> rephrasing. honeypot field (i.e. hidden from users, needs to be empty, usually filled by bots) is the "simpler implementation".
> If users programming bots want to tackle your site, they find the
> honeypot pretty easily and then code accordingly, so back to square 1.
>

My experience is this: if the "users programming bots" attack your site then you are dealing with a human and CAPTCHAs are irrelevant. We are dealing with bots here. Honeypot empty field seemed to be OK once, but not now.

> Second one is js execution. This is effectively mitigating a lot (>90%) of
> attempts on the aforementioned site.
> I don't know why you state that js verification can be passed by bots...
> usually they don't want to waste cpu resources loading a full js
> environment (spidermonkey, phantomjs) just to crack your site (that's the
> other <10%)
>

I believe most bots initially bypass JS by ignoring it -- they detect the fields and how they are submitted and then just try to whizz off some data. The spammers are just building on to that basic approach to defeat the most obvious defences, e.g. the empty honeypot field. However, there are still very effective ways of obfuscating the form with JS.

The added JS checkbox is currently very effective. I would recommend that as a minimally obtrusive test. However, I also think the spambots will eventually start looking out for that one too.

http://uxmovement.com/forms/captchas-vs-spambots-why-the-checkbox-captcha-wins/

For a slightly more obtrusive test the Qs and As are good. The obvious ones are static prompts, e.g. What is the sum of 3 and 2? I had good success with that for a while, but some spambots seem to look for that now. I currently have total success with my random Qs and As and I can totally change these if and when the spambots catch up.

I like the 5 secs idea -- I never thought of that!

Summary:

1. I would try the JS checkbox, 5 secs delay, and/or look at my Qs and As implementation.
2. Failing that you have to fall back to: increasingly complex image CAPTCHAs, Login, Moderation and Akismet solutions etc.

If the spambot programmers target your site (and let's face it, they would only do so if you are a worthy target), you have to work with the second group anyway :(
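
A server-side check combining three of the measures discussed in this thread (empty honeypot, JS-added checkbox, 5 secs delay), as an added example that is not part of the original message or of web2py. The field names `website`, `js_human` and `token`, the secret, the one-hour expiry and the reading of the 5 secs delay as a minimum time between rendering and submitting the form are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
MIN_FILL_SECONDS = 5              # the "5 secs" delay mentioned in the thread
MAX_FORM_AGE = 3600               # assumption: a rendered form is valid for one hour


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Signed render timestamp, embedded in a hidden form field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict of strings."""
    now = time.time() if now is None else now
    # 1. Honeypot: hidden from users, so any value means a bot filled it.
    if form.get("website", "").strip():
        return False, "honeypot filled"
    # 2. Checkbox that only exists if client-side JS ran and added it.
    if form.get("js_human") != "on":
        return False, "js checkbox missing"
    # 3. Signed timestamp: a client cannot backdate it to dodge the delay.
    ts, _, sig = form.get("token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad token"
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_FORM_AGE:
        return False, "token expired"
    return True, "ok"
```

The token is stateless, so the same token can be resubmitted until it expires; making it single-use requires recording issued tokens server-side.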

