Ask HN: What's your experience with PoW captchas against form spam?

6 points by pentacent_hq ↗ HN
Hey folks,

I'm building an Open Source email newsletter tool and one of the challenges we have is form spam: As soon as a signup form goes live somewhere, bots will try to sign up. This is possibly an attempt to overwhelm the inbox of people whose accounts have been compromised. But it's also bad for the people who run the newsletter as these ultimately unwanted emails reduce their sender reputation.

There was recently a discussion here on HN about this topic [1]. The post author ended up using Cloudflare Turnstile to mitigate the issue. We currently already have support for external captcha solutions like hCaptcha. However, many of our users are quite privacy-conscious and don't like having user data sent to third parties (especially non-EU third parties for our European users).

So now I've been thinking of adding an invisible proof-of-work (PoW) captcha to all signup forms. Possible implementations I've been considering are Altcha [2] and mCaptcha [3].

Now to my question: Have any of you tried using PoW captchas to protect against form spam? What have your experiences been with it so far?

[1] https://news.ycombinator.com/item?id=47609882

[2] https://altcha.org/

[3] https://mcaptcha.org/

4 comments

[ 3.6 ms ] story [ 15.2 ms ] thread
I think Altcha is better, I have heard good things about them. And it looks easy to implement and can be selfhosted which is great!!
I'm convinced the most accurate way to use a captcha is to assume that any user that completes the puzzle is a bot.
These will stop curl-based requests but will not do anything against headless browsers. mCaptcha mostly dead.

It increases cost to bot only and does not stop anything unless you sign up for the monthly subscription pay per request plan from Altcha for example. Then you are in a paid Turnstile situation. And not self host. (https://altcha.org/docs/v2/sentinel/ - with third party API services, paid IP databases, additional paid subscription key, this is only mode that will do anything of much value)

Have you seen Private Captcha? It's main point is privacy and GDPR compliance (while being self-hosted). It's a more modern PoW captcha without the limits of Altcha (mCaptcha is mostly out of equation at this point).