Securing forms without CAPTCHA

Not sure if someone has already mentioned it but,
could some sort of “Honeypot” be a solution for you?

Regards,
Márcio

update: I see that others have offered this solution, but not used this buzz word, so I keep it. :slight_smile:

A good trick I found is to code in a simple question/answer Turing test using PHP.

For a science fiction site I help run, the questions for the forums were things like, what was the name of C3PO’s droid friend (R2D2).

Any real fan will know this. Many spammers - even the human ones - won’t!

Charles

:eye:

Interesting topic. I hate filling out captchas and would hate to force my visitors to do so. It would be great if there was a way to protect forms without forcing our users to suffer.

Akismet works great for comments in WP.

If you have a hard time coming up with the questions to ask, try http://textcaptcha.com/ .

Busch, thanks for that link!

I would have trouble with this one:

What is ninety thousand nine hundred and fourteen as a number?

I have to slowly say it out loud, because when I read, letters have colours that help me know what the word means… and numbers are completely different. I can solve it though, just not as quickly as the other ones.

Mike Cherim has been using “is fire hot or cold” for years now on his blog… but he also uses Akismet (which occasionally eats valid comments).

I add an extra field to the form called “surname” and hide it using css.

I find that a bot will complete all the fields (including the hidden one). If my form processing script detects the surname field has been completed then the email is redirected to my spam mailbox which I only check a couple of times a month.

In the 6 months I’ve been using this method I haven’t had any false positives so I’m actually thinking of just deleting the message rather than spamming it.


The blind using a screen reader and those using text browsers will likely fill in your bogus question. You’ve just been lucky so far.

Instead, make it obvious that it’s a spam question, and tell blind users not to fill it in.

<label for="noanswer"> Do not fill this in: </label><input type="text" id="noanswer" name="skip">

Then hide it.

While display:none is known to hide text from screen readers, in forms it’s a different set of rules. The Big Two readers for Windows will read out display: none labels.

From your logic, there’s an easy way to spam. I would use the Selenium tool (http://seleniumhq.org/), make a script to create fake accounts, etc… This tool is meant to be used as an automated testing tool for the browser. It will actually use a real browser like Firefox and not simply scrape or crawl HTML. Because of these tools, you really have to put “inconvenient” human questions there. Possibly, another solution is to detect “spam” using various logics then banning the IP!

I’m one of those who use the hidden textbox method
I place a label or a value to ensure those whose CSS is disabled or using screen readers know to leave it
I’ve used this method since the concept first started floating around, many many many many years ago and not had one bot bypass it

Of course, my sites are quite obscure, and I do keep up to date with talks about other methods
But every method I’ve seen could easily be bypassed in a defeated, and quite frankly, I’m surprised they aren’t already

IMO, the ask a question method would probably be the most time consuming one since the different numbers of questions can run into the millions

I had once developed a “click captcha”, an image submit button with e.g. a filled circle or a rectangle that the user had to click.
As most (all?) modern browsers send X and Y coordinates when an image button is clicked I was able to check if the clicked point was inside the given form.
Worked well, only problem was you could try and send fake values for X/Y and have a good chance to have the right ones.

In a world where computers have become as able to understand content as humans (in the sense of reading it), it’s impossible to be able to simply ask someone to identify what is provided on the screen. Unfortunately the only logical step is to ask something that requires genuine human intelligence (as machines cannot yet understand context) and hope that the end-user will also be able to make such a distinction and pass the test (though with increased difficulty comes more failure). What is unfortunate is that to get around this most spammers pay real people to fill in CAPTCHA challenges which eliminates the barrier to a large extent. As such I always recommend people never touch CAPTCHA as the only person it hurts is the legitimate user, the bad people always find a way around it - and do so because they have millions of dollars at their disposal from all the scams, illegal activities and paid-for spamming they are paid to undertake. :frowning:

CAPTCHA = Ineffective and bad accessibility, it’s not worth the hassle.

+1 to the “empty field” tip with explanation which works great (but not perfect).

I also got a tip that you could check the comment itself for urls (http, www) and stop it if contains any urls (unless you NEED an url in your form).

This should stop both machine and human spammers as much of the point of the spam is gone if they can’t post an url ?

Sure but for example our forms do need urls.

I agree. I have left many sites, and never been back, because their “captcha” was so distorted I couldn’t even read it. Not to mention, some colour blind people will never figure some of them out, so you end up alienating users…

Hi, use this link… regarding securing without captcha…
http://garyhepting.com/2010/01/securing-website-forms-with-and-without-captcha/

The problem with captchas, as I’m sure most of us are aware, is that most “legitimate” people find them annoying. They tend to work for automated crapbots but here’s some strong evidence which shows why they’re becoming increasingly futile:

As you can see, there’s no shortage of people willing to work for $5/week to fill in contact forms all day long.

I use a combination of a form “token”, and a projecthoneypot.org blacklist to prevent automated “post” requests. Of course, this can’t protect against the cheap slave labour approach mentioned above, but at least “legitimate” people don’t have to put up with captchas.

I’m not sure what you mean by “they can send hundreds of emails within my networks”. Are you talking about using your online contact form to send messages to third parties? If so, that can easily be fixed with some server-side checking.

As you can see, there’s no shortage of people willing to work for $5/week to fill in contact forms all day long.

As mentioned earlier, they’ll do it for free if they’re looking for pr0n. Mechanical Turks… humans doing whatever work machines can’t.

What is your form “token”? I’m not sure what that is.

An automatically generated randomised string which is included when the form is first requested, and then compared to the saved copy in the server session. When a crapbot attempts to post data directly to the form, it will fail because the token will be missing.

Likely my lack of knowledge of servers, sessions and cookies… but is the client storing this token? Does the client need client-side scripting?

I mean, a bot’s a user agent like a browser is. Why wouldn’t the bot also have a session and a generated token?

It could, if it had a “GET” request, followed by a “POST” request, like a normal “human” browser would. But some bots only do a “POST”, and that’s where the token protects the site.
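As an added illustration that is not code from any poster in this thread, here is a Python sketch of the server side of the two techniques discussed above: the labelled “Do not fill this in” honeypot field and the per-session form token that a POST-only bot cannot supply. The hidden field name `form_token`, the `/contact` action and the dict-based session are assumptions.

```python
import hmac
import secrets
from html import escape

HONEYPOT_FIELD = "skip"       # field name from the thread's example markup
TOKEN_FIELD = "form_token"    # assumed name for the hidden token input
SESSION_KEY = "form_token"    # assumed key in the server-side session store


def issue_form(session):
    """Handle the GET: mint a per-session token and render the form.

    The token lives server-side in the session; the client only echoes it
    back in a hidden input, so no client-side scripting is required.
    """
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return (
        '<form method="post" action="/contact">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">'
        # Visible label tells screen-reader and text-browser users to skip it;
        # CSS (not shown) hides the field from sighted users.
        '<label for="noanswer">Do not fill this in:</label>'
        f'<input type="text" id="noanswer" name="{HONEYPOT_FIELD}">'
        '<textarea name="message"></textarea>'
        '<input type="submit" value="Send">'
        '</form>'
    )


def classify_post(session, form):
    """Handle the POST: return (verdict, reason) for the submitted form dict."""
    expected = session.get(SESSION_KEY)
    supplied = form.get(TOKEN_FIELD, "")
    # A bot that POSTs without first GETting the form has no token; compare in
    # constant time on bytes so odd encodings cannot raise or leak timing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "no-token", "missing or mismatched form token"
    # Single use: a captured token cannot be replayed for a second post.
    session.pop(SESSION_KEY, None)
    # A form filler that completes every field trips the labelled honeypot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "spam", "honeypot field was filled in"
    return "accept", "passed token and honeypot checks"


if __name__ == "__main__":
    sess = {}
    issue_form(sess)  # constructed sample flow: GET, then a POST that filled every field
    print(classify_post(sess, {TOKEN_FIELD: sess[SESSION_KEY], HONEYPOT_FIELD: "Smith"}))
```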