Home/ Questions/Q 34267
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T14:03:05+00:00

It looks like we’ll be adding CAPTCHA support to Stack Overflow. This is necessary

  • 0

It looks like we’ll be adding CAPTCHA support to Stack Overflow. This is necessary to prevent bots, spammers, and other malicious scripted activity. We only want human beings to post or edit things here!

We’ll be using a JavaScript (jQuery) CAPTCHA as a first line of defense:

http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs

The advantage of this approach is that, for most people, the CAPTCHA won’t ever be visible!

However, for people with JavaScript disabled, we still need a fallback and this is where it gets tricky.

I have written a traditional CAPTCHA control for ASP.NET which we can re-use.

CaptchaImage

However, I’d prefer to go with something textual to avoid the overhead of creating all these images on the server with each request.

I’ve seen things like..

  • ASCII text captcha: \/\/(_)\/\/
  • math puzzles: what is 7 minus 3 times 2?
  • trivia questions: what tastes better, a toad or a popsicle?

Maybe I’m just tilting at windmills here, but I’d like to have a less resource intensive, non-image based <noscript> compatible CAPTCHA if possible.

Ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. A method that I have developed and which seems to work perfectly (although I probably don’t get as much comment spam as you), is to have a hidden field and fill it with a bogus value e.g.:

    <input type='hidden' name='antispam' value='lalalala' />

    I then have a piece of JavaScript which updates the value every second with the number of seconds the page has been loaded for:

    var antiSpam = function() {         if (document.getElementById('antiSpam')) {                 a = document.getElementById('antiSpam');                 if (isNaN(a.value) == true) {                         a.value = 0;                 } else {                         a.value = parseInt(a.value) + 1;                 }         }         setTimeout('antiSpam()', 1000); }  antiSpam();

    Then when the form is submitted, If the antispam value is still ‘lalalala’, then I mark it as spam. If the antispam value is an integer, I check to see if it is above something like 10 (seconds). If it’s below 10, I mark it as spam, if it’s 10 or more, I let it through.

    If AntiSpam = A Integer     If AntiSpam >= 10         Comment = Approved     Else         Comment = Spam Else     Comment = Spam

    The theory being that:

    • A spam bot will not support JavaScript and will submit what it sees
    • If the bot does support JavaScript it will submit the form instantly
    • The commenter has at least read some of the page before posting

    The downside to this method is that it requires JavaScript, and if you don’t have JavaScript enabled, your comment will be marked as spam, however, I do review comments marked as spam, so this is not a problem.

    Response to comments

    @MrAnalogy: The server side approach sounds quite a good idea and is exactly the same as doing it in JavaScript. Good Call.

    @AviD: I’m aware that this method is prone to direct attacks as I’ve mentioned on my blog. However, it will defend against your average spam bot which blindly submits rubbish to any form it can find.

    • 0