Using captcha without displaying it

How I use captcha without making my users complete the barely readable word

Captcha sucks. For more information on how much captcha can suck, see John Willis’ post Top 10 Worst Captchas.
But at the same time, leaving forms unprotected with all the spam bots running free out there is a real nuisance for webmasters.

What I wanted was to have the commenting feature protected against spam bots without innocent human users ruining their eyes on captcha-like images, solving arithmetic problems, or filling in any other additional question fields.

One very important difference between a spam bot and a human using a web browser is that the former usually doesn’t run JavaScript code. This isn’t a perfect selection criterion, though: there are humans browsing the web with browsers that have no JavaScript support (Opera Mini for mobile devices, for example), and a bot author who cares enough about a particular target can always add JavaScript execution to the bot.

My idea (and, after some Google searches, I found that other people had had similar ideas) was the following algorithm:

Does the user have JavaScript enabled?
If yes, he’s ok. Let him comment.
No? He’s a suspect. Read him his rights and give him the ultimate “are you human?” test.

To do this I left the captcha system enabled and in place and wrote two extra lines of JavaScript that:

//fill the text field with the word shown in the captcha image:
$('secretword').value='nospam';
//hide the div containing the captcha image and the text field, so the user never sees it:
$('captcha').style.display='none';

That’s MooTools JavaScript: the $ sign stands for document.getElementById(), ‘secretword’ is the id of the text field where the word from the image should be typed, and ‘captcha’ is the id of the div containing the captcha image and the text field.

So… if the user doesn’t have JavaScript, he gets the normal captcha; if he does, the captcha is solved by the first line of JavaScript and hidden by the second, so he never even knows it was there.

To make my life a lot easier I made my captcha output only one word, nospam, so I didn’t have to fetch the secret word from the server each time.
I can get away with this because I doubt anyone is going to write a special spam bot for VileWorks.com, so a generic spam bot will never know that the “secret word” is nospam, the same word, over and over again.
If anyone went through the trouble of adapting their spam bot to my script, I would simply change the word. Or I would go through the trouble of setting the captcha back to outputting random letters and fetching the secret word from the server each time.

Is this a good solution for future protection against spam for large web sites?

Certainly not, and especially not for larger sites. Even if the words were random letters and the JavaScript were generated server-side to complete the form with the correct word each time (think $('secretword').value='<?php echo $secretword; ?>';), as long as the secret word is in the source code of the page, a spam bot can read it straight out of the HTML without ever running the JavaScript.

Is it a good solution for me and a whole lot of other website owners?

Yes. As long as nobody can make much money from any form of spam on your specific website, and as long as there aren’t thousands of websites using this exact same system, nobody’s going to bother adapting a spam bot to your website.

Spam is only profitable when done massively. It might take a spammer only 20 minutes to program his spam bot to beat the system I’m talking about, but it would take me even less time to delete his comments, ban his IP and slightly change something in my code so he would have to reprogram his spam bot.

Unless he were some sociopath trying to annoy me, he would never go through all the trouble.
Bottom line: the best solutions are specific solutions.

Ever seen those forms asking you to prove that you are human by entering “the result of 8 + 5”? Do you think it’s hard to make an automated solution that reads two numbers and outputs their sum? Of course not. Nobody has bothered, because those forms aren’t popular enough to be of any interest.