
I am looking for opinions about how bulletproof this captcha system could be for avoiding spam in a contact form.

The form submit goes through ajax.

  • So I generate 2 random numbers with javascript.
  • The sum of those numbers must be correct.
  • On form submit, I validate the inputs and the sum.
  • If all is correct, I send the form data and also both numbers with the result.
  • At backend, the 3 numbers must be received and their sum must match, otherwise something went wrong.

The question is, is this system good enough to avoid spam bots? Any other idea is welcome too.

Note:

Please avoid recommending the Google captcha, because the department boss doesn't want to implement it.

kosmosan

1 Answer


This is a very weak captcha, and not generally a good solution.

  1. It excludes legitimate users that do not have JavaScript enabled. To be fair, those are very few, but still non-zero. If having this contact form is necessary for legal compliance, you should think very carefully about such accessibility issues.

  2. It does not block bots which run JavaScript. Browser automation has become very simple, so you should assume that many bots will execute all JS just like a normal user.

  3. The numbers don't have to be random. I could record one set of numbers and reuse them for arbitrarily many requests. Note that the triple (0, 0, 0) would be a valid combination of numbers, so I could hardcode that if I wanted to spam your site in particular.

Fundamentally, the issue with this validation method is that it relies solely on client-provided data, which you cannot trust. Instead, captchas generally use a challenge–response system: the server challenges the client with a unique problem. This problem should be easy for humans but difficult for bots.

However, challenge-response systems can still be circumvented easily by delegating the challenges to a real human, while the bot otherwise runs automatically. As such, any captcha system can only rate-limit your spam, but never prevent it entirely.

amon