Post Wed Nov 08, 2006 4:58 pm

Alternatives to CAPTCHAs

There is a nice summary on sans.org of ways that you can cleverly take a bite out of comment spam without having to resort to using CAPTCHAs.

The second method is simpler, and does not require JavaScript. Instead, one or more fake form fields are added to the form. But style sheets are used to make them "invisible". To further confuse the attacker, the fake form fields are given names like "subject" and such, suggesting to the bot that these are the form fields they are looking for. However, whenever a form is submitted with content in a "hidden" field, it is discarded. I am not talking about the classic hidden form fields that are not user changeable, but form fields that are marked with "display: none".


The full summary is available at isc.sans.org
http://isc.sans.org/diary.php?storyid=1836
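
The decoy-field check described in the quoted summary, sketched as an added example (not code from the original post or from the SANS diary). The field names `f_author`, `f_body`, `website`, the `/comment` action, and the sample POST bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Decoy field names (assumed): attractive to bots, hidden from people via CSS.
DECOY_FIELDS = ("subject", "website")
# Real fields carry unremarkable names (assumed) so the decoys look like the targets.
REAL_FIELDS = ("f_author", "f_body")

# The form as served: decoys sit in a container styled "display: none".
FORM_HTML = """\
<style>.extra { display: none; }</style>
<form method="post" action="/comment">
  <input name="f_author">
  <textarea name="f_body"></textarea>
  <div class="extra" aria-hidden="true">
    <input name="subject" tabindex="-1" autocomplete="off">
    <input name="website" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Post</button>
</form>
"""

def filled_decoys(body: str) -> list:
    """Return the decoy fields that arrived with non-blank content."""
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name in DECOY_FIELDS
            if any(v.strip() for v in fields.get(name, []))]

def handle_comment(body: str) -> dict:
    """Discard a submission when any decoy is filled; otherwise accept."""
    hits = filled_decoys(body)
    if hits:
        return {"accepted": False, "reason": "decoy field filled", "fields": hits}
    fields = parse_qs(body, keep_blank_values=True)
    comment = {n: fields.get(n, [""])[0] for n in REAL_FIELDS}
    if not comment["f_body"].strip():
        return {"accepted": False, "reason": "empty comment", "fields": []}
    return {"accepted": True, "comment": comment}

# Constructed sample POST bodies (application/x-www-form-urlencoded).
HUMAN = "f_author=alice&f_body=Nice+post&subject=&website="
BOT = "f_author=x&f_body=buy+now&subject=cheap+pills&website=http%3A%2F%2Fspam.example"

if __name__ == "__main__":
    print(handle_comment(HUMAN))
    print(handle_comment(BOT))
```

A browser still submits inputs hidden with "display: none", but with empty values, which is why only non-blank content in a decoy triggers the discard. Browser autofill can populate hidden fields with familiar names, so logging discarded submissions helps spot false positives.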