I'm working on a signup script that doesn't use captcha as a security measure. I've added off-screen honey pots and have used md5 with salt to obscure the id and names of the required fields and am making assumptions based on the time it takes to complete the form. You know the kind of thing.
I was looking for opinions on the best approach for what to do with submissions that look like they've come from spammers. Just a simple "Your registration could not be completed" or should I also be recording IPs and user-agent and building a blacklist? Also, I'm aware that Google Chrome does autofill. If I give some leeway to Chrome users for filling in some of the honeypots, would I be leaving the door open to spammers?
Many thanks in advance for any advice or opinions.
This is what is known as an unobtrusive CAPTCHA.
Anything that attempts to distinguish between people and bots is a CAPTCHA.
As for what to do with registrations that look like bots but which might be real people - just ask them to confirm what they input and present them with a slightly more obtrusive CAPTCHA.
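The checks described in the question, combined with the step-up response suggested above, as an added example that is not code from this thread. It swaps the md5-with-salt field names for HMAC-SHA256 over a signed timestamp; the secret, field labels, thresholds and scoring are assumptions chosen for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"    # assumption: per-site secret kept server-side
REAL_FIELDS = ("email", "password")
HONEYPOTS = ("website", "phone2")      # hypothetical off-screen decoy fields
MIN_SECONDS = 3                        # assumed: faster than this looks scripted
MAX_SECONDS = 3600                     # assumed lifetime of a rendered form


def _mac(ts: int, label: str) -> str:
    return hmac.new(SECRET, f"{ts}:{label}".encode(), hashlib.sha256).hexdigest()[:16]


def _names(ts: int) -> dict:
    return {label: "f" + _mac(ts, label) for label in REAL_FIELDS + HONEYPOTS}


def issue_form(now: int) -> dict:
    """Hidden timestamp, its signature, and field names that change per render."""
    return {"ts": str(now), "sig": _mac(now, "ts"), "names": _names(now)}


def classify(post: dict, now: int) -> str:
    """Return 'accept', 'challenge' (show a visible CAPTCHA) or 'reject'."""
    try:
        ts = int(post.get("ts", ""))
    except ValueError:
        return "reject"
    sig = str(post.get("sig", "")).encode()
    if not hmac.compare_digest(sig, _mac(ts, "ts").encode()):
        return "reject"                # timestamp missing, forged or altered
    elapsed = now - ts
    if elapsed > MAX_SECONDS:
        return "challenge"             # stale form: may just be a slow human
    names = _names(ts)
    if any(not post.get(names[f]) for f in REAL_FIELDS):
        return "reject"                # required fields absent under per-form names
    score = 2 if elapsed < MIN_SECONDS else 0
    score += sum(1 for h in HONEYPOTS if post.get(names[h]))
    if score == 0:
        return "accept"
    # A single filled decoy may be browser autofill, so ask rather than block.
    return "challenge" if score == 1 else "reject"
```

Only the second decoy or a too-fast submit pushes a request to a hard reject, so autofill leeway costs one extra challenge rather than an open door.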
Never use any blog or sign-up without a captcha. It might affect your blog so much. If you are using a captcha, then bots will not enter your blog. It works as a spam controller.
Anything you use to differentiate between human and robot is a CAPTCHA. Never allow anyone to register on your site without solving a captcha. Without using a captcha there are too many chances for spamming.