Skip navigation.


Telling Computers and Humans Apart in web forms without visible CAPTCHAs

Many websites use CAPTCHAs of one form or another to try and tell the difference between Humans and Computers interacting with web forms. As the BBC have recently commented, these can be cumbersome to implement and also annoying to users.

Automated ways to distinguish humans and computer bots when submitting data via a web page are relatively easy once you figure out the ways each interact with web servers.

The basic thing that almost all spambots have in common is that they

  1. Don't support session cookies,
  2. Don't run Javascript code, and
  3. Try to submit hyperlinks in one form or another

Unfortunately, to implement a website form that requires both session cookies and Javascript to submit correctly requires a little more code than a basic <form> tag, but it shouldn't be difficult to make this code generic and manipulate the browser DOM to make the developer implementation very simple. On top of that, requiring moderation for anything that includes a hyperlink means that even the human spammers don't get through.

After very close to three years of running such a system on various websites that I look after, it is still yet to be cracked by any automated bots and also has not had any false-positives (apart from requiring moderation for a very small number of posts where people are submitting legitimate URLs). The only human (non-automated) spammer that has made it through to be moderated is from one IP address in Russia that regularly tries to include a link to a fake finance blog, so again something that's very easy to block with the right back end in place.

By on October 6, 2010 | Permalink | Comment

Reader Comments

Skip to form

There are currently no comments about this article.

Comment on This Article:

Your Name:
Your Email Address:

Your Email Address will not be made public,
but the MD5 hash of it will be used to display your Gravatar.
All HTML, except <i>, <b>, <u> will require your comment to be moderated before it is publicly displayed.
If you would like your own avatar displayed, read about comment avatars.