Ask HN: reCaptcha isn't stopping spam, what should I do?
Hey guys, I recently built a small posting site and put it up on a previously used url that I had to test it. Within a few hours I had dozens of spam posts. So I installed reCaptcha and tested it (to make sure it was working) and then cleaned all the spam out.
But even with reCaptcha installed, I am still getting dozens of spam posts a day still. Is there a better solution? I have looked into akismet and mollom but I am not wanting to subject post content to third parties. Is there a better captcha system?
I also have included a form field hidden from the user to catch bots but I do not think it is very effective.
Thanks for the help
23 comments
[ 12.5 ms ] story [ 69.4 ms ] threadAlso, was there any significant reduction in the spam posts after installing reCaptcha?
The link is http://wtpaf.com
FYI, I have cleared out everything just a few minutes ago while working on the site.
Spammers generally use captcha solving APIs which map to humans in low-wage countries. They pay ~$2/1000 solved captchas (a few years ago, not sure what it's like now.)
If you're not a specific target, changing your captcha might be enough to no longer easily be a victim of such a service without changes to the spammer software.
Of course, this is not a long term perfect solution against motivated adversaries, but it's a way to see how the current spammers work.
Another: Add a keydown handler to your message-textarea and log (to a hidden form field) how many key presses are being used per post. If the spam software is setting the content field programmatically, you then know how to detect them.
Include a small piece of Javascript that sets a hidden field in your form to some password when the page loads.
Then, when the form is posted, verify on the server that that field has been set to the password.
This should get rid of most of your spam. The reason it works is that you are being hit with spam from a program called "Xrumer", which doesn't emulate the Javascript of the pages it interacts with. It simple brute forces the forms on every single page it finds, and solves their captchas too. However, even the simplest Javascript will stop it from working.
If so, I know it wasn't a human that submitted the post - they could not see it - whilst automated spam tools seemingly cannot resist entering something in that field. I emailed suspect postings to myself with IP address info to add them to an IP block-list later, but showed them a fake "success" page or a "your post has been selected for moderation" page. The latter turned out to be more effective as it resulted in fewer repeated attempts.
I removed the annoying reCaptcha code altogether as a test, and never had to reinstate it. Real users hated the reCaptcha thing anyhow.
1) The form was recently submitted (i.e. you cannot submit forms from two hours ago). Done well with another approach I take, this also catches bots that try to resubmit already cracked form instances. This is a bigger issue than you might give it credit for. Often they will crack a form instance by hand and then submit variations of fields they care to spam in programatically. Crack once by hand, submit spam 10000 times automatically therafter.
2) That the delta between receiving the form submission and when it was generated is greater than how long the fastest human would take.
It has a throttling effect to spamming (if nothing else), in addition to preventing most programatic spam. It is also nice that it does not depend on client-side javascript that can be tampered with. Used in combination with some other approaches, I have several sites that serve millions of users a year that all but remove the need for captchas (contact me if you are interested).
Do bots submit instantly? Would just inserting a timestamp with javascript fix it?