Ask HN: Is CAPTCHA even needed anymore?

23 points by dusted 7 months ago

I'm running a few small sites with various forms for submitting information for my perusal. They are used by visitors to my sites, and I've done a bit behind the scenes to guard against various types of attacks, such as length limits, rate limits and a bit of other stuff. But one thing I've not put there is CAPTCHA..

On one of the forms, I politely ask that the sender include today's date somewhere in the text, which I then validate to be within +/- 25 hours of the server time.. In other places, I've not even done that and..

I'm not getting spams, I'm not getting robot messages or massive abuse..

Did the scammers and spammers realize that stuffing every input field on the web with commercial links and javascript exploits doesn't actually work?

Back in the day, I remember having to jump through several hoops to avoid automated spams and angry teenagers trying to flood my inboxes..

How's your experience today versus the past?

14 comments

solardev 7 months ago

> On one of the forms, I politely ask that the sender include today's date somewhere in the text, which I then validate to be within +/- 25 hours of the server time

It sounds like you made your own CAPTCHA-lite. If it's not a very attractive form to spammers, sounds like that's fine, but for bigger sites it may not be enough. CAPTCHAs don't have to always be squiggly letters... there are many picture-based puzzles these days, along with human-like interaction checks, audio puzzles, logic puzzles, video advertisement puzzles, etc.

I manage a forum at work and after a few years of no spam, suddenly someone found us and made hundreds of spam accounts and posts over one weekend. And Discourse doesn't have good bulk spam moderation in the UI, so it was a pain going through them afterward =/ I really wish we had a CAPTCHA!
admissionsguy 7 months ago

On my 50k monthly UU side-project, I used this to eliminate a vast majority of spam submissions:

> $.post($(this).attr('action') + '?nospam=1'

(skipping processing but returning a success response when nospam is absent, so I guess it counts as a honeypot)

I also blacklisted the words cialis and viagra.

What remained were serial submissions from pen-testers who then sent emails begging for money, so I implemented a one-click removal of all submissions from an IP range.

That's after Cloudflare's regular WAF.

Not much effort, so I guess it's only an issue if it gets exponentially worse with increased traffic (which it probably does).

I would never use a CAPTCHA though, not my philosophy to outsource effort to the user.
borplk 7 months ago

I think it depends on how motivated the attackers are.

If we are talking about the account creation form of Facebook, you bet you will need some CAPTCHA. If it's a random form with no obvious benefit of spamming then I'm not sure how many "attempts" will be done to begin with regardless of the protection mechanisms.

In those cases you may be encountering bots that "blast spam" and usually the slightest form of barrier stops them because they tend to be made for the common denominator, for example by targeting popular blog/forum software that have a predictable form structure that the bot can be programmed for.

I have seen some basic anti-spam features that are "home-made captcha".

For example it says something like "Pandas are black and:" and you have to enter "white".

Those can sometimes be made in a way that is more user-friendly compared to a "real captcha".

However it takes some careful consideration and knowing your audience to make sure that they understand what to do. Some users may not understand it due to language or cultural differences or due to people being used to the traditional captcha.

You may want to remove the protection mechanism to see if you get any spam at all or not (or at least log and measure success vs failure cases).

Without knowing anything about your use case, personally I'd remove the CAPTCHA and see how many spams come through. Then I'd put a very basic and gentle barrier just enough to remove those spams and gradually increase the barrier if required.

Another thing to consider is that if your users have to login you can have some kind of basic reputation metric so that "known good" users are not subject to the same restrictions.
Jnr 7 months ago

Here is a fun story: years ago I avoided using CAPTCHAs on my sites by simply adding a hidden file upload field (hidden by js) and a hidden field that was expected to be empty.

Lots of spam bots did not run JS back then and tried posting values in fields that were supposed to be empty.

And then there were many many bots that could not properly form an empty multi part upload request, because that was not implemented in the most popular web request libraries (like curl). It is probably not as effective anymore since it's way easier to run the headless browser these days, but I used that approach for many years. :)

My log files were full of spam that was caught this way.
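
The home-made barriers described in the original post and in the comments by admissionsguy and Jnr (a `?nospam=1` marker appended by the JavaScript submit handler, a hidden field that must stay empty, and a date within +/- 25 hours of server time), combined into one server-side check. This is an added example, not code from any commenter; the field names `website` and `message`, the ISO `YYYY-MM-DD` date format and the reason strings are assumptions.

```javascript
// Added example: server-side checks for the home-made barriers in this thread.
// Assumptions: field names (website, message), ISO dates, reason strings.
const WINDOW_MS = 25 * 60 * 60 * 1000; // +/- 25 hours, as in the original post

// True if the text contains a YYYY-MM-DD date within +/- 25 h of server time.
function hasRecentDate(text, now) {
  const matches = String(text).match(/\b\d{4}-\d{2}-\d{2}\b/g) || [];
  return matches.some((d) => {
    const t = Date.parse(d + "T00:00:00Z"); // NaN for e.g. 2025-13-40
    return !Number.isNaN(t) && Math.abs(t - now.getTime()) <= WINDOW_MS;
  });
}

// query: parsed query string; fields: parsed form body; now: server time.
// A rejected request should still receive a success response so the bot gets
// no signal; log the reason to measure how much each barrier catches.
function checkSubmission(query, fields, now, requireDate = false) {
  // 1. Marker that only the JavaScript submit handler appends (?nospam=1).
  if (query.nospam !== "1") {
    return { accept: false, reason: "missing-js-marker" };
  }
  // 2. Honeypot: a field hidden from people that must stay empty.
  if ((fields.website || "").trim() !== "") {
    return { accept: false, reason: "honeypot-filled" };
  }
  // 3. Optional: the sender was asked to include today's date in the text.
  if (requireDate && !hasRecentDate(fields.message || "", now)) {
    return { accept: false, reason: "no-recent-date" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample submissions (not real traffic).
const sampleNow = new Date("2025-01-15T12:00:00Z");
const samples = [
  [{}, { website: "", message: "Hello" }],
  [{ nospam: "1" }, { website: "http://example.invalid", message: "Hello" }],
  [{ nospam: "1" }, { website: "", message: "Sent on 2025-01-15, thanks" }],
  [{ nospam: "1" }, { website: "", message: "Sent on 2025-01-10" }],
];
for (const [query, fields] of samples) {
  console.log(checkSubmission(query, fields, sampleNow, true).reason);
}
```
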
rozenmd 7 months ago

Chuck up an unprotected form on the Internet and see the crap that gets submitted, it's the worst.

I use a mix of honeypots and Cloudflare Turnstile to avoid the spam.
CM30 7 months ago

The thing with captchas is that they're basically security by obscurity; the less sites/services use one, the less spam will get through. That's because if you're someone like Google or Facebook, the payoff for writing bots specifically to crack their anti spam measures is huge, while the same isn't true of the average blog/forum/wiki.

So a homemade solution like the one in your post works fine for many sites. The bots written for forms without captchas can't solve it, and their developers won't waste the time changing the script to fix that, because it's not worth the effort.

If your site/service becomes extremely popular on the other hand... you'll need a more robust anti spam solution. And given how thoroughly things like Recaptcha have been cracked, those won't cut it there either.
muzani 7 months ago

Crazy theory: The spammers have moved on to prompt hacking AI or experimenting with AI based spam. Some have even raised venture capital.
emchammer 7 months ago

I was asked to solve a CAPTCHA on a hospital registration kiosk to visit a friend.
taosx 7 months ago

The amount of bots scanning for vulnerabilities or spam for a hidden, no seo, no important website approaches 700 visits a day. In the past it was a bit more personal as someone had to target you directly, now it's just crawlers and bots everywhere. I know not anyone is able to do the same but I basically block ASN for all clouds and cheap vps hosters + few countries.
dividedcomet 7 months ago

I set up a form to send basic email info for wedding RSVPs for my wedding, no validation, and never got a single piece of spam. Granted it’s hosted in Cloudflare so don’t know if they blocked out all the hard work for me.
rishikeshs 7 months ago

How did you manage to spot the spam? I host static comments on my site[1] with a comment form. I get a lot of spam that looks like Russian!

[1] https://rishikeshs.com
bitbasher 7 months ago

I run three businesses. One has a captcha and two don't (contact us forms and sign up forms). I get around 1-3 spam submissions per-day for forms that don't contain a captcha.
paulcole 7 months ago

> Did the scammers and spammers realize that stuffing every input field on the web with commercial links and javascript exploits doesn't actually work?

How sure are you about this?
metalman 7 months ago

captcha will be hard to replace or improve on as the most pointless and aggravating thing ever invented. the only way I ever go through with it is if I am getting something material, money say, that is locked behind a craptcha event