
Using captcha without displaying it
Tuesday, 22 April 2008 04:37

How I use captcha without making my users complete the barely readable word

Captcha sucks. For more information on how much captcha can suck, see John Willis' post Top 10 Worst Captchas.
But at the same time it can be really annoying for webmasters to have their forms unprotected with all the spam bots running free out there.


What I wanted was to have the commenting feature protected against spam bots without innocent human users ruining their eyes on captcha-like images, solving a mathematical equation or filling in any other extra question field.

One very important difference between a spam bot and a human using a web browser is that the first can't run JavaScript code. However, this isn't a perfect selection criterion, because there are humans browsing the web with browsers that have no JavaScript support (Opera Mini for mobile devices, for example).

My idea (and, as I did some Google searches, I found out other people had similar ideas) was the following algorithm:

Does the user have JavaScript enabled?
If yes, he's ok. Let him comment.
No? He's a suspect. Read him his rights and give him the ultimate "are you human?" test.

To do this I left the captcha system enabled and in place and wrote 2 extra lines of JavaScript that:
  1. complete the text field with the correct word from the image: $('secretword').value='nospam';
  2. hide the div containing the captcha image and the text field: $('captcha').style.display='none';

That's mootools JavaScript, the $ sign stands for document.getElementById(), 'secretword' is the id of the text field where the secret word from the image should be completed and 'captcha' is the id of the div containing the captcha image and text field.

So... if the user doesn't have JavaScript, he gets the normal captcha; if he does, the captcha is solved by the first line of JavaScript and its existence is hidden by the second. To see how this works in Firefox, go to View -> Page Style -> No page style to turn the CSS off, scroll down to the comment form and see the captcha image and (completed) text field. Go to View -> Page Style again and select Basic page style to turn the CSS back on.

To make my life a lot easier I made my captcha output only one word, nospam, so I didn't have to get the secret word from the server each time.
I was able to get away with this because I doubt anyone is going to make a special spam bot for VileWorks.com so their stupid spam bot brain will never know that the "secret word" is nospam. The same word, over and over again.
If anyone would go through the trouble of adapting their spam bot to my script, I would simply change the word. Or I would go myself through the trouble of setting the captcha back to outputting random letters and get the secret word back from the server each time.

Is this a good solution for future protection against spam for large web sites?

Certainly not. Especially not for larger sites. Even if the words were random letters and the JavaScript was written server-side to complete the form with the correct word each time (think $('secretword').value='<?php echo $secretword; ?>'; ), as long as the secret word is in the source code of the page, it can be reached by spam bots.

Is it a good solution for me and a whole lot of other website owners?

Yes. As long as nobody can make a lot of income by any form of spam on your specific website and as long as there aren't thousands of websites that use this same specific system, nobody's going to bother to adapt a spam bot to your website.

Spam is only profitable when done massively. It might take a spammer only 20 minutes to program his spam bot to beat the system I'm talking about, but it would take me even less time to delete his comments, ban his IP and slightly change something in my code so he would have to reprogram his spam bot.

Unless he was some sociopath trying to annoy me, he would never go through all the trouble.


Bottom line is: the best solutions are specific solutions.

Ever seen those forms asking you to prove that you are human by entering "the result of 8 + 5"? Do you think it's hard to make an automated solution that reads two numbers and outputs their sum? Of course not. Nobody bothered because they aren't popular enough to be of any interest.


EDIT: Myeah, looks like I messed something up while working with the commenting script. The comment authors' names stopped appearing for all the comments from before the incident. Looks like the new comments work fine. Strange... will have to look into it.

Comments (13)
1 Stefan
Thursday, 24 April 2008 05:24
Testing comments.
2 Martin Sarsini
Thursday, 24 April 2008 12:12
It actually is a good solution. But not THE solution.
It can be fine for small websites.
But if you integrate this system in a very interesting website for somebody out there, they can always create a bot that can intercept exactly what you are doing on that webpage and autofill what Javascript is doing for your human users who have Javascript enabled. Everything is there, in the light of the day (in the code of page).

Server side solutions now are the only way to be nearly 100% protected
3 Dean
Thursday, 24 April 2008 23:46
I agree with Martin here, good solution but not for all cases.
4 komik
Friday, 25 April 2008 17:10
thank you
5 Frederic Klee
Saturday, 26 April 2008 00:52
Hello,

I have another really simple captcha. Just ask "How much is 2 + 2"! Only humans can reply to this!
- JavaScript can test it (or the server if no JS support)
- no image to create
- the answer can be a "hidden field"

Funny that I didn't see it anywhere!
6 Stefan
Saturday, 26 April 2008 09:13
Yes, Frederic, that works for you because it's specific to your site. Like my captcha which only says "nospam" works for me.
7 Netklon
Thursday, 01 May 2008 10:53
Testing comments
8 ahasver
Thursday, 01 May 2008 11:07
test
9 Justin
Thursday, 01 May 2008 19:37
I have stopped automated comment spam on my site 100% so far by implementing honeypot fields. The way I implemented it was by creating two fields for every form input. For example, for an email input field I first create which is then hidden using the CSS class 'hp-field'. I then create which is the actual email input field the user will see. I will know if someone is a bot if they fill out and submit the hidden field(s). It has worked wonders for me.
10 Stefan
Friday, 02 May 2008 01:15
Netklon and ahasver: thanks for testing the comments. They work fine, trust me :)
Justin: the honeypot is a good method too. I've read about it, but I wanted to go with the fastest thing to implement I could imagine.
11 Ionut
Thursday, 08 May 2008 20:25
nice stuff!!! very good job; I think I'm going to try it too
12 Devin Ross
Wednesday, 14 May 2008 01:56
Hey Stefan,
Your solution is definitely good. I heard another similar solution where you hide an input field using CSS. That way, only a spam bot would fill it out, because a real viewer in a browser wouldn't see it. I haven't tried it myself though.
13 Stefan
Wednesday, 14 May 2008 22:13
Yes Devin, I believe that's the honeypot Justin was talking about a few comments earlier.
