Posted in security on 6 February 2007
by Andrew Lang 

Preventing spam without CAPTCHA

Earlier we wrote about CAPTCHA as a way to prevent automated posting for online forms.

The obvious disadvantage of CAPTCHA is that it requires a further action from the user, and CAPTCHA text is not always readable even to those with 20/20 vision! So it's also an accessibility issue.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". The onus is on the website visitor to prove they are human, rather than the spam 'bot'!

Spammers can automatically post online forms by guessing or learning the field names of the form. Even if you use an obscure field name for the email address (for example), all it takes is for one person to work out what this name means and then tell the spam program to use it.

This got us thinking - what if the field names were randomised every time an online form was accessed? We implemented this on a test website that received spam daily without CAPTCHA.

Over the last week, this mailbox has received zero spam using this new method, so it seems to be working.
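One way to randomise field names on every form access, as an added sketch that is not the code used on our test website. The field list, the `form_token` hidden input and the in-memory `_pending` store are assumptions made for the example.

```python
import secrets

REAL_FIELDS = ("name", "email", "message")  # assumed contact-form fields
_pending = {}  # form token -> {random alias: real field name}; demo store only,
               # a real site would keep this in the session and expire old entries


def render_form():
    """Issue a fresh token and a fresh random alias for every real field."""
    token = secrets.token_urlsafe(16)
    aliases = {"f" + secrets.token_hex(8): real for real in REAL_FIELDS}
    _pending[token] = aliases
    inputs = "\n".join(
        f'<label>{real} <input name="{alias}"></label>'
        for alias, real in aliases.items()
    )
    html = (
        '<form method="post">\n'
        f'<input type="hidden" name="form_token" value="{token}">\n'
        f"{inputs}\n</form>"
    )
    return token, aliases, html


def handle_post(posted):
    """Map aliases back to real names; return None for anything that does not match."""
    aliases = _pending.pop(posted.get("form_token", ""), None)  # token is single use
    if aliases is None:
        return None  # missing, unknown or replayed token
    submitted = {k: v for k, v in posted.items() if k != "form_token"}
    if set(submitted) != set(aliases):
        return None  # fixed or stale field names, as a scripted poster would send
    return {aliases[k]: v for k, v in submitted.items()}


if __name__ == "__main__":
    token, aliases, html = render_form()
    print(html)
    # Constructed submission using the names issued for this one page view.
    post = {"form_token": token, **{a: "sample " + r for a, r in aliases.items()}}
    print(handle_post(post))  # decoded to real field names
    print(handle_post(post))  # None: the same token cannot be posted twice
```

A submission is accepted only if it carries the exact names issued for that page view, so a script that has learned the names from an earlier visit is rejected.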
