The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Other Captcha and Spam blocking

  • This topic is empty.
Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
  • #22513

    What is your experience with captcha? Did you write your own? Find a nice library for it?

    I made a little website for my wedding coming up, and I put a little online guestbook up there. About a week or two later I got nailed by spammers… like 200 some odd messages in a few hours. So I made my own little "captcha" but it is terrible. I literally have 3 images that it randomly selects from, and the php behind it is pretty hard coded, one id field passed in indicates which image was being used… so with 5 minutes anyone could break it, but I haven’t had a spam message since I put that up there. Does this ring true with other people’s experiences?

    I don’t suggest this sort of approach for a website that may get some actual traffic… but it worked for me. How have all of you handled this situation in the past?


    i’d prefer to ask aritmetichal operations. Like 4 + 3 = ? but i make question tag loaded with ajax. this makes hard for spammer to get the question. indeed one or another way, there are bunch of sites use no-spam-protextion. so spammers wont be much interested on protected sites even its very simple.


    Ultimately what ever you do is an up hill struggle, using CSS to stop Spam bots is not a bright move, and of course would be an accessibility nightmare (as are visual only Captchas) and potentially if your in the EU and a commercial outfit might find a kind lawyer chasing you for money.

    The second issue is known captchas can be broken, for example the CAPTCHA being used on this forum has already been broken and therefore is really useless. Also the lack of audio version would again raise the accessibility issue again, when designing and thinking about CAPTCHA you might be interested in the 10 steps to solve a CAPTCHA by Dark SEO (he also has a post on PHPBB3 captcha by the way).

    I prefer logic puzzles, for example a simple version is to present a maths puzzle, one + 3 equals or 4 plus 1 = notice the changing from words to symbols, throw in some French or odd variances. A good example I saw was the human only maths by using human derived groups to do the maths so:
    There are 5 tigers and three lions and two wolves how many animals are in the cat family?

    Because the question is done server side it will be rendered in any browser without accessibility issues. These can of course be broken but by personalising the questions and groups a spammer will have to write a program specific fo your site.

    One other alternative used by companies like StumbleUpon and FaceBook is recaptch which is an attempt to digitalise old books, this is also much harder for computers to break as at least one part is unsolvable (or rather it has no answer) for more information check out

    "box" wrote:
    but I do use Google Apps to process my form-mail addresses – and Google’s spam filter is one of the best I’ve come across and has proven to be intelligent enough to filter the spam and allow genuine messages to get through. The result of this method is that I don’t have a spam problem with my forms (unless I happen to look in my spam bin!!).

    The downside to this method is you are effectively allowing Google to blacklist your server, given that the originator is one of the factors used when determining if the content is spam, and unless you are doing some funky trick you are effectively spamming yourself by forwarding the mails to your Google account. This might not be a problem but it may become one if you then set up something like PHPList or other bulk mailer software as you may well find your legitimate mails from your domain blocked by major email providers because of all the previous spam from that server!


    I perhaps should have explained better what I meant.

    You have a form, joe spammer fills it in and hits send.
    The form is sent from your server either using sendmail or some other command to address [email protected]

    In reality your server is sending a mail not to itself but to google hosted apps.

    Google receives the email it looks at who sent it, what it doesn’t see is joe spammer server but yours, so while you may be claiming it was sent via joe the spammer the headers say the originator was your IP.

    Next time you send a mail Google goes oh look I seen that IP on spam before and marks it with a penalty the IP address alone is not enough to mark it fully as spam but is one of the negative points.

    Not a problem at the moment, but say you run a forum on your site and you send a message to the 1000 members. Google now gets 350 emails within a couple of seconds from your server which it already associates with spam. Now you have a problem


    it depends on your site, if your site has a low traffic, i do not think you need any captcha, people will not interested to spam your site…



    Ain’t that a necro. You may forget it’s usually bots doing that, not people. No site will ever be ignored, all are continuously tested and under “attack”. No need for unrelated link dropping though.


    Something I noticed on a site I managed a few years ago, that had a few forms on one page – only the first form ever got spammed. I tested on a few other sites at the time, and same pattern; The spam bots hit the form highest in the HTML and never continued to the ones lower down, so I sometimes use this observation as an extra deterrent (even now), and put a fake form higher up the page and hide it with CSS.


    A php honeypot could be a good approach as well – reject it if’s posted within for example seven seconds and require a page refresh to submit again. Won’t bother a true visitor as much as a captcha does but will filter out the bots.

Viewing 9 posts - 1 through 9 (of 9 total)
  • The forum ‘Other’ is closed to new topics and replies.