Captcha - To Use Or Not To Use

Off Topic:

Don’t ask meow you’re supposed to answer that. :shifty:

It would be funny to see that question on a business site. :lol:

But that could cause difficulties for non-native English speakers.

Actually, I’m a native English speaker, but I’d have to think hard about “gobble gobble”.

Mike

Likewise. Nothing is ever straightforward. :slight_smile:

“gobble gobble” is a common animal sound in North America. I didn’t consider that it might not be in other English-speaking areas of the world.

But then also consider this: are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?

What animal makes the ‘gobble gobble’ sound…

A turkey - before it’s gobbled by humans, of course. ;)

The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.

Wow, neat idea!!

But that could cause difficulties for non-native English speakers.

Good point, but I have also already seen non-English captchas… oddly enough an accessibility issue in reverse… what if I don’t have a Cyrillic keyboard!!

I must confess I don’t have much experience with c myself, but one method I would consider would be generating an equation:
“3 + 7 = ?” is an easy line of text to generate in PHP, but the answer you are looking for would be “10”. This of course throws the bots off, with minimal fuss.

If you get that as part of a reCaptcha then there’s no problem. Because with reCaptcha the main thing it is testing you on is whether you can decode the known and deliberately scrambled word, if you don’t give the “right” answer for the scanned text (I’ve had mathematical formulae, upside-down text, all sorts) then all it has to compare your answer with are the answers that other people have given. And the chances are that few of them will have gone to the effort of looking up the Unicode for Cyrillic characters, so it has no way of knowing you’re wrong if you give the closest approximation you can using the Latin alphabet.

Which was exactly my point. If you decide to use that sort of challenge-response mechanism, you’ve got to think very carefully about how the question will be perceived in various countries, cultures and languages. And it’s not limited to “English-speaking areas”. There will be people from non-English speaking parts of the world who have a legitimate reason to visit your site, and who might be baffled by what, to you and me, are perfectly reasonable questions.

Mike

I’m sure most kids are familiar with it. I know it well, but couldn’t remember which animal it applied to. (Showing my age, I guess.)

are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?

Anything is better than that. :slight_smile: (When I ask Captcha to sound out the words, they usually sound like animal noises to me anyway. :shifty: )

You also have to keep in mind what the demographics of your site(s) are and who your target audience is.

The math challenge questions were settled on as a standard because they require no language and no local knowledge. However, math problems are easily defeated by bots. So, essentially, these types of questions don’t work anymore. CAPTCHA doesn’t work well anymore either, as many bots can bypass it.

Sometimes hidden “are you a bot?” fields help, and these don’t impact visitors because they never see them anyway.

So, the only thing that seems to be left are some sort of simple reasoning questions that bots can’t answer (yet, anyway). The trick is to make them general enough for any visitors to guess, but difficult enough to stymie bots.

What other types of challenge questions might fit the bill?

I don’t know how bots work, but I wonder if you gave an instruction like “type anything here other than an email address” but in the HTML put something like type="email" or id="email", would that trip up the bots?

Wouldn’t that fail with accessibility technologies?

I’m not sure. Do they react differently to different kinds of input?

I’m surprised no-one’s mentioned the ‘Honeypot’, which uses a hidden field to tempt a bot to insert something (typically an e-mail address).

Ralph.m has mentioned something similar, but it’s not clear to me that it’s actually hidden in his version. For those not using CSS there’s an instruction not to complete the field. Optionally (as web-master) I get the spam messages diverted to me so I can monitor them from time to time. As a back-up to the Honeypot I class as spam anything where the first_name and last_name fields are the same, as in most of the spam messages that I do monitor these fields are full of identical gobbledy-gook (or even gobble-gobble) like ‘oeafijbgp’. If Humbert Humbert wants to contact me he’ll have a problem, I know.

For timing script execution, how about PHP microtime (see PHP manual).

Yes, I was referring to the honeypot method, where the field to catch bots is hidden from view. The only problem is that screen readers, or those with CSS off etc., may see the form field, so there needs to be some consideration of what to say to them so they know what to do.

Wouldn’t a combination of the honeypot and the time counter work best… so we have a hidden field and also throw an error for all forms that were completed under 5 seconds…

That’s what I suggested, back in post #8. But I didn’t know it was called Honeypot. In fact, I didn’t know that it was such a well-known technique that it had a name.

Mike

The submission time is exactly what I do on my contact forms, it appears to work.

As someone asked for code; it’s really easy, in PHP (this has no security, it’s bare-bones code):

On the PHP script that loads the form:



<!-- Embed the Unix timestamp of when the form was rendered -->
<input type="hidden" name="loadtime" value="<?php echo time(); ?>" />


So literally insert a timestamp into a hidden field. (With a JavaScript-loading form you’ll want to populate this when the user clicks your contact button.)

Then on your post php script (where you send the email):


// Read the timestamp the form page embedded; treat a missing field as 0
$loadtime = isset($_POST['loadtime']) ? (int) $_POST['loadtime'] : 0;

// Seconds that elapsed between the form loading and this submission
$totaltime = time() - $loadtime;

// A missing timestamp, or a submission under 7 seconds, is rejected
if($loadtime === 0 || $totaltime < 7)
{
   echo("You took less than 7 seconds to complete the form, blah blah blah");
   exit;
}

So grab the post time timestamp from the form, get the current time in a timestamp, get the load time as current_time - post_time, if the load time is less than 7, spring an error.

If you’re using a JavaScript form that opens in an overlay, have the JavaScript complete the timestamp; then do any time conversion if necessary.

It may not be 100% foolproof, but it definitely helps. I don’t use the honeypot exactly because of screen readers. You don’t want anything obstructing legitimate users, especially not those stuck behind accessibility software.

My timer is set to 7 seconds, which when you consider they have to enter an email address, name and a message is reasonable. The only way I can make the timer error appear on my forms is to hit the keyboard with 4 fingers on the first field, have the email ready populated via double clicking and selecting quickly and hitting the keyboard with 4 fingers again in the message and hitting submit. I have to do that like a hyperactive 3 year old to get the error, so I’m pretty confident that nobody legitimate will ever see that error unless they sit there trying to get it.

Now I have revealed it… please don’t :frowning:
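The timing check from this post (and post #8), the hidden honeypot field from the earlier replies, and the identical first_name/last_name heuristic, combined into one server-side check as an added example. This is not code from anyone in the thread, and it is Python rather than the PHP above because the logic is the point. It also goes one step further than the bare-bones PHP: the hidden timestamp is signed with an HMAC, so a bot cannot simply submit a timestamp from an hour ago to satisfy the "at least 7 seconds" rule. The secret key, the field names `loadtime`, `website`, `first_name` and `last_name`, and the 7-second minimum and 1-hour maximum are all assumptions made for the example.

```python
"""Signed form-timing token plus honeypot and name-match checks.

Added example; not code from the forum thread. Field names, limits and
the secret are assumptions for illustration.
"""
import hashlib
import hmac
import time

# Assumption: a random secret kept only on the server (never sent to the browser)
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"

# Assumption: the honeypot field is named 'website', hidden via CSS and labelled
# "leave this blank" for screen-reader and no-CSS users
HONEYPOT_FIELD = "website"


def make_form_token(now=None, secret=SECRET_KEY):
    """Value to place in the hidden 'loadtime' field: '<unix_time>.<hmac-sha256>'.

    Signing the timestamp means the server can later trust the render time
    even though the browser (or a bot) had the value in its hands.
    """
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(fields, now=None, min_seconds=7, max_seconds=3600,
                     secret=SECRET_KEY):
    """Return (accepted, reason) for a submitted form's fields (a dict).

    Order of checks: token integrity, elapsed time, honeypot, name heuristic.
    """
    now = int(time.time() if now is None else now)

    # 1. The hidden timestamp must be present, well-formed and correctly signed
    token = fields.get("loadtime", "")
    ts_str, _, mac = token.partition(".")
    if not ts_str.isdigit():
        return False, "missing or malformed loadtime token"
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "loadtime token was tampered with"

    # 2. Too-fast submissions are bots; very old tokens are replays or stale tabs
    elapsed = now - int(ts_str)
    if elapsed < min_seconds:
        return False, f"form submitted after {elapsed}s (minimum is {min_seconds}s)"
    if elapsed > max_seconds:
        return False, "loadtime token expired"

    # 3. Honeypot: humans never see the field, so any content means a bot filled it
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field was filled in"

    # 4. Heuristic from the thread: spam often repeats the same junk in both name fields
    first = fields.get("first_name", "").strip()
    last = fields.get("last_name", "").strip()
    if first and first == last:
        return False, "first_name and last_name are identical"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic
    rendered_at = 1_700_000_000
    token = make_form_token(now=rendered_at)
    human = {"loadtime": token, "first_name": "Ann", "last_name": "Lee",
             "message": "Hello, I have a question about your site."}
    bot = {"loadtime": token, "first_name": "oeafijbgp", "last_name": "oeafijbgp",
           "website": "http://example.invalid", "message": "buy now"}
    print(check_submission(human, now=rendered_at + 30))   # (True, 'ok')
    print(check_submission(human, now=rendered_at + 2))    # too fast
    print(check_submission(bot, now=rendered_at + 30))     # honeypot filled
```

Serve `make_form_token()` in the hidden field when the form is rendered and call `check_submission(request.POST)` before sending the email. Because the token carries its own signature, no server-side session state is needed, and a forged or replayed `loadtime` fails the HMAC check before the elapsed-time rule is even consulted.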

Thanks for this, FizixRichard. I look forward to giving it a try. I wasn’t sure if you could do something like

$totaltime = time() - $loadtime;

but glad to know you can. :slight_smile: