Idea to enhance the invisible captcha

Topics: Business Logic Layer
May 16, 2009 at 9:30 PM

I read on Mads' blog how the captcha works:

However it doesn't seem to be working very well. I get lots of random spam still. The captcha should add another approach... Use the text changed event in the comment body to track how fast the user is typing. If it is too fast, consider the user to be a computer. Of course they could have been copy pasting, so they should get some chance to resubmit. Of course the spammers can just put some wait time in there, but that would make their spam engines too slow to be of any use.

Another additional approach is to constantly mutate the script and field names and number of fields that are used for the hidden field(s).
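The typing-speed check proposed in the post above, sketched as an added example that is not part of the original thread or of BlogEngine's own code. The thresholds, the event shape and the function names are assumptions.

```javascript
// Added example. Timings come from the client, so treat the result as a
// heuristic signal for moderation, not as proof of a human.
const DEFAULTS = { maxCharsPerSec: 25, pasteJump: 20, maxRetries: 1 }; // assumed values

// events: [{ t: ms timestamp, len: comment length }] recorded by a text-changed handler.
function assessTyping(events, opts = {}) {
  const o = { ...DEFAULTS, ...opts };
  if (events.length < 2) return { verdict: "too-fast", reason: "no typing observed" };
  let typedChars = 0, typingMs = 0, pasted = 0;
  for (let i = 1; i < events.length; i++) {
    const delta = events[i].len - events[i - 1].len;
    const dt = events[i].t - events[i - 1].t;
    if (delta >= o.pasteJump) { pasted += delta; continue; } // many chars in one event: paste
    if (delta > 0) { typedChars += delta; typingMs += dt; }  // deletions are ignored
  }
  if (pasted > 0 && pasted >= typedChars) {
    return { verdict: "pasted", reason: `${pasted} chars pasted` };
  }
  const cps = typingMs > 0 ? typedChars / (typingMs / 1000) : Infinity;
  const reason = `${cps.toFixed(1)} chars/s`;
  return { verdict: cps > o.maxCharsPerSec ? "too-fast" : "ok", reason };
}

// The "chance to resubmit": a flagged comment is bounced once, then held for review.
function decide(assessment, priorAttempts, opts = {}) {
  const o = { ...DEFAULTS, ...opts };
  if (assessment.verdict === "ok") return "accept";
  return priorAttempts < o.maxRetries ? "ask-resubmit" : "hold-for-moderation";
}

// Constructed sample sessions (not real traffic).
const human = Array.from({ length: 40 }, (_, i) => ({ t: i * 180, len: i + 1 }));
const script = Array.from({ length: 40 }, (_, i) => ({ t: i * 5, len: i + 1 }));
const paste = [{ t: 0, len: 0 }, { t: 50, len: 300 }];

for (const [name, ev] of Object.entries({ human, script, paste })) {
  const a = assessTyping(ev);
  console.log(name, a.verdict, a.reason, "->", decide(a, 0));
}
```

A visitor who composes in a text editor and pastes lands in the `pasted` branch, so the first submission is bounced rather than rejected outright.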

May 16, 2009 at 9:49 PM

The JS based captcha built into BE is designed to prevent bots from adding spam comments.  Bots (not people) usually are submitting comment spam with a tool where JS isn't enabled.  So this captcha works well.

A lot of the spam I see these days appears to be from actual people who go to the blog in their browsers and add a comment.  They typically get paid a small amount of money for each piece of spam they leave.  You can usually tell this spam is being left by real people because they usually include some keywords from the blog post in their comments.

For these cases, the JS based captcha doesn't help.  Changing the field names wouldn't help either.  Checking how fast they type in their comment would be an annoyance to real visitors.  I personally always type comments and messages in a text editor and then copy-paste them into a webpage.

I think using one of the comment spam validation services is the best solution.  The Commentor extension from rtur includes an option to integrate comment spam validation from 2 different spam validation services.  When a comment is left, it is validated at that time.  The spam validation services I believe look at all the information available from a commenter to determine if it is spam -- Subject, Message Body, Email Address and IP Address.

Jul 16, 2009 at 12:44 PM

For some reason, the Commentor extension does not seem to help on my blog - it is a shared host - but running the latest version of BlogEngine and validated using WAEGIS...

Jan 24, 2010 at 8:05 PM

I have a captcha solution running on BlogEngine 1.5.7. I posted the steps to implement the solution on my blog: