
Admittedly I hadn't heard of using a client-side JS input box as an alternative to a Captcha. Does that sort of thing actually work, or can spammers get around it? Is there any anecdotal data to suggest that that's a better method? (not snarking; actually curious)



I guess the problem is that it stops working when you start being big enough to attract the spammers' attention and get bots tailored to your registration system. In the meantime, I guess this is just to avoid problems with general stupid bots which just fill out all the forms they can't find without trying anything fancy.


No client-side method can ever work against a sufficiently motivated spammer.

For example... 1) Start capturing packets via Wireshark. 2) Fill out the form. 3) Replay the captured packets, altering the username.

Presto, now you can sign up as fast as you want.


The strategy you suggest, capturing packets, won't work against any reasonably modern codebase that has XSRF prevention. I agree with your initial statement, but I highly recommend Selenium scripts instead of Wireshark for your spamming needs. It is slower, but much more likely to actually work.


I like the other suggestion about the hidden form a little better; it doesn't really sound bulletproof to me, but anything is better than a Captcha.
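Added example (not part of any comment above, and not code from any site discussed here): a server-side check in Python combining the two defences the thread mentions, a form token that rejects replay of a captured request and a hidden honeypot field. It assumes the token is single-use and bound to the session; `issue_token`, `check_signup`, the `website` field and the in-memory store are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)
_issued = set()                       # nonces handed out and not yet consumed


def _mac(session_id: str, nonce: str) -> str:
    """HMAC that ties a nonce to one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Create the token the server embeds in a hidden input of the signup form."""
    nonce = secrets.token_hex(16)
    _issued.add(nonce)
    return f"{nonce}.{_mac(session_id, nonce)}"


def check_signup(session_id: str, form: dict) -> str:
    """Validate one signup POST; return 'ok' or the reason it was rejected."""
    # Honeypot: field hidden from people with CSS; naive form-fillers populate it.
    if form.get("website", ""):
        return "honeypot"
    nonce, _, mac = form.get("token", "").partition(".")
    # Constant-time comparison; fails if the token was minted for another session.
    if not hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode()):
        return "bad-token"
    # Single use: a valid token that was already consumed is a replay.
    if nonce not in _issued:
        return "replayed"
    _issued.discard(nonce)
    return "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A")  # constructed session id
    first = {"username": "alice", "token": tok, "website": ""}
    print(check_signup("sess-A", first))                        # accepted once
    print(check_signup("sess-A", dict(first, username="bob")))  # same token again
```

A client that loads a fresh form for every submission receives a fresh token each time, so this check only addresses replay of a captured request; rate limiting and server-side reputation checks are still needed against scripted browsers.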



