We had a captcha-free anti-spam form idea recently, for a very long, multi-page form application that I thought I'd share and get any thoughts on.
This particular form is a multi page application but starts with a simple email field and a next button. This creates a record in a database using that email as a reference to come back and complete the form at another time. All other data entered is of course also stored. The email address is stored to the session.
We use passwords to validate the email account but they are only sent when a request to continue the form is made so we don't send emails to spam servers.
We also have another column called human_flag set to a default of 0. Our theory is lots of bots will probably hit the first email entry form field and also submit to page 2. Most bots will think their work is done and not continue. At this point the human_flag is still set to 0.
When the page is clicked, an xajax call will update the human flag to 1.
Our theory is a bot can't click the page so will never be considered human.
The whole point is to not use captcha, because captcha sucks.
Honestly, I don't like your idea. It's innovative, yes, but I don't like it.
Captcha is an inconvenience to the user and if it can be avoided it should be. You have to add so much noise and distortion these days they're becoming barely usable. I have on a number of occasions filled in a captcha when entering form info and failed to do so correctly, so in order to defeat bots, captchas are defeating humans and that sucks.
I've had other ideas that work pretty well for anti-spam questions, like a mix of colours in the captcha letters (without any distortion) and asking the human to enter the red letters, for example. I also have common expressions like 'Roses are ( ) red ( ) blue' with radio choices. Both have prevented bots pretty well; however, I'd like to avoid the captcha and challenges completely while still defeating the bots.
Also, if you're going to rubbish my idea please say why. If you have a criticism of this idea please post it. That was my entire reason to post it here in the first place.
My view is like this:
I like to make web applications, especially in PHP, because the user only needs a browser to run my app.
No need for a virtual machine... no need to make my own Windows GUI or Unix GUI or mobile phone GUI...
For this reason, I can truly concentrate on making a good web app...
Because of that point of view, I always avoid browser-dependent scripts, like JavaScript...
Not all browsers can run it well....
For user validation, bot or human, I prefer to use a captcha image containing some letters...
No need to add distortion to the image... no need to use a unique font... casual letters are enough, because my biggest concern is that it is very difficult to make an image recognition bot... I have tried to make one, but failed....
A question like znupi's is also preferable for blind users...
If you are scared that captcha may defeat humans, optimize your captcha... you need to know how far you need to blur the message... developers should always try to accommodate users, not users always trying to adapt to developers' needs...
Not all browsers can run it well, and not all users activate their browser's JavaScript capability.
Not all users like to use their mouse/pointer...
You can not implement it for users that use a mobile phone...
You can not implement it for blind users...
And not all users like to give their true email... :P
Whichever method you use to block the spambots will also block legitimate users. The trick is to come up with a combination approach which blocks spambots and hopefully still provides legitimate users with one means or another of being able to use the form. A combination of a CAPTCHA image and a simple question, where answering either one correctly will get you through, is the simplest method I can think of to achieve this, since you need to allow those users who are visually, audibly or cognitively limited to pass validation while still blocking the blind, deaf, and stupid spambots.
Don't you think that's a bit better?
Another thing: if someone really wants to bash your site, they'll make a special bot that will make the ajax request too, or fill the hidden input with the value it needs. With an image captcha, that's not possible; you have to develop OCR software, which... not many people are able to do.
If you're not adding noise and warping, you're wide open.
Some of those examples are already tough to read. If it's necessary to make it harder than the examples in the links, then distorted captcha is done. I don't like to fail entering a captcha and I'm used to captcha. Non techy types find those distorted captchas almost impossible. Captcha is supposed to keep bots out while letting humans in, it's reached a point where it's keeping humans out too.
Here's how it goes for users sometimes (myself included):
Fill out form (including a password)
enter new captcha
passwords not re-filled in
enter passwords again
enter new captcha
enter passwords again
enter new captcha
hopefully make it this time!
say out loud 'captcha sucks'
Honeypots and timestamp checks are ok too. As are challenge questions and multi-stage forms. I've used them all and had success. I'm hoping to find the least obtrusive way to achieve spam-bot-free forms.
So here's an evolution of the idea after thinking about your comments.
I'm thinking the human_flag coupled with a timestamp 'page drawn to submit' comparison might work well. Then a probability of the user being a spam bot could be calculated, and if there is a suspicion then a captcha is displayed for human confirmation.
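The scoring idea in the post above, together with the original human_flag scheme and the honeypot and timestamp checks mentioned earlier in the thread, as an added example that is not code from any poster. The thread's stack is PHP/xajax, but no code was posted and the logic is language-independent, so it is written in Python. Everything here is assumed: the signal weights, the 5-second minimum fill time, the 0.5 threshold, the honeypot field name `website`, and the use of the session (where the original poster already keeps the email) to hold the render time so a bot cannot back-date it. The human_flag is deliberately given a low weight, since a later reply points out a purpose-built bot can make the ajax call too and JavaScript-less users never set it.

```python
import time

# Constructed example, not code from the thread. Three signals the posts
# describe are combined: a hidden honeypot field, a "page drawn to submit"
# timestamp comparison, and the human_flag set by a client-side call.
# Weights, threshold and field names are assumptions to tune on real traffic.
WEIGHTS = {
    "honeypot_filled": 0.9,   # hidden field only a bot would fill in
    "too_fast": 0.5,          # submitted faster than a person could type
    "no_human_flag": 0.3,     # weak on its own: JS-less users also lack it
}
MIN_FILL_SECONDS = 5.0
CAPTCHA_THRESHOLD = 0.5


def render_form(session, now=None):
    """Called when the form page is drawn: record the render time in the
    session (never in the form itself, so a bot cannot back-date it)."""
    session["rendered_at"] = time.time() if now is None else now
    session.setdefault("human_flag", 0)


def mark_human(session):
    """Endpoint hit by the client-side (ajax) click event; sets human_flag = 1."""
    session["human_flag"] = 1


def bot_probability(session, form, submitted_at):
    """Return (probability, reasons). Fired signals are combined as
    independent evidence: p = 1 - prod(1 - w) over the signals that fired."""
    reasons = []
    if form.get("website"):                      # honeypot, hidden by CSS
        reasons.append("honeypot_filled")
    elapsed = submitted_at - session.get("rendered_at", submitted_at)
    if elapsed < MIN_FILL_SECONDS:               # no render record counts as 0s
        reasons.append("too_fast")
    if not session.get("human_flag"):
        reasons.append("no_human_flag")
    survive = 1.0
    for r in reasons:
        survive *= 1.0 - WEIGHTS[r]
    return 1.0 - survive, reasons


def decide(session, form, submitted_at):
    """'accept' the submission outright, or require a 'captcha' for human
    confirmation when the bot probability reaches the threshold."""
    p, _ = bot_probability(session, form, submitted_at)
    return "captcha" if p >= CAPTCHA_THRESHOLD else "accept"


if __name__ == "__main__":
    # Constructed sessions and submissions; times are fake epoch seconds.
    human = {}
    render_form(human, now=1000.0)
    mark_human(human)
    print(decide(human, {"email": "a@example.com", "website": ""}, 1045.0))

    no_js = {}                                   # never calls mark_human
    render_form(no_js, now=1000.0)
    print(decide(no_js, {"email": "b@example.com", "website": ""}, 1045.0))

    bot = {}
    render_form(bot, now=1000.0)
    print(decide(bot, {"email": "c@example.com",
                       "website": "http://spam.example"}, 1000.4))
```

With these weights a user without JavaScript who takes a normal time and leaves the honeypot empty scores 0.3 and is accepted, which answers the accessibility objections raised earlier in the thread; a bot that fills the honeypot and submits in under a second scores 0.965 and is sent to the captcha. The captcha is only shown to suspicious submissions, not used as the front line.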
I added a simple logic question to a phpbb board registration page and it stopped the spambots in their tracks. There have been zero new spam accounts since this was put in place nearly a year ago. The question: What is fourteen minus seven? Please answer using letters only, not a number.
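A generator and checker for the kind of arithmetic question described in the post above, as an added example; it is not the poster's phpBB code and is written in Python rather than PHP since no code was posted. It goes slightly beyond the single question quoted: operands and the operator are randomized per request, and the expected word is returned separately so it can be kept server-side (the session is an assumed place), never echoed into the form. The number-word list and prompt format are assumptions.

```python
import random

# Constructed example, not code from the post. Number words cover every
# value an operand or answer can take; the prompt wording follows the post.
WORDS = ["zero", "one", "two", "three", "four", "five", "six", "seven",
         "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
         "fifteen", "sixteen", "seventeen", "eighteen", "nineteen", "twenty"]


def make_question(seed=None):
    """Build a (prompt, expected_word) pair. Store expected_word server-side
    (e.g. in the session) and send only the prompt to the browser."""
    rng = random.Random(seed)            # seed is for reproducible tests only
    if rng.random() < 0.5:
        op = "plus"
        a = rng.randint(1, 19)
        b = rng.randint(1, 20 - a)       # keep the sum within the word list
        answer = a + b
    else:
        op = "minus"
        a = rng.randint(1, 20)
        b = rng.randint(1, a)            # never go negative
        answer = a - b
    prompt = (f"What is {WORDS[a]} {op} {WORDS[b]}? "
              "Please answer using letters only, not a number.")
    return prompt, WORDS[answer]


def check_answer(expected_word, given):
    """Accept only a letters-only answer, ignoring case and surrounding
    whitespace; digits are rejected, as the post's question demands."""
    given = given.strip().lower()
    if not given.isalpha():
        return False
    return given == expected_word


if __name__ == "__main__":
    prompt, expected = make_question(seed=1)
    print(prompt)
    print(check_answer(expected, expected.upper()), check_answer(expected, "7"))
```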
That doesn't sound good to me, because from what I understand, there's still a way to get to the captcha, which you said can be defeated by bots. Another idea would be to use an animated captcha, here are a couple I've made: http://znupi.ath.cx/work2/captcha/index.php and http://znupi.ath.cx/work2/captcha/index2.php
I prefer the second one because there is NO frame that would show all the letters. For a human it's easily solvable, but for a bot it's much harder. Also, if you don't like the way the text is written or you don't like the lines on the background, you can apply the same logic to another captcha. If you want I can post the code.
508 compliance is about allowing blind people to access your website. Visual captchas can't be 508 compliant, animated or otherwise.
If you use a visual captcha you're basically saying you don't care that visually impaired people can't use your site. I develop for a university, so we are obligated (not yet by law in the US) to reach 508 compliance.
Crazy, huh? $450 is pennies to a spammer; they pay tens of thousands to buy OS vulnerabilities.
If your site is worth the effort, they'll just use people in India at $2 a day. Then we'll have to detect IPs and rates of submission from them.
I think I'm going to make my own internet and only let nice people in. Hey, I've got it. We can print out the form and have some guy bring it to my house... Sweet.. Maybe Wikipedia could come in book form too, split into nice leather bound volumes of course.