend of putting up brick walls everywhere risk isolating businesses?

What is the best policy? And where a technical solution is required, which is the best one?

[MatthewSchenker]

Hey Joss,

I hate CAPTCHA.

Just wanted to get that out of the way.

I would love if some enterprising individual developed a new idea that took hold.

Personally, I like the idea of just using something intuitive within the context of the form.  More creative, and actually makes it fun if you do it right.

Thanks,

Matthew

[Joss]

I think there are two problems with reCaptcha particularly:

1. It is difficult to use - I often refresh three or four times to get something I am confident I can read

2. It is very widely used, and therefore users are familiar with it - good for reCaptcha, not so good if you want to move away from it.

The problems of any new system is that if people do not recognise it, at least in its form, then it is as much as a barrier as reCaptcha is.

To a certain extent this means that is probably better to go with solutions from larger companies that are being pushed heavily so that at least the solution you are using is probably going to grow to be familiar to users.

On the downside, as soon as any one solution (or even type of soultion) gets pushed widely, then it becomes a target...

A bit of a minefield.

[DaveP]

I hate CAPTCHA.

Me too. Just this afternoon I logged in to a trade site using not just username + password, but dealer code + username + password (3 inputs!) only to be later confronted by this monstrosity...

So what the heck is the need when I'm already logged in, and what exactly is that behind the D?

[yellowled]

Do you just have captcha on signup forms or on everything?

No captchas anywhere, at least no visible ones. They're usually inaccessible, not as “bulletproof” as many people may think, and a nuisance to any visitor. Ever spent half an hour entering whatever you got from those stupid captcha images, failing over and over again although you were sure to have entered the correct pass phrase? Exactly.

There is no perfect solution to avoid comment or contact form spam. As soon as you offer any kind of contact via form, you're going to get spam, period. I have found that a hidden captcha/honey pot can work pretty well and avoid a lot of spam. That basically means a hidden text input field which is not supposed to be filled out and is hidden via CSS from visual browsers and screen readers. Spam bots tend to fill out said field anyway, which means the PHP logic of the form will not send it. Of course, at some point, spam bot will adapt to that as well …

YL

[MatthewSchenker]

Greetings,

As always, seems like those of us here in ProcessWire world have similar views on things.

if one needs to do such extra checks, I'm in favor of making it easy but clearly a test of being a human.  What we do depends on the site, of course.  But I think we can be creative with this and make it work.

I agree with yellowled that there is no foolproof system anyway.

Thanks,

Matthew

[Joss]

I like the challenge/answer one a friend of mine had for the sign up for his quite personal forum.

"What is the name of my dog."

[teppo]

I have found that a hidden captcha/honey pot can work pretty well and avoid a lot of spam. That basically means a hidden text input field which is not supposed to be filled out and is hidden via CSS from visual browsers and screen readers. Spam bots tend to fill out said field anyway, which means the PHP logic of the form will not send it. Of course, at some point, spam bot will adapt to that as well …

Honeypot as described by @yellowled, sometimes (depending on what you're building and for whom) accompanied with some JavaScript magic to make it sligthtly more efficient, still seems to work surprisingly well. I haven't felt any real need to apply CAPTCHA's in years. Just saying

Anyway, this 2011 smashing mag article illustrates in great detail most common spam prevention solutions. It also points out their strong and weak points and even mentions some methods I hadn't even heard of before, like the slider -- that's actually damn elegant, but of course limits your audience, as they mention in the text.

[apeisa]

I agree with Teppo. Also just realized: we haven't got yet a single spam on our form builder forms - even without using any spam filtering. Not sure if there is some build in method always on or is the iFrame keeping bots away...

[Wanze]

I also think that recaptcha is too difficult to read. But not only the text - also the audio is not understandable.

So my solution which works perfect so far is the same as yellowled said:

//HTML
<input type="text" name="email2" id="email2">

//CSS
#email2 { display: none; }

//PW / PHP
if (trim($input->post->email2) != '') echo 'hi spam';

For larger sites with lot of traffic, a combination of mulitiple approches is better

[ryan]

I agree with Teppo. Also just realized: we haven't got yet a single spam on our form builder forms - even without using any spam filtering. Not sure if there is some build in method always on or is the iFrame keeping bots away...

Hopefully you are getting at least some form entries though?  

There are a couple things in FormBuilder that will likely keep out most spam even if you don't enable any spam prevention measures. You are right that the iframe makes it invisible to most spiders, so that's one of them. The other is that it requires a unique submit "key" for each form submission, and it must match up with the key in the form that was presented, as well as the one saved in the user's session. Most automated spam isn't sophisticated enough to maintain sessions and retain values in hidden fields. They usually just populate every field available with their spam. So it's unusual for spam to get through a FormBuilder form, even if you aren't using any spam prevention measures. 

[apeisa]

Haha, oh yes. We get submissions through

[DaveP]

This is interesting - http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs

[MatthewSchenker]

This is interesting - http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs

Thanks Dave for sharing this.  It's definitely along the lines of what I would like to see with spam protection.  It seems like an elegant solution (until spammers find a way around it).

The only issue I see with this: what happens if the user has cookies turned off on their browser?

Thanks,

Matthew

[Joss]

The only issue I see with this: what happens if the user has cookies turned off on their browser?

I would think that the majority of sites where they have some sort of sign up that needs spam protection, are probably also going to rely on cookies for other things.

So, one way or another, the user is going to have trouble.

[yellowled]

Honeypot as described by @yellowled, sometimes (depending on what you're building and for whom) accompanied with some JavaScript magic to make it sligthtly more efficient, still seems to work surprisingly well.

It's funny how rather simple means often seem to work pretty well in terms of avoiding spam.

I don't know if the comment form in Textpattern still works the way it used to by default. It simply did not emit a submit button at first, but a preview button. Once you hit preview, the preview button turns into a submit button, enabling you to submit your comment. And since spam bots can't click …

[raydale]

I have found honeypot a good and low tech solution often too. The great thing is that it's unobtrusive and doesn't hamper the user experience like the dreaded Captcha fields etc.

Great to hear that Form Builder has some pretty solid built in protections.