I am looking for opinions about how bulletproof this captcha system could be to avoid spam in a contact form.

The form submit goes through ajax.

  • So I generate 2 random numbers with javascript.
  • The sum of those numbers must be correct.
  • On form submit, I validate the inputs and the sum.
  • If all is correct, I send the form data and also both numbers with the result.
  • At backend, the 3 numbers must be received and their sum must match, otherwise something went wrong.

The question is, is this system good enough to avoid spam bots? Any other idea is welcome too.

Note:

Please avoid recommending the Google captcha, because the department boss doesn't want to implement it.

Rohit Gupta
asked Apr 25, 2018 at 15:44
  • Love the department boss who is deciding to reinvent the wheel rather than just reuse google's wheel... @pg02 We recently added google captcha to one of our forms and found it to be a very painless integration. One or two days effort at most, in exchange for a powerful, user friendly, captcha system. Your effort would be best spent trying to get your boss to let you use google's captcha instead of writing your own. Commented Apr 26, 2018 at 5:35
  • This guy has reinvented the wheel a lot of times already 😅 That's what I tried before writing the post... Let's see if your comment and the answer below are enough to convince him. Thanks. Commented Apr 26, 2018 at 5:55

1 Answer

This is a very weak captcha, and not generally a good solution.

  1. It excludes legitimate users that do not have JavaScript enabled. To be fair, those are very few, but still non-zero. If having this contact form is necessary for legal compliance, you should think very carefully about such accessibility issues.

  2. It does not block bots which run JavaScript. Browser automation has become very simple, so you should assume that many bots will execute all JS just like a normal user.

  3. The numbers don't have to be random. I could record one set of numbers and reuse them for arbitrarily many requests. Note that the triple (0, 0, 0) would be a valid combination of numbers, so I could hardcode that if I wanted to spam your site in particular.

Fundamentally, the issue with this validation method is that it relies solely on client-provided data, which you cannot trust. Instead, captchas generally use a challenge–response system: the server challenges the client with a unique problem. This problem should be easy for humans but difficult for bots.

However, challenge-response systems can still be circumvented easily by delegating the challenges to a real human, while the bot otherwise runs automatically. As such, any captcha system can only rate-limit your spam, but never prevent it entirely.

answered Apr 25, 2018 at 16:46
  • Nice explanation, thanks. Hope it helps to make things well. Commented Apr 26, 2018 at 5:58
