How effective is CAPTCHA?

Status
Not open for further replies.

wickedDUDE

Jun 25, 2006
Hello,

One of my sites has recently started getting A LOT of spam via form submissions. I was wondering, how effective is CAPTCHA? And, as a user, do you find it annoying? I'm seriously thinking of implementing this on the site I am working on now, but was wondering a) its effectiveness at eliminating spam, and b) whether or not users find it annoying, even in the slightest bit.

Thanks.
 


What type of form is it? If it's a contact form or tell a friend or something, a few lines of PHP would get rid of HTML and URLs.

If it's a directory, just install the captcha that comes with the script... the spam will only get worse.
 
It eliminates most spam. There is still spam software that reads captchas though.

I find captchas annoying. I bet a lot of people do.
 
I'll post this again here.

One thing I do, I think I saw it on Shiflett or something, is this (you have to use sessions). This passes a random token with the form and through sessions to your form processing script and verifies they are the same. This makes it pretty certain the form was submitted from your site. Someone could still sit there and spam manually of course, but that would likely be quite limited.

In the page with your form use these lines, assuming sessions are active.

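<?php
session_start(); // sessions must be active before $_SESSION is used
// Unpredictable per-form token taken from the system CSPRNG
$token = bin2hex(random_bytes(32));
$_SESSION['token'] = $token;
?>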

In your form use (in PHP because of the var)

<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES); ?>" />


Then in the script that processes and validates your form use this.

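session_start();
// Reject unless both tokens are present and match (constant-time comparison).
if (!isset($_SESSION['token']) || !is_string($_POST['token'] ?? null)
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
    echo "Get lost mofo!";
    exit;
}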

You must check all form data to make sure it is something you want and not bcc:, etc. Validate all email addresses, and strip all unwanted characters, don't forget stuff like 0x, base64, content-type:, etc.

You can also pass a time stamp and check it in the processing to make sure the form was submitted within xx minutes of the form being loaded.
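
The checks described in the post above (a session-bound token, a time limit on the form, and rejecting mail-header injection in submitted fields), put together as an added example that is not code from the thread. The function names, the `email` and `subject` field names and the 20-minute limit are assumptions.

```php
<?php
// Added example; names, fields and the time limit are assumptions.
const MAX_AGE = 1200; // seconds; stands in for the post's "xx minutes"

// Call while rendering the form, after session_start().
function issue_form_token(): string {
    $_SESSION['token'] = bin2hex(random_bytes(32));
    $_SESSION['token_time'] = time();
    return $_SESSION['token'];
}

// True only if the posted token matches and the form is not too old.
function form_is_fresh(array $post, array $session, int $now): bool {
    if (!isset($session['token'], $session['token_time'])
        || !is_string($post['token'] ?? null)
        || !hash_equals($session['token'], $post['token'])) {
        return false;
    }
    $age = $now - $session['token_time'];
    return $age >= 0 && $age <= MAX_AGE;
}

// Reject values that could add mail headers or a MIME part.
function is_safe_header_value(string $v): bool {
    if (preg_match('/[\r\n\0]|%0[ad]/i', $v)) {
        return false; // raw or URL-encoded CR/LF
    }
    return !preg_match('/\b(bcc|cc|content-type|mime-version)\s*:/i', $v);
}

// Returns the names of the fields that failed validation.
function validate_contact(array $post): array {
    $errors = [];
    $email = $post['email'] ?? '';
    if (!is_string($email) || !is_safe_header_value($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $subject = $post['subject'] ?? '';
    if (!is_string($subject) || $subject === '' || !is_safe_header_value($subject)) {
        $errors[] = 'subject';
    }
    return $errors;
}

// Constructed sample: token is valid, but the email field carries an extra header.
$session = ['token' => 'abc123', 'token_time' => 1000];
$post = ['token' => 'abc123', 'email' => "a@example.com\r\nBcc: b@example.net", 'subject' => 'Hi'];
var_dump(form_is_fresh($post, $session, 1060), validate_contact($post));
```

In a real handler, pass `$_POST`, `$_SESSION` and `time()` to `form_is_fresh()` and unset the session token after a successful check so each form load can be submitted only once.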
 